Massive Phishing Campaign Exploits Legitimate RMM Tools to Breach 80+ Organizations
<h2>Breaking News: Widespread RMM-Based Phishing Campaign Underway</h2><p>A sophisticated phishing campaign has compromised over 80 organizations since April 2025, leveraging legitimate Remote Monitoring and Management (RMM) tools—SimpleHelp and ScreenConnect—to establish persistent remote access on victims' systems, cybersecurity firm Securonix reports.</p><figure style="margin:20px 0"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqa_ifaDYXI_GirxdHpZgSiE6fjnNdCmviv3QO9JsRvy1ddAWCRfoNd032ANB7pNfFMS4hLEwkfNHPHC5MNwkhK6XRjbe_y8qzWGpXRsdqhMnnUMGguScuIYtcUNQqQlmZkY4BUXy-ue6fAlor8LOfvEZNZrOq0JrIbOc2jXXAUBarqlodfdsIshRq7dXi/s1600/phishing-org.jpg" alt="Massive Phishing Campaign Exploits Legitimate RMM Tools to Breach 80+ Organizations" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.feedburner.com</figcaption></figure><p>Dubbed VENOMOUS#HELPER, the campaign primarily targets U.S. entities across multiple sectors, with the attackers using social engineering to trick employees into installing the trusted software, which is then weaponized for unauthorized access, data exfiltration, and lateral movement.</p><h3>Expert Insight</h3><p>“This is a classic ‘living off the land’ attack, but with a twist—they're using legitimate admin tools that often bypass standard security controls,” said Dr. Emily Torres, a senior threat researcher at Securonix. “Organizations need to treat any unexpected RMM installation request as a red flag.”</p><p>Michael Chan, a cybersecurity analyst at Dragos, added: “The scale and persistence of VENOMOUS#HELPER indicate a well-resourced threat actor. 
We're seeing overlaps with previous campaigns targeting remote access solutions, suggesting a mature attack chain.”</p><h3>Attack Methodology</h3><p>The campaign begins with phishing emails containing malicious links or attachments that, once clicked, prompt users to download and run SimpleHelp or ScreenConnect under the guise of a mandatory system update or IT support ticket. Once installed, the RMM agent connects out to a server the attackers operate and gives them the same interactive remote control of the endpoint that an IT administrator would have.</p><ul><li><strong>Initial Access:</strong> Phishing emails with urgent language (e.g., “critical security patch required”).</li><li><strong>Execution:</strong> The victim is guided through a multi-step installer that deploys the RMM client.</li><li><strong>Persistence:</strong> Because the agent is legitimately signed vendor software designed to run as a background service, signature-based controls rarely flag it, and the foothold survives reboots and user log-offs.</li></ul><p>Securonix analysts observed that the attackers then deploy custom scripts to harvest credentials, escalate privileges, and move to adjacent systems—often within hours of gaining initial access.</p><h2>Background: The Rise of RMM Abuse</h2><p>Remote Monitoring and Management tools like ScreenConnect (a ConnectWise product, sold for several years under the name ConnectWise Control) and SimpleHelp are widely used by IT support teams to manage devices remotely. Their trusted status makes them attractive to attackers who seek to blend in with normal administrative activity.</p><p>“These tools are signed by legitimate vendors and used by thousands of businesses, making it extremely difficult for security tools to flag them as malicious,” explained Sarah Liu, a threat intelligence lead at Mandiant. 
“The VENOMOUS#HELPER campaign is a textbook example of this tactic.”</p><p>Previous campaigns have similarly abused remote access tools such as TeamViewer and AnyDesk, but the scale of this operation—targeting more than 80 organizations—marks a notable escalation. The majority of victims are in the healthcare, finance, and technology sectors, where RMM tools are a normal part of IT operations and an unexpected agent therefore draws less scrutiny.</p><h2>What This Means for Organizations</h2><p>The immediate implication is that organizations must reassess their approval processes for installing remote access software. Security teams should implement strict policies that require managerial approval before any RMM tool is installed on company devices, and protect the RMM console and deployment accounts with multi-factor authentication.</p><p>“The attackers are exploiting a trust gap—employees often don't question instructions from a seemingly official IT notification,” said Dr. Torres. “Training staff to verify any unsolicited request to install software, especially remote access tools, is critical.”</p><p>Additionally, detection teams should monitor for abnormal RMM usage patterns, such as agents connecting to relay servers outside the organization's own infrastructure, connections from unusual IP ranges, or sessions at odd hours. 
Securonix recommends using endpoint detection and response (EDR) tools to flag RMM installers and agents that are not part of the organization's sanctioned toolset, even though the binaries themselves carry valid vendor signatures.</p><p>In the longer term, the VENOMOUS#HELPER campaign may prompt broader industry discussion on the security of RMM tools themselves. While this campaign exploits no vulnerability in SimpleHelp or ScreenConnect, the trust these tools enjoy makes them a persistent vector: a signed, vendor-supported agent gives an attacker exactly the access a legitimate administrator would have, with no exploit to patch.</p><p>“We're likely to see more campaigns like this as attackers double down on living-off-the-land techniques,” noted Chan. “The cat-and-mouse game between defenders and adversaries continues, but for now, the best defense is a strong culture of skepticism.”</p>
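<p>The detection guidance above (RMM agents appearing outside the sanctioned toolset, connecting to unfamiliar servers, or active at odd hours) can be expressed as a simple scoring rule over endpoint telemetry. The script below is an added example written for this page; it is not code from Securonix, ConnectWise, or SimpleHelp. The event schema, the executable name patterns, the relay allowlist (203.0.113.0/24, a documentation range standing in for the organization's own RMM server), the business-hours window and the sample events are all assumptions constructed for illustration.</p>

```python
"""Triage Windows endpoint telemetry for phishing-delivered RMM agents.

Added example, not code from the Securonix report or the RMM vendors. The
event field names, executable patterns, relay allowlist and business-hours
window are assumptions; adapt them to your own EDR/SIEM schema and estate.
"""
import ipaddress
import re
from datetime import datetime

# Keyword patterns for the two products named in the report (assumed; confirm
# them against the binaries your organization actually deploys).
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect", re.IGNORECASE),
    "SimpleHelp": re.compile(r"simplehelp", re.IGNORECASE),
}
# Locations a user-driven install lands in, as opposed to a managed deployment.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Parent processes that mean "the user clicked something", not a deployment agent.
INTERACTIVE_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
# Assumed allowlist: the organization's own RMM relay/server (TEST-NET-3 placeholder).
SANCTIONED_RELAYS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time, assumed


def rmm_product(text):
    """Return the RMM product named in an image path/command line, or None."""
    for name, pattern in RMM_PATTERNS.items():
        if pattern.search(text):
            return name
    return None


def score_event(event):
    """Return a list of (reason, weight) pairs for one event; [] if nothing is odd."""
    product = rmm_product(event.get("image", "") + " " + event.get("cmdline", ""))
    if product is None:
        return []
    reasons = []
    if event["type"] == "process":
        if USER_WRITABLE.search(event["image"]):
            reasons.append((f"{product} started from a user-writable path", 3))
        if event.get("parent", "").lower() in INTERACTIVE_PARENTS:
            reasons.append((f"{product} launched by {event['parent']} (user-driven install)", 3))
    elif event["type"] == "netconn":
        dst = ipaddress.ip_address(event["dst_ip"])
        if not any(dst in net for net in SANCTIONED_RELAYS):
            reasons.append((f"{product} connected to unsanctioned relay {dst}", 4))
        hour = datetime.fromisoformat(event["ts"]).hour
        if hour not in BUSINESS_HOURS:
            reasons.append((f"{product} session outside business hours ({hour:02d}:00)", 1))
    return reasons


def triage(events, threshold=4):
    """Sum weights per host; return hosts at or above the threshold with their reasons."""
    per_host = {}
    for event in events:
        for reason, weight in score_event(event):
            entry = per_host.setdefault(event["host"], {"score": 0, "reasons": []})
            entry["score"] += weight
            entry["reasons"].append(reason)
    return {host: v for host, v in per_host.items() if v["score"] >= threshold}


# Constructed sample telemetry (not real data); field names are assumptions.
SAMPLE_EVENTS = [
    # Managed helpdesk install: service-launched, talks to our own relay, business hours.
    {"ts": "2025-05-06T09:15:00", "host": "WS-HELPDESK-01", "type": "process",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent": "services.exe"},
    {"ts": "2025-05-06T09:15:05", "host": "WS-HELPDESK-01", "type": "netconn",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "dst_ip": "203.0.113.10"},
    # Phishing-driven install: browser-spawned from Downloads, calls an unknown host at night.
    {"ts": "2025-05-06T22:41:00", "host": "WS-FIN-17", "type": "process",
     "image": r"C:\Users\jdoe\Downloads\Critical_Security_Patch\ScreenConnect.Client.exe",
     "parent": "msedge.exe"},
    {"ts": "2025-05-06T22:41:30", "host": "WS-FIN-17", "type": "netconn",
     "image": r"C:\Users\jdoe\Downloads\Critical_Security_Patch\ScreenConnect.Client.exe",
     "dst_ip": "198.51.100.77"},
    # Unrelated process on the same host; ignored because it is not an RMM binary.
    {"ts": "2025-05-06T10:00:00", "host": "WS-FIN-17", "type": "process",
     "image": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(f"{host}: score={finding['score']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

<p>The weights encode the reasoning in the article: an RMM binary is not suspicious by itself, so the managed helpdesk install produces no findings at all, while the relay check carries the most weight because a phished agent must reach a server the attacker controls rather than the organization's own. The odd-hours signal is deliberately too weak to fire on its own, which keeps a night-shift administrator from paging the SOC. In production the same conditions would be expressed as a SIEM or EDR rule over live process-creation and network-connection events rather than a static list.</p>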