Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools
Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools — Ravie LakshmananMay 04, 2026Network Security / Endpoint Security [https://blo
What’s new: An active phishing campaign, codenamed VENOMOUS#HELPER, has targeted over 80 organizations, primarily in the U.S., using compromised Remote Monitoring and Management (RMM) tools, SimpleHelp and ScreenConnect, to establish persistent remote access. The campaign began in April 2025 and employs phishing emails impersonating the U.S. Social Security Administration (SSA) to trick victims into downloading malicious software.
Who’s affected
Over 80 organizations, mostly located in the United States, have been impacted by this phishing campaign. The attackers utilize legitimate RMM tools to bypass security defenses.
What to do
- Implement email filtering to detect and block phishing attempts, especially those impersonating government agencies.
- Educate employees on recognizing phishing emails and the risks of downloading attachments from unknown sources.
- Monitor for unauthorized installations of RMM tools and ensure that only approved software is used within the organization.
- Regularly update and patch systems to mitigate vulnerabilities that could be exploited by attackers.
