Fake SSA Emails Fuel Venomous#Helper Phishing Attacks

Summary
– A phishing campaign named Venomous#Helper, active since April 2025, has compromised over 80 organizations by using signed RMM software to install persistent backdoors.
– Infections start with an email impersonating the US Social Security Administration, directing victims to a compromised Mexican site that delivers a signed SimpleHelp installer.
– The installer creates a persistent Windows service, survives Safe Mode reboots, and uses a liveness watchdog to automatically restart the RAT if killed.
– The malware runs concurrent background polling loops every 15–67 seconds to check WiFi, mouse position, and security products, waiting for victims to step away before engaging.
– The attackers use a dual-RMM design with SimpleHelp and ConnectWise ScreenConnect, and evade EDR by executing WMIC queries via a renamed copy of the binary.
A sophisticated phishing campaign, active since at least April 2025 and tracked as Venomous#Helper, has breached over 80 organizations, with the vast majority located in the United States. The operation exploits legitimate Remote Monitoring and Management (RMM) software to install covert, persistent backdoors on compromised systems.
According to a detailed analysis from Securonix, the attack chain deploys a self-hosted SimpleHelp 5.0.1 instance alongside a ConnectWise ScreenConnect relay. This dual-RMM architecture provides attackers with two independent access channels on each infected host, significantly complicating detection and removal efforts.
The campaign shares behavioral overlaps with a cluster previously documented by Red Canary and Sophos, the latter referring to it as STAC6405. While Securonix has not attributed Venomous#Helper to any specific threat group, the researchers assess its tactics, techniques, and procedures (TTPs) are consistent with a financially motivated initial access broker or a precursor to ransomware deployment.
Government Impersonation Bypasses Security Filters
The infection chain begins with a deceptive email impersonating the US Social Security Administration (SSA). Recipients are instructed to verify their address and download a statement. The embedded link directs victims to a compromised Mexican business domain, gruta[.]com.mx, which hosts an SSA-branded credential harvesting page. From there, users are redirected to a payload hosted on a separate compromised cPanel account.
Securonix noted that the use of established .com.mx domains was a deliberate tactic to evade secure email gateway reputation filtering. The downloaded executable, disguised as a numbered government document, is a JWrapper-packaged binary signed by SimpleHelp Ltd with a valid Thawte certificate. This legitimate signature triggers a blue verified-publisher prompt instead of the red unknown-publisher warning typical of malware. Researchers emphasized that this approval step was the only point in the entire infection chain requiring victim interaction.
Dual-Channel Persistence and Automated Surveillance
Once the victim approves the installation, the installer creates a Windows service named “Remote Access Service” and writes to the SafeBoot\Network registry key, which ensures the backdoor is loaded even when Windows boots into Safe Mode with Networking. A liveness watchdog continuously monitors the RAT process and automatically restarts it if terminated.
The deployed SimpleHelp build is a cracked 2017 package whose certificate expired in 2018, indicating the operators avoided licensing costs and left no vendor paper trail. During a one-hour observation, Securonix recorded 986 process-creation events generated solely by background polling, with no operator interaction.
Three concurrent monitoring loops run on each infected host: a WiFi interface check every 15 seconds, mouse-position polling every 23 seconds, and a synchronized security-product enumeration sweep every 67 seconds. The mouse-position loop, researchers noted, suggests operators wait for the victim to step away before engaging in hands-on-keyboard activity.
Securonix also flagged a notable evasion technique: the RAT executes WMIC queries via a renamed copy of the binary stored as wmic.exe.bak. This defeats EDR rules keyed to the original filename. The file should be treated as a high-confidence indicator of compromise.
As the Securonix researchers observed, “when the malware is the IT management software, the only thing that catches it is the behavior it leaves behind.” Defenders are urged to deploy high-fidelity endpoint telemetry systems, maintain approved-tool inventories, and hunt for anomalous process lineage from signed RMM binaries.
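The two behavioural signals described above, the fixed-cadence polling loops and the renamed wmic.exe.bak, can be hunted in process-creation telemetry without relying on filenames. The following is an added example (not Securonix's or Infosecurity Magazine's code) that runs that logic over constructed Sysmon-style records; the parent service path, the netsh child and the timestamps are hypothetical sample values, and only the wmic.exe.bak name comes from the report.

```python
"""Hunt constructed Sysmon-style process-creation records for (1) a binary whose
on-disk name differs from its PE OriginalFileName (the wmic.exe.bak trick) and
(2) a parent that re-spawns the same child at a near-constant interval (the
15/23/67-second polling loops). Parent path and child commands are hypothetical."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

RMM = r"C:\ProgramData\RemoteAccess\service.exe"  # hypothetical RMM service path
EVENTS = [  # constructed: (utc_time, parent_image, image, pe_original_file_name)
    ("2025-05-01T12:00:00", RMM, r"C:\Windows\System32\netsh.exe", "netsh.exe"),
    ("2025-05-01T12:00:05", RMM, r"C:\ProgramData\RemoteAccess\wmic.exe.bak", "wmic.exe"),
    ("2025-05-01T12:00:15", RMM, r"C:\Windows\System32\netsh.exe", "netsh.exe"),
    ("2025-05-01T12:00:30", RMM, r"C:\Windows\System32\netsh.exe", "netsh.exe"),
    ("2025-05-01T12:00:45", RMM, r"C:\Windows\System32\netsh.exe", "netsh.exe"),
    ("2025-05-01T12:01:12", RMM, r"C:\ProgramData\RemoteAccess\wmic.exe.bak", "wmic.exe"),
    ("2025-05-01T12:02:19", RMM, r"C:\ProgramData\RemoteAccess\wmic.exe.bak", "wmic.exe"),
    ("2025-05-01T12:03:01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE"),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def renamed_binaries(events):
    """Images whose on-disk name differs from the PE OriginalFileName.
    Keying on version-info metadata rather than the filename catches wmic.exe.bak
    even though a rule written for 'wmic.exe' would miss it."""
    return sorted({(basename(img), orig.lower())
                   for _, _, img, orig in events if basename(img) != orig.lower()})

def periodic_spawns(events, min_runs=3, max_jitter_s=2.0):
    """Map (parent, child) -> mean interval for children spawned at a steady cadence.
    A long-lived RMM parent re-launching the same child every N seconds with almost
    no jitter is an automated polling loop, not a human at the keyboard."""
    runs = defaultdict(list)
    for ts, parent, img, _ in events:
        runs[(basename(parent), basename(img))].append(datetime.fromisoformat(ts))
    out = {}
    for key, times in runs.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_runs and pstdev(gaps) <= max_jitter_s:
            out[key] = round(mean(gaps), 1)
    return out

if __name__ == "__main__":
    print("renamed binaries:", renamed_binaries(EVENTS))
    print("periodic spawns:", periodic_spawns(EVENTS))
```

In production the same two functions would be fed from Sysmon Event ID 1 (Image, ParentImage, OriginalFileName, UtcTime) rather than the inline list.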
(Source: Infosecurity Magazine)