Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools

2026-05-04

1 min read

by info@thehackernews.com (The Hacker News)

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

An active phishing campaign codenamed VENOMOUS#HELPER has targeted over 80 organizations using legitimate RMM tools for persistent remote access.

•The attack begins with phishing emails impersonating the U.S. Social Security Administration, directing victims to download a malicious executable disguised as an SSA document.
•Attackers deploy SimpleHelp RMM as a Windows service with persistence capabilities and self-healing watchdog mechanism that automatically restarts if terminated.
•A redundant dual-channel architecture uses both SimpleHelp and ScreenConnect to maintain access even if one tool is detected and blocked.
•Legitimate executables like elev_win.exe are abused to escalate privileges to SYSTEM level, allowing full desktop control and lateral movement.
•

Related Articles