Phishing Campaign VENOMOUS#HELPER: SimpleHelp and ScreenConnect in 80+ Organizations

Colleagues, a security alert: the VENOMOUS#HELPER campaign leverages legitimate RMM tools SimpleHelp and ScreenConnect and has impacted over 80 organizations, primarily in the US.
- Initial vector: email impersonating the SSA, leading to a JWrapper‑packed .exe downloaded from a compromised website.
- SimpleHelp is installed as a service with SeDebug and configured to autostart; if blocked, attackers deploy ScreenConnect as a fallback.
- The operation uses signed software and a 'dual‑channel' architecture to maintain persistent, covert access.
Why it matters: legitimate RMMs hinder detection and enable operator re‑entry.
Recommendations: verify RMM deployments, privilege controls and inbound mail handling.
How do you plan to respond?
#cybersecurity #phishing #RMM
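
One way to start the "verify RMM deployments" recommendation, as an added example that is not part of the original post: review service-install records (Windows System log Event ID 7045) for SimpleHelp or ScreenConnect services missing from an approved inventory, and for hosts carrying both tools. The host names, the approved list, the matched substrings and the sample records are constructed assumptions, not indicators from the campaign.

```python
import json

# Assumption: the defender keeps an inventory of approved (host, RMM product) pairs.
APPROVED = {("HELPDESK-01", "screenconnect")}
# Assumption: product-name substrings matched in service name or image path.
RMM_MARKERS = ("simplehelp", "screenconnect")

# Constructed sample records (not from the campaign), shaped like exported
# Windows System-log Event ID 7045 "A service was installed in the system".
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Computer": "FIN-WS-07", "ServiceName": "SimpleHelp Remote Access", "ImagePath": "C:\\ProgramData\\example\\simplehelp-svc.exe", "StartType": "auto start"}
{"EventID": 7045, "Computer": "FIN-WS-07", "ServiceName": "ScreenConnect Client (example)", "ImagePath": "C:\\Program Files (x86)\\example\\client-svc.exe", "StartType": "auto start"}
{"EventID": 7045, "Computer": "HELPDESK-01", "ServiceName": "ScreenConnect Client (example)", "ImagePath": "C:\\Program Files (x86)\\example\\client-svc.exe", "StartType": "auto start"}
{"EventID": 7045, "Computer": "HR-LT-03", "ServiceName": "Example Updater", "ImagePath": "C:\\Program Files\\example\\updater.exe", "StartType": "demand start"}
"""

def load_events(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def rmm_product(event):
    """Return the matched RMM marker for a service record, or None."""
    haystack = f'{event.get("ServiceName", "")} {event.get("ImagePath", "")}'.lower()
    return next((m for m in RMM_MARKERS if m in haystack), None)

def review(events, approved=APPROVED):
    """Flag unapproved RMM services and hosts with more than one RMM product."""
    findings, per_host = [], {}
    for ev in events:
        product = rmm_product(ev) if ev.get("EventID") == 7045 else None
        if product is None:
            continue
        host = ev.get("Computer", "unknown")
        per_host.setdefault(host, set()).add(product)
        if (host, product) not in approved:
            findings.append({"host": host, "product": product,
                             "autostart": ev.get("StartType", "").lower() == "auto start",
                             "reason": "RMM service not in approved inventory"})
    for host, products in per_host.items():
        if len(products) > 1:  # primary plus fallback channel on the same machine
            findings.append({"host": host, "product": "+".join(sorted(products)),
                             "autostart": None,
                             "reason": "two RMM products on one host"})
    return findings

if __name__ == "__main__":
    for finding in review(load_events(SAMPLE_EVENTS)):
        print(finding)
```

Substring matching misses renamed services, so treat a clean result as a starting point and compare against software inventory and signer information as well.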

