www.darkreading.com 5/4/2026, 9:26:44 PM

Phishing campaign abuses remote tools to stay hidden, experts warn

A stealthy phishing campaign targeting organisations across multiple industries has grown by weaponising legitimate IT management tools to bypass security controls, according to researchers. Security researchers at Securonix say the campaign, tracked as VENOMOUS#HELPER, has been active since at least April 2025 and has hit more than 80 organisations, primarily in the US but also in Western Europe and Latin America.

Notably, the operation employs two legitimately signed remote monitoring and management (RMM) tools, SimpleHelp and ScreenConnect, to enable persistent control over victim machines. According to Securonix, the threat actor uses SimpleHelp as the primary channel for running scripts and ScreenConnect for interactive desktop control. The attacker is described as maintaining access even if one tool is detected and removed, and the study labels attribution as a claim rather than a formal designation.

Researchers emphasise that this approach highlights the value of endpoint logging, SIEM or EDR, and application whitelisting in detecting such backdoor activity.

Article by CyberSIXT
