Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools

Published: May 4, 2026 at 02:06 PM EDT
3 min read

Source: The Hacker News

Overview

An active phishing campaign, codenamed VENOMOUS#HELPER, has been observed since at least April 2025. The operation leverages legitimate Remote Monitoring and Management (RMM) tools—SimpleHelp and ConnectWise ScreenConnect—to establish persistent remote access on compromised hosts.

Securonix reports that the campaign has impacted over 80 organizations, primarily in the United States. The activity overlaps with clusters previously tracked by Red Canary and Sophos (identified as STAC6405). While the threat actor remains unidentified, the tactics align with financially motivated Initial Access Brokers (IABs) or ransomware precursor groups.

“In this case, customized SimpleHelp and ScreenConnect RMMs are used to bypass defenses as they are legitimately installed by the unsuspecting victim,” said Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee.

Attack Flow

1. Phishing Email

  • Sender impersonation: U.S. Social Security Administration (SSA).
  • Message: Recipients are instructed to verify their email address and download an “SSA statement.”
  • Malicious link: Points to a compromised Mexican business site (gruta.com.mx), chosen to evade spam filters.

2. Delivery of the SimpleHelp Payload

  • The link redirects to a second attacker‑controlled domain (server.cubatiendaalimentos.com.mx).
  • An executable (packaged with JWrapper) is downloaded, which installs the SimpleHelp RMM client.

3. Persistence and Self‑Healing

  • The malware registers as a Windows service with Safe Mode persistence.
  • A “self‑healing watchdog” restarts the service if it is terminated.
  • It enumerates installed security products via the root\SecurityCenter2 WMI namespace every 67 seconds and polls user presence every 23 seconds.

4. Privilege Escalation

  • The SimpleHelp client obtains SeDebugPrivilege using AdjustTokenPrivileges.
  • The legitimate elev_win.exe binary is leveraged to acquire SYSTEM privileges, enabling full desktop interaction (screen capture, keystroke injection, file transfer).

  // Example of AdjustTokenPrivileges usage (illustrative only). Assumes hToken was
  // opened with TOKEN_ADJUST_PRIVILEGES and tp names the privilege to enable.
  // A TRUE return is not proof of success: check GetLastError() for ERROR_NOT_ALL_ASSIGNED.
  BOOL result = AdjustTokenPrivileges(
      hToken, FALSE, &tp, 0, NULL, NULL);

5. Deployment of a Fallback RMM

  • After establishing control via SimpleHelp, the attacker installs ConnectWise ScreenConnect as a secondary channel.
  • This dual‑channel architecture ensures continued access even if one tool is detected and blocked.
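The behaviours in steps 3 to 5 (an RMM agent registered as a service, Safe Mode persistence under the SafeBoot registry key, fixed-interval polling of root\SecurityCenter2, and a second RMM agent appearing after the first) can all be hunted for in exported endpoint telemetry. The script below is an added example written for this page, not code from Securonix or The Hacker News. The records it runs over are constructed samples, not campaign logs: the System/7045 and Sysmon/13 field names follow those event formats, while the "wmi_query" records stand in for EDR or ETW query telemetry and their field names (ClientProcessId, Namespace, Time) are an assumption of the example, as are the service names and image paths.

```python
"""Endpoint hunt for the persistence, polling and fallback-RMM behaviours
described in the attack flow, run over constructed sample records."""
import re
from statistics import mean, pstdev

RMM_PATTERN = re.compile(r"simplehelp|screenconnect|connectwise", re.I)
SAFEBOOT_PATTERN = re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.I)


def find_rmm_service_installs(events):
    """System 7045 (new service installed) whose image path names an RMM agent."""
    return [(e["ServiceName"], e["ImagePath"]) for e in events
            if e["source"] == "System/7045" and RMM_PATTERN.search(e["ImagePath"])]


def find_safeboot_persistence(events):
    """Sysmon 13 (registry value set) under SafeBoot\\Minimal or \\Network;
    a service listed there is also started when Windows boots in Safe Mode."""
    return [e["TargetObject"] for e in events
            if e["source"] == "Sysmon/13" and SAFEBOOT_PATTERN.search(e["TargetObject"])]


def find_periodic_wmi_polling(events, namespace, min_samples=4, max_jitter=2.0):
    """WMI queries against `namespace`, grouped by client PID. Returns
    {pid: interval_seconds} for PIDs whose inter-query gap is near constant,
    the signature of a timer loop rather than an interactive query."""
    by_pid = {}
    for e in events:
        if e["source"] == "wmi_query" and e["Namespace"].lower() == namespace.lower():
            by_pid.setdefault(e["ClientProcessId"], []).append(e["Time"])
    periodic = {}
    for pid, times in by_pid.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_samples and pstdev(gaps) <= max_jitter:
            periodic[pid] = round(mean(gaps))
    return periodic


def find_dual_rmm(events):
    """Distinct RMM products seen in service installs; two or more on one
    host matches the primary-plus-fallback channel pattern of step 5."""
    products = {RMM_PATTERN.search(path).group(0).lower()
                for _, path in find_rmm_service_installs(events)}
    return sorted(products) if len(products) >= 2 else []


# Constructed sample records (Time is epoch seconds). Paths and service
# names are placeholders for the example, not indicators from the report.
SAMPLE_EVENTS = [
    {"source": "System/7045", "ServiceName": "Remote Access Service",
     "ImagePath": r"C:\ProgramData\SimpleHelp\SimpleService.exe"},
    {"source": "System/7045", "ServiceName": "ScreenConnect Client (abc123)",
     "ImagePath": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"},
    {"source": "System/7045", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"source": "Sysmon/13", "TargetObject":
     r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Remote Access Service\(Default)"},
    {"source": "Sysmon/13", "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]
# PID 4120 queries the AV namespace every 67 seconds; PID 900 is a few ad hoc queries.
SAMPLE_EVENTS += [{"source": "wmi_query", "ClientProcessId": 4120,
                   "Namespace": r"root\SecurityCenter2", "Time": 1_700_000_000 + 67 * i}
                  for i in range(5)]
SAMPLE_EVENTS += [{"source": "wmi_query", "ClientProcessId": 900,
                   "Namespace": r"root\SecurityCenter2", "Time": t}
                  for t in (1_700_000_010, 1_700_000_500, 1_700_003_000)]


def run_hunt(events):
    """Collect every finding into one dict, suitable for feeding a case or alert."""
    return {
        "rmm_services": find_rmm_service_installs(events),
        "safeboot_persistence": find_safeboot_persistence(events),
        "periodic_av_polling": find_periodic_wmi_polling(events, r"root\SecurityCenter2"),
        "dual_rmm": find_dual_rmm(events),
    }


if __name__ == "__main__":
    for key, value in run_hunt(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The periodicity check is the part worth keeping: a human or a scheduled inventory task queries AntiVirusProduct once, while a watchdog loop produces a flat inter-arrival distribution. On a real export, map your telemetry's field names onto the four keys used here and tune `max_jitter` to the clock resolution of the source before trusting the interval.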

Impact

  • Remote administration capabilities: Attackers can execute commands silently, transfer files bidirectionally, and pivot to adjacent systems.
  • Evasion: Both SimpleHelp (v5.0.1) and ScreenConnect are signed by a reputable U.K. vendor, allowing them to bypass many signature‑based defenses.
  • Persistence: The self‑healing service and SYSTEM‑level privileges make removal challenging without thorough forensic analysis.

Mitigation Recommendations

  1. Email hygiene: Implement DMARC, DKIM, and SPF checks; educate users about SSA impersonation attempts.
  2. Web filtering: Block access to known malicious domains (gruta.com.mx, cubatiendaalimentos.com.mx).
  3. Endpoint detection: Deploy behavior‑based EDR solutions that can detect unusual service installations and privilege escalation patterns.
  4. RMM control: Inventory all authorized RMM tools; restrict installation of unsigned or unexpected binaries.
  5. Incident response: If SimpleHelp or ScreenConnect binaries are found on endpoints without a legitimate business case, isolate the host, collect forensic evidence, and remove the services using safe‑mode or offline tools.
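Items 1 and 2 above (sender authentication and blocking the lure domains) can be checked together at triage time against the Authentication-Results header the receiving mail server adds and the links in the body. The script below is an added example for this page, not code from Securonix or The Hacker News. The two messages are constructed samples: the sender domain ssa-secure-mail.example, the brand-to-domain mapping of "social security" to ssa.gov, and the recipient addresses are assumptions of the example; the blocked domains are the two named in the report.

```python
"""Triage an inbound message against the SSA-themed lure: authentication
results, a display name that claims a brand the sender domain does not own,
and links to the domains named in the report. Sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains named in the report as the lure and payload hosts.
BLOCKED_DOMAINS = {"gruta.com.mx", "cubatiendaalimentos.com.mx"}
# Brand names and the one domain allowed to claim them (assumption for the example).
BRAND_DOMAINS = {"social security": "ssa.gov"}


def parse_auth_results(msg):
    """Return e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'} from
    the Authentication-Results header(s) (RFC 8601 method=result pairs)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = result.lower()
    return results


def extract_link_domains(body):
    """Host part of every http(s) URL in the text."""
    return {m.lower() for m in re.findall(r"https?://([A-Za-z0-9.-]+)", body)}


def message_text(msg):
    """Concatenate the decoded text/* parts (works for single and multipart messages)."""
    text = ""
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload:
                text += payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return text


def triage(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    auth = parse_auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")
    for brand, domain in BRAND_DOMAINS.items():
        if brand in name.lower() and not (from_domain == domain or from_domain.endswith("." + domain)):
            findings.append(f"display name claims '{brand}' but sender domain is {from_domain}")
    for link_domain in sorted(extract_link_domains(message_text(msg))):
        if link_domain in BLOCKED_DOMAINS or any(link_domain.endswith("." + b) for b in BLOCKED_DOMAINS):
            findings.append(f"link to blocked domain {link_domain}")
    return findings


# Constructed lure: brand in the display name, failing authentication, link to a lure host.
SAMPLE_EMAIL = """\
From: Social Security Administration <notices@ssa-secure-mail.example>
To: employee@example.org
Subject: Verify your email to view your SSA statement
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=ssa-secure-mail.example; dkim=none; dmarc=fail header.from=ssa-secure-mail.example
Content-Type: text/plain; charset=utf-8

Please verify your email address and download your statement at
https://gruta.com.mx/ssa/statement
"""

# Constructed clean message: aligned domain, passing authentication, no links.
CLEAN_EMAIL = """\
From: Social Security Administration <no-reply@ssa.gov>
To: employee@example.org
Subject: Your account statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=ssa.gov; dkim=pass header.d=ssa.gov; dmarc=pass header.from=ssa.gov
Content-Type: text/plain; charset=utf-8

Sign in through your usual bookmark to view the statement.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, triage(raw))
```

The brand check is what catches this lure even when a sender domain passes SPF and DKIM for itself: a freshly registered domain can authenticate perfectly and still have no business signing mail as the SSA. Extend BRAND_DOMAINS with the agencies and vendors your users actually receive mail from, and keep the blocked-domain set fed from your threat intelligence rather than editing it by hand.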

References

  • Securonix blog post: VENOMOUS#HELPER phishing campaign
  • Red Canary analysis of RMM‑based phishing
  • Sophos threat bulletin (STAC6405)
  • Microsoft documentation for AdjustTokenPrivileges