
APT phishing campaign abusing ScreenConnect, AnyDesk, and Atera

Campaign
Happening score: 42
1 unique source, 1 article

Summary


A wave of phishing-led RMM abuse is giving APT groups initial access to systems and enabling persistence plus lateral movement inside compromised networks. The activity spans AnyDesk, ConnectWise ScreenConnect, and Atera, showing a broader operator pattern rather than a single-tool abuse case. Attackers are leveraging legitimate remote-management functions to turn trusted software into an intrusion path.

Related Happenings

AI chatbot cryptojacking campaign targeting high-performance GPU users

Campaign
First: 27.05.2026 10:45 Last: 27.05.2026 10:45 Sources 1

About this happening: An active **cryptojacking campaign** is using **AI chatbot interactions** and **SEO-poisoned download sites** to deliver mining malware, expanding the reach of malicious downloads...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

CloudZ RAT Pheno Microsoft Phone Link credential-theft activity

Malware Activity
First: 05.05.2026 13:03 Last: 05.05.2026 13:03 Sources 1

About this happening: The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...

VENOMOUS#HELPER phishing campaign using RMM tools

Campaign
First: 04.05.2026 21:06 Last: 04.05.2026 21:06 Sources 1

About this happening: An active **VENOMOUS#HELPER** phishing campaign is using legitimate **RMM software** to establish **persistent remote access** to compromised hosts, putting **over 80 organization...

Latest development: 05.05.2026 17:00

Securonix found the Venomous#Helper phishing campaign using emails impersonating the US Social Security Administration to send victims to gruta[.]com.mx, which served an SSA-branded harvesting page before redirecting to payload delivery from a separate compromised cPanel account. The campaign pairs a self-hosted SimpleHelp 5.0.1 instance with a ConnectWise ScreenConnect relay, and the downloaded JWrapper-packaged binary was signed by SimpleHelp Ltd with a valid Thawte certificate. In a one-hour observation, Securonix recorded 986 background process-creation events and WMIC execution through a renamed wmic.exe.bak copy to evade EDR rules.

2025 Rise in legitimate-access intrusions across enterprise sectors

Target Trend
First: 01.04.2026 17:05 Last: 01.04.2026 17:05 Sources 1

About this happening: **Legitimate access abuse** is now a leading intrusion pattern across **2025** investigations, increasing the risk of stealthy compromise across **manufacturing, healthcare, MSPs,...

Timeline

  1. 13.10.2025 18:45 · 2 articles · 7mo ago

    DarkAtlas reports phishing-led abuse of RMM tools

    Initial Disclosure

    DarkAtlas researchers report that advanced persistent threat groups are abusing AnyDesk, ConnectWise ScreenConnect, and Atera in phishing-led intrusions to gain unauthorized control of systems. The analysis says ScreenConnect is being repurposed through legitimate features (unattended access, VPN functionality, REST API integration, and file transfer) to establish persistence, move laterally within compromised networks, and conceal activity, using an in-memory installer and custom URLs or invite links. The report also notes persistent installation of the ScreenConnect.WindowsClient.exe service and event log artifacts such as Security Event ID 4573 and Application Log events 100 and 101.
