Since April 2025, attackers have been using a deceptively simple tactic: they phished employees at over 80 U.S. organizations, tricking them into installing legitimate remote-access software, then weaponizing those tools to lock down entire networks from the inside.
The campaign, tracked as VENOMOUS#HELPER by security firm Securonix, represents a year-long operation that exploits a fundamental trust gap in enterprise IT. Remote Monitoring and Management (RMM) software such as SimpleHelp and ScreenConnect is designed to let IT teams manage computers from afar—but in the hands of attackers, it becomes a skeleton key to corporate infrastructure. The fact that the campaign remained largely undetected for over a year suggests that many organizations still cannot distinguish between legitimate remote-access sessions and malicious ones.
- The Scale: Over 80 U.S. organizations were compromised through phishing emails that installed legitimate remote-access tools.
- The Duration: VENOMOUS#HELPER operated undetected for more than a year, from April 2025 to the present day.
- The Method: Attackers weaponized trusted RMM software like SimpleHelp and ScreenConnect to gain persistent network access.
What makes VENOMOUS#HELPER particularly dangerous is its reliance on phishing as the initial entry point. Rather than exploiting zero-day vulnerabilities or brute-forcing credentials, attackers sent emails designed to convince employees that they needed to install or update remote-access software. Once a victim clicked and installed, the attacker gained persistent remote access to that machine. From there, lateral movement across the network became possible, allowing the attacker to escalate privileges and reach sensitive systems.
Securonix identified the campaign as affecting more than 80 organizations, the majority based in the United States. The security firm noted overlaps with other known attack clusters, suggesting either shared tactics among different threat groups or a single operation with multiple variants. The campaign has remained active, meaning organizations that were compromised in April 2025 may still be hosting attacker infrastructure on their networks today.
Why Do Legitimate Tools Make Perfect Attack Vectors?
SimpleHelp and ScreenConnect are not inherently insecure—both are widely used by legitimate IT service providers and internal support teams. The vulnerability here is not in the software itself but in how easily attackers can abuse the trust users place in them. When an employee receives an email appearing to come from their IT department asking them to install or update remote-access software, most will comply without question. That social engineering layer is nearly impossible for software to defend against.
The persistence of VENOMOUS#HELPER over a full year also reflects a broader detection problem. Many organizations lack the network visibility to spot when legitimate tools are being used for illegitimate purposes. A remote-access session initiated by an attacker looks identical to one initiated by an IT technician—same software, same protocols, same permissions. Without behavioral analysis, threat hunting, or endpoint detection and response (EDR) tools tuned to catch anomalies, the intrusion can go unnoticed for months.
• 80+ organizations compromised over 12+ months
• Identical protocols used by legitimate IT and attackers
• Year-long persistence without triggering security alerts
What Happens After the Initial Compromise?
For organizations that may have been targeted, the implications are severe. Attackers with persistent remote access can steal data, plant ransomware, modify files, or establish backdoors that survive system reboots and password changes. They can move laterally to servers, databases, and cloud infrastructure. They can exfiltrate intellectual property, customer records, or financial data. And because they’re using legitimate software, traditional firewalls and intrusion detection systems may not flag the activity as malicious.
Securonix’s disclosure of the campaign is a signal that the threat landscape has shifted. Phishing campaigns that abuse legitimate tools are harder to defend against than campaigns that rely on malware or exploits. They require organizations to invest in user training, email security, network segmentation, and continuous monitoring—defenses that are more expensive and labor-intensive than simply patching a software vulnerability.
How Many Other Campaigns Are Still Hidden?
The timing of the campaign’s discovery—more than a year after it began—also raises questions about how many other similar operations may be ongoing undetected. If VENOMOUS#HELPER affected 80+ organizations and remained largely hidden, how many other phishing campaigns are currently active, using other legitimate tools, against other sectors?
Research published in ACM has documented the growing challenge of identifying security vulnerabilities in proprietary software ecosystems, particularly when attackers leverage legitimate administrative tools. The academic community has increasingly focused on developing methods to detect when trusted software is being misused for malicious purposes.
• Traditional security tools fail to detect legitimate software used maliciously
• Behavioral analysis and threat hunting become critical for detection
• Organizations need out-of-band verification for all software installation requests
What Should Organizations Do Right Now?
Organizations should assume that if they use SimpleHelp or ScreenConnect, they may have been targeted. The next step is to review access logs for those tools, looking for sessions that occurred outside normal business hours, from unusual IP addresses, or initiated by users who no longer work there. Endpoint detection tools should be configured to alert on suspicious behavior following remote-access sessions. And employees should be trained to verify any request to install or update software through an out-of-band channel—a phone call to IT, not a reply to an email.
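The log review described above, as an added example that is not part of Securonix's report or either vendor's tooling: it triages a constructed RMM session export for the three indicators the article names (off-hours sessions, untrusted source addresses, and sessions started by accounts that should no longer exist). The log format, trusted network range, business hours and user list are all assumptions; map your tool's real session export onto the same fields before running it.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample export, one session per line: "timestamp,user,source_ip,target_host"
SAMPLE_LOG = """\
2025-04-14T09:12:00,jdoe,10.20.5.17,WKS-0412
2025-04-14T23:47:00,jdoe,203.0.113.45,WKS-0412
2025-04-15T10:05:00,helpdesk2,10.20.5.18,WKS-0120
2025-04-16T02:30:00,mthomas,10.20.5.19,SRV-FILE01
2025-04-16T11:00:00,helpdesk2,198.51.100.7,SRV-DB01
"""

# Assumptions for this example: the corporate range, the accounts still active
# in the directory (mthomas has left), and local business hours 08:00-18:59.
TRUSTED_NETS = [ip_network("10.20.0.0/16")]
ACTIVE_USERS = {"jdoe", "helpdesk2"}
BUSINESS_HOURS = range(8, 19)

def parse_sessions(text):
    """Parse the CSV-style export into dicts, skipping blank lines."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, host = line.split(",")
        sessions.append({"ts": datetime.fromisoformat(ts), "user": user,
                         "ip": ip_address(ip), "host": host})
    return sessions

def flag_session(s):
    """Return the indicator names that apply to one session (empty if clean)."""
    reasons = []
    if s["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    if not any(s["ip"] in net for net in TRUSTED_NETS):
        reasons.append("untrusted-ip")
    if s["user"] not in ACTIVE_USERS:
        reasons.append("inactive-user")
    return reasons

def triage(text):
    """Map each suspicious session to its reasons; clean sessions are omitted."""
    return {f"{s['ts'].isoformat()} {s['user']}@{s['host']}": flag_session(s)
            for s in parse_sessions(text) if flag_session(s)}

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LOG).items():
        print(key, "->", ", ".join(reasons))
```

A hit on any single indicator is a lead for the analyst, not a verdict; the sessions that match two indicators at once are the ones to pull endpoint telemetry for first.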
The emergence of persistent network threats that survive security patches demonstrates why organizations need layered defenses beyond traditional perimeter security. AI-enhanced cybersecurity research is exploring new approaches to detect when legitimate tools are being weaponized, but these solutions require significant investment in monitoring infrastructure and security expertise.
Securonix’s identification of VENOMOUS#HELPER is a reminder that the most dangerous attacks often use the tools we already trust. The question now is how many organizations will act on that warning before attackers move on to the next batch of targets.
