Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Iran-Linked MuddyWater Poses as Ransomware Gang to Mask Espionage

June 25, 2026

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
Facebook X (Twitter) Instagram
Thursday, June 25
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools
News

Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools

Team-CWDBy Team-CWDMay 12, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


An active phishing campaign has been observed targeting multiple vectors since at least April 2025 with legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compromised hosts.

The activity, codenamed VENOMOUS#HELPER, has impacted over 80 organizations, most of which are in the U.S., according to Securonix. It shares overlaps with clusters previously tracked by Red Canary and Sophos, the latter of which has given it the moniker STAC6405. While it’s not clear who is behind the campaign, the cybersecurity company said it aligns with a financially motivated Initial Access Broker (IAB) or a ransomware precursor operation.

“In this case, a customized SimpleHelp and ScreenConnect RMMs are used to bypass defenses as they are legitimately installed by the unsuspecting victim,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.

Setting aside the fact that the use of legitimate RMM tools can evade detection, the deployment of both SimpleHelp and ScreenConnect indicates an attempt to create a “redundant dual-channel access architecture” that enables continued operations even when either of them is detected and blocked.

It all begins with a phishing email impersonating the U.S. Social Security Administration (SSA), where the recipient is instructed to verify their email address and download a purported SSA statement by clicking on a link embedded in the message. The link points to a legitimate-but-compromised Mexican business website (“gruta.com[.]mx”), indicating a deliberate strategy to evade email spam filters.

The “SSA statement” is then downloaded from a second attacker-controlled domain (“server.cubatiendaalimentos.com[.]mx”), an executable that’s responsible for delivering the SimpleHelp RMM tool. It’s believed that the attacker gained access to a single cPanel user account on the legitimate hosting server to stage the binary.

As soon as the victim opens the JWrapper-packaged Windows executable, thinking it’s a document, the malware installs itself as a Windows service with Safe Mode persistence, makes sure it’s running by means of a “self-healing watchdog” that automatically restarts it when killed, and periodically enumerates registered security products using the rootSecurityCenter2 WMI namespace every 67 seconds, and polls user presence every 23 seconds.

To facilitate fully interactive desktop access, the SimpleHelp remote access client acquires SeDebugPrivilege via AdjustTokenPrivileges, while “elev_win.exe” – a legitimate executable file associated with the software – is used to gain SYSTEM-level privileges. This, in turn, allows the operator to read the screen, inject keystrokes, and access user-context resources.

This elevated remote access is then abused to download and install ConnectWise ScreenConnect, offering a fallback communication mechanism if the SimpleHelp channel is taken down.

“The deployed SimpleHelp version (5.0.1) provides a comprehensive remote administration capability set,” the researchers said. “The victim organization is left in a state where the attacker can return at any time, execute commands silently in the user’s desktop session, transfer files bidirectionally, and pivot to adjacent systems, while standard antivirus and signature-based controls see nothing but legitimately signed software from a reputable U.K. vendor.”



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleApple Rolls Out E2EE for RCS Across iPhone and Android
Next Article OpenAI Launches ‘Daybreak’ to Help Build Secure By Design Software
Team-CWD
  • Website

Related Posts

News

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026
News

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
News

Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

June 24, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Why children’s data is a long-term identity risk

June 3, 2026

What it takes to fool facial recognition

March 14, 2026

Top IRS scams to look out for in 2026

February 10, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.