Phishing Campaign Exploits SimpleHelp and ScreenConnect RMM Tools in 80+ Orgs
Since April 2025, a sophisticated phishing operation has targeted more than 80 organizations by abusing legitimate Remote Monitoring and Management (RMM) platforms, SimpleHelp and ScreenConnect, to establish persistent remote access. The campaign lures victims with emails that impersonate official software-update notifications from the RMM vendors, including links that redirect to compromised landing pages hosting a malicious installer for the RMM client.
The installer registers a benign-looking service and establishes TLS-encrypted command-and-control (C2) channels that mimic normal RMM traffic. Attackers also leverage valid authentication tokens from the RMM portals, allowing them to persist across reboots and, in some cases, bypass multi-factor authentication. The malware, internally tracked as “RMMDoor”, includes modules for credential harvesting, lateral movement, and data exfiltration.
Victims have been identified across multiple sectors, including managed service providers (MSPs), healthcare, and finance. Telemetry data shows lateral movement to domain controllers and attempts to exfiltrate user password hashes and VPN configurations. The scale of the campaign underscores the risk of using unpatched or misconfigured RMM tools as an entry point.
Security teams are advised to monitor for unusual outbound connections to IP ranges associated with SimpleHelp and ScreenConnect, enforce strict allowlisting of RMM executables, and disable auto-update features that can be abused for supply-chain injection. Indicators of compromise (IOCs) such as specific SHA-256 hashes and C2 domains have been disseminated through threat-intel platforms to enable early detection and remediation.
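As an added example (not code from the article or from either RMM vendor), the allowlist check below implements the RMM-executable allowlisting recommended above over constructed process-creation events: it flags SimpleHelp or ScreenConnect client binaries whose SHA-256 is not an approved build, that run outside the expected install root, or that were launched from a mail client or browser, the delivery path this campaign uses. The executable names, install roots, parent-process list and hashes are assumptions or constructed stand-ins, not values from the article.

```python
import hashlib
from pathlib import PureWindowsPath

# Approved RMM client builds keyed by executable name. Hashes are constructed
# stand-ins (sha256 of a label), not real IOCs; take yours from install media.
APPROVED_RMM_SHA256 = {
    "screenconnect.clientservice.exe": {hashlib.sha256(b"approved-screenconnect-build").hexdigest()},
    "remote access.exe": {hashlib.sha256(b"approved-simplehelp-build").hexdigest()},
}
# Install roots where those clients are expected to run (assumed defaults).
APPROVED_ROOTS = (r"c:\program files (x86)\screenconnect client",
                  r"c:\program files\jwrapper-remote access")
# Parent processes that mean a user launched the installer from mail or web.
SUSPECT_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
RMM_MARKERS = ("screenconnect", "simplehelp", "remote access")

def is_rmm_binary(image: str) -> bool:
    """True if the image path references a SimpleHelp or ScreenConnect client."""
    return any(m in image.lower() for m in RMM_MARKERS)

def evaluate(event: dict) -> list[str]:
    """Reasons an RMM process-creation event violates the allowlist (empty = clean)."""
    image = event["image"].lower()
    if not is_rmm_binary(image):
        return []
    reasons = []
    if event["sha256"].lower() not in APPROVED_RMM_SHA256.get(PureWindowsPath(image).name, set()):
        reasons.append("hash not in approved RMM builds")
    if not image.startswith(APPROVED_ROOTS):
        reasons.append("running outside approved install root")
    if event["parent"].lower() in SUSPECT_PARENTS:
        reasons.append(f"launched by {event['parent']} (mail/browser parent)")
    return reasons

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged image path to its reasons; clean events are omitted."""
    return {e["image"]: r for e in events if (r := evaluate(e))}

# Constructed sample events in a Sysmon-like shape, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "sha256": hashlib.sha256(b"approved-screenconnect-build").hexdigest(), "parent": "services.exe"},
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     "sha256": hashlib.sha256(b"unknown-build").hexdigest(), "parent": "outlook.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "sha256": hashlib.sha256(b"svchost").hexdigest(), "parent": "services.exe"},
]
if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

Only the second sample event is reported, with all three reasons; the approved client under its install root and the unrelated svchost.exe pass silently.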