VENOMOUS#HELPER Campaign Uses Legitimate RMM Tools to Compromise 80+ Organizations
A sophisticated phishing campaign has compromised over 80 organizations by deploying legitimate RMM tools to establish persistent, dual-channel remote access.

An active phishing campaign, identified as VENOMOUS#HELPER, has successfully compromised over 80 organizations, primarily within the United States, by leveraging legitimate Remote Monitoring and Management (RMM) software to establish persistent, unauthorized access (The Hacker News). The campaign, which has been active since at least April 2025, is linked to activity clusters previously monitored by the security firms Red Canary and Sophos, the latter of which tracks the threat as STAC6405 (The Hacker News).
The attack chain begins with deceptive phishing emails masquerading as communications from the U.S. Social Security Administration (SSA). These emails prompt recipients to click a link to verify their email address and download a purported SSA statement. To bypass email security filters, the attackers host the initial links on compromised, legitimate websites, such as "gruta.com[.]mx", before redirecting victims to a second attacker-controlled domain, "server.cubatiendaalimentos.com[.]mx", to download the payload (The Hacker News).
Once the victim executes the JWrapper-packaged Windows executable, the installer registers itself as a Windows service and uses a "self-healing watchdog" to restart the agent if its process is terminated. The service is also configured to run in Safe Mode, so booting into Safe Mode for cleanup does not remove the attackers' access. The agent checks for security software by polling the `root\SecurityCenter2` WMI namespace every 67 seconds and checks for user presence every 23 seconds (The Hacker News). Those fixed polling intervals are a useful hunt lead in their own right: repeated, metronomic WMI queries against `root\SecurityCenter2` from a service process are not typical of ordinary user activity.
The primary payload is version 5.0.1 of the SimpleHelp RMM tool. To gain full control, the agent acquires `SeDebugPrivilege` and uses the legitimate `elev_win.exe` executable to escalate to SYSTEM. This gives the attackers comprehensive remote administration capabilities, including screen monitoring, keystroke injection, and file transfer. As a redundancy measure, they subsequently deploy ConnectWise ScreenConnect, creating a "dual-channel access architecture" that preserves access even if one of the two RMM tools is detected and blocked (The Hacker News).
Security researchers assess that the campaign is likely the work of a financially motivated initial access broker, or a precursor to a ransomware operation. Because the tools involved are legitimately signed software from reputable vendors, they typically pass signature-based antivirus checks, leaving victim organizations exposed to silent command execution and lateral movement within their networks (The Hacker News).
The use of legitimate administrative tools for malicious purposes remains a preferred tactic for threat actors seeking to blend into normal network traffic. Dual-channel access also raises the cost of remediation: removing a single RMM agent is not enough to evict the threat actor, and a host should not be considered clean until every unapproved remote access agent on it has been identified and removed. Organizations are advised to maintain an explicit allowlist of sanctioned RMM products, monitor for service installations and process executions belonging to any other remote access tool, and treat the presence of more than one RMM agent on a host as a high-priority lead.
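The following is an added example, not code from the article or from any of the security firms it cites, showing one way to turn the indicators above (SimpleHelp/JWrapper and ScreenConnect agents, `elev_win.exe`, service installs from user-writable directories, and two RMM agents on one host) into a hunt over exported Windows event data. The event records, the host names, the file paths, and the allowlist of approved RMM products are all constructed for the example; the product-name patterns are the only things taken from the campaign description.

```python
"""Hunt for unauthorized or redundant RMM agents in Windows event exports.

Input: a list of dicts flattened from System log 7045 (service installed)
and Sysmon event 1 (process create) records. All sample data below is
constructed for illustration and is not real telemetry.
"""
import re
from collections import defaultdict

# Product markers for the two RMM tools named in the campaign writeup.
# Any other RMM product can be added here as another family.
RMM_FAMILIES = {
    "SimpleHelp": re.compile(r"simplehelp|jwrapper", re.I),
    "ScreenConnect": re.compile(r"screenconnect|connectwise", re.I),
}

# elev_win.exe was used in the campaign to elevate to SYSTEM; track it separately.
ELEVATION_HELPER = re.compile(r"elev_win\.exe$", re.I)

# Services whose binary lives in a user-writable location deserve a closer look.
USER_WRITABLE = re.compile(r"\\(ProgramData|Users\\[^\\]+\\AppData|Temp)\\", re.I)

# Assumption: the organization's only sanctioned RMM product is ScreenConnect.
APPROVED_RMM = {"ScreenConnect"}

# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"host": "WS-17", "event_id": 7045, "user": "SYSTEM",
     "image": r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe"},
    {"host": "WS-17", "event_id": 1, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\ProgramData\JWrapper-Remote Access\elev_win.exe"},
    {"host": "WS-17", "event_id": 7045, "user": "SYSTEM",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"},
    {"host": "SRV-02", "event_id": 7045, "user": "SYSTEM",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"},
    {"host": "WS-31", "event_id": 1, "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\notepad.exe"},
]


def classify_rmm(image_path):
    """Return the RMM family an image path belongs to, or None."""
    for family, pattern in RMM_FAMILIES.items():
        if pattern.search(image_path):
            return family
    return None


def hunt_rmm(events, approved=APPROVED_RMM):
    """Aggregate events per host and return {host: [finding, ...]} for hosts
    that show unapproved RMM agents, multiple RMM agents, RMM services in
    user-writable paths, or execution of the elev_win.exe elevation helper."""
    per_host = defaultdict(lambda: {"families": set(), "writable_svc": set(), "elev": False})
    for ev in events:
        state = per_host[ev["host"]]
        family = classify_rmm(ev["image"])
        if family:
            state["families"].add(family)
            if ev["event_id"] == 7045 and USER_WRITABLE.search(ev["image"]):
                state["writable_svc"].add(family)
        if ELEVATION_HELPER.search(ev["image"]):
            state["elev"] = True

    findings = {}
    for host, state in per_host.items():
        notes = []
        for family in sorted(state["families"] - set(approved)):
            notes.append(f"unapproved RMM agent: {family}")
        if len(state["families"]) > 1:
            notes.append("multiple RMM agents on one host (possible dual-channel access)")
        for family in sorted(state["writable_svc"]):
            notes.append(f"{family} service installed from user-writable path")
        if state["elev"]:
            notes.append("elev_win.exe executed (SYSTEM elevation helper)")
        if notes:
            findings[host] = notes
    return findings


if __name__ == "__main__":
    for host, notes in sorted(hunt_rmm(SAMPLE_EVENTS).items()):
        print(host)
        for note in notes:
            print("  -", note)
```

The allowlist is deliberately the only site-specific input: a host running the sanctioned tool alone (SRV-02 in the sample) produces no finding, while a host with the sanctioned tool plus anything else is flagged for the dual-channel pattern even before the second product is identified. In a real deployment the same aggregation would be run over SIEM exports rather than the embedded list.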