More than 80 organizations, predominantly in the US, have been compromised by a long-running campaign that uses legitimately signed remote monitoring and management software to install silent, persistent backdoors, according to new research from Securonix.
Phishing lure: fake Social Security emails and compromised domains
Securonix found the operation begins with an email impersonating the US Social Security Administration instructing recipients to verify their address and download a statement. The message's link led to a compromised Mexican business site, gruta[.]com.mx, which served an SSA-branded harvesting page before redirecting victims to a payload hosted on a separate compromised cPanel account.
Researchers said the use of an established .com.mx domain was a deliberate attempt to bypass secure email gateway reputation filters. The download that followed was an executable named to resemble a numbered government document; it was a JWrapper-packaged binary signed by SimpleHelp Ltd using a valid Thawte certificate. That valid signature produced a blue verified-publisher prompt instead of the red unknown-publisher warning that commonly alerts users to unsigned malware—Securonix identified that signature prompt as the only point in the chain that required victim interaction.
Dual access channels: SimpleHelp 5.0.1 and ConnectWise ScreenConnect
Securonix has dubbed the campaign Venomous#Helper and observed operators pairing a self-hosted SimpleHelp 5.0.1 instance with a ConnectWise ScreenConnect relay to create two independent access channels on each infected host. The dual-RMM design was intentional: as Securonix researchers put it, "when the malware is the IT management software, the only thing that catches it is the behavior it leaves behind."
The activity overlaps with a cluster previously tracked by Red Canary and Sophos; Sophos assigned the cluster the name STAC6405. Securonix has not attributed Venomous#Helper to a known group but judged the pattern of activity consistent with either a financially motivated initial access broker or a precursor to ransomware deployment.
Silent, persistent backdoors and process resilience
Once executed, the installer registered a Windows service named "Remote Access Service" and wrote to the SafeBoot\Network registry hive to ensure the malware survived Safe Mode reboots. A liveness watchdog monitored the remote-access process and automatically restarted it if it was terminated.
Securonix reported the SimpleHelp build in use was a cracked 2017 package whose certificate expired in 2018, indicating the operators did not pay for licensing and left no vendor purchase trail. The researchers also flagged a notable evasion technique: the RAT executed WMIC queries via a renamed copy of the binary stored as wmic.exe.bak, defeating endpoint detection and response rules that rely on the original filename. Securonix called that renamed file a high-confidence indicator of compromise.
Automated surveillance: polling cadence and background activity
In a one-hour observation window, Securonix recorded 986 process-creation events arising solely from background polling activity with no operator interaction. Three concurrent loops generated much of that noise: a WiFi interface check every 15 seconds, mouse-position polling every 23 seconds, and a synchronized security-product enumeration sweep every 67 seconds.
Securonix noted the mouse-position loop suggested operators waited for a victim to step away from the keyboard before initiating hands-on interaction—an operational detail that produces a distinct behavioral fingerprint defenders can hunt for.
What this means for security teams, procurement leaders, and end users
- Security teams: Securonix urged deployment of high-fidelity endpoint telemetry and hunting for anomalous process lineage originating from signed RMM binaries. The behavioral artifacts—service registration as "Remote Access Service," writes to SafeBoot\Network, WMIC execution from wmic.exe.bak, and the precise polling intervals—are specific detections defenders can add to hunts and detections.
- Procurement and IT asset managers: The campaign highlights risks from unmanaged or cracked RMM software. Securonix observed a cracked SimpleHelp build with an expired certificate was used to avoid licensing costs and vendor traceability, underscoring the value of maintaining an approved-tool inventory and procurement records.
- End users and administrators: The only user interaction required in the observed chain was accepting a blue verified-publisher prompt produced by a valid code-signing certificate. That event can be difficult to distinguish from legitimate installs, making endpoint telemetry and inventory controls essential complements to user awareness.
Venomous#Helper demonstrates a blunt but effective calculus: use legitimate, signed management tools and compromised web infrastructure to slip past reputation controls and leave behind behavior that, if observed, reveals the compromise. Securonix's advisory closes by urging defenders to instrument endpoints with high-fidelity telemetry, keep approved-tool inventories, and hunt for the anomalous process lineage the campaign produces—steps that, according to the researchers' findings, are the most reliable way to detect what the malicious operators intentionally disguised as IT management traffic.
https://www.infosecurity-magazine.com/news/ssa-emails-venomous-helper-phishing/




