
Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools
Why It Matters
The operation shows how cybercriminals can weaponize trusted RMM solutions to achieve persistent, stealthy access, raising the threat level for enterprises that rely on remote support tools. It forces security teams to adopt behavior‑based detection and stricter controls over legitimate remote‑access software.
Key Takeaways
- Campaign hit 80+ U.S. organizations using SimpleHelp and ScreenConnect.
- Phishing emails spoof SSA and link to compromised Mexican domains.
- Attack installs RMM tools with self‑healing watchdog and Safe Mode persistence.
- Dual‑channel remote access ensures continuity if one tool is blocked.
- Legitimate signed binaries bypass AV, requiring behavior‑based detection.
Pulse Analysis
The VENOMOUS#HELPER campaign underscores a growing trend: threat actors are hijacking legitimate Remote Monitoring and Management (RMM) platforms to slip past perimeter defenses. By impersonating the U.S. Social Security Administration, the phishing emails achieve high open rates, while the malicious links point to compromised Mexican domains that host a JWrapper‑packed executable. Once executed, the payload installs SimpleHelp, a reputable UK‑based remote‑support tool, and later adds ConnectWise ScreenConnect as a fallback, creating a dual‑channel foothold that can survive the removal of either component.
Technically, the attack chain is sophisticated. The Windows executable registers as a service with Safe Mode persistence and launches a self‑healing watchdog that restarts the process if terminated. It escalates privileges by acquiring SeDebugPrivilege and leveraging the legitimate elev_win.exe to gain SYSTEM rights, enabling full desktop interaction, keystroke injection, and file transfers. The malware also polls the system’s security product list every 67 seconds via WMI, allowing the operators to adapt their tactics in real time. This layered approach—combining signed binaries, privilege escalation, and redundant remote‑access channels—makes signature‑based detection largely ineffective.
For enterprises, the campaign is a stark reminder that trusted remote‑access tools can become attack vectors. Organizations should enforce strict inventory and usage policies for RMM software, implement multi‑factor authentication for privileged actions, and deploy behavior‑analytics solutions that flag anomalous service installations or unusual privilege escalations. Network segmentation can limit lateral movement, while continuous threat‑intel sharing helps security teams stay ahead of evolving RMM abuse tactics. Adopting these controls reduces the attack surface and improves resilience against sophisticated initial‑access brokers.
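As an added illustration of the behavior‑based detection the analysis recommends (example code written for this page, not part of the original article or of any vendor product), the script below triages a small set of constructed Windows telemetry records: System‑log 7045 service installs, Sysmon registry‑set events under the SafeBoot keys, and WMI security‑product queries. The normalized event format, the file paths, the service name and the 67‑second polling cadence in the sample data are all constructed; only the RMM tool names and the tactics (Safe Mode persistence, periodic security‑product polling) come from the article.

```python
"""Behaviour-based triage of Windows telemetry for RMM abuse.

Added example, not from the article. Event records are a constructed,
normalized form of: System log Event ID 7045 (service installed),
Sysmon Event ID 13 (registry value set) and WMI query tracing.
"""
import re
from datetime import datetime

# Remote-support tools named in the article; matching on substrings is an assumption.
RMM_MARKERS = ("simplehelp", "screenconnect", "connectwise")
# Directories a normal user can write to; a service binary here is suspicious.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# A subkey under SafeBoot\Minimal or SafeBoot\Network makes a service start in Safe Mode.
SAFEBOOT_RE = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.IGNORECASE)
# WMI classes that enumerate installed security products.
AV_QUERY_RE = re.compile(r"securitycenter2|antivirusproduct", re.IGNORECASE)

# Constructed sample telemetry (not real data from the campaign).
EVENTS = [
    {"kind": "service_install", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"kind": "service_install", "service_name": "SimpleHelpService",
     "image_path": r"C:\ProgramData\RemoteSupport\SimpleHelpService.exe"},
    {"kind": "registry_set", "pid": 4120,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SimpleHelpService"},
    {"kind": "registry_set", "pid": 900,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"kind": "wmi_query", "pid": 800, "ts": "2025-01-15 09:59:30",
     "query": "SELECT * FROM Win32_OperatingSystem"},
] + [
    {"kind": "wmi_query", "pid": 4120, "ts": ts,
     "query": "SELECT displayName FROM AntiVirusProduct"}
    for ts in ("2025-01-15 10:00:00", "2025-01-15 10:01:07", "2025-01-15 10:02:14",
               "2025-01-15 10:03:21", "2025-01-15 10:04:28")
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def has_rmm_marker(text):
    t = text.lower()
    return any(m in t for m in RMM_MARKERS)


def flag_service_installs(events):
    """Flag 7045 service installs that name an RMM tool or run from a user-writable path."""
    findings = []
    for e in events:
        if e["kind"] != "service_install":
            continue
        path = e["image_path"].lower()
        reasons = []
        if has_rmm_marker(e["service_name"] + " " + path):
            reasons.append("rmm-tool-service")
        if any(d in path for d in USER_WRITABLE):
            reasons.append("user-writable-path")
        if reasons:
            findings.append((e["service_name"], reasons))
    return findings


def flag_safeboot_persistence(events):
    """Flag registry writes under SafeBoot\\Minimal or SafeBoot\\Network (Safe Mode persistence)."""
    return [e["target"] for e in events
            if e["kind"] == "registry_set" and SAFEBOOT_RE.search(e["target"])]


def flag_periodic_av_polling(events, min_repeats=4, jitter_s=3):
    """Group security-product WMI queries by process; flag a near-constant cadence.

    Returns (pid, average period in seconds) for each process whose queries
    repeat at least min_repeats times with gaps that vary by at most jitter_s.
    """
    by_pid = {}
    for e in events:
        if e["kind"] == "wmi_query" and AV_QUERY_RE.search(e["query"]):
            by_pid.setdefault(e["pid"], []).append(_ts(e["ts"]))
    findings = []
    for pid, times in sorted(by_pid.items()):
        times.sort()
        if len(times) < min_repeats:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            findings.append((pid, round(sum(gaps) / len(gaps))))
    return findings


def triage(events):
    return {
        "service_installs": flag_service_installs(events),
        "safeboot_persistence": flag_safeboot_persistence(events),
        "av_polling": flag_periodic_av_polling(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {hits}")
```

The three checks are independent on purpose: a signed RMM binary will pass antivirus, but a service install from ProgramData, a SafeBoot subkey written for that service, and the same process enumerating AntiVirusProduct on a fixed clock are each observable regardless of the binary's signature, and correlating them on the process id (4120 in the constructed data) is what turns three low-severity events into one high-confidence finding.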