VENOMOUS#HELPER Campaign: 80+ Organizations Compromised via Weaponized SimpleHelp and ScreenConnect RMM Tools
A sophisticated phishing campaign codenamed VENOMOUS#HELPER has been observed targeting over 80 organizations since at least April 2025, weaponizing legitimate Remote Monitoring and Management (RMM) tools—SimpleHelp and ScreenConnect—to establish persistent remote access while evading traditional security defenses.
Campaign Overview: VENOMOUS#HELPER
The activity, first identified by Securonix researchers, has impacted over 80 organizations, with the majority located in the United States. The campaign shares overlaps with clusters previously tracked by Red Canary and Sophos—the latter assigning it the moniker STAC6405.
While attribution remains unclear, Securonix assesses the campaign aligns with a financially motivated Initial Access Broker (IAB) or a ransomware precursor operation. The goal: gain persistent access to victim networks, then sell that access to ransomware gangs or conduct extortion operations directly.
"In this case, a customized SimpleHelp and ScreenConnect RMMs are used to bypass defenses as they are legitimately installed by the unsuspecting victim," researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee explained in their report.
The Weaponization of Legitimate RMM Tools
The campaign's defining characteristic is its use of legitimate, signed RMM software rather than custom malware. This approach provides several advantages to attackers:
1. Evasion of Signature-Based Detection
SimpleHelp and ScreenConnect are legitimate products from reputable vendors (SimpleHelp from a U.K. developer, ScreenConnect from ConnectWise). The binaries are digitally signed, widely deployed in enterprise environments, and whitelisted by many security products.
When these tools are deployed, standard antivirus and signature-based controls see nothing but legitimately signed software—making detection extremely difficult without behavioral analysis.
2. Redundant Dual-Channel Access Architecture
The deployment of both SimpleHelp and ScreenConnect indicates an attempt to create redundant access channels. If one RMM tool is detected and removed, the other remains available—ensuring continued operations even when either is blocked.
This redundancy demonstrates operational sophistication and a long-term persistence strategy.
3. Full Interactive Desktop Access
Unlike backdoors that provide limited command-and-control capabilities, RMM tools offer fully interactive desktop access—allowing operators to:
- View the victim's screen in real time
- Inject keystrokes and mouse movements
- Transfer files bidirectionally
- Execute commands silently in the user's desktop session
- Pivot to adjacent systems on the network
This level of access is indistinguishable from legitimate remote administration, making it exceptionally difficult to detect without specialized monitoring.
The Attack Chain: From Phishing to Persistence
Stage 1: SSA-Themed Phishing Email
The attack begins with a phishing email impersonating the U.S. Social Security Administration (SSA). The recipient is instructed to:
- Verify their email address
- Download a purported "SSA statement" by clicking an embedded link
The email leverages the authority and urgency associated with government communications, increasing the likelihood of compliance.
Stage 2: Compromised Legitimate Website
The link in the phishing email points to a legitimate-but-compromised Mexican business website (gruta.commx). This indicates a deliberate strategy to evade email spam filters:
- Domain Reputation: The domain has established history and isn't flagged as malicious
- Reduced Suspicion: Users are less likely to question a link to an unfamiliar but seemingly legitimate business website
- Filter Evasion: Email security gateways are less likely to block links to domains without known malicious associations
Stage 3: Second-Stage Payload Delivery
Clicking the link downloads a purported "SSA statement" from a second attacker-controlled domain (server.cubatiendaalimentos.commx). However, this file is not a document—it's a JWrapper-packaged Windows executable responsible for delivering the SimpleHelp RMM tool.
Researchers believe the attacker gained access to a single cPanel user account on the legitimate hosting server to stage the binary, further obscuring the attack infrastructure.
Stage 4: Installation and Persistence
When the victim opens the executable (thinking it's a document), the malware:
- Installs as a Windows Service: Configures itself with Safe Mode persistence, ensuring it loads even if the system boots in Safe Mode
- Self-Healing Watchdog: Implements a watchdog mechanism that automatically restarts the RMM tool if it's killed, maintaining persistent access
- Security Product Enumeration: Periodically queries the root\SecurityCenter2 WMI namespace every 67 seconds to identify registered security products
- User Presence Detection: Polls for user activity every 23 seconds to determine optimal times for operator interaction
Stage 5: Privilege Escalation
To facilitate fully interactive desktop access, the SimpleHelp remote access client:
- Acquires SeDebugPrivilege: Uses the AdjustTokenPrivileges Windows API to gain debugging privileges, allowing it to interact with other processes
- Deploys elev_win.exe: A legitimate executable file associated with SimpleHelp software is used to gain SYSTEM-level privileges, the highest privilege level on Windows
With SYSTEM access, the attacker can read the screen, inject keystrokes, and access all user-context resources without restriction.
Stage 6: Redundant Access via ScreenConnect
Once elevated remote access is established via SimpleHelp, the attacker uses that access to download and install ConnectWise ScreenConnect—providing a fallback communication mechanism if the SimpleHelp channel is detected and taken down.
Capabilities Gained by Attackers
According to Securonix, the deployed SimpleHelp version (5.0.1) provides a comprehensive remote administration capability set, including:
- Remote Desktop Control: Full visual access to the victim's desktop
- File Transfer: Bidirectional file upload and download
- Command Execution: Silent command execution in the user's desktop session
- System Information: Access to system configuration, installed software, and network topology
- Lateral Movement: Ability to pivot to adjacent systems on the network
- Persistence: Survives reboots, user logoffs, and attempted remediation
The victim organization is left in a state where the attacker can return at any time, execute operations silently, and maintain access even if one RMM tool is discovered.
Why This Campaign Succeeds
1. Abuse of Trust
The campaign exploits trust in multiple dimensions:
- Government Authority: SSA impersonation creates urgency and compliance
- Legitimate Websites: Compromised business domains appear trustworthy
- Signed Software: Legitimate RMM tools bypass security controls
2. Defense Evasion
Traditional security controls struggle to detect this campaign because:
- No Malicious Signatures: RMM binaries are legitimately signed
- No Suspicious Domains: Initial links point to compromised legitimate sites
- Behavioral Blindness: RMM tool behavior looks like legitimate remote administration
- Living-off-the-Land: Attackers use tools that belong in enterprise environments
3. Operational Security
The attackers demonstrate strong operational security:
- Redundancy: Dual RMM channels ensure persistence
- Self-Healing: Watchdog mechanisms maintain access
- Security Awareness: Active enumeration of security products suggests operators adapt based on defensive posture
Detection and Mitigation
Indicators of Compromise (IOCs)
Network Indicators:
- Outbound connections to SimpleHelp or ScreenConnect servers not authorized by your organization
- Connections to gruta.commx or server.cubatiendaalimentos.commx
- Unusual RMM traffic patterns (e.g., connections at odd hours, to/from unexpected geographies)
Host Indicators:
- SimpleHelp or ScreenConnect services installed without IT authorization
- Presence of elev_win.exe in unexpected locations
- JWrapper-packaged executables with SSA-themed names
- Windows services with Safe Mode persistence flags
- WMI queries to the root\SecurityCenter2 namespace at regular intervals
Behavioral Indicators:
- Remote desktop sessions initiated outside business hours
- File transfers to/from RMM processes
- Keystroke injection patterns inconsistent with user behavior
- Multiple RMM tools installed on the same endpoint
Preventive Measures
- RMM Tool Inventory: Maintain a complete inventory of all authorized RMM tools and their installation locations. Anything not on the list should be treated as suspicious.
- Application Allowlisting: Implement application allowlisting policies that only permit authorized RMM tools to execute. Block all others, even if signed.
- Network Segmentation: Restrict RMM tool communications to specific, monitored network segments. Block outbound RMM traffic at the perimeter unless explicitly required.
- Email Security: Deploy advanced email security solutions that can detect SSA impersonation, analyze links to compromised legitimate sites, and block executable attachments disguised as documents.
- Endpoint Detection and Response (EDR): Deploy EDR solutions with behavioral analysis capabilities that can detect RMM tool abuse, even when the tools themselves are legitimate.
- User Awareness Training: Educate users about:
  - SSA impersonation tactics
  - The danger of opening unexpected attachments, even from seemingly legitimate sources
  - How to verify government communications through official channels
- Privilege Management: Implement least-privilege access controls to limit the impact of RMM tool compromise. Restrict SYSTEM-level access to only essential processes.
- Continuous Monitoring: Monitor for:
  - New service installations
  - Changes to Safe Mode configuration
  - WMI queries to security-related namespaces
  - Unusual process execution chains involving RMM tools
Incident Response
If VENOMOUS#HELPER activity is suspected:
- Isolate Affected Systems: Immediately disconnect compromised endpoints from the network to prevent lateral movement
- Preserve Evidence: Capture memory dumps, disk images, and network logs before remediation
- Hunt for Redundancy: Search for both SimpleHelp AND ScreenConnect installations; attackers may have deployed multiple tools
- Check for Persistence: Review Windows services, scheduled tasks, and registry run keys for self-healing mechanisms
- Assess Scope: Determine how many systems are affected and whether lateral movement has occurred
- Reset Credentials: Assume all credentials on compromised systems are exposed; reset passwords and revoke session tokens
- Engage Law Enforcement: Report the incident to FBI IC3, CISA, or relevant national cybersecurity authorities
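The host indicators listed above and the "Hunt for Redundancy" and "Check for Persistence" steps can be scripted into one read-only triage pass. The following is an added example written for this article, not code from Securonix or from either RMM vendor; it assumes an elevated PowerShell 5.1+ session on the endpoint, and the $authorizedRmmPaths allowlist is a placeholder to be replaced with your own RMM inventory.

```powershell
# Added example, not code from the Securonix report or the article. Read-only hunt for the
# host indicators above; assumes an elevated PowerShell 5.1+ session on the endpoint.
$rmmPattern = 'SimpleHelp|ScreenConnect|elev_win'
# PLACEHOLDER: replace with the install paths from your own authorized-RMM inventory.
$authorizedRmmPaths = @('C:\Program Files\SimpleHelp')

function Find-RmmIndicators {
    # 1. Services whose name or binary path references either RMM tool.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match $rmmPattern -or $_.PathName -match $rmmPattern } |
        Select-Object Name, State, StartMode, PathName

    # 2. Safe Mode persistence: a service subkey under SafeBoot\Minimal or \Network
    #    is loaded even when Windows boots into Safe Mode.
    $safeBoot = foreach ($mode in 'Minimal', 'Network') {
        Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode" -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match $rmmPattern } |
            ForEach-Object { [pscustomobject]@{ Mode = $mode; Entry = $_.PSChildName } }
    }

    # 3. Run keys pointing at either tool (a self-healing watchdog needs a restart hook somewhere).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runEntries = foreach ($key in $runKeys) {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties | Where-Object { $_.Value -match $rmmPattern } |
                ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
        }
    }

    # 4. elev_win.exe anywhere outside the authorized install directories.
    $roots = @($env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)}, 'C:\Users') | Where-Object { $_ }
    $elevFiles = Get-ChildItem -Path $roots -Filter 'elev_win.exe' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $f = $_.FullName; -not ($authorizedRmmPaths | Where-Object { $f -like "$_\*" }) } |
        Select-Object FullName, LastWriteTime

    # 5. Which RMM families are present at all; both on one host is the redundancy pattern above.
    $paths = @($services.PathName) + @($elevFiles.FullName) + @($runEntries.Command)
    $families = @('SimpleHelp', 'ScreenConnect') | Where-Object { $paths -match $_ }

    [pscustomobject]@{
        Services = $services; SafeBoot = $safeBoot; RunEntries = $runEntries
        ElevWin = $elevFiles; Families = $families; DualRmm = ($families.Count -ge 2)
    }
}

$r = Find-RmmIndicators
$r.Services; $r.SafeBoot; $r.RunEntries; $r.ElevWin
if ($r.DualRmm) { Write-Warning "Both SimpleHelp and ScreenConnect present: $($r.Families -join ', ')" }
```

Run it before remediation so the output can be preserved alongside the memory and disk evidence; a non-empty SafeBoot or RunEntries result is the persistence to remove after the evidence is captured.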
The Broader Trend: RMM Tool Abuse
VENOMOUS#HELPER is part of a larger trend of RMM tool abuse observed throughout 2025-2026:
- 2025: Multiple ransomware groups adopted legitimate RMM tools for initial access and persistence
- 2026 Q1: Securonix observed a 340% increase in RMM tool abuse compared to Q4 2025
- Industry Response: RMM vendors are implementing stricter authentication requirements and anomaly detection, but adoption is uneven
The challenge for defenders is balancing legitimate remote administration needs with security controls that can detect and prevent abuse. Complete bans on RMM tools are impractical for most organizations, but unfettered deployment creates significant risk.
Key Takeaways
- Campaign Name: VENOMOUS#HELPER (Securonix) / STAC6405 (Sophos)
- Impact: 80+ organizations targeted since April 2025, majority in U.S.
- Attribution: Financially motivated Initial Access Broker or ransomware precursor
- Tools Weaponized: SimpleHelp 5.0.1 and ConnectWise ScreenConnect
- Attack Vector: SSA-themed phishing emails → compromised legitimate websites → JWrapper executable
- Persistence: Windows service with Safe Mode persistence, self-healing watchdog
- Privilege Escalation: SeDebugPrivilege via AdjustTokenPrivileges, SYSTEM access via elev_win.exe
- Redundancy: Dual-channel RMM architecture ensures continued access if one tool is detected
- Capabilities: Full interactive desktop access, file transfer, command execution, lateral movement
- Detection Challenge: Legitimate signed software evades signature-based controls
The Bottom Line
VENOMOUS#HELPER represents the evolution of initial access operations: weaponizing legitimate tools, abusing trusted infrastructure, and creating redundant persistence mechanisms that survive traditional remediation efforts.
The campaign demonstrates that signed software is not synonymous with safe software—and that defenders must shift from signature-based detection to behavioral analysis, continuous monitoring, and zero-trust architectures that assume compromise and verify every action.
For organizations that haven't yet inventoried their RMM tool deployments, implemented application allowlisting, or deployed behavioral EDR solutions, this campaign should serve as a wake-up call. The attackers aren't trying to hide anymore—they're hiding in plain sight, using the very tools you've authorized for legitimate administration.
The question isn't whether your organization is vulnerable to VENOMOUS#HELPER—it's whether you'd know if you were already compromised.