Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools

Ravie Lakshmanan | May 04, 2026 | Network Security / Endpoint Security

An ongoing phishing campaign, active since April 2025, has been observed targeting organizations across a range of sectors and abusing legitimate Remote Monitoring and Management (RMM) software to establish persistent remote access to compromised systems.

The campaign, tracked as VENOMOUS#HELPER, has affected more than 80 organizations, most of them in the U.S., according to Securonix. It overlaps with activity clusters previously documented by Red Canary and Sophos, the latter of which tracks it as STAC6405. While the threat actor has not been identified, the cybersecurity firm assesses it is most likely a financially motivated Initial Access Broker (IAB) or a precursor operation for ransomware deployment.

“In this instance, customized SimpleHelp and ScreenConnect RMMs are utilized to bypass security measures, installed without the victim’s knowledge,” explained researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee in a report shared with The Hacker News.

The use of legitimate RMM tools is itself an evasion tactic, since RMM binaries and traffic are often signed, allow-listed, and treated as administrative noise. Deploying both SimpleHelp and ScreenConnect goes a step further, creating what the researchers call a "redundant dual-channel access architecture" so the attackers retain access even if one channel is detected and blocked.

The attack chain starts with a phishing email impersonating the U.S. Social Security Administration (SSA) that asks recipients to verify their email address and download a supposed SSA statement by clicking a link in the message. The link points to a compromised Mexican business website ("gruta.com[.]mx"); because the domain is legitimate and has no prior bad reputation, the link is more likely to pass email security filters.

The "SSA statement" is then fetched from a second attacker-controlled host ("server.cubatiendaalimentos.com[.]mx") and is in fact the SimpleHelp RMM client. The attackers likely obtained access to a cPanel user account on an otherwise legitimate hosting server and used it to stage the binary.

Once the JWrapper-packaged Windows executable is launched, the SimpleHelp client installs itself as a Windows service and registers for Safe Mode start, so it keeps running even if the machine is booted into Safe Mode for remediation. It also periodically checks for installed security products and for user presence, helping the operators maintain access unnoticed.

To enable interactive desktop access, the SimpleHelp client acquires the privileges it needs, and the "elev_win.exe" component provides SYSTEM-level access, allowing the operators to view the screen, inject keystrokes, and reach system resources.

This elevated access is then used to install ConnectWise ScreenConnect as a second remote-access channel, serving as a fallback if the SimpleHelp connection is discovered and cut off.
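The persistence pattern described above (an RMM client installed as a service, registered to start in Safe Mode, with an elevation helper running as SYSTEM, and a second RMM client as a fallback) is something a responder can check for directly. The PowerShell triage script below is an added example, not code from the Securonix report or from either RMM vendor. It assumes Windows PowerShell 5.1 or later run as an administrator; the service-name fragments in `$RmmPatterns` and the empty `$SanctionedRmmServices` allow-list are assumptions to be adjusted to the RMM products your organization actually licenses.

```powershell
# Added example (not from the Securonix report): triage a host for unsanctioned
# SimpleHelp / ScreenConnect services, Safe Mode persistence, and related processes.
# Assumes Windows PowerShell 5.1+ run as an administrator.

# Exact service names of RMM products your organization licenses (assumed empty here).
$SanctionedRmmServices = @()

# Name fragments assumed to identify SimpleHelp and ScreenConnect services, binaries
# and processes; extend from known-good installs in your own fleet.
$RmmPatterns = @('SimpleHelp', 'SimpleService', 'ScreenConnect', 'ConnectWise')

function Test-RmmMatch {
    param([string[]]$Values)
    foreach ($v in $Values) {
        foreach ($p in $RmmPatterns) {
            if ($v -and $v -like "*$p*") { return $true }
        }
    }
    return $false
}

# Snapshot of installed services keyed by service name, reused for the Safe Mode lookup.
$services = @{}
Get-CimInstance -ClassName Win32_Service | ForEach-Object { $services[$_.Name] = $_ }

$findings = @()

# 1. Installed services matching an RMM pattern that are not on the sanctioned list.
foreach ($svc in $services.Values) {
    if ((Test-RmmMatch @($svc.Name, $svc.DisplayName, $svc.PathName)) -and
        ($SanctionedRmmServices -notcontains $svc.Name)) {
        $findings += [pscustomobject]@{
            Finding   = 'Unsanctioned RMM service'
            Name      = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            Account   = $svc.StartName
            Path      = $svc.PathName
        }
    }
}

# 2. Safe Mode persistence. A service starts in Safe Mode only if a subkey named after it
#    exists under SafeBoot\Minimal or SafeBoot\Network with a default value of 'Service'.
#    Windows components and some AV products register here legitimately, so flag entries
#    whose binary lives outside the Windows directory and call out RMM matches explicitly.
$safeBootRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)
foreach ($root in $safeBootRoots) {
    foreach ($key in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $default = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($default -ne 'Service') { continue }
        $name  = $key.PSChildName
        $svc   = $services[$name]
        $isRmm = Test-RmmMatch @($name, $svc.DisplayName, $svc.PathName)
        $outsideWindows = ($null -ne $svc) -and $svc.PathName -and ($svc.PathName -notlike "*$env:windir*")
        if ($isRmm -or $outsideWindows) {
            $label = 'Non-Windows service registered for Safe Mode'
            if ($isRmm) { $label = 'RMM service registered for Safe Mode' }
            $path = $key.PSPath
            if ($svc) { $path = $svc.PathName }
            $findings += [pscustomobject]@{
                Finding   = $label
                Name      = $name
                State     = $svc.State
                StartMode = $svc.StartMode
                Account   = $svc.StartName
                Path      = $path
            }
        }
    }
}

# 3. Live processes from the same tool families, including the elevation helper
#    named in the report (elev_win.exe). Get-Process names omit the .exe suffix.
foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
    if ($proc.Name -match 'elev_win|SimpleHelp|SimpleService|ScreenConnect') {
        $findings += [pscustomobject]@{
            Finding   = 'RMM-related process running'
            Name      = $proc.Name
            State     = 'Running'
            StartMode = ''
            Account   = ''
            Path      = $proc.Path
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it on a suspect host and on a known-clean reference build of the same image; the Safe Mode check is intentionally broad, so compare the two outputs and treat any SafeBoot entry that exists only on the suspect host, or that points outside the Windows directory and is not your licensed endpoint agent, as a lead worth pulling the service binary and install timestamp for.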

“The deployed SimpleHelp version (5.0.1) provides extensive remote administration capabilities, leaving the victim organization vulnerable to silent commands, file transfers, and lateral movement, undetected by traditional security measures,” noted the researchers.