Widespread Phishing Attack Targets Over 80 Organizations with SimpleHelp and ScreenConnect RMM Tools

An Overview of the VENOMOUS#HELPER Phishing Campaign

A phishing campaign tracked by Securonix as VENOMOUS#HELPER has been active since April 2025. Rather than dropping custom malware, it installs legitimate Remote Monitoring and Management (RMM) software on victim machines and uses it as the persistent remote-access channel.

According to Securonix, over 80 organizations, primarily in the U.S., have been affected. The tradecraft overlaps with threat clusters previously documented by Red Canary and Sophos; Sophos tracks its cluster as STAC6405. The operators have not been attributed, but the activity appears financially motivated and is consistent with either an Initial Access Broker (IAB) or the pre-ransomware stage of an intrusion.

The attackers rely on the trust placed in legitimate, signed RMM tools such as SimpleHelp and ScreenConnect: because these products are common in enterprise environments, their installers and network traffic are frequently allow-listed and draw little scrutiny from security controls. By deploying two different RMM products on the same host, the threat actors build a redundant dual-channel access path, so that discovering and removing one tool does not cost them access.

The intrusion begins with an email impersonating the U.S. Social Security Administration (SSA), asking the recipient to verify their email address and download a purported SSA statement from an embedded link. The link points to a compromised Mexican business website, gruta.com.mx; using an established legitimate domain rather than attacker-registered infrastructure helps the message pass reputation-based email filtering.


The "SSA statement" is actually served from a second host, server.cubatiendaalimentos.com.mx, and delivers the SimpleHelp RMM client. The hosting setup indicates that the attacker compromised a cPanel user account on a legitimate shared hosting server and used it to stage the payload.

When the victim runs the JWrapper-packaged Windows executable, the SimpleHelp client installs itself as a Windows service and registers that service to start in Safe Mode as well, so that booting into Safe Mode for remediation does not shed the implant. It also includes a "self-healing watchdog" that restarts the service if it is stopped, polls for installed security products every 67 seconds, and samples user activity every 23 seconds.


The SimpleHelp client acquires SeDebugPrivilege, which lets it open other processes and attach to the interactive desktop session, and uses the bundled elev_win.exe helper to run with SYSTEM-level privileges. With that, the operator can view the user's screen, inject keystrokes, and reach any resource the logged-on user can reach.

The attacker then deploys ConnectWise ScreenConnect as a second, independent remote-access channel, ensuring that access survives if the SimpleHelp client is found and removed.

The researchers note that the deployed SimpleHelp build offers the full remote administration feature set: the operator can execute commands without a visible console, transfer files in both directions, and pivot to other hosts on the network, all through a tool whose activity blends in with legitimate IT support traffic.
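The service-with-Safe-Mode-persistence and dual-channel behaviors described above are exactly what a defender should hunt for fleet-wide. The following is an added triage example, not code from Securonix or the article, that takes exported service-installation records (modeled on the fields of Windows Event ID 7045: host, service name, image path, start type) and a list of SafeBoot registry subkeys, flags RMM services, marks which of them are registered for Safe Mode, and reports hosts where both SimpleHelp and ScreenConnect are present. The service names, paths, and registry keys in the sample data are constructed for the example; the SimpleHelp/ScreenConnect name patterns are hunting heuristics, not vendor-documented identifiers.

```python
"""Hunt for RMM services with Safe Mode persistence and dual-channel hosts.

Added example for this article; the sample records below are constructed,
not taken from the Securonix write-up.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Heuristic name/path patterns for the two RMM families named in the article.
# These are hunting assumptions, not authoritative product identifiers.
RMM_SIGNATURES = {
    "SimpleHelp": re.compile(r"simplehelp|jwrapper", re.I),
    "ScreenConnect": re.compile(r"screenconnect|connectwise", re.I),
}

# Services listed under SafeBoot\Minimal or SafeBoot\Network are started in
# Safe Mode; a remote-access service registered here survives Safe Mode cleanup.
SAFEBOOT_KEY = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$",
    re.I,
)


@dataclass(frozen=True)
class ServiceInstall:
    host: str
    service_name: str
    image_path: str
    start_type: str


@dataclass(frozen=True)
class Finding:
    host: str
    family: str
    service_name: str
    safe_mode: bool


def classify(svc: ServiceInstall) -> Optional[str]:
    """Return the RMM family a service belongs to, or None if it is not RMM."""
    for family, pattern in RMM_SIGNATURES.items():
        if pattern.search(svc.service_name) or pattern.search(svc.image_path):
            return family
    return None


def safe_mode_services(registry_keys: Iterable[str]) -> Set[str]:
    """Lower-cased service names registered under SafeBoot\\Minimal or \\Network."""
    names: Set[str] = set()
    for key in registry_keys:
        match = SAFEBOOT_KEY.match(key)
        if match:
            names.add(match.group(2).lower())
    return names


def hunt(installs: Iterable[ServiceInstall], registry_keys: Iterable[str]) -> List[Finding]:
    """Flag every RMM service install and whether it also has Safe Mode persistence."""
    safeboot = safe_mode_services(registry_keys)
    findings: List[Finding] = []
    for svc in installs:
        family = classify(svc)
        if family is None:
            continue
        findings.append(
            Finding(svc.host, family, svc.service_name, svc.service_name.lower() in safeboot)
        )
    return findings


def dual_channel_hosts(findings: Iterable[Finding]) -> List[str]:
    """Hosts carrying both RMM families: the redundant access pattern in the article."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.family)
    return sorted(h for h, fams in by_host.items() if {"SimpleHelp", "ScreenConnect"} <= fams)


# Constructed sample export: one victim host with both tools, one clean host.
SAMPLE_INSTALLS = [
    ServiceInstall("WS01", "SimpleHelp Remote Access",
                   r"C:\Users\alice\AppData\Local\SimpleHelp\Remote Access Service.exe", "auto"),
    ServiceInstall("WS01", "ScreenConnect Client (f3a9c2)",
                   r"C:\Program Files (x86)\ScreenConnect Client (f3a9c2)\ScreenConnect.ClientService.exe", "auto"),
    ServiceInstall("WS01", "WinDefend", r"C:\Program Files\Windows Defender\MsMpEng.exe", "auto"),
    ServiceInstall("WS02", "Spooler", r"C:\Windows\System32\spoolsv.exe", "auto"),
]
SAMPLE_SAFEBOOT_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SimpleHelp Remote Access",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SimpleHelp Remote Access",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend",
]


if __name__ == "__main__":
    results = hunt(SAMPLE_INSTALLS, SAMPLE_SAFEBOOT_KEYS)
    for r in results:
        print(f"{r.host}: {r.family} service '{r.service_name}' safe_mode={r.safe_mode}")
    print("dual-channel hosts:", dual_channel_hosts(results))
```

In a real investigation the inputs would come from a fleet-wide export of System log Event ID 7045 and the two SafeBoot subkeys; the point of the Safe Mode check is that a legitimately deployed RMM agent rarely needs to run in Safe Mode, so an RMM service that appears under SafeBoot\Minimal is a strong lead even when the binary itself is signed and allow-listed.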
