TTPwire Vol. 1 · MITRE ATT&CK·Tagged

The Hacker News

Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools

The Hacker News · 2 days ago

ATT&CK techniques detected

4 predictions
T1219 Remote Access Tools · 97%
"phishing campaign hits 80 + orgs using simplehelp and screenconnect rmm tools an active phishing campaign has been observed targeting multiple vectors since at least april 2025, with legitimate remote monitoring and management ( rmm ) software as a way to establish persistent rem…"

T1219 Remote Access Tools · 90%
"if the simplehelp channel is taken down. " the deployed simplehelp version ( 5. 0. 1 ) provides a comprehensive remote administration capability set, " the researchers said. " the victim organization is left in a state where the attacker can return at any time, execute commands s…"

T1219 Remote Access Tools · 82%
"user account on the legitimate hosting server to stage the binary. as soon as the victim opens the jwrapper - packaged windows executable, thinking it ' s a document, the malware installs itself as a windows service with safe mode persistence, makes sure it ' s running by means o…"

T1566.002 Spearphishing Link · 73%
"said in a report shared with the hacker news. setting aside the fact that the use of legitimate rmm tools can evade detection, the deployment of both simplehelp and screenconnect indicates an attempt to create a " redundant dual - channel access architecture " that enables contin…"

Summary

An active phishing campaign has been observed targeting multiple vectors since at least April 2025, using legitimate Remote Monitoring and Management (RMM) software to establish persistent remote access to compromised hosts. The activity, codenamed VENOMOUS#HELPER, has impacted over 80 organizations, most of which are in the U.S., according to Securonix. It shares overlaps with clusters