A phishing campaign has compromised over 80 organizations, using legitimate remote access tools like SimpleHelp and ScreenConnect. Attackers trick victims into installing these programs, gaining full control of the systems. Once inside, they steal credentials, deploy malware, and establish persistence on the affected networks.
How attackers operate with legitimate RMM tools 🛡️
Attackers send emails or messages that impersonate technical support and prompt the victim to download SimpleHelp or ScreenConnect. Once executed, the legitimate software grants remote control without triggering antivirus alerts, since it is signed, widely used software. The attackers then deploy malicious payloads such as credential stealers, ransomware, or backdoors, and modify system configurations to ensure their continued access.
The tech support nobody asked for or needs 🚨
It turns out the best way to sneak into a company is not with complex exploits, but by politely asking you to install a remote control program. Attackers act like the technician who shows up unannounced, tells you your PC has a virus, and then steals your passwords. The worst part is that the software itself is legitimate; the crime is that it was sold to you as official support.