A large-scale phishing campaign leveraging legitimate remote management software has compromised more than 80 organizations since at least April 2025, according to new findings from cybersecurity firm Securonix.
The operation, dubbed ‘VENOMOUS#HELPER,’ mainly targets US-based entities and appears to be financially motivated. Researchers say the activity overlaps with known threat clusters, including one tracked by Sophos as ‘STAC6405.’ While it is unclear who is behind the campaign, the tactics used suggest that the perpetrator may be an initial access broker or a ransomware precursor group.
VENOMOUS#HELPER leverages customized versions of the SimpleHelp and ConnectWise ScreenConnect RMM tools to establish persistent access on infected systems. The attackers deploy both tools simultaneously, creating a “redundant dual-channel access architecture” that ensures continued control even if one access path is blocked.
The attack chain begins with a phishing email masquerading as a message from the US Social Security Administration. Recipients are prompted to verify their email address and download what appears to be an official statement. The embedded link leads to a compromised legitimate Mexican business website; from there, victims are redirected to a second attacker-controlled domain to download a malicious executable disguised as a document.
“This URL reveals a cPanel legacy shared hosting compromise. The tilde (~) prefix and username path (tiendazoycom) indicate the attacker gained access to a single cPanel user account on the legitimate hosting server, not the root server itself,” Securonix explained.
The payload installs the SimpleHelp client as a persistent Windows service with Safe Mode functionality and a mechanism that restarts the service if it is terminated. The malware also conducts regular system checks, including monitoring installed security tools and user activity.
It elevates its privileges to SYSTEM level, allowing attackers to view screens, log keystrokes, and access sensitive data. The compromised system is then used to install ScreenConnect, providing a backup access channel in case the initial connection is disrupted.
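As an added example (not from the Securonix report), the following hunt runs over a constructed Windows service inventory for the persistence traits just described: an RMM agent running as SYSTEM, registered to start in Safe Mode, configured to restart on failure, and a second RMM product coexisting with it. The RMM name patterns, record fields and sample entries are assumptions.

```python
# Input records are constructed to resemble a host export (Win32_Service fields, SafeBoot keys, `sc qfailure`).
import re

# Products named in the report; the match patterns themselves are assumptions.
RMM_PATTERNS = {
    "SimpleHelp": re.compile(r"simplehelp", re.I),
    "ScreenConnect": re.compile(r"screenconnect|connectwise", re.I),
}

def classify_rmm(service):
    """Return which RMM product a service record looks like, or None."""
    haystack = f'{service["name"]} {service["display_name"]} {service["path"]}'
    for product, pattern in RMM_PATTERNS.items():
        if pattern.search(haystack):
            return product
    return None

def find_rmm_persistence(services, safeboot_entries):
    """Flag RMM services that run as SYSTEM, survive Safe Mode, or auto-restart.
    safeboot_entries: service names under HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\*.
    dual_channel is set when two different RMM products coexist on the host."""
    findings, products = [], set()
    for svc in services:
        product = classify_rmm(svc)
        if product is None:
            continue
        products.add(product)
        traits = []
        if svc["account"].lower() in ("localsystem", "nt authority\\system"):
            traits.append("runs_as_system")
        if svc["name"] in safeboot_entries:
            traits.append("safe_mode_survivor")
        if svc["failure_restart"]:  # `sc qfailure` shows a RESTART action
            traits.append("auto_restart")
        findings.append({"service": svc["name"], "product": product, "traits": traits})
    return {"findings": findings, "dual_channel": len(products) >= 2}

SAMPLE_SERVICES = [  # constructed: one benign service and two RMM agents
    {"name": "Spooler", "display_name": "Print Spooler", "path": r"C:\Windows\System32\spoolsv.exe",
     "account": "LocalSystem", "failure_restart": True},
    {"name": "SimpleHelpSvc", "display_name": "Remote Support", "path": r"C:\ProgramData\Remote Access.exe",
     "account": "LocalSystem", "failure_restart": True},
    {"name": "ScreenConnect Client (placeholder)", "display_name": "ScreenConnect Client",
     "path": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "account": "NT AUTHORITY\\SYSTEM", "failure_restart": False},
]
SAMPLE_SAFEBOOT = {"SimpleHelpSvc"}  # constructed SafeBoot\Minimal entries
print(find_rmm_persistence(SAMPLE_SERVICES, SAMPLE_SAFEBOOT))
```

Sanctioned RMM deployments share these traits, so reconcile any hit against the organization's approved RMM inventory rather than treating it as malicious on its own.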