Phishing posing as the SSA and taking advantage of RMM tools for persistence: the VENOMOUS#HELPER campaign that affects more than 80 organizations


An active phishing campaign, detected since at least April 2025, exploits trust in legitimate remote management tools to gain and keep persistent access to corporate networks. The operator, identified in some analyses as VENOMOUS#HELPER and related to the activity cluster that Sophos labels STAC6405, has affected more than 80 organizations, most of them in the United States. What matters is not only the initial lure (an email impersonating the U.S. Social Security Administration (SSA) that redirects through compromised legitimate sites to evade filters) but the technical strategy behind it: the covert installation of two RMM solutions, SimpleHelp and ConnectWise ScreenConnect, to build a redundant remote-access architecture that resists mitigation attempts.

The modus operandi combines social engineering with "living off the land" techniques and abuse of signed software. The malicious executable, packaged with JWrapper and temporarily hosted on a compromised legitimate site, installs itself as a Windows service that persists even in Safe Mode, includes a watchdog that relaunches the process if it is terminated, and periodically probes the security environment through WMI queries against the root\SecurityCenter2 namespace. To gain full control of the user's desktop, the SimpleHelp client requests SeDebugPrivilege and uses a legitimate component (elev_win.exe) to escalate to SYSTEM, which lets the operator read the screen, inject keystrokes and move laterally; if SimpleHelp is detected, the actor installs ScreenConnect as a backup channel.
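A service that survives Safe Mode is one that has an entry under the SafeBoot\Minimal or SafeBoot\Network registry keys, so one concrete hunt for the persistence trait described above is to list those entries and check where each service's binary actually lives. The script below is an added example, not code from the article or from any vendor report; it parses a constructed and simplified registry export (values shown unescaped, hypothetical service and path names) and flags Safe Mode services whose ImagePath is outside the Windows system directories.

```python
"""Hunt for Windows services registered to start in Safe Mode whose binary
lives outside the system directories. Added example, not from the article.
The registry excerpt is constructed and simplified (string values shown
unescaped); service names and paths are hypothetical."""
import re

# Constructed, simplified .reg-style export of the two key trees involved:
# SafeBoot\{Minimal,Network} (who survives Safe Mode) and Services (ImagePath).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RemoteAccessSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RemoteAccessSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"=%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog]
"ImagePath"=%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccessSvc]
"ImagePath"="C:\ProgramData\ExampleRemote\RemoteAccessService.exe" -service
"Start"=dword:00000002
"""

SAFEBOOT_RE = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$", re.I)
SERVICES_RE = re.compile(r"\\CurrentControlSet\\Services\\([^\\]+)$", re.I)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_reg(text):
    """Minimal .reg parser: returns {key_path: {value_name: raw_value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip()
    return keys


def executable_of(image_path):
    """Return only the binary from an ImagePath value, dropping arguments."""
    value = image_path.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def is_system_binary(exe):
    """True when the binary sits under System32/SysWOW64 (after expanding %SystemRoot%)."""
    low = exe.lower().replace("%systemroot%", "c:\\windows")
    return low.startswith(TRUSTED_DIRS)


def find_safeboot_outliers(reg_text):
    """List Safe Mode services whose binary is missing or outside system dirs."""
    keys = parse_reg(reg_text)
    safeboot, image_paths = {}, {}
    for key, values in keys.items():
        m = SAFEBOOT_RE.search(key)
        if m and values.get("@", "").strip('"').lower() == "service":
            safeboot.setdefault(m.group(2), set()).add(m.group(1))
            continue
        m = SERVICES_RE.search(key)
        if m and "ImagePath" in values:
            image_paths[m.group(1)] = values["ImagePath"]
    findings = []
    for svc, modes in sorted(safeboot.items()):
        exe = executable_of(image_paths.get(svc, ""))
        if not exe:
            findings.append({"service": svc, "modes": sorted(modes), "image": None,
                             "reason": "no ImagePath found for Safe Mode service"})
        elif not is_system_binary(exe):
            findings.append({"service": svc, "modes": sorted(modes), "image": exe,
                             "reason": "Safe Mode service binary outside system dirs"})
    return findings


if __name__ == "__main__":
    for f in find_safeboot_outliers(SAMPLE_REG):
        print(f"{f['service']} [{', '.join(f['modes'])}] -> {f['image']}: {f['reason']}")
```

On a live host the same logic runs over the output of `reg export` for those two key trees; the allowlist here is deliberately narrow (system directories only), so a legitimately deployed third-party Safe Mode service would also be reported and should be added to an approved list rather than silencing the rule.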

Image generated with AI.

The implications are serious: defenders see legitimate software signed by a trusted vendor, while the attacker keeps persistence, moves laterally and can return at any time. The pattern fits Initial Access Broker (IAB) activity and pre-ransomware operations: compromise high-value access that is then sold or exploited in later phases. For organizations, the combination of targeted social engineering, staging on legitimate hosts and abuse of RMM tools reduces the effectiveness of signature-based controls and calls for a behavioral and architectural approach to detection.

In practical terms, defenses must advance on two fronts: preventing initial access, and detecting and eradicating unauthorized RMM presence. On prevention, beyond strengthening SPF/DMARC/DKIM and sandboxing links and downloads, it is critical to limit the ability to install software with privileges: enforce least-privilege policies, use application allowlisting (AppLocker or WDAC), and require explicit approval before any RMM solution is installed. Protecting the web and hosting ecosystem is also essential: monitor access to cPanel control panels, rotate credentials and review the integrity of hosting accounts that could be used to stage binaries.


In detection and incident response, teams should look for the concrete behaviors that reveal this operation: creation of persistent services that survive Safe Mode, processes that are automatically relaunched (the watchdog), frequent WMI queries about security products, periodic user-presence probes, executions of elev_win.exe or requests for SeDebugPrivilege, and the sudden appearance of RMM clients (SimpleHelp or ScreenConnect) on workstations or servers. When there is suspicion, urgent actions include isolating the affected endpoints, collecting artifacts and memory for analysis, disabling unauthorized remote access, rotating privileged credentials and, if necessary, rebuilding from clean copies.

In cyber-intelligence and incident-response practice, it is advisable to deploy detection rules that do not depend on signatures: alerts on changes to Windows services, automatic process-restart patterns, unjustified privilege elevations and RMM communications to unusual or newly registered domains. Network segmentation and lateral-movement controls limit the attacker's ability to expand the compromise. Finally, continuous user training to recognize emails that impersonate official institutions remains an essential link.
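The behaviors listed in the two preceding paragraphs (service installs, watchdog restarts, SeDebugPrivilege use, elev_win.exe launches) map onto standard Windows Security log events, so they can be expressed as signature-free rules over those records. The script below is an added example, not code from the article or from any vendor; it runs four such rules over a constructed set of event records (hypothetical host, user and path names) in which a remote-access service is installed, killed twice by an analyst and relaunched by its watchdog, then enables SeDebugPrivilege and spawns elev_win.exe.

```python
"""Signature-free detection over Windows Security log records for the
behaviours the article lists: unapproved RMM service installs (event 7045),
a watchdog relaunching a killed process (4689 followed quickly by 4688),
SeDebugPrivilege being enabled (4703) and elev_win.exe launches (4688).
Added example, not from the article; all events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings that suggest an RMM client; extend with the names in use locally.
RMM_MARKERS = ("simplehelp", "screenconnect", "connectwise", "remoteaccess")
APPROVED_RMM_SERVICES = set()        # assumption: no RMM service is sanctioned here
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\")
RESTART_WINDOW = timedelta(seconds=30)   # a stop->start gap this short smells of a watchdog
MIN_RESTARTS = 2

# Constructed event records (fields reduced to what the rules need).
RMM_EXE = r"C:\ProgramData\ExampleRemote\RemoteAccessService.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
EVENTS = [
    {"ts": "2025-04-15T09:00:00", "host": "WS-042", "id": 4688, "image": SVCHOST, "user": "SYSTEM"},
    {"ts": "2025-04-15T09:02:10", "host": "WS-042", "id": 7045, "service": "RemoteAccessSvc", "image": RMM_EXE},
    {"ts": "2025-04-15T09:02:12", "host": "WS-042", "id": 4688, "image": RMM_EXE, "user": "SYSTEM"},
    {"ts": "2025-04-15T09:05:40", "host": "WS-042", "id": 4689, "image": RMM_EXE},   # analyst kills it
    {"ts": "2025-04-15T09:05:43", "host": "WS-042", "id": 4688, "image": RMM_EXE, "user": "SYSTEM"},
    {"ts": "2025-04-15T09:06:10", "host": "WS-042", "id": 4689, "image": RMM_EXE},   # killed again
    {"ts": "2025-04-15T09:06:12", "host": "WS-042", "id": 4688, "image": RMM_EXE, "user": "SYSTEM"},
    {"ts": "2025-04-15T09:09:30", "host": "WS-042", "id": 4703, "process": RMM_EXE, "enabled": "SeDebugPrivilege"},
    {"ts": "2025-04-15T09:09:35", "host": "WS-042", "id": 4688, "image": r"C:\ProgramData\ExampleRemote\elev_win.exe", "user": "jdoe"},
    {"ts": "2025-04-15T09:10:00", "host": "WS-042", "id": 4689, "image": SVCHOST},   # benign: slow restart
    {"ts": "2025-04-15T09:12:00", "host": "WS-042", "id": 4688, "image": SVCHOST, "user": "SYSTEM"},
]


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def _in_user_dir(path):
    return any(m in path.lower() for m in USER_WRITABLE)


def _looks_like_rmm(name):
    return any(m in name.lower() for m in RMM_MARKERS)


def detect(events):
    """Return (host, rule, detail) alerts for the behaviours described above."""
    alerts = []
    lifecycle = defaultdict(list)        # (host, image) -> [("start"|"stop", time)]
    for ev in sorted(events, key=_t):
        host, eid = ev["host"], ev["id"]
        if eid == 7045:
            svc, image = ev["service"], ev["image"]
            if svc not in APPROVED_RMM_SERVICES and (
                    _looks_like_rmm(svc) or _looks_like_rmm(image) or _in_user_dir(image)):
                alerts.append((host, "rmm_service_install", f"{svc} -> {image}"))
        elif eid == 4703 and "sedebugprivilege" in ev.get("enabled", "").lower():
            alerts.append((host, "sedebug_enabled", ev["process"]))
        elif eid == 4688:
            image = ev["image"]
            if image.lower().rsplit("\\", 1)[-1] == "elev_win.exe":
                alerts.append((host, "elev_win_launch", f"{ev.get('user', '?')} started {image}"))
            lifecycle[(host, image)].append(("start", _t(ev)))
        elif eid == 4689:
            lifecycle[(host, ev["image"])].append(("stop", _t(ev)))

    # Watchdog rule: count terminations followed by a relaunch within RESTART_WINDOW.
    for (host, image), seq in lifecycle.items():
        restarts, last_stop = 0, None
        for kind, ts in seq:                 # seq is already in time order
            if kind == "stop":
                last_stop = ts
            elif last_stop is not None and ts - last_stop <= RESTART_WINDOW:
                restarts += 1
                last_stop = None
        if restarts >= MIN_RESTARTS:
            alerts.append((host, "watchdog_restart",
                           f"{image} restarted {restarts}x within {RESTART_WINDOW.seconds}s of being killed"))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

The restart rule keys on the stop-to-start gap rather than on raw process-creation counts, so routinely recycled system processes such as svchost.exe do not trigger it; tune RESTART_WINDOW and MIN_RESTARTS against a baseline before enabling it fleet-wide.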

This campaign is a reminder that a binary being signed, or coming from a known vendor, does not make it benign by itself when it is installed without control. For deeper recommendations and mitigation frameworks on remote access tool abuse and ransomware-related threats, see official resources such as the CISA Ransomware Response Guide at https://www.cisa.gov/stopransomware and industry analyses of RMM abuse in vendor bulletins such as those from Sophos and Red Canary, for example at https://news.sophos.com/ and https://redcanary.com/blog/. Acting now, combining mail hygiene, installation control and behavior-based detection, is the best way to mitigate this kind of threat.
