Fake SSA Emails Drive Venomous#Helper Phishing Campaign

A long-running phishing operation that abuses signed remote monitoring and management (RMM) software to plant silent, persistent backdoors on victim machines has compromised more than 80 organizations, predominantly in the US.

Codenamed Venomous#Helper and active since at least April 2025, the campaign pairs a self-hosted SimpleHelp 5.0.1 instance with a ConnectWise ScreenConnect relay to give operators two independent access channels on every infected host, according to new research from Securonix.

The activity overlaps with a cluster previously tracked by both Red Canary and Sophos, the latter assigning it the name STAC6405. Securonix has not attributed Venomous#Helper to a known group but assessed that it is consistent with a financially motivated initial access broker or a precursor to ransomware deployment.

Government Impersonation Drives Silent Installation

Infections began with an email impersonating the US Social Security Administration (SSA), instructing recipients to verify their address and download a statement.

Securonix found the link directed victims to a compromised Mexican business site, gruta[.]com.mx, which served an SSA-branded harvesting page before redirecting to a payload hosted on a separate compromised cPanel account. The researchers said the use of established .com.mx domains was a deliberate attempt to bypass secure email gateway reputation filtering.

The downloaded executable, named to look like a numbered government document, was a JWrapper-packaged binary signed by SimpleHelp Ltd with a valid Thawte certificate.

That signature produced a blue verified-publisher prompt rather than the red unknown-publisher warning typical of malware, which Securonix said was the only point in the chain that required victim interaction.

Dual-Channel Persistence and Automated Surveillance

Once approved, the installer registered a Windows service called "Remote Access Service" and wrote to the SafeBoot\Network registry hive, ensuring it survives Safe Mode reboots.

A liveness watchdog monitored the RAT process and restarted it automatically if killed. The SimpleHelp build deployed was a cracked 2017 package whose certificate expired in 2018, indicating the operators incurred no licensing cost and left no vendor paper trail.

In a one-hour observation, Securonix recorded 986 process-creation events generated solely by background polling, with no operator interaction.

Three loops ran concurrently: a WiFi interface check every 15 seconds, mouse-position polling every 23 seconds and a synchronized security-product enumeration sweep every 67 seconds. The mouse-position loop, researchers said, suggested operators waited for a victim to step away before engaging hands-on-keyboard.

Securonix also flagged a notable evasion technique in which the RAT executed WMIC queries via a renamed copy of the binary, stored as wmic.exe.bak, thereby defeating EDR rules keyed to the original filename. The file should be treated as a high-confidence indicator of compromise.

The dual-RMM design was intentional. As the Securonix researchers noted in their advisory, "when the malware is the IT management software, the only thing that catches it is the behavior it leaves behind."

Defenders were urged to deploy high-fidelity endpoint telemetry systems, maintain approved-tool inventories and hunt for anomalous process lineage from signed RMM binaries.
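As an added example (not code from the article or the Securonix report), the two behaviours above, a renamed WMIC binary and fixed-cadence polling under an RMM parent, expressed as detection logic over constructed Sysmon-style process-creation records. Only the wmic.exe.bak name and the 15- and 67-second cadences come from the article; the parent path, command lines and timestamps are assumptions.

```python
"""Hunt logic for the Venomous#Helper behaviours: (1) WMIC executed under a
renamed filename, caught via the PE OriginalFileName rather than the on-disk
name an EDR rule would key on; (2) near-constant child-process cadence under
one parent, i.e. automated polling rather than an interactive operator.
Records mimic Sysmon Event ID 1 fields; every sample event is constructed."""
from collections import defaultdict
from statistics import mean, pstdev
import ntpath

def renamed_wmic(events):
    """Return Image paths whose PE OriginalFileName is wmic.exe but whose
    on-disk basename is not (e.g. wmic.exe.bak)."""
    return [e["Image"] for e in events
            if e["OriginalFileName"].lower() == "wmic.exe"
            and ntpath.basename(e["Image"]).lower() != "wmic.exe"]

def polling_loops(events, min_events=4, max_jitter=1.0):
    """Group launches by (ParentImage, CommandLine) and report groups whose
    inter-launch gaps are near-constant, mapped to the rounded period in s."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["ParentImage"], e["CommandLine"])].append(e["UtcTime"])
    loops = {}
    for key, times in groups.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:       # jitter-free = machine driven
            loops[key] = round(mean(gaps))
    return loops

# Constructed parent path for the "Remote Access Service" RMM; not from the report.
RMM_PARENT = r"C:\Program Files\Remote Access Service\RemoteAccess.exe"

def _ev(t, image, orig, cmdline, parent=RMM_PARENT):
    return {"UtcTime": t, "Image": image, "OriginalFileName": orig,
            "CommandLine": cmdline, "ParentImage": parent}

# Constructed sample telemetry: a 15 s WiFi check, a 67 s sweep through the
# renamed WMIC binary, and one unrelated interactive launch.
SAMPLE_EVENTS = (
    [_ev(15 * i, r"C:\Windows\System32\netsh.exe", "netsh.exe",
         "netsh wlan show interfaces") for i in range(5)]
    + [_ev(67 * i, r"C:\Users\Public\wmic.exe.bak", "wmic.exe",
           "wmic.exe.bak path Win32_Product get Name") for i in range(4)]
    + [_ev(100, r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
           "notepad.exe", parent=r"C:\Windows\explorer.exe")]
)

if __name__ == "__main__":
    print(renamed_wmic(SAMPLE_EVENTS))
    print(polling_loops(SAMPLE_EVENTS))
```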