CyberSecurity SEE

Phishing Campaign Targets Over 80 Organizations Using SimpleHelp and ScreenConnect RMM Tools

An active phishing campaign has been detected, targeting numerous entities since at least April 2025, utilizing legitimate Remote Monitoring and Management (RMM) software to secure ongoing remote access to compromised systems. This malicious activity, dubbed VENOMOUS#HELPER, has reportedly affected over 80 organizations, with a significant concentration in the United States, according to insights from the cybersecurity firm Securonix.

This phishing scheme has notable similarities with previously identified clusters by cybersecurity firms Red Canary and Sophos, the latter referring to it as STAC6405. Although the exact perpetrator of this campaign remains unidentified, the modus operandi suggests alignment with a financially motivated Initial Access Broker (IAB) or a precursor to a ransomware operation, indicating a potentially severe threat landscape.

The research team comprising Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee provided a detailed breakdown of the attack mechanism. In their report, they noted how tailored builds of the SimpleHelp and ScreenConnect RMM tools are being abused to slip past security controls. The victim organizations install these tools themselves, without realizing what they are, which adds a layer of deceit to the campaign. Deploying both RMMs reflects a calculated strategy to establish a “redundant dual-channel access architecture,” so that even if one channel is detected and neutralized, the other remains available for continued malicious activity.

The phishing attack typically initiates with an email impersonating the U.S. Social Security Administration (SSA). Recipients are misled into verifying their email address and prompted to download a file purportedly containing an SSA statement. The link within the email leads to a legitimate but compromised Mexican business website, demonstrating a sophisticated effort to evade email spam detection systems.

Once the victim downloads the fake “SSA statement” from a secondary attacker-controlled domain, the executable file activates, deploying the SimpleHelp RMM tool. The attackers appear to have compromised a single cPanel user account on the legitimate hosting server, allowing them to manipulate the server’s resources to stage their malicious payload.

Upon execution of the disguised file (a JWrapper-packaged Windows executable), the malware silently installs itself as a Windows service configured to start even in Safe Mode. It incorporates a “self-healing watchdog” that automatically restarts the service if it is terminated, keeping the malware present on the host. Additionally, it queries the registered security products every 67 seconds and polls user activity every 23 seconds, maintaining an active pulse on both the system’s defenses and its user.

To enable full interactivity with the victim’s desktop, the SimpleHelp remote access client enables SeDebugPrivilege on its own token by calling AdjustTokenPrivileges. Notably, the operation also uses "elev_win.exe," a legitimate helper executable shipped with SimpleHelp, to obtain SYSTEM-level privileges. With this elevation the attacker gains full control of the end user’s session, including screen monitoring, keystroke injection, and access to resources in the user’s context.

The attacker’s capabilities extend further with the installation of ConnectWise ScreenConnect, forming a backup communication channel should the primary SimpleHelp avenue get blocked. This dual-access strategy highlights the sophistication of the attackers’ operational security.
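The service installation, the SeDebugPrivilege adjustment and the dual-RMM footprint described above are all visible in ordinary Windows telemetry. The following is an added detection example (not code from the Securonix report): it walks a constructed set of host events, treating Event ID 7045 (System log, "a service was installed") and Event ID 4703 (Security log, "a token right was adjusted") as the sources, flags service installs and SeDebugPrivilege grants tied to SimpleHelp, JWrapper, elev_win.exe or ScreenConnect, and reports any host where both RMM families appear together. The record schema, host names and file paths are assumptions for the example.

```python
import re
from collections import defaultdict

# Indicators taken from the campaign description: the two RMM products
# and the SimpleHelp helper binary used for SYSTEM elevation.
RMM_PATTERNS = {
    "SimpleHelp": re.compile(r"simplehelp|jwrapper|elev_win\.exe", re.I),
    "ScreenConnect": re.compile(r"screenconnect|connectwise", re.I),
}

def classify(text):
    """Return the RMM family a path or process string belongs to, or None."""
    for family, pattern in RMM_PATTERNS.items():
        if pattern.search(text):
            return family
    return None

def analyze(events):
    """Return (findings, hosts seen with both RMM families).

    Assumed record keys (constructed schema, not a real log format):
      host, event_id; for 7045: service_name, image_path;
      for 4703: process_name, enabled_privileges (list of strings).
    """
    findings, families = [], defaultdict(set)
    for ev in events:
        host, fam = ev["host"], None
        if ev["event_id"] == 7045:  # new service installed
            fam = classify(ev["image_path"] + " " + ev["service_name"])
            detail = "service install: " + ev["service_name"]
        elif ev["event_id"] == 4703 and "SeDebugPrivilege" in ev["enabled_privileges"]:
            fam = classify(ev["process_name"])  # who enabled the privilege
            detail = "SeDebugPrivilege enabled by " + ev["process_name"]
        if fam:
            families[host].add(fam)
            findings.append((host, fam, detail))
    dual = sorted(h for h, f in families.items() if len(f) == 2)
    return findings, dual

# Constructed sample telemetry for two hosts; paths and names are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 7045, "service_name": "SimpleHelp Remote Access",
     "image_path": r"C:\ProgramData\JWrapper-Remote Access\remote-access.exe"},
    {"host": "ws01", "event_id": 4703, "enabled_privileges": ["SeDebugPrivilege"],
     "process_name": r"C:\ProgramData\JWrapper-Remote Access\elev_win.exe"},
    {"host": "ws01", "event_id": 7045, "service_name": "ScreenConnect Client (example)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "ws02", "event_id": 7045, "service_name": "Print Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "ws02", "event_id": 4703, "enabled_privileges": ["SeIncreaseQuotaPrivilege"],
     "process_name": r"C:\Windows\System32\svchost.exe"},
]
```

Running `analyze(SAMPLE_EVENTS)` yields three findings on ws01 and lists ws01 as the only host carrying both RMM channels; ws02 produces nothing because neither its service install nor its privilege adjustment matches an RMM indicator.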

Researchers concluded that the SimpleHelp version deployed (5.0.1) offers a robust suite of remote administration tools. Consequently, the victimized organizations are left in a state where the attackers can return at their convenience, execute commands discreetly, transfer files in both directions, and pivot to other systems within the network. The attack is harder to catch because standard antivirus solutions and signature-based defenses see only legitimate, signed software from a reputable vendor in the United Kingdom.

This evolving threat emphasizes the critical need for organizations to bolster their cybersecurity defenses, employing advanced detection mechanisms and user awareness training to withstand sophisticated phishing campaigns that leverage legitimate tools for malicious intents. The findings underscore an urgent call for vigilance in recognizing and responding to potential phishing threats, thereby safeguarding sensitive data and operational integrity in an increasingly complex cyber landscape.
