RC RANDOM CHAOS

VENOMOUS#HELPER campaign abuses SimpleHelp and ScreenConnect to backdoor 80+ orgs

via The Hacker News

Original source: Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools (The Hacker News)

A phishing operation tracked as VENOMOUS#HELPER has compromised more than 80 organizations, predominantly in the U.S., by weaponizing legitimate Remote Monitoring and Management software. Securonix researchers say the activity overlaps with clusters Sophos calls STAC6405 and bears the hallmarks of an Initial Access Broker or ransomware precursor. Lures impersonate the U.S. Social Security Administration, directing victims through a compromised Mexican business site to a JWrapper-packaged Windows executable that masquerades as an SSA statement and silently installs a customized SimpleHelp 5.0.1 client.

Once executed, the implant registers as a Windows service with Safe Mode persistence, runs a self-healing watchdog that revives killed processes, and polls SecurityCenter2 WMI every 67 seconds to fingerprint installed defenses. The SimpleHelp client escalates to SYSTEM by acquiring SeDebugPrivilege through AdjustTokenPrivileges and abusing the signed elev_win.exe binary, granting full interactive desktop control, keystroke injection, and bidirectional file transfer. ConnectWise ScreenConnect is then dropped as a redundant secondary channel so access survives if one tool is detected.

The defining tradecraft is reliance on signed, reputable vendor software to bypass signature-based controls — defenders see legitimate U.K.-signed binaries rather than malware. The dual-RMM architecture creates resilient remote access suitable for hands-on-keyboard operations, lateral movement, and eventual ransomware staging, while staging infrastructure on a hijacked cPanel account on a legitimate Mexican host reduces email-filter signal.
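The behaviours in the two paragraphs above (an RMM service install on a host where no RMM is approved, a Safe Mode service entry under the SafeBoot registry keys, and periodic queries of the SecurityCenter2 WMI namespace) are each observable in ordinary Windows telemetry. The following hunt script is an added example, not code from the article, Securonix or Sophos: it runs three checks over constructed sample events whose shapes, hostnames, paths, timestamps and the APPROVED_RMM allowlist are all assumptions, and the WMI-query record type assumes an EDR that logs WMI queries.

```python
"""Hunt for the RMM-abuse pattern: unapproved SimpleHelp/ScreenConnect
services, SafeBoot persistence and fixed-cadence SecurityCenter2 polling.
Added example; all telemetry below is constructed, not real data."""
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Hosts where an RMM product is legitimately deployed (assumed allowlist).
APPROVED_RMM = {("HELPDESK01", "screenconnect")}

# Substrings that identify the RMM products named in the campaign.
RMM_MARKERS = ("simplehelp", "screenconnect", "connectwise")

# Services listed under these keys also start in Safe Mode (with or
# without networking), which is how Safe Mode persistence is achieved.
SAFEBOOT_RE = re.compile(
    r"\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Control\\SafeBoot\\(Minimal|Network)\\",
    re.IGNORECASE,
)

# Constructed sample events as JSON lines. Shapes loosely follow System
# event 7045 (service installed), Sysmon event 13 (registry value set)
# and a generic WMI-query record; every value here is made up.
SAMPLE_LOG = r"""
{"ts": "2024-05-01T10:00:00", "host": "WS-FIN-07", "kind": "service_install", "service": "Remote Access", "image": "C:\\ProgramData\\JWrapper-Remote Access\\SimpleHelpRemoteAccess.exe"}
{"ts": "2024-05-01T10:00:02", "host": "WS-FIN-07", "kind": "registry_set", "target": "HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\Network\\Remote Access", "details": "Service"}
{"ts": "2024-05-01T10:00:10", "host": "WS-FIN-07", "kind": "wmi_query", "namespace": "root\\SecurityCenter2", "query": "SELECT * FROM AntiVirusProduct"}
{"ts": "2024-05-01T10:01:17", "host": "WS-FIN-07", "kind": "wmi_query", "namespace": "root\\SecurityCenter2", "query": "SELECT * FROM AntiVirusProduct"}
{"ts": "2024-05-01T10:02:24", "host": "WS-FIN-07", "kind": "wmi_query", "namespace": "root\\SecurityCenter2", "query": "SELECT * FROM AntiVirusProduct"}
{"ts": "2024-05-01T10:03:31", "host": "WS-FIN-07", "kind": "wmi_query", "namespace": "root\\SecurityCenter2", "query": "SELECT * FROM AntiVirusProduct"}
{"ts": "2024-05-01T10:05:00", "host": "WS-FIN-07", "kind": "service_install", "service": "ScreenConnect Client (placeholder)", "image": "C:\\Program Files (x86)\\ScreenConnect Client (placeholder)\\ScreenConnect.ClientService.exe"}
{"ts": "2024-05-01T11:00:00", "host": "HELPDESK01", "kind": "service_install", "service": "ScreenConnect Client (placeholder)", "image": "C:\\Program Files (x86)\\ScreenConnect Client (placeholder)\\ScreenConnect.ClientService.exe"}
{"ts": "2024-05-01T11:30:00", "host": "WS-HR-02", "kind": "wmi_query", "namespace": "root\\SecurityCenter2", "query": "SELECT * FROM AntiVirusProduct"}
"""


def parse_events(log_text):
    """Parse JSON lines into dicts with a datetime 'ts' field."""
    events = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def rmm_product(text):
    """Return the RMM marker found in text, normalised to a product name."""
    lowered = text.lower()
    for marker in RMM_MARKERS:
        if marker in lowered:
            return "screenconnect" if marker == "connectwise" else marker
    return None


def find_unapproved_rmm(events):
    """Service installs of SimpleHelp/ScreenConnect on hosts not allowlisted."""
    hits = []
    for ev in events:
        if ev["kind"] != "service_install":
            continue
        product = rmm_product(ev["service"] + " " + ev["image"])
        if product and (ev["host"], product) not in APPROVED_RMM:
            hits.append((ev["host"], product, ev["service"]))
    return hits


def find_safeboot_persistence(events):
    """Registry writes that register a service under a SafeBoot key."""
    return [(ev["host"], ev["target"]) for ev in events
            if ev["kind"] == "registry_set" and SAFEBOOT_RE.search(ev["target"])]


def find_periodic_av_polling(events, min_samples=3, max_jitter=5.0):
    """Hosts querying SecurityCenter2 at a near-constant interval.

    Returns (host, mean interval in seconds, sample count) for each host
    with at least min_samples queries whose gaps vary by <= max_jitter s."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["kind"] == "wmi_query" and ev["namespace"].lower().endswith("securitycenter2"):
            by_host[ev["host"]].append(ev["ts"])
    hits = []
    for host, stamps in by_host.items():
        if len(stamps) < min_samples:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            hits.append((host, round(statistics.mean(gaps)), len(stamps)))
    return hits


def hunt(log_text):
    """Run all three checks and return their findings keyed by check name."""
    events = parse_events(log_text)
    return {
        "unapproved_rmm": find_unapproved_rmm(events),
        "safeboot_persistence": find_safeboot_persistence(events),
        "periodic_av_polling": find_periodic_av_polling(events),
    }


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_LOG).items():
        print(name, findings)
```

On the sample data the script flags both RMM installs on WS-FIN-07 (the approved ScreenConnect deployment on HELPDESK01 is ignored), the SafeBoot\Network entry for the SimpleHelp service, and a 67-second SecurityCenter2 polling cadence; the single query from WS-HR-02 falls below the sample threshold. The cadence check is intentionally generic: it keys on regularity, not on the 67-second value, so a variant with a different timer still surfaces.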


This is an AI-generated summary. Read the original for the full story.