
Fake SSA Emails Fuel Venomous Helper Phishing Campaign


Phishing Campaign Exploits Remote Management Software, Compromising Over 80 Organizations in the US

A prolonged phishing operation has come to light, revealing a sophisticated scheme that leverages signed remote monitoring and management (RMM) software to covertly install persistent backdoors on devices belonging to more than 80 organizations, primarily within the United States. Dubbed Venomous#Helper, this operation has reportedly been active since at least April 2025, employing a combination of self-hosted SimpleHelp 5.0.1 alongside a ConnectWise ScreenConnect relay. This dual approach provides the operators with two distinct access points into every compromised machine, as detailed in recent research by cybersecurity firm Securonix.

The research highlights the operation’s overlap with activity previously reported by both Red Canary and Sophos, the latter tracking it as STAC6405. Although Securonix has yet to link Venomous#Helper to a specific known group, its analysis indicates that the operation aligns with a financially driven initial access broker, potentially serving as a precursor to broader ransomware attacks.

Government Impersonation Tactics

The initial phase of the infection vector involved emails masquerading as communications from the US Social Security Administration (SSA), prompting recipients to confirm their address and download what appeared to be a government statement. Securonix’s findings revealed that the link in these phishing emails directed users to a compromised Mexican commercial website, gruta[.]com.mx. This site served a fraudulent page branded with the SSA’s identity before leading unsuspecting users to a malicious payload hosted on a separate compromised cPanel account.

The attackers intentionally used established .com.mx domains to evade the reputation filtering of secure email gateways. The executable that victims were lured into downloading was disguised to resemble an official government document. It was actually a JWrapper-packaged binary signed by SimpleHelp Ltd with a valid Thawte certificate. That signature produced a blue verified-publisher prompt during installation, far less suspicious than the red unknown-publisher warning typical of malware, and this prompt was the only moment in the attack chain requiring direct victim interaction.

Persistent Access and Automated Monitoring

Once the victim approved the installation, it created a Windows service called "Remote Access Service" and modified the SafeBoot\Network registry hive. This keeps the service running even when the machine is rebooted into Safe Mode with Networking. A built-in liveness watchdog monitored the Remote Access Tool (RAT) process and automatically restarted it if it was terminated.

Securonix noted that even a one-hour monitoring session recorded 986 process-creation events originating solely from background polling, with no operator intervention. Three separate loops ran concurrently: a WiFi interface check every 15 seconds, a mouse-position poll every 23 seconds, and a security-product enumeration sweep every 67 seconds. The mouse-position polling loop was particularly concerning, as it suggests the operators intended to interact with the victim’s device at times when the user was away from it.
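The polling cadence described above is itself a detectable behaviour. The following is an added example, not code from the article or from Securonix: it runs over constructed Sysmon-style process-creation records (the parent image path, the command lines and the timestamps are all assumed for illustration) and flags any command line that one parent spawns at a near-constant interval, which is how a 15/23/67-second loop stands out from bursty human activity.

```python
"""Flag periodic process-creation loops in endpoint telemetry.

Added example with constructed records; nothing here is telemetry from the
Securonix report. The parent path, command lines and timestamps are assumed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical image path of the RMM service acting as parent process.
ASSUMED_PARENT = r"C:\ProgramData\RemoteAccess\service.exe"


def _loop(period, command, count, start=0):
    """Build `count` constructed records spaced `period` seconds apart."""
    return [(start + i * period, ASSUMED_PARENT, command) for i in range(count)]


# Constructed records: (seconds since session start, parent image, command line).
SAMPLE_EVENTS = (
    _loop(15, "netsh wlan show interfaces", 12)                    # assumed WiFi check
    + _loop(23, "cursorpos-check (hypothetical command)", 8)       # assumed mouse poll
    + _loop(67, r"wmic.exe.bak /namespace:\\root\SecurityCenter2 "
                "path AntiVirusProduct get displayName", 4)        # assumed AV sweep
    # Irregular interactive activity that must not be flagged.
    + [(3, r"C:\Windows\explorer.exe", "notepad.exe"),
       (41, r"C:\Windows\explorer.exe", "notepad.exe"),
       (130, r"C:\Windows\explorer.exe", "notepad.exe"),
       (299, r"C:\Windows\explorer.exe", "notepad.exe")]
)


def find_periodic_loops(events, min_events=4, max_jitter=1.0,
                        min_period=5, max_period=600):
    """Return {(parent, command): period_seconds} for command lines that a
    parent spawns at a near-constant interval.

    Human activity is bursty, so a tight inter-arrival spread (population
    standard deviation <= max_jitter) over at least min_events launches is
    the signal. The period bounds filter out one-off bursts and very slow
    scheduled tasks that are usually benign.
    """
    by_key = defaultdict(list)
    for ts, parent, cmd in events:
        by_key[(parent, cmd)].append(ts)

    loops = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if min_period <= period <= max_period and pstdev(gaps) <= max_jitter:
            loops[key] = round(period)
    return loops


def summarize(events):
    """Map each detected loop's command line to its period, for an alert body."""
    return {cmd: period for (_, cmd), period in find_periodic_loops(events).items()}


if __name__ == "__main__":
    for cmd, period in sorted(summarize(SAMPLE_EVENTS).items(), key=lambda kv: kv[1]):
        print(f"every {period:3d}s: {cmd}")
```

On the constructed input the three loops are reported at 15, 23 and 67 seconds while the irregular notepad launches are ignored. In production the grouping key would normally include host and user, and the jitter tolerance should be widened slightly for agents that log with coarse timestamps.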

Moreover, the researchers flagged an evasion technique employed by the RAT: it executed Windows Management Instrumentation Command-line (WMIC) queries through a renamed copy of the binary, stored as wmic.exe.bak. This sidestepped endpoint detection and response (EDR) rules keyed on the original filename, which makes the renamed file a high-value indicator of compromise for defenders to hunt.

The dual RMM setup facilitates a uniquely challenging scenario for cybersecurity defenders. Securonix researchers emphasize that when the malicious code masquerades as legitimate IT management software, the only traces left behind are behavioral anomalies, making detection considerably more difficult.

In light of these findings, cybersecurity experts urge organizations to deploy high-fidelity endpoint telemetry, maintain a comprehensive inventory of approved tools, and actively hunt for abnormal process lineage beneath signed RMM binaries. Vigilance remains essential as cybercriminals continue to refine their abuse of legitimate software.
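The three recommendations above, together with the persistence and renamed-WMIC indicators described earlier, translate into a small set of triage checks. The following is an added example, not detection content from the article or from Securonix: it runs over constructed Sysmon-style process and registry records (every path, signer string other than "SimpleHelp Ltd", and the approved-vendor inventory are assumed placeholders) and flags a renamed system binary, a write under SafeBoot\Network, a signed RMM binary that is not in the approved inventory, and the child processes of that RMM binary.

```python
"""Triage checks for RMM-abuse indicators over constructed endpoint records.

Added example; field names mimic Sysmon (Image, OriginalFileName, Signer,
ParentImage, TargetObject) and every value below is assumed for illustration.
"""
import ntpath

# Signer observed on the campaign's installer per the report; extend with other
# RMM vendors your environment sees. Compared case-insensitively.
KNOWN_RMM_SIGNERS = {"simplehelp ltd"}
# Placeholder for the organisation's inventory of sanctioned RMM signers.
APPROVED_RMM_SIGNERS = {"example approved rmm vendor (placeholder)"}

RMM_SERVICE = r"C:\ProgramData\RemoteAccess\service.exe"  # hypothetical path

# Constructed process-creation records.
PROCESS_RECORDS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "Signer": "Microsoft Windows", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": RMM_SERVICE, "OriginalFileName": "service.exe",
     "Signer": "SimpleHelp Ltd", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\ProgramData\Temp\wmic.exe.bak", "OriginalFileName": "wmic.exe",
     "Signer": "Microsoft Windows", "ParentImage": RMM_SERVICE},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "Signer": "Microsoft Windows", "ParentImage": r"C:\Windows\explorer.exe"},
]

# Constructed registry-write records (key names modelled on the hive the
# article names; the service name is the one the article reports).
REGISTRY_RECORDS = [
    {"TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Remote Access Service",
     "Image": RMM_SERVICE},
    {"TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Remote Access Service\ImagePath",
     "Image": RMM_SERVICE},
]


def renamed_binaries(records):
    """Images whose PE OriginalFileName disagrees with the on-disk file name.
    A copy of wmic.exe saved as wmic.exe.bak still carries 'wmic.exe' in its
    version resource, so the mismatch survives the rename."""
    hits = []
    for rec in records:
        on_disk = ntpath.basename(rec["Image"]).lower()
        original = rec.get("OriginalFileName", "").lower()
        if original and on_disk != original:
            hits.append(rec["Image"])
    return hits


def unapproved_rmm(records):
    """Processes signed by an RMM vendor that is not in the approved inventory."""
    return [(rec["Image"], rec["Signer"]) for rec in records
            if rec.get("Signer", "").lower() in KNOWN_RMM_SIGNERS
            and rec.get("Signer", "").lower() not in APPROVED_RMM_SIGNERS]


def rmm_children(records):
    """Child processes spawned by any RMM-signed image (process lineage check)."""
    rmm_images = {rec["Image"] for rec in records
                  if rec.get("Signer", "").lower() in KNOWN_RMM_SIGNERS}
    return [rec["Image"] for rec in records if rec["ParentImage"] in rmm_images]


def safeboot_writes(records):
    """Registry writes under Control\\SafeBoot\\, which keep a service alive in
    Safe Mode; few legitimate installers touch this hive."""
    return [rec["TargetObject"] for rec in records
            if "\\control\\safeboot\\" in rec["TargetObject"].lower()]


def triage(process_records, registry_records):
    """Collect every finding into one structure suitable for an alert."""
    return {
        "renamed_binaries": renamed_binaries(process_records),
        "unapproved_rmm": unapproved_rmm(process_records),
        "rmm_children": rmm_children(process_records),
        "safeboot_writes": safeboot_writes(registry_records),
    }


if __name__ == "__main__":
    for name, hits in triage(PROCESS_RECORDS, REGISTRY_RECORDS).items():
        print(f"{name}: {hits}")
```

The OriginalFileName check is the durable half of the renamed-WMIC indicator: a filename rule matches only wmic.exe.bak, whereas comparing the version resource against the on-disk name catches any future rename. The lineage check deliberately reports every child of an RMM-signed process; a sanctioned RMM tool is expected to spawn shells, so the inventory comparison is what turns that list into an alert.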
