Phishing Campaign Exploits Legitimate RMM Tools to Hit 80+ Orgs

"In this case, a customized SimpleHelp and ScreenConnect RMMs are used to bypass defenses as they are legitimately installed by the unsuspecting victim," researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee wrote in a report shared with The Hacker News.

Scope and naming: VENOMOUS#HELPER, STAC6405, and who is affected

Securonix says the campaign, tracked as VENOMOUS#HELPER, has impacted more than 80 organizations, most of them in the United States. The activity has overlaps with clusters previously tracked by Red Canary and Sophos; Sophos has assigned the cluster the name STAC6405. While the operator(s) have not been publicly identified, Securonix characterizes the behavior as aligning with either a financially motivated Initial Access Broker (IAB) or a ransomware precursor operation.

The phishing vector: an SSA-themed lure and compromised Mexican hosting

The intrusion chain begins with a phishing email impersonating the U.S. Social Security Administration (SSA). Recipients are instructed to verify an email address and download an "SSA statement" via a link embedded in the message. That link points to a legitimate-but-compromised Mexican business website, gruta.com[.]mx, a deliberate step the researchers say helps the messages evade email spam filters.

The purported "SSA statement" is then downloaded from a second attacker-controlled domain, server.cubatiendaalimentos.com[.]mx. Securonix reports the binary was staged on that hosting server after the attacker gained access to a single cPanel user account.

How legitimate RMMs are repurposed into persistent backdoors

The downloaded file is a JWrapper-packaged Windows executable that, when opened, installs a customized SimpleHelp RMM as a Windows service. The malware uses Safe Mode persistence and a "self-healing watchdog" that restarts the service if it is terminated. Once installed, the SimpleHelp client is used to obtain interactive desktop access and to maintain long-term, silent control.

To strengthen resilience, the operator also installs ConnectWise ScreenConnect as a secondary communication channel. Securonix highlights that the presence of both SimpleHelp and ScreenConnect creates a "redundant dual-channel access architecture," allowing the attacker to continue operations even if one remote channel is detected and removed.

Privilege escalation, monitoring, and stealthy persistence techniques

The deployed SimpleHelp version identified by the researchers is 5.0.1. The remote access client acquires SeDebugPrivilege via AdjustTokenPrivileges, and the legitimate executable elev_win.exe — associated with the software — is used to gain SYSTEM-level privileges. With those privileges, an operator can read the screen, inject keystrokes, access resources in the user's context, and pivot to adjacent systems.

On the detection-avoidance side, the installed binary periodically enumerates registered security products by querying the WMI namespace root\SecurityCenter2 every 67 seconds, and it polls for user presence every 23 seconds. Securonix emphasizes that standard antivirus and signature-based controls see only legitimately signed software from a reputable U.K. vendor, which helps the operation blend in.

What this means for security teams, affected enterprises, and end users

  • Technologists and security teams: Expect persistence from legitimately signed RMM clients — SimpleHelp 5.0.1 in this campaign — and look for behavioral indicators such as WMI queries to root\SecurityCenter2, frequent user-presence polling, and the presence of self-healing services. Be aware the actors install a secondary RMM (ConnectWise ScreenConnect) to preserve access.
  • Affected enterprises and procurement leaders: Supply-chain and hosting hygiene matter; the attackers staged binaries after compromising a single cPanel account on a legitimate hosting server (gruta.com[.]mx and server.cubatiendaalimentos.com[.]mx were involved). Procurement and IT teams should monitor for unauthorized RMM installations and review hosting-account access controls.
  • End users: The initial lure is an SSA-themed email telling recipients to download an "SSA statement." Users should be cautious about unexpected links and downloads that appear to come from government agencies and report suspicious messages to their IT or security teams immediately.
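The behavioral indicator the report singles out, a fixed 67-second loop of queries to root\SecurityCenter2, is easier to spot by cadence than by the query itself, which admin tools also issue. The following is an added example, not Securonix's code or any vendor tooling: it scans a constructed WMI-activity trace and flags any process whose queries to that namespace recur at near-constant spacing. The event fields and the process paths are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed WMI-activity trace (hypothetical fields: timestamp, process
# image, namespace). Values are made up for this example, not from the report.
AGENT = "C:\\ProgramData\\example\\agent.exe"      # assumed RMM-like client
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # The constructed client queries the namespace every 67 seconds.
    *[{"ts": f"2026-05-01T10:{(i * 67) // 60:02d}:{(i * 67) % 60:02d}",
       "image": AGENT, "namespace": "root\\SecurityCenter2"} for i in range(8)],
    # An admin console session hits it a few times at irregular spacing.
    *[{"ts": t, "image": PS, "namespace": "root\\SecurityCenter2"}
      for t in ("2026-05-01T10:00:05", "2026-05-01T10:00:09",
                "2026-05-01T10:03:40", "2026-05-01T10:12:02",
                "2026-05-01T10:12:03")],
    # Unrelated namespace, must be ignored.
    {"ts": "2026-05-01T10:01:00", "image": AGENT, "namespace": "root\\cimv2"},
]


def periodic_queriers(events, namespace="root\\SecurityCenter2",
                      min_events=5, max_jitter_s=2.0):
    """Return {image: median_gap_seconds} for every process whose queries to
    the given namespace recur with near-constant spacing (beacon-like cadence)."""
    stamps_by_image = defaultdict(list)
    for ev in events:
        if ev["namespace"].lower() == namespace.lower():
            stamps_by_image[ev["image"]].append(datetime.fromisoformat(ev["ts"]))
    flagged = {}
    for image, stamps in stamps_by_image.items():
        if len(stamps) < min_events:       # too few samples to call it periodic
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Periodic if every gap sits within max_jitter_s of the median gap.
        if all(abs(g - mid) <= max_jitter_s for g in gaps):
            flagged[image] = mid
    return flagged


if __name__ == "__main__":
    for image, gap in periodic_queriers(SAMPLE_EVENTS).items():
        print(f"periodic SecurityCenter2 query every ~{gap:.0f}s from {image}")
```

The same cadence test applies to the 23-second user-presence polling if your telemetry exposes it; lower `max_jitter_s` to tighten the match.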

Securonix's reporting paints a deliberate, layered intrusion: a socially engineered phishing lure, staging on compromised legitimate infrastructure, installation of a JWrapper-packaged executable that presents as a document, and the deployment of two legitimate RMM products to guarantee re-entry. The campaign's redundancy — SimpleHelp and ScreenConnect — and the use of signed software mean victims can be left in a state where "the attacker can return at any time," according to the researchers.

Full reporting on this campaign, including technical indicators and the original advisory, is available at The Hacker News: https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html