Phishing Campaign Targets Over 80 Organizations Using RMM Tools

A phishing campaign leveraging legitimate Remote Monitoring and Management software has impacted more than 80 organizations, primarily in the U.S.

An active phishing campaign, identified as VENOMOUS#HELPER, has been targeting over 80 organizations since at least April 2025. This campaign utilizes legitimate Remote Monitoring and Management (RMM) software to establish persistent remote access to compromised systems, according to a report from Securonix.

Scope of the Campaign

The campaign has primarily affected organizations in the United States. It has been linked to previous activity clusters monitored by cybersecurity firms Red Canary and Sophos, the latter referring to it as STAC6405. While the identity of the attackers remains unconfirmed, the nature of the campaign suggests it is aligned with financially motivated Initial Access Brokers (IABs) or operations that may precede ransomware attacks.

Method of Attack

The phishing attack begins with emails impersonating the U.S. Social Security Administration (SSA). Recipients are prompted to verify their email addresses and download a supposed SSA statement via a link embedded in the email. This link directs users to a legitimate but compromised Mexican business website, indicating a calculated strategy to bypass email spam filters.

Once the victim clicks the link, they download an executable file from a second domain controlled by the attackers. This executable installs the SimpleHelp RMM tool on the victim’s system, allowing the attackers to maintain access. The attackers reportedly gained access through a compromised cPanel user account on the legitimate hosting server.

Technical Details of the Malware

The malware, once executed, installs itself as a Windows service with Safe Mode persistence. It employs a self-healing mechanism to restart itself if terminated and periodically checks for registered security products. The SimpleHelp client acquires elevated privileges, enabling the operator to read screens, inject keystrokes, and access user resources.

Additionally, the attackers install ConnectWise ScreenConnect as a backup communication channel, ensuring continued access even if the primary method is detected and blocked. The version of SimpleHelp deployed (5.0.1) offers extensive remote administration capabilities, allowing attackers to execute commands silently and transfer files bidirectionally.
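The behaviour described above (an RMM agent installed as a Windows service, then registered for Safe Mode so it survives a boot into Safe Mode) leaves a recognisable trail in host telemetry: a service-installation event followed by writes under the `SafeBoot\Minimal` and `SafeBoot\Network` registry keys. The following Python is an added detection example, not code from the Securonix report or from either RMM vendor. It runs over constructed sample events (the host names, service names, file paths and "key=value" log format are all assumptions made for the example) and correlates the two signals so that an RMM service that also gains Safe Mode persistence is raised at higher severity than either signal alone.

```python
"""Correlate RMM service installs with Safe Mode (SafeBoot) persistence.

Added detection example. Input format is assumed: one event per line,
"key=value" fields separated by " | ". event_id 7045 = System log "a new
service was installed"; event_id 13 = Sysmon "registry value set".
"""
import re
from dataclasses import dataclass

# Substrings that identify the two RMM products named in the article.
# Matching on names is an assumption for this example; a real ruleset would
# also key on signer, hash or known install paths maintained by the vendor.
RMM_MARKERS = {
    "simplehelp": "SimpleHelp",
    "screenconnect": "ConnectWise ScreenConnect",
}

# Services/drivers listed under these keys are started in Safe Mode.
SAFEBOOT_RE = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\\]+)",
    re.IGNORECASE,
)

SEVERITY = {
    "rmm_service_installed": "medium",
    "rmm_safeboot_persistence": "high",
    "safeboot_entry_added": "info",  # baseline against a clean image in practice
}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str

    @property
    def severity(self) -> str:
        return SEVERITY[self.rule]


def parse_event(line: str) -> dict:
    """Split a 'k=v | k=v' line into a dict with lower-cased keys."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def rmm_product(text: str):
    """Return the RMM product name if any marker appears in text, else None."""
    low = text.lower()
    for marker, name in RMM_MARKERS.items():
        if marker in low:
            return name
    return None


def analyze(lines):
    """Return findings in log order, correlating 7045 and SafeBoot writes."""
    events = [parse_event(line) for line in lines]

    # Pass 1: which service names belong to RMM agents (service name -> product)
    rmm_services = {}
    for ev in events:
        if ev.get("event_id") == "7045":
            product = rmm_product(ev.get("image_path", "") + " " + ev.get("service_name", ""))
            if product:
                rmm_services[ev.get("service_name", "").lower()] = product

    # Pass 2: emit findings
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        eid = ev.get("event_id")
        if eid == "7045":
            name = ev.get("service_name", "")
            product = rmm_services.get(name.lower())
            if product:
                findings.append(Finding(host, "rmm_service_installed",
                                        f"{product} service '{name}' from {ev.get('image_path')}"))
        elif eid == "13":
            m = SAFEBOOT_RE.search(ev.get("target_object", ""))
            if not m:
                continue
            boot_mode, svc = m.group(1), m.group(2)
            if svc.lower() in rmm_services:
                findings.append(Finding(host, "rmm_safeboot_persistence",
                                        f"{rmm_services[svc.lower()]} service '{svc}' added to SafeBoot\\{boot_mode}"))
            else:
                findings.append(Finding(host, "safeboot_entry_added",
                                        f"'{svc}' added to SafeBoot\\{boot_mode}"))
    return findings


def hosts_needing_triage(findings):
    """Hosts with at least one high-severity finding, sorted."""
    return sorted({f.host for f in findings if f.severity == "high"})


# Constructed sample telemetry (not real indicators from the report).
SAMPLE_EVENTS = [
    "host=WS-042 | event_id=7045 | service_name=SimpleService | image_path=C:\\ProgramData\\SimpleHelp\\SimpleService.exe | start_type=auto start",
    "host=WS-042 | event_id=13 | target_object=HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\SimpleService\\(Default) | details=Service",
    "host=WS-042 | event_id=13 | target_object=HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\Network\\SimpleService\\(Default) | details=Service",
    "host=WS-042 | event_id=7045 | service_name=ScreenConnect Client (abc123) | image_path=C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe | start_type=auto start",
    "host=WS-017 | event_id=7045 | service_name=WinDefend | image_path=C:\\Program Files\\Windows Defender\\MsMpEng.exe | start_type=auto start",
    "host=WS-017 | event_id=13 | target_object=HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\vga.sys\\(Default) | details=Driver",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.host} {f.rule}: {f.detail}")
    print("triage:", hosts_needing_triage(analyze(SAMPLE_EVENTS)))
```

The two-pass design matters because the service-installation event and the SafeBoot write can arrive in either order; collecting RMM service names first lets the registry rule fire correctly regardless. In a production pipeline the `safeboot_entry_added` rule should be compared against a baseline of the stock SafeBoot entries for the OS build, since a clean Windows image already lists many drivers there.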

Implications for Victims

The use of legitimate software in this campaign complicates detection efforts, as standard antivirus solutions may not flag the activity. Victim organizations are left vulnerable, with attackers able to return at any time to exploit the compromised systems.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
