[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffja0xsvXOdX6pNct7I4mm6UAdkQwDL4dHweMO78mskE":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"0105612a-83a7-45c5-a1e3-a0be07524dd0","Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools","phishing-campaign-hits-80-orgs-using-simplehelp-and-screenconnect-rmm-tools-c26330","An active phishing campaign has been observed targeting multiple vectors since at least April 2025, with legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compromised hosts. The activity, codenamed VENOMOUS#HELPER, has impacted over 80 organizations, most of which are in the U.S., according to Securonix. It shares overlaps with clusters","An active phishing campaign tracked as VENOMOUS#HELPER (also STAC6405) has compromised over 80 organizations since April 2025, primarily in the U.S., using legitimate RMM software to establish persistent remote access. Attackers impersonate the U.S. Social Security Administration in phishing emails, directing victims to download malware that installs SimpleHelp and ScreenConnect as a redundant dual-channel access architecture. The compromise enables SYSTEM-level privilege escalation, screen reading, keystroke injection, and lateral movement while evading signature-based detection.","Phishing campaign VENOMOUS#HELPER targets 80+ orgs using SimpleHelp and ScreenConnect RMM tools for persistent access.","Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools Ravie LakshmananMay 04, 2026Network Security \u002F Endpoint Security An active phishing campaign has been observed targeting multiple vectors since at least April 2025 with legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compromised hosts. The activity, codenamed VENOMOUS#HELPER, has impacted over 80 organizations, most of which are in the U.S., according to Securonix. It shares overlaps with clusters previously tracked by Red Canary and Sophos, the latter of which has given it the moniker STAC6405. While it's not clear who is behind the campaign, the cybersecurity company said it aligns with a financially motivated Initial Access Broker (IAB) or a ransomware precursor operation. \"In this case, a customized SimpleHelp and ScreenConnect RMMs are used to bypass defenses as they are legitimately installed by the unsuspecting victim,\" researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News. Setting aside the fact that the use of legitimate RMM tools can evade detection, the deployment of both SimpleHelp and ScreenConnect indicates an attempt to create a \"redundant dual-channel access architecture\" that enables continued operations even when either of them is detected and blocked. It all begins with a phishing email impersonating the U.S. Social Security Administration (SSA), where the recipient is instructed to verify their email address and download a purported SSA statement by clicking on a link embedded in the message. The link points to a legitimate-but-compromised Mexican business website (\"gruta.com[.]mx\"), indicating a deliberate strategy to evade email spam filters. The \"SSA statement\" is then downloaded from a second attacker-controlled domain (\"server.cubatiendaalimentos.com[.]mx\"), an executable that's responsible for delivering the SimpleHelp RMM tool. It's believed that the attacker gained access to a single cPanel user account on the legitimate hosting server to stage the binary. As soon as the victim opens the JWrapper-packaged Windows executable, thinking it's a document, the malware installs itself as a Windows service with Safe Mode persistence, makes sure it's running by means of a \"self-healing watchdog\" that automatically restarts it when killed, and periodically enumerates registered security products using the root\\SecurityCenter2 WMI namespace every 67 seconds, and polls user presence every 23 seconds. To facilitate fully interactive desktop access, the SimpleHelp remote access client acquires SeDebugPrivilege via AdjustTokenPrivileges, while \"elev_win.exe\" – a legitimate executable file associated with the software – is used to gain SYSTEM-level privileges. This, in turn, allows the operator to read the screen, inject keystrokes, and access user-context resources. This elevated remote access is then abused to download and install ConnectWise ScreenConnect, offering a fallback communication mechanism if the SimpleHelp channel is taken down. \"The deployed SimpleHelp version (5.0.1) provides a comprehensive remote administration capability set,\" the researchers said. \"The victim organization is left in a state where the attacker can return at any time, execute commands silently in the user’s desktop session, transfer files bidirectionally, and pivot to adjacent systems, while standard antivirus and signature-based controls see nothing but legitimately signed software from a reputable U.K. vendor.\" Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, data breach, endpoint security, Malware, network security, Phishing, ransomware, Remote Access, social engineering, Threat Intelligence ⚡ Top Stories This Week Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately ⭐ Featured Resources [Webinar] Stop Chasing Alerts and Start Focusing on Real Exposures [Guide] How to Enable Secure Data Movement Without Added Risk Learn How Hidden Identity Blind Spots Weaken Your Security Systems [Guide] Learn a Practical Framework to Evaluate AI Tools for Production","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fphishing-campaign-hits-80-orgs-using.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjqa_ifaDYXI_GirxdHpZgSiE6fjnNdCmviv3QO9JsRvy1ddAWCRfoNd032ANB7pNfFMS4hLEwkfNHPHC5MNwkhK6XRjbe_y8qzWGpXRsdqhMnnUMGguScuIYtcUNQqQlmZkY4BUXy-ue6fAlor8LOfvEZNZrOq0JrIbOc2jXXAUBarqlodfdsIshRq7dXi\u002Fs1600\u002Fphishing-org.jpg","2026-05-04T18:06:00+00:00","2026-05-04T20:00:22.365853+00:00",9,[18,21,23,26,28,30],{"name":19,"type":20},"VENOMOUS#HELPER","campaign",{"name":22,"type":20},"STAC6405",{"name":24,"type":25},"SimpleHelp","product",{"name":27,"type":25},"ScreenConnect",{"name":29,"type":25},"ConnectWise ScreenConnect",{"name":31,"type":32},"Securonix","vendor","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":33,"icon":35,"name":36,"slug":37},null,"Malware","malware",[39,44],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"7d8b5ab8-ea0b-4ced-ae97-ec251b86993a","Ransomware","ransomware",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[50,54,57],{"type":51,"value":52,"context":53},"domain","gruta.com.mx","Legitimate compromised Mexican business website used in phishing redirect",{"type":51,"value":55,"context":56},"server.cubatiendaalimentos.com.mx","Attacker-controlled domain hosting malicious SSA statement executable",{"type":37,"value":58,"context":59},"elev_win.exe","Legitimate ScreenConnect executable abused for privilege escalation to SYSTEM level"]