
Phishing Campaign Exploits SimpleHelp and ScreenConnect RMM Tools to Target Over 80 Organizations


By: Marcin Pocztowski

Published: May 04, 2026

Incident status: Active threat

Corroborating sources: 1

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 04, 2026 for infrastructure relevance, source consistency and whether the remediation advice would make sense to an administrator responsible for live routers and servers. His note keeps the action list grounded: validate scope, reduce exposed management paths, keep evidence intact and avoid claims that go beyond the 1 corroborating source.

Review our editorial policy or send corrections to [email protected].

Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

The VENOMOUS#HELPER phishing campaign has compromised over 80 mainly U.S.-based organizations by exploiting legitimate Remote Monitoring and Management software, SimpleHelp and ScreenConnect, to gain persistent system access. Active since April 2025, the attackers use phishing to deploy these trusted tools and evade detection.

WASHINGTON, May 4, 2026, 18:15 UTC – More than 80 organizations, mostly in the United States, have been breached by a phishing campaign that abuses legitimate Remote Monitoring and Management (RMM) platforms to maintain persistent access, security researchers reported.

The campaign, identified as VENOMOUS#HELPER, has been active since at least April 2025. It targets a range of sectors by leveraging SimpleHelp and ScreenConnect software, tools normally used by IT departments to remotely manage devices.

Attackers send phishing emails that prompt users to install or activate these RMM applications. Once operational, the software provides continuous remote control over infected systems, allowing threat actors to evade traditional security measures.

This tactic is effective because it exploits trusted software, reducing the chance of detection by endpoint protection and network monitoring tools.

Researchers at Securonix noted overlaps between VENOMOUS#HELPER and other related attack groups, indicating a potentially coordinated campaign against enterprise environments.

Organizations employing SimpleHelp or ScreenConnect are advised to audit their RMM deployments immediately. Reviewing access logs and disabling unauthorized or unused instances can help restrict attacker persistence.

The campaign highlights the growing risk of legitimate IT management tools being weaponized. Security teams should enforce strict access controls, enable multi-factor authentication, and monitor RMM activity continuously.

While the extent of data theft or damage linked to VENOMOUS#HELPER remains uncertain, the use of persistent remote access tools raises concerns about subsequent ransomware attacks or intellectual property breaches.

Companies should also train staff to recognize phishing attempts and verify any unusual requests to install or activate remote management software.

The campaign’s duration—exceeding a year—demonstrates how threats blending into normal IT operations can evade detection for extended periods.

Security vendors and incident responders are encouraged to develop detection methods focused on identifying abnormal RMM usage patterns that may signal compromise.
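The audit and detection advice above (review RMM access logs, disable instances nobody sanctioned, look for abnormal RMM usage) can be turned into a small triage script. The following is an added example written for this alert; it is not code from HackWatch, Securonix or The Hacker News, and the executable-name fragments, event field names and the sample process-creation events are assumptions constructed for illustration, not indicators from the advisory. It flags SimpleHelp or ScreenConnect agents that talk to a relay host IT does not operate, that run on an endpoint missing from the RMM inventory, or that were spawned by a mail client, browser or archiver, which is the delivery path a phishing-driven install would take.

```python
"""Flag unsanctioned SimpleHelp / ScreenConnect agents from process-creation telemetry.

Added example for this alert; not HackWatch's, Securonix's or the vendors' code.
Executable names, event field names and the sample events are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lower-cased executable / path fragments assumed to identify each RMM family.
RMM_SIGNATURES = {
    "screenconnect": ("screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"),
    "simplehelp": ("remote access.exe", "jwrapper-remote access"),
}

# Parent processes that mean a user launched the agent from a message, a
# download or an extracted archive rather than IT pushing it as a service.
USER_DELIVERY_PARENTS = (
    "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
    "explorer.exe", "7zfm.exe", "winrar.exe",
)


@dataclass(frozen=True)
class Policy:
    approved_servers: frozenset  # RMM relay hosts the IT department actually operates
    approved_hosts: frozenset    # endpoints where an RMM agent is expected at all


@dataclass(frozen=True)
class Finding:
    host: str
    tool: str
    rule: str
    detail: str


def identify_tool(image: str) -> Optional[str]:
    """Return the RMM family name for an image path, or None if it is not an RMM agent."""
    low = image.lower()
    for tool, needles in RMM_SIGNATURES.items():
        if any(n in low for n in needles):
            return tool
    return None


def analyze(events: List[dict], policy: Policy) -> List[Finding]:
    """Apply the three audit rules to a list of process-creation events."""
    findings: List[Finding] = []
    for ev in events:
        tool = identify_tool(ev["image"])
        if tool is None:
            continue  # not an RMM agent; nothing to audit
        host = ev["host"]
        parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
        server = ev.get("server", "")
        if server and server.lower() not in policy.approved_servers:
            findings.append(Finding(host, tool, "unsanctioned-server",
                                    f"agent connects to {server}"))
        if host not in policy.approved_hosts:
            findings.append(Finding(host, tool, "unexpected-host",
                                    f"{tool} agent on a host missing from the RMM inventory"))
        if parent in USER_DELIVERY_PARENTS:
            findings.append(Finding(host, tool, "user-delivered-install",
                                    f"agent spawned by {parent}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group triggered rule names per host, sorted, for a quick incident scope view."""
    per_host: Dict[str, set] = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(rules) for h, rules in per_host.items()}


# Constructed sample telemetry (not real events). Two sanctioned agents pushed by
# the service control manager, two agents a user launched from mail or a browser.
SAMPLE_EVENTS = [
    {"host": "ws-finance-07", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "server": "relay.corp.example"},
    {"host": "ws-hr-12", "image": r"C:\Users\hr12\AppData\Local\Temp\ScreenConnect.WindowsClient.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "server": "support-portal.example.net"},
    {"host": "srv-file-01", "image": r"C:\Program Files\JWrapper-Remote Access\Remote Access.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "server": "simplehelp.corp.example"},
    {"host": "ws-sales-03", "image": r"C:\Users\sales03\Downloads\JWrapper-Remote Access\Remote Access.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "server": "rmm-helpdesk.example.org"},
    {"host": "ws-dev-02", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

POLICY = Policy(
    approved_servers=frozenset({"relay.corp.example", "simplehelp.corp.example"}),
    approved_hosts=frozenset({"ws-finance-07", "srv-file-01"}),
)

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, POLICY):
        print(f"{f.host:14} {f.tool:14} {f.rule:24} {f.detail}")
    print(summarize(SAMPLE_EVENTS and analyze(SAMPLE_EVENTS, POLICY)))
```

On the constructed sample, the two IT-deployed agents produce no findings, while the two user-launched agents each trip all three rules, which is the combination (unknown relay, host outside the inventory, delivered via mail or browser) that should move an endpoint straight to containment rather than to a ticket queue. In a real deployment the allowlists would be populated from the RMM console's own device and relay inventory, and the events would come from Sysmon or EDR process-creation telemetry.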

As VENOMOUS#HELPER evolves, organizations must keep RMM software up to date with patches to close vulnerabilities.

This incident underscores the need for cybersecurity defenses to extend beyond malware detection and include scrutiny of legitimate applications that attackers can exploit.

Further details and indicators of compromise are provided in the Securonix advisory to assist organizations in enhancing their threat detection and response strategies.

https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html

Sources used for this article

The Hacker News


Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.
