
Cybercriminals Exploit Legitimate Remote Tools in Phishing Campaign Targeting U.S. Organizations

Crime & Security · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

WASHINGTON — A financially motivated cybercriminal group tracked as VENOMOUS#HELPER has launched a phishing campaign that abuses legitimate remote management software to gain access to more than 80 organizations, primarily in the United States.

The operation, identified on May 4, 2026, involves the abuse of SimpleHelp and ScreenConnect, two widely used remote monitoring and management (RMM) platforms. By getting victims to install agents for these tools that report to the attackers rather than to the organization's own administrators, the group established persistent remote access to victim networks. Because RMM agents initiate outbound connections, just as a sanctioned deployment would, that access passes through perimeter controls that are tuned to block inbound intrusion. The campaign appears to be a precursor to ransomware deployment or an initial access broker operation, aimed at selling compromised credentials or system access on underground markets.

Security researchers have observed the group distributing phishing emails that direct recipients to malicious websites. These sites prompt users to download what appear to be legitimate updates for the RMM software. The binaries are the vendors' own products; what the phishing page delivers is an agent enrolled to the attackers' infrastructure instead of the victim's. Once installed, that agent grants the attackers full control over the targeted system, allowing them to move laterally within the network and exfiltrate sensitive data.

The campaign has affected a wide range of sectors, including healthcare, finance, and government contractors. The exact number of compromised organizations remains under investigation; initial assessments put the count at more than 80 entities. Most of the affected organizations are based in the United States, though some international targets have also been identified.

VENOMOUS#HELPER is believed to be a financially motivated threat actor, likely operating as an initial access broker. These groups typically gain unauthorized access to networks and then sell that access to other cybercriminals, often ransomware gangs. Legitimate RMM tools suit that business model well: the agents are vendor-built, often already present in the environment for legitimate reasons, and their traffic blends in with normal administrative activity, so the access survives longer before it is detected.

The abuse of SimpleHelp and ScreenConnect highlights the risk posed by the weaponization of trusted software: a genuine installer obtained from a phishing page is, to most endpoint controls, indistinguishable from a sanctioned deployment. Both vendors have issued advisories urging customers to update their systems and monitor for suspicious activity. However, the full extent of the breach and the number of affected users remains unclear.

Cybersecurity experts warn that organizations should immediately audit their remote access tools. Multi-factor authentication on the organization's own RMM console is worthwhile, but it does nothing against an agent a user installed that reports to an attacker-run server, because that server is the one doing the authenticating. The controls that address this campaign are an inventory of which RMM products are authorized and which servers they may contact, application control that blocks agents outside that inventory, and alerting on RMM binaries running from user-writable paths or connecting to servers the organization does not operate. The incident underscores the need for heightened vigilance in monitoring third-party software and the importance of zero-trust security architectures.
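One concrete form that audit could take, as an added example that is not code from the reporting or from either vendor: walk an export of running processes and their outbound connections (the kind of data an EDR or Sysmon feed provides) and flag RMM agents that are not sanctioned, that talk to a server outside the approved set, or that run from a user-writable path. The executable fingerprints, the approved relay host, the assumption that a ScreenConnect client carries its relay host as an `h=` parameter on the command line, and the sample records are all assumptions constructed for this example, not observed indicators from the campaign.

```python
"""Audit process records for unsanctioned or misdirected RMM agents.

Added, illustrative code. Fingerprints, approved servers and sample records
are assumptions for this example; an organization would derive them from its
own approved installers and its own EDR/Sysmon export.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessRecord:
    host: str
    image: str        # full path of the running executable
    cmdline: str      # command line as exported
    remote_host: str  # destination of the agent's outbound connection, "" if none seen


# Which executables belong to which RMM product (assumed patterns).
RMM_SIGNATURES = {
    "screenconnect": re.compile(r"screenconnect\.clientservice\.exe$", re.I),
    "simplehelp": re.compile(r"jwrapper-remote access.*\\remote access\.exe$", re.I),
}

# Servers each sanctioned product may talk to. A product missing from this map
# is not sanctioned at all. Values are assumed for the example.
APPROVED_SERVERS = {
    "screenconnect": {"rmm.corp.example"},
}

# Installs by an administrator land under these roots; phishing-delivered
# installs frequently land under the user's profile instead.
TRUSTED_INSTALL_ROOTS = (r"c:\program files", r"c:\programdata")

# Assumed: ScreenConnect clients carry the relay host as h=<host> in their command line.
RELAY_PARAM = re.compile(r"[?&]h=([^&\s\"]+)")


def identify_tool(rec):
    """Return the RMM product name the executable belongs to, or None."""
    for name, pattern in RMM_SIGNATURES.items():
        if pattern.search(rec.image):
            return name
    return None


def observed_server(rec):
    """Prefer the observed connection; fall back to the relay host in the command line."""
    if rec.remote_host:
        return rec.remote_host.lower()
    match = RELAY_PARAM.search(rec.cmdline)
    return match.group(1).lower() if match else ""


def classify(rec):
    """Findings for one record; an empty list means nothing suspicious."""
    tool = identify_tool(rec)
    if tool is None:
        return []
    findings = []
    approved = APPROVED_SERVERS.get(tool)
    if approved is None:
        findings.append("unsanctioned-tool")
    else:
        server = observed_server(rec)
        if server not in approved:
            findings.append("unknown-server:" + (server or "<none observed>"))
    if not rec.image.lower().startswith(TRUSTED_INSTALL_ROOTS):
        findings.append("user-writable-path")
    return findings


def audit(records):
    """Map each host with findings to its list of findings."""
    report = {}
    for rec in records:
        findings = classify(rec)
        if findings:
            report.setdefault(rec.host, []).extend(findings)
    return report


# Constructed sample export; hostnames and paths are not real indicators.
SAMPLE_RECORDS = [
    ProcessRecord("corp-host",
                  r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
                  "?e=Access&y=Guest&h=rmm.corp.example&p=443", "rmm.corp.example"),
    ProcessRecord("finance-pc",
                  r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect Client (f4e5d6)\ScreenConnect.ClientService.exe",
                  "?e=Access&y=Guest&h=update-portal.example&p=8041", ""),
    ProcessRecord("hr-laptop",
                  r"C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\Remote Access.exe",
                  "", "support-relay.example"),
    ProcessRecord("dev-box", r"C:\Windows\System32\notepad.exe", "", ""),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_RECORDS).items():
        print(host, findings)
```

The sanctioned ScreenConnect install on `corp-host` produces nothing; the copy on `finance-pc` is flagged twice, once for pointing at a relay the organization does not run and once for living under the user's profile, which is exactly the pattern a phishing-delivered "update" leaves behind; the SimpleHelp agent on `hr-laptop` is flagged simply because the product is not on the approved list, whatever server it talks to.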

As investigations continue, authorities are working to trace the origin of the campaign and identify the individuals behind VENOMOUS#HELPER. The group's use of legitimate tools complicates attribution, since the activity mimics that of authorized administrators. Questions remain about whether the rogue agents have been removed from affected networks, whether the vendors' guidance has been applied, and whether additional organizations are at risk.

The campaign is expected to evolve, with potential for further exploitation or ransomware deployment. Organizations are advised to treat an unexpected RMM installation as a security incident rather than a helpdesk ticket and to take proactive measures to secure their networks against this emerging threat.