An ongoing phishing campaign has been observed targeting multiple vectors and leveraging legitimate Remote Monitoring and Management (RMM) tools to establish persistent remote access on compromised hosts. Read this Cybersecurity Threat Advisory to mitigate risk for you and your clients.
What is the threat?
The threat is a large‑scale phishing campaign that installs legitimate, vendor‑signed remote management tools to gain stealthy, persistent access to victim environments. The campaign targets multiple initial access vectors and has compromised more than 80 organizations across diverse sectors, primarily in the United States. Attackers deploy customized SimpleHelp 5.0.1 and ScreenConnect Remote Monitoring and Management (RMM) software, often masquerading as user‑initiated installations, which allows them to bypass traditional security controls.
Why is it noteworthy?
This campaign is noteworthy for its resilience and operational sophistication. Attackers deploy two independent RMM tools simultaneously, creating redundant access that persists even if defenders remediate one channel. Initial compromise relies on SSA‑themed government impersonation phishing, prompting victims to download a fake benefits statement. Once opened, the malware installs as a Windows service, establishes Safe Mode persistence, conducts automated security posture checks every 67 seconds, and polls for operator presence every 23 seconds. While no formal attribution exists, the tradecraft aligns with a financially motivated initial access broker or ransomware precursor targeting Western organizations.
What is the exposure or risk?
This campaign creates high‑risk exposure because attackers can gain stealthy, long‑term control of victim systems using legitimate, vendor‑signed RMM tools rather than traditional malware. Once attackers establish a foothold, they harvest credentials, move laterally, deploy additional payloads including ransomware, exfiltrate sensitive data, or sell access to other threat actors. Because the campaign has already impacted more than 80 organizations across multiple sectors, primarily in the United States, it highlights a systemic risk: any environment that allows or trusts RMM software is vulnerable to covert remote access, particularly when users can be socially engineered into installing it themselves.
What are the recommendations?
Barracuda strongly recommends taking the following actions to reduce exposure and secure environments:
- Restrict and inventory all RMM tools, allowing only approved solutions from trusted vendors with documented business justification.
- Implement application allow-listing and code-signing verification to block unauthorized or self-hosted SimpleHelp and ScreenConnect instances.
- Enforce least-privilege and require admin approval (or Just-In-Time access) for installation and use of any remote access software.
- Harden email security (phishing filters, URL rewriting, attachment sandboxing) and block or flag SSA-themed or government-impersonation lures.
- Monitor for new or unusual Windows services, especially those enabling Safe Mode persistence or invoking SimpleHelp/ScreenConnect binaries.
- Collect and analyze endpoint telemetry for frequent network beacons, dual RMM connections, and anomalous remote sessions.
- Conduct user awareness training focused on remote support scams and fraudulent “SSA statement” or “benefits verification” emails.
- Establish incident response playbooks for RMM abuse, including rapid containment, credential reset, and forensic review of remote sessions.
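The telemetry recommendation above is illustrated with an added example (not part of this advisory or Barracuda's tooling): it groups outbound connections by host and destination and flags channels whose inter‑connection gaps are nearly constant, the pattern produced by timer‑driven check‑ins such as the 23‑second and 67‑second cadences described earlier. The log format, host names and destination addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry: "<ISO timestamp> <host> -> <destination:port>"
# ws-17 checks in every ~23 s; ws-04 shows irregular, human-like traffic.
SAMPLE_LOG = """\
2026-05-01T10:00:00 ws-17 -> 203.0.113.10:443
2026-05-01T10:00:23 ws-17 -> 203.0.113.10:443
2026-05-01T10:00:46 ws-17 -> 203.0.113.10:443
2026-05-01T10:01:10 ws-17 -> 203.0.113.10:443
2026-05-01T10:01:33 ws-17 -> 203.0.113.10:443
2026-05-01T10:01:56 ws-17 -> 203.0.113.10:443
2026-05-01T10:02:19 ws-17 -> 203.0.113.10:443
2026-05-01T10:00:05 ws-04 -> 198.51.100.7:443
2026-05-01T10:00:09 ws-04 -> 198.51.100.7:443
2026-05-01T10:01:40 ws-04 -> 198.51.100.7:443
2026-05-01T10:01:41 ws-04 -> 198.51.100.7:443
2026-05-01T10:04:12 ws-04 -> 198.51.100.7:443
2026-05-01T10:09:50 ws-04 -> 198.51.100.7:443
"""

def parse_log(text):
    """Group connection timestamps by (host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _, dest = line.split()
        events[(host, dest)].append(datetime.fromisoformat(ts))
    return events

def find_beacons(events, min_events=6, max_jitter=0.15, max_period=300):
    """Return {(host, dest): mean_gap_seconds} for near-constant cadences.

    Flag a channel when it has at least min_events connections, the mean
    gap is under max_period seconds, and the gaps vary by no more than
    max_jitter (coefficient of variation): a timer, not a person."""
    flagged = {}
    for key, stamps in events.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= max_period and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg, 1)
    return flagged

if __name__ == "__main__":
    for (host, dest), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{host} -> {dest}: beacon every ~{period}s")
```

Tune min_events, max_jitter and max_period to your environment; legitimate agents (update checkers, monitoring) also beacon, so treat a hit as a lead for verifying the process behind the connection, not as a verdict.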
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html
- https://www.securonix.com/blog/venomous-helper-phishing-campaign/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.