Fast Facts
- A phishing campaign called VENOMOUS#HELPER has targeted over 80 organizations since April 2025, using legitimate RMM tools to establish persistent access and evade detection.
- Attackers employ customized SimpleHelp and ScreenConnect RMMs to create a dual-channel architecture, ensuring continuous control even if one channel is blocked.
- The initial infection is via a phishing email impersonating the U.S. Social Security Administration, directing victims to a compromised Mexican website to download malicious payloads.
- The malware installs as a persistent Windows service, gains system privileges, and uses remote access tools to maintain stealthy, ongoing control over compromised systems.
Phishing Campaign Sparks Widespread Concerns
A new and troubling phishing campaign has recently emerged, targeting over 80 organizations, mainly in the U.S. Since April 2025, the attackers have been sending emails that appear to come from trusted sources such as the U.S. Social Security Administration (SSA). These emails trick recipients into clicking links that look legitimate; once clicked, the links lead to compromised websites that silently deliver malicious software. The campaign, tracked as VENOMOUS#HELPER, overlaps with earlier hacker groups and is believed to be financially motivated: researchers have linked it to cybercriminals seeking remote access that could later be used to launch ransomware attacks. Because the attackers rely on familiar remote-access tools, they can control infected systems while remaining undetected.
How the Attackers Use Trusted Software to Evade Detection
The key to this attack is the abuse of legitimate remote monitoring and management (RMM) tools such as SimpleHelp and ScreenConnect. Because IT teams routinely use this software, its activity blends in and hides the attackers' actions. Once a machine is infected, the malware installs itself as a Windows service that keeps running even when defenders interfere with it. It continuously monitors security products and user activity to stay hidden. The infected system then serves as a backdoor, allowing the attackers to reach the machine remotely, run commands, and control it silently. By deploying SimpleHelp and ScreenConnect at the same time, the attackers keep a fallback channel if one is blocked. This layered approach shows how attackers adapt to security controls and turn trusted tools to their own ends.
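One defensive check that follows from the pattern above is to review the Windows service inventory for RMM products that are not part of the organization's approved tooling, and for hosts running two different RMM products at once. The example below is added here and is not code from the original article or from any researcher; the service records, file paths, and the matching rules are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample service inventory (host|service name|binary path); not real telemetry.
SAMPLE_INVENTORY = """\
ws-finance-07|SimpleHelp Remote Access|C:\\ProgramData\\SimpleHelp\\Remote Access.exe
ws-finance-07|ScreenConnect Client (a1b2c3d4e5f6)|C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3d4e5f6)\\ScreenConnect.ClientService.exe
ws-hr-02|ScreenConnect Client (0123456789ab)|C:\\Program Files (x86)\\ScreenConnect Client (0123456789ab)\\ScreenConnect.ClientService.exe
ws-hr-02|Spooler|C:\\Windows\\System32\\spoolsv.exe
srv-it-01|SimpleHelp Remote Access|C:\\ProgramData\\SimpleHelp\\Remote Access.exe
"""

# Hypothetical matching rules for the two RMM products named in the article.
RMM_PATTERNS = {
    "simplehelp": re.compile(r"simplehelp", re.I),
    "screenconnect": re.compile(r"screenconnect", re.I),
}

def parse_inventory(text):
    """Yield (host, service_name, binary_path) from the pipe-delimited records."""
    for line in text.splitlines():
        if line.strip():
            host, name, path = line.split("|", 2)
            yield host, name, path

def classify_rmm(name, path):
    """Return the RMM product a service belongs to, or None for ordinary services."""
    for product, pattern in RMM_PATTERNS.items():
        if pattern.search(name) or pattern.search(path):
            return product
    return None

def find_rmm_findings(text, approved_products):
    """Flag RMM services outside the approved set, and hosts running two RMM products
    at once (the dual-channel pattern). Returns sorted (host, finding, detail) tuples."""
    products_by_host = defaultdict(set)
    findings = set()
    for host, name, path in parse_inventory(text):
        product = classify_rmm(name, path)
        if product is None:
            continue
        products_by_host[host].add(product)
        if product not in approved_products:
            findings.add((host, "unapproved_rmm", f"{product}: {name}"))
    for host, products in products_by_host.items():
        if len(products) >= 2:
            findings.add((host, "dual_rmm", "+".join(sorted(products))))
    return sorted(findings)
```

With ScreenConnect as the only approved product, the sample flags the SimpleHelp service on both hosts that carry it and the dual-RMM pattern on ws-finance-07. In a real deployment the approved list should also be keyed on the organization's own ScreenConnect instance identifier, since an attacker-controlled instance of an approved product would otherwise pass this check.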