{"id":801,"date":"2026-05-04T18:54:50","date_gmt":"2026-05-04T18:54:50","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=801"},"modified":"2026-05-04T18:54:50","modified_gmt":"2026-05-04T18:54:50","slug":"phishing-campaign-hits-80-orgs-using-simplehelp-and-screenconnect-rmm-tools","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=801","title":{"rendered":"Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">May 04, 2026<\/span><\/span><span class=\"p-tags\">Network Security \/ Endpoint Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjqa_ifaDYXI_GirxdHpZgSiE6fjnNdCmviv3QO9JsRvy1ddAWCRfoNd032ANB7pNfFMS4hLEwkfNHPHC5MNwkhK6XRjbe_y8qzWGpXRsdqhMnnUMGguScuIYtcUNQqQlmZkY4BUXy-ue6fAlor8LOfvEZNZrOq0JrIbOc2jXXAUBarqlodfdsIshRq7dXi\/s1700-e365\/phishing-org.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>An active phishing campaign has been observed targeting multiple vectors since at least April 2025, with legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compromised hosts.<\/p>\n<p>The activity, codenamed <strong>VENOMOUS#HELPER<\/strong>, has impacted over 80 organizations, most of which are in the U.S., according to Securonix. It shares overlaps with clusters previously tracked by <a href=\"https:\/\/redcanary.com\/blog\/threat-intelligence\/phishing-rmm-tools\/\">Red Canary<\/a> and Sophos, the latter of which has given it the moniker STAC6405. While it&#8217;s not clear who is behind the campaign, the cybersecurity company said it aligns with a financially motivated Initial Access Broker (IAB) or a ransomware precursor operation.<\/p>\n<p>\u00abIn this case, a customized SimpleHelp and ScreenConnect RMMs are used to bypass defenses as they are legitimately installed by the unsuspecting victim,\u00bb researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee <a href=\"https:\/\/www.securonix.com\/blog\/venomous-helper-phishing-campaign\">said<\/a> in a report shared with The Hacker News.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/threatlabz-vpn-risk-2026-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhnNON5UeWywT7OcPNw7V4L7QNWnCnm7Xl_99Y9ek8dL-gRwx-bWxQM1TKqt8deqqrdpUyKMuuijAWyyPQVB0s0qf8ntQ6ldFAJLru-QUWhddKTopc7SeNbBBnd-TsfFyRPP-AAyDuclLlL6XHK4_LXqDC_7eyaz9pzToYr7U543MhrJ7qcK-89sVWHTQUZ\/s728-e100\/zz-2-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Setting aside the fact that the use of legitimate RMM tools can evade detection, the deployment of both SimpleHelp and ScreenConnect indicates an attempt to create a \u00abredundant dual-channel access architecture\u00bb that enables continued operations even when either of them is detected and blocked.<\/p>\n<p>It all begins with a phishing email impersonating the U.S. Social Security Administration (SSA), where the recipient is instructed to verify their email address and download a purported SSA statement by clicking on a link embedded in the message. The link points to a legitimate-but-compromised Mexican business website (\u00abgruta.com[.]mx\u00bb), indicating a deliberate strategy to evade email spam filters.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjblWm6GIEienA1OGWMJ5fYEXYlRs7Eu788Qc7z0o7Xd0fDR7p_9xQSL-1xlO-Wg3jO6dHad-7p0Pgjzd5VYWDfOJk_-r9BN76KgrD5b3QUiIC_enfWKttaNfYMlRXFCyx744nq-wUqixK7wuJ45tiarAB6rO_dilmBNyTy5fhLWZIDieozoYITLRpZjHYC\/s1700-e365\/remote.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjblWm6GIEienA1OGWMJ5fYEXYlRs7Eu788Qc7z0o7Xd0fDR7p_9xQSL-1xlO-Wg3jO6dHad-7p0Pgjzd5VYWDfOJk_-r9BN76KgrD5b3QUiIC_enfWKttaNfYMlRXFCyx744nq-wUqixK7wuJ45tiarAB6rO_dilmBNyTy5fhLWZIDieozoYITLRpZjHYC\/s1700-e365\/remote.jpg\" alt=\"\" border=\"0\" data-original-height=\"612\" data-original-width=\"1030\"\/><\/a><\/div>\n<p>The \u00abSSA statement\u00bb is then downloaded from a second attacker-controlled domain (\u00abserver.cubatiendaalimentos.com[.]mx\u00bb), an executable that&#8217;s responsible for delivering the SimpleHelp RMM tool. It&#8217;s believed that the attacker gained access to a single cPanel user account on the legitimate hosting server to stage the binary.<\/p>\n<p>As soon as the victim opens the JWrapper-packaged Windows executable, thinking it&#8217;s a document, the malware installs itself as a Windows service with Safe Mode persistence, makes sure it&#8217;s running by means of a \u00abself-healing watchdog\u00bb that automatically restarts it when killed, and periodically enumerates registered security products using the root\\SecurityCenter2 WMI namespace every 67 seconds, and polls user presence every 23 seconds.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/ai-cant-stop-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjPEV6-530TOlxG6PjrmdlY623wpBwduZ7t1HV6flcmO5R4q4AmfixDUzW0CrhlvMVNWbhvOIso-UDNTka4W_W9Chrdj_dglwBZwi7DuePM2IMIl-hfUYVIqBXgfpr_2619K8Gptb4LzwJ6gUbi7lWl2M8AFQJsHEaw63Q7tZ6708YGruiHrr0Y2W9YYxLQ\/s728-e100\/ThreatLocker-d.png\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>To facilitate fully interactive desktop access, the SimpleHelp remote access client acquires SeDebugPrivilege via <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/securitybaseapi\/nf-securitybaseapi-adjusttokenprivileges\">AdjustTokenPrivileges<\/a>, while \u00abelev_win.exe\u00bb \u2013 a legitimate executable file associated with the software \u2013 is used to gain SYSTEM-level privileges. This, in turn, allows the operator to read the screen, inject keystrokes, and access user-context resources.<\/p>\n<p>This elevated remote access is then abused to download and install ConnectWise ScreenConnect, offering a fallback communication mechanism if the SimpleHelp channel is taken down.<\/p>\n<p>\u00abThe deployed SimpleHelp version (5.0.1) provides a comprehensive remote administration capability set,\u00bb the researchers said. \u00abThe victim organization is left in a state where the attacker can return at any time, execute commands silently in the user\u2019s desktop session, transfer files bidirectionally, and pivot to adjacent systems, while standard antivirus and signature-based controls see nothing but legitimately signed software from a reputable U.K. vendor.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802May 04, 2026Network Security \/ Endpoint Security An active phishing campaign has been observed targeting multiple vectors since at least April 2025, with legitimate Remote Monitoring and Management (RMM)&hellip;<\/p>\n","protected":false},"author":1,"featured_media":802,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[6,825,882,390,827,863,1515,261],"class_list":["post-801","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-campaign","tag-hits","tag-orgs","tag-phishing","tag-rmm","tag-screenconnect","tag-simplehelp","tag-tools"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/801","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=801"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/801\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/802"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=801"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=801"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}