Full Report
An active phishing campaign has been observed targeting multiple vectors since at least April 2025, with legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compromised hosts. The activity, codenamed VENOMOUS#HELPER, has impacted over 80 organizations, most of which are in the U.S., according to Securonix. It shares overlaps with clusters
Analysis Summary
# Incident Report: VENOMOUS#HELPER Phishing Campaign
## Executive Summary
VENOMOUS#HELPER is an ongoing phishing campaign targeting over 80 organizations, primarily in the U.S., to establish persistent remote access. The attackers utilize legitimate Remote Monitoring and Management (RMM) tools, specifically SimpleHelp and ScreenConnect, to bypass traditional security defenses. The activity is suspected to be the work of a financially motivated Initial Access Broker (IAB) or a precursor to ransomware operations.
## Incident Details
- **Discovery Date:** Observed/Reported May 4, 2026 (Securonix Report)
- **Incident Date:** Active since at least April 2025
- **Affected Organizations:** 80+ organizations
- **Sector:** Multiple; targeted via government impersonation
- **Geography:** Primarily United States
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing since April 2025
- **Vector:** Phishing Email
- **Details:** Attackers send emails impersonating the U.S. Social Security Administration (SSA). Victims are prompted to click a link to "verify email" or "download an SSA statement." The link directs victims to a compromised Mexican business site (`gruta.com[.]mx`) which redirects to a secondary domain hosting the malicious executable.
### Lateral Movement
- **Details:** Once the RMM is installed, attackers gain fully interactive desktop access. This allows for bidirectional file transfers and pivoting to adjacent systems within the local network using legitimate administrative capabilities.
### Data Exfiltration/Impact
- **Details:** The primary impact is the establishment of a "redundant dual-channel access architecture." While specific data theft wasn't detailed, the access permits silent command execution, keystroke injection, and access to all user-context resources.
### Detection & Response
- **Detection:** Identified by Securonix researchers (and previously tracked by Red Canary and Sophos) through analysis of RMM telemetry and phishing infrastructure.
- **Response:** Notification of affected organizations and publication of behavioral indicators to distinguish legitimate RMM use from unauthorized installations.
## Attack Methodology
- **Initial Access:** Phishing emails using social engineering (SSA impersonation).
- **Persistence:** Implementation of a "self-healing watchdog" service and Safe Mode persistence for the RMM tool.
- **Privilege Escalation:** Use of `elev_win.exe` to gain SYSTEM-level privileges, and of `AdjustTokenPrivileges` to enable `SeDebugPrivilege`.
- **Defense Evasion:** Use of signed, legitimate RMM software; hosting payloads on compromised legitimate sites; polling for registered security products via WMI every 67 seconds to monitor the environment.
- **Credential Access:** Not explicitly detailed, but RMM access allows for keystroke logging.
- **Discovery:** Periodic enumeration of registered security products via `root\SecurityCenter2`.
- **Lateral Movement:** Native RMM capabilities used to pivot to adjacent hosts.
- **Collection:** Interactive screen reading and file transfer.
- **Exfiltration:** Bidirectional file transfer through RMM channels.
- **Impact:** Persistent, redundant remote backdoor access.
## Impact Assessment
- **Financial:** High potential; likely acting as an Initial Access Broker for ransomware.
- **Data Breach:** Full access to victim desktop resources and files.
- **Operational:** Redundant access ensures that even if one tool (SimpleHelp) is removed, the second (ScreenConnect) remains.
- **Reputational:** Organizations suffer from the use of their internal resources as staging grounds (e.g., the compromised Mexican business).
## Indicators of Compromise
- **Network:**
  - `gruta.com[.]mx` (compromised redirect)
  - `server.cubatiendaalimentos.com[.]mx` (payload delivery)
- **File:**
  - JWrapper-packaged Windows executables
  - SimpleHelp version 5.0.1 (unauthorized installs)
  - `elev_win.exe`
- **Behavioral:**
  - WMI queries to `root\SecurityCenter2` every 67 seconds.
  - Presence of SimpleHelp or ScreenConnect in environments where they are not the standard IT tool.
  - Automated "watchdog" processes restarting RMM services.
## Response Actions
- **Containment:** Terminate unauthorized RMM sessions and services.
- **Eradication:** Remove unauthorized RMM binaries and clean registry keys associated with Safe Mode persistence.
- **Recovery:** Revoke and rotate credentials for any user active during the compromise period.
## Lessons Learned
- **Trust is a Vulnerability:** Legitimate, signed software is increasingly used to bypass EDR/AV that focuses on "malicious" signatures.
- **Redundancy:** Attackers are now deploying multiple RMM tools simultaneously to ensure persistence if one is discovered.
- **Living off the Land:** The use of WMI for defense discovery highlights the need for monitoring built-in Windows management tools.
## Recommendations
- **Application Whitelisting:** Strictly control which RMM tools are permitted to execute within the environment.
- **Network Filtering:** Block known RMM provider URLs/IPs unless they are explicitly used by authorized IT staff.
- **Enhanced Monitoring:** Implement alerts for unauthorized use of `SeDebugPrivilege` or atypical WMI queries targeting security product status.
- **User Education:** Train staff to recognize that government agencies (like the SSA) will not prompt for software downloads via email links.
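As an added illustration of the behavioral indicator (WMI polling of `root\SecurityCenter2` every 67 seconds) and the "atypical WMI queries" monitoring recommendation, here is a small Python detector that is not part of the Securonix report. It flags any process querying that namespace at a steady cadence, so it generalizes beyond the 67-second period; the log line format, host name, PIDs, image paths and sample events are all constructed for the example.

```python
"""Detect periodic WMI polling of root\\SecurityCenter2 (the 67-second cadence
described above) in WMI-query log events. The log format and sample lines are
constructed for this example; adapt parse_line() to your real telemetry source."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: pid 4120 polls root\SecurityCenter2 every 67 s (suspicious);
# pid 5200 is an admin running two ad-hoc checks; pid 6000 polls root\cimv2.
SAMPLE_LOG = """\
2026-05-04T10:00:00Z host=WS01 pid=4120 image=C:\\Temp\\rmm-client.exe namespace=root\\SecurityCenter2
2026-05-04T10:00:05Z host=WS01 pid=5200 image=C:\\Windows\\System32\\wbem\\WMIC.exe namespace=root\\SecurityCenter2
2026-05-04T10:00:30Z host=WS01 pid=6000 image=C:\\Tools\\inventory.exe namespace=root\\cimv2
2026-05-04T10:01:07Z host=WS01 pid=4120 image=C:\\Temp\\rmm-client.exe namespace=root\\SecurityCenter2
2026-05-04T10:01:37Z host=WS01 pid=6000 image=C:\\Tools\\inventory.exe namespace=root\\cimv2
2026-05-04T10:02:14Z host=WS01 pid=4120 image=C:\\Temp\\rmm-client.exe namespace=root\\SecurityCenter2
2026-05-04T10:03:21Z host=WS01 pid=4120 image=C:\\Temp\\rmm-client.exe namespace=root\\SecurityCenter2
2026-05-04T10:04:28Z host=WS01 pid=4120 image=C:\\Temp\\rmm-client.exe namespace=root\\SecurityCenter2
2026-05-04T10:09:12Z host=WS01 pid=5200 image=C:\\Windows\\System32\\wbem\\WMIC.exe namespace=root\\SecurityCenter2
"""

def parse_line(line):
    """Parse '<iso-ts> key=value ...' into a dict; the timestamp becomes a datetime."""
    ts, *kv = line.split()
    event = dict(pair.split("=", 1) for pair in kv)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event

def find_periodic_polling(lines, namespace="root\\SecurityCenter2",
                          min_events=4, max_jitter=0.15):
    """Flag (host, pid, image) tuples that query `namespace` at a steady cadence:
    enough events and low interval variation (coefficient of variation
    <= max_jitter), whatever the exact period is."""
    by_proc = defaultdict(list)
    for line in filter(None, lines):
        ev = parse_line(line)
        if ev["namespace"].lower() == namespace.lower():
            by_proc[(ev["host"], ev["pid"], ev["image"])].append(ev["ts"])
    hits = []
    for (host, pid, image), stamps in by_proc.items():
        if len(stamps) < min_events:
            continue  # too few queries to call it polling
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({"host": host, "pid": pid, "image": image,
                         "count": len(stamps), "mean_interval": round(avg, 1)})
    return hits

if __name__ == "__main__":
    for hit in find_periodic_polling(SAMPLE_LOG.splitlines()):
        print(f"ALERT periodic SecurityCenter2 polling: {hit}")
```

Tune `min_events` and `max_jitter` to your environment; legitimate inventory or compliance agents that query the namespace on a schedule should be added to an allowlist rather than suppressed by loosening the thresholds.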