Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools
TL;DR A phishing campaign tracked as VENOMOUS#HELPER has compromised over 80 organizations, mostly in the U.S., since April 2025 by using customized SimpleHelp and ScreenConnect remote access tools. Attackers impersonate the U.S. Social Security Administration in emails, direct victims to compromised websites, and establish persistent dual-channel access with elevated privileges. The campaign aligns with financially motivated initial access brokers or ransomware precursor operations.
What happened
The campaign begins with phishing emails impersonating the U.S. Social Security Administration (SSA). Recipients are instructed to verify their email address and download a purported SSA statement via a link in the message. That link redirects to a legitimate-but-compromised Mexican business website (gruta.com[.]mx), a deliberate choice to evade email spam filters. The actual malware is then downloaded from a second attacker-controlled domain (server.cubatiendaalimentos.com[.]mx).
When the victim opens what appears to be a document—actually a JWrapper-packaged Windows executable—the malware begins its installation sequence. SimpleHelp installs as a Windows service with Safe Mode persistence and deploys a "self-healing watchdog" mechanism that automatically restarts the service if terminated. Version 5.0.1 of SimpleHelp is deployed in this campaign.
The malware immediately begins reconnaissance: it enumerates registered security products using the root\SecurityCenter2 WMI namespace every 67 seconds and polls for user presence every 23 seconds. To enable full interactive access, the SimpleHelp client acquires SeDebugPrivilege through AdjustTokenPrivileges and uses the legitimate executable elev_win.exe—associated with SimpleHelp itself—to elevate to SYSTEM-level privileges. This grants the attacker the ability to read the screen, inject keystrokes, and access user-context resources.
To create what researchers describe as a "redundant dual-channel access architecture," the attacker then downloads and installs ConnectWise ScreenConnect as a fallback communication mechanism. If one channel is detected and blocked, the operator retains access through the other.
The researchers behind the identification—Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee from Securonix—note that "the victim organization is left in a state where the attacker can return at any time, execute commands silently in the user's desktop session, transfer files bidirectionally, and pivot to adjacent systems, while standard antivirus and signature-based controls see nothing but legitimately signed software from a reputable U.K. vendor."
Why it matters
This campaign is significant for defenders in the MENA region for several reasons. First, it demonstrates how legitimate, signed remote access tools can be weaponized to bypass perimeter and endpoint defenses. The use of SYSTEM-level privileges means traditional user-context detection is bypassed. Second, the dual-channel architecture creates operational resilience—blocking SimpleHelp does not eject the attacker if ScreenConnect is already installed. Third, the reconnaissance loop (security product enumeration, user presence polling) suggests the attacker is adapting in real time to the environment before pivoting laterally.
For SOC analysts, this means that legitimate RMM tool activity cannot be assumed safe; context matters. For system administrators, this underscores the risk of user-executed binaries and the importance of application control policies. The campaign's financial motivation and alignment with IAB/ransomware precursor TTPs suggest that compromised organizations are high-value targets for follow-on extortion or data theft.
Affected systems and CVEs
- SimpleHelp (version 5.0.1 confirmed in campaign)
- ScreenConnect (ConnectWise ScreenConnect)
- JWrapper (packaging framework for the initial executable)
No CVE had been assigned at the time of publication; the campaign abuses legitimate, signed software rather than a software vulnerability.
What to do
- Monitor for and block phishing emails impersonating government agencies, particularly the U.S. Social Security Administration.
- Implement or review email filtering rules so that links pointing to compromised third-party websites are detected; gruta.com[.]mx and server.cubatiendaalimentos.com[.]mx should be blocked at the network boundary.
- Monitor for unauthorized installations of SimpleHelp and ScreenConnect. Both tools require legitimate business justification and should be inventoried.
- Deploy WMI query monitoring to alert on enumeration of the root\SecurityCenter2 namespace, particularly when triggered by unsigned or unusual processes.
- Alert on calls to AdjustTokenPrivileges and the execution of elev_win.exe outside of legitimate maintenance windows.
- Implement application whitelisting or execution policies to prevent unsigned or untrusted executables from running.
- Review cPanel user accounts and hosting server access logs for unauthorized activity; a single compromised cPanel account was used to stage the initial payload.
- If SimpleHelp or ScreenConnect is legitimately deployed in your environment, maintain strict version control and monitor for unexpected privilege elevation or WMI queries originating from the service context.
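As an added example (not code from Securonix or the original article), the detection logic behind two of the recommendations above, run over constructed sample events: flag a process that queries root\SecurityCenter2 on a steady cadence like the campaign's 67-second loop, and flag elev_win.exe launches outside a maintenance window. The event field layout, file paths and the Sunday 02:00-04:00 window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, time
from statistics import median

# Constructed sample telemetry (not real logs), as (timestamp, kind, image, detail):
# "wmi" rows mimic WMI-Activity ExecQuery entries, "proc" rows mimic process creation.
TMP = r"C:\Users\v\AppData\Local\Temp"
AV_QUERY = r"root\SecurityCenter2 : SELECT * FROM AntiVirusProduct"
EVENTS = [
    ("2025-06-02T09:00:00", "wmi", TMP + r"\statement.exe", AV_QUERY),
    ("2025-06-02T09:01:07", "wmi", TMP + r"\statement.exe", AV_QUERY),   # +67 s
    ("2025-06-02T09:02:14", "wmi", TMP + r"\statement.exe", AV_QUERY),   # +67 s
    ("2025-06-02T09:03:21", "wmi", TMP + r"\statement.exe", AV_QUERY),   # +67 s
    ("2025-06-02T10:30:00", "wmi", r"C:\Program Files\HealthCheck\hc.exe", AV_QUERY),  # one-off, benign
    ("2025-06-01T03:00:00", "proc", r"C:\Program Files\SimpleHelp\elev_win.exe", ""),  # Sunday 03:00
    ("2025-06-02T09:05:00", "proc", TMP + r"\elev_win.exe", ""),                      # Monday 09:05
]

MAINT_DAY, MAINT_START, MAINT_END = 6, time(2, 0), time(4, 0)  # assumed window: Sunday 02:00-04:00
MIN_QUERIES, MAX_JITTER = 3, 0.10  # >= 3 queries whose gaps stay within 10% of the median gap

def periodic_securitycenter_queries(events):
    """Map image -> median interval (s) for processes polling root\\SecurityCenter2
    on a steady cadence, as the campaign's 67-second reconnaissance loop does."""
    stamps = defaultdict(list)
    for ts, kind, image, detail in events:
        if kind == "wmi" and "securitycenter2" in detail.lower():
            stamps[image].append(datetime.fromisoformat(ts))
    hits = {}
    for image, seen in stamps.items():
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        if len(seen) >= MIN_QUERIES:  # a single benign query never qualifies
            mid = median(gaps)
            if all(abs(g - mid) <= MAX_JITTER * mid for g in gaps):
                hits[image] = mid
    return hits

def elev_win_outside_maintenance(events):
    """Timestamps of elev_win.exe launches outside the assumed maintenance window."""
    flagged = []
    for ts, kind, image, _ in events:
        if kind != "proc" or not image.lower().endswith(r"\elev_win.exe"):
            continue
        t = datetime.fromisoformat(ts)
        in_window = t.weekday() == MAINT_DAY and MAINT_START <= t.time() < MAINT_END
        if not in_window:
            flagged.append(ts)
    return flagged
```

The cadence check deliberately ignores which binary issues the query, so a renamed or re-signed client is still caught by its timing; tune MAX_JITTER to the clock resolution of your log source.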
Open questions
- The identity of the threat actor or group behind VENOMOUS#HELPER remains unconfirmed; attribution relies on operational patterns.
- The full scope of affected organizations and targeted industries beyond the 80+ confirmed by Securonix is not disclosed.
- It is unclear whether the compromise of the cPanel account hosting gruta.com[.]mx was targeted by the attacker or opportunistic.
- The complete list of attacker-controlled domains and infrastructure used in the campaign has not been publicly detailed.
- The current remediation status of the compromised hosting servers is not specified.
Source
Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools