Phishing uses SimpleHelp and ScreenConnect to hit 80+ US orgs
A phishing campaign using SimpleHelp and ScreenConnect RMMs has compromised more than 80 mainly U.S. organizations since April 2025 via SSA-themed emails and executables hosted on compromised Mexican sites.
Since April 2025, a phishing campaign has used legitimate remote monitoring and management tools to gain persistent access to more than 80 organizations, most in the United States, Securonix reported. The activity is tracked as VENOMOUS#HELPER.
The intrusion starts with an email impersonating the U.S. Social Security Administration that asks recipients to verify an address and download a purported SSA statement. The message first links to a legitimate but compromised Mexican business site, gruta.com.mx, and then to an attacker-controlled domain, server.cubatiendaalimentos.com.mx, which serves a JWrapper-packaged Windows executable. When opened, that executable installs a customized SimpleHelp remote access client.
Securonix analysts believe the payload was staged by accessing a cPanel account on the hosting server. The SimpleHelp client installs as a Windows service, sets Safe Mode persistence, and includes a self-healing watchdog that restarts the service if it is terminated. The malware queries registered security products through the root\SecurityCenter2 WMI namespace every 67 seconds and polls for user presence every 23 seconds.
To enable interactive desktop control, the client acquires SeDebugPrivilege via AdjustTokenPrivileges and uses a legitimate component, elev_win.exe, to obtain SYSTEM-level rights. With those privileges, operators can view the screen, inject keystrokes, transfer files in both directions, and access resources available to the logged-in user. The attackers also install ConnectWise ScreenConnect as a fallback channel, creating a redundant dual-channel access setup.
Securonix reported more than 80 affected organizations, most in the U.S., and noted overlaps with clusters tracked by other responders. Sophos has labeled related activity STAC6405. The Securonix report says the pattern aligns with a financially motivated initial access broker or an operation preparing systems for ransomware, though no public attribution has been made.
The report includes a technical assessment: “The deployed SimpleHelp version (5.0.1) provides a comprehensive remote administration capability set.” It adds that attackers can return to compromised systems, execute commands in a user’s desktop session, transfer files, and pivot to adjacent systems while standard antivirus and signature-based controls can treat the software as legitimate.
The report lists technical indicators to identify potential compromise, including unexpected SimpleHelp or ScreenConnect installations, anomalous service behavior, Safe Mode persistence, automatic service restarts, periodic WMI queries, and use of AdjustTokenPrivileges and elev_win.exe.
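The following is an added hunting example, not code from the Securonix report or from either RMM vendor. It runs three of the indicators named above (unexpected SimpleHelp or ScreenConnect service installs, Safe Mode persistence via the SafeBoot registry keys, and fixed-cadence queries against the root\SecurityCenter2 WMI namespace) over a small set of constructed endpoint events. The event schema, service names, image path and timestamps are all assumed for illustration; real telemetry would come from System log event 7045 and Sysmon registry and WMI events, which use different field names.

```python
import re
from statistics import median

# Constructed sample telemetry for one host (not from the report). Timestamps are
# epoch seconds; field names are a simplified, assumed schema.
EVENTS = [
    {"ts": 1000, "kind": "service_install", "name": "SimpleHelp Remote Access",
     "image": r"C:\Users\Public\RemoteAccess.exe"},           # assumed path
    {"ts": 1003, "kind": "service_install", "name": "Windows Update Medic Service",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": 1005, "kind": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SimpleHelpSvc",
     "data": "Service"},
    {"ts": 1900, "kind": "service_install", "name": "ScreenConnect Client",
     "image": r"C:\Users\Public\ScreenConnect.ClientService.exe"},  # assumed path
    # Process 4242 polls the security-products namespace every 67 s (the cadence
    # the report describes); the other processes are noise.
    *[{"ts": t, "kind": "wmi_query", "pid": 4242, "namespace": r"root\SecurityCenter2"}
      for t in (2000, 2067, 2134, 2201, 2268, 2335)],
    *[{"ts": t, "kind": "wmi_query", "pid": 7000, "namespace": r"root\SecurityCenter2"}
      for t in (3000, 3010, 3100, 3105, 3400)],
    {"ts": 3500, "kind": "wmi_query", "pid": 500, "namespace": r"root\cimv2"},
]

RMM_NAME = re.compile(r"simplehelp|screenconnect|connectwise", re.I)
# A subkey under SafeBoot\Minimal or SafeBoot\Network makes a driver or service
# load in Safe Mode; RMM tooling has no business there.
SAFEBOOT_KEY = re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.I)
SECURITY_CENTER_NS = r"root\securitycenter2"


def unexpected_rmm_services(events, allowlist=frozenset()):
    """Service installs whose name or binary path looks like an RMM tool that the
    organization has not explicitly approved."""
    hits = []
    for e in events:
        if e["kind"] != "service_install":
            continue
        if RMM_NAME.search(f'{e["name"]} {e["image"]}') and e["name"] not in allowlist:
            hits.append(e["name"])
    return hits


def safeboot_persistence(events):
    """Registry writes that register a service for Safe Mode startup."""
    return [e["key"] for e in events
            if e["kind"] == "registry_set" and SAFEBOOT_KEY.search(e["key"])]


def periodic_wmi_queries(events, namespace=SECURITY_CENTER_NS,
                         min_samples=5, tolerance=3.0):
    """Per-process WMI queries against `namespace` whose inter-arrival times are
    nearly constant, which is how a watchdog polling on a timer looks. Returns the
    median interval so the analyst can compare it with the report's 67 s."""
    by_pid = {}
    for e in events:
        if e["kind"] == "wmi_query" and e["namespace"].lower() == namespace:
            by_pid.setdefault(e["pid"], []).append(e["ts"])
    findings = []
    for pid, stamps in by_pid.items():
        stamps.sort()
        if len(stamps) < min_samples:
            continue
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        interval = median(deltas)
        if max(abs(d - interval) for d in deltas) <= tolerance:
            findings.append({"pid": pid, "interval_s": interval, "samples": len(stamps)})
    return findings


def run_hunt(events, allowlist=frozenset()):
    """Bundle the three checks into one result for a host."""
    return {
        "rmm_services": unexpected_rmm_services(events, allowlist),
        "safeboot_keys": safeboot_persistence(events),
        "periodic_wmi": periodic_wmi_queries(events),
    }


if __name__ == "__main__":
    for name, result in run_hunt(EVENTS).items():
        print(f"{name}: {result}")
```

The cadence check is the one worth tuning: a legitimate security product also reads root\SecurityCenter2, but typically once at startup or on demand, so requiring several evenly spaced samples from a single process separates timer-driven polling from ordinary use. Pass the organization's sanctioned RMM service names in `allowlist` so the first check surfaces only tools that were not supposed to be there.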