VENOMOUS#HELPER: SSA Phishing Drops Dual-RMM on 80+ Orgs by Living off Trusted Vendors


Securonix tracked a phishing campaign that has compromised more than 80 organizations — mostly U.S.-based — by abusing legitimate SimpleHelp and ConnectWise ScreenConnect remote-monitoring tools. The lure impersonates the U.S. Social Security Administration. The architecture is dual-RMM redundancy: when defenders detect one channel, the other persists.

Securonix Threat Research published findings on May 4, 2026, on a phishing campaign tracked as VENOMOUS#HELPER that has impacted more than 80 organizations, primarily in the United States, since at least April 2025. The campaign abuses legitimately licensed remote-monitoring-and-management (RMM) tools — specifically SimpleHelp and ConnectWise ScreenConnect — to establish persistent remote access, bypassing signature-based defenses that allow-list these widely deployed IT-support products. The activity overlaps with clusters previously tracked by Red Canary and Sophos; Sophos refers to the cluster as STAC6405. Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee assess that the campaign aligns with a financially motivated Initial Access Broker or ransomware-precursor operation.

The single most consequential operational detail: this is dual-RMM by design. Once the SimpleHelp client is installed and elevated to SYSTEM, attackers download and install ConnectWise ScreenConnect as a fallback channel. Securonix calls this "redundant dual-channel access architecture" — engineered so that if defenders detect and remove one tool, the other remains active. As the researchers wrote: standard antivirus and signature-based controls "see nothing but legitimately signed software from a reputable U.K. vendor."

VENOMOUS#HELPER Campaign Profile

| Detail | Information |
| --- | --- |
| Researcher | Securonix Threat Research (Akshay Gaikwad, Shikha Sangwan, Aaron Beardslee) |
| Campaign name | VENOMOUS#HELPER (Securonix); STAC6405 (Sophos cluster); also tracked by Red Canary |
| Active since | At least April 2025 |
| Organizations affected | More than 80, mostly U.S.-based |
| Phishing lure | Emails impersonating the U.S. Social Security Administration (SSA) |
| Primary RMM tool | Customized SimpleHelp (version 5.0.1) |
| Privilege escalation | SimpleHelp client acquires SeDebugPrivilege via AdjustTokenPrivileges; legitimate elev_win.exe used for SYSTEM-level access |
| Secondary RMM tool | ConnectWise ScreenConnect — installed via SYSTEM-elevated SimpleHelp as fallback channel |
| Assessed motivation | Financially motivated Initial Access Broker (IAB) or ransomware precursor operation |

The SSA Lure and Why It Works

The phishing emails impersonate the U.S. Social Security Administration. The SSA lure works because of three structural features. First, it has government-authority weight — recipients treat SSA correspondence as legitimately consequential and respond with attention they might not give a Dropbox notice or a fake invoice. Second, SSA-themed phishing is harder for users to dismiss as obviously suspicious because real SSA communications do exist and do require user action. Third, SSA-themed lures broaden the targeting beyond IT-savvy employees — they reach finance, HR, payroll, and individual contributors whose personal benefits decisions might plausibly require attention.

The infection pathway lands on a customized SimpleHelp client (version 5.0.1, per Securonix). Once executed, the SimpleHelp installer establishes the first remote-access channel. Because SimpleHelp is a legitimate, code-signed product from a reputable U.K. vendor, the binary itself does not trigger antivirus or EDR signature alerts. Detection at this stage requires behavioral analytics — recognizing that an RMM tool is being installed outside change-control windows, on an endpoint not normally managed by SimpleHelp, by a process chain that traces back to an email attachment.

The Privilege-Escalation Chain

This is the technically novel part of the campaign. Securonix documents that the SimpleHelp remote-access client acquires SeDebugPrivilege via AdjustTokenPrivileges — the standard Windows API call that allows a process to enable privileges already in its access token. Once SeDebugPrivilege is enabled, the client invokes elev_win.exe, a legitimate executable that ships with SimpleHelp, to gain SYSTEM-level privileges.

The choice of elev_win.exe matters because it is signed and shipped by SimpleHelp itself. EDR products that trust signed binaries from vetted vendors will see SYSTEM elevation happen via a legitimate code-signed pathway. The behavioral signal is not "unsigned binary elevating to SYSTEM" — it is "SimpleHelp running on a host that is not part of our SimpleHelp deployment, elevating to SYSTEM." That distinction is the difference between detection and miss for most signature-based controls.

With SYSTEM privileges, attackers gain the full remote-access capability set: screen reading, keystroke injection, access to user-context resources (browsers, password managers, mounted shares). At this point, the operator drops the second RMM client.

Dual-RMM Redundancy: The Architectural Choice

Once SYSTEM is achieved via SimpleHelp, the operator downloads and installs ConnectWise ScreenConnect. Both tools then run concurrently — not as alternatives, but as redundant access channels. Securonix's framing is precise: "redundant dual-channel access architecture" that ensures continued operations even when either channel is detected and blocked.

This is what makes VENOMOUS#HELPER different from the broader pattern of single-tool RMM abuse seen in cargo-theft campaigns and IRS-impersonation campaigns over the past year. When a defender remediates a SimpleHelp infection, they have not necessarily ended the intrusion. The ScreenConnect channel persists. When the defender realizes ScreenConnect is also installed and remediates that, the operator may still have SimpleHelp active — and may have used the dwell time to install additional persistence mechanisms. Securonix summarized the resulting victim posture: "the attacker can return at any time, execute commands silently in the user's desktop session, transfer files bidirectionally, and pivot to adjacent systems."

The financially motivated assessment matters for defender prioritization. An Initial Access Broker model means VENOMOUS#HELPER is selling access to its 80-plus compromised organizations to ransomware operators. The same victim may face encryption or extortion months after the initial compromise. The detection-and-eviction window for victims is shrinking as IAB-to-ransomware time-to-impact has compressed across 2025–2026. This sits within the broader cybercrime-velocity picture Europol documented in IOCTA 2026.

Defender Actions for This Week

  • Inventory RMM tools deployed in your environment and establish an allow-list, not a deny-list. SimpleHelp, ConnectWise ScreenConnect, AnyDesk, TeamViewer, Atera, NinjaOne, Splashtop, and others are all legitimate tools being abused. Document approved versions, deployment scopes, and authorized signers — and alert on anything outside that profile. Behavioral signals (unexpected file paths, unrecognized signing certificates, unusual registry entries) are higher-fidelity than signatures.
  • Hunt for RMM installation events outside change-control windows. RMM tools should be installed only as part of IT onboarding or a tracked change ticket. Installations outside those windows — particularly on executive, finance, or HR endpoints — warrant immediate investigation. EDR rules can detect installation events with high fidelity if the behavior baseline is established.
  • Specifically hunt for both SimpleHelp 5.0.1 and ConnectWise ScreenConnect on the same host. The dual-RMM redundancy architecture makes co-presence a high-value detection signal. Even if your environment legitimately uses one of these tools, the presence of both — particularly on endpoints where neither is the documented standard — is suspicious.
  • Block outbound connections from RMM client processes to unfamiliar infrastructure. Most RMM tools call home to a known set of vendor domains. Allowlist those; alert on any RMM client establishing connections to unrecognized domains or IPs. This is a high-fidelity signal of malicious RMM use.
  • Add SSA-impersonation lures to phishing-simulation catalogs. The combination of government authority, plausible action requirement, and broad targeting (beyond IT-aware staff) is a gap most awareness programs underweight. Run a quarterly simulation; measure click and credential-submission rates.
  • Brief help-desk and IT-support staff on the social-engineering vector. Reinforce that legitimate IT will never ask users to install remote-access software via an email link or a phone call without an out-of-band verification process. The same vishing-and-help-desk pattern that drove Cordial Spider, Snarky Spider, and similar threat clusters applies here.

The CyberSignal Analysis

Signal 01 — Living-off-the-trusted-vendor is the new edge over LotL

Living-off-the-land tradecraft used native Windows binaries (PowerShell, certutil, bitsadmin) to execute malicious behavior under signed Microsoft binaries. Living-off-the-trusted-vendor extends that logic: attackers use signed third-party software from reputable vendors that defenders have already allow-listed. SimpleHelp and ConnectWise ScreenConnect are not malware; they are legitimate IT tools with valid code signatures. Defending against their abuse requires moving the detection question from "is this binary trusted?" to "is this binary running where it is supposed to be running?" That shift demands behavioral analytics, baseline-aware EDR rules, and asset inventory that knows which RMM tools are authorized on which endpoints. Most organizations are not there yet.

Signal 02 — Dual-RMM redundancy raises the eviction bar

The architectural choice to deploy two RMM tools concurrently is an attacker response to defender capability. A single-tool intrusion can be remediated in one EDR playbook run; dual-tool intrusions require either both tools being detected simultaneously or a thorough hunt across the environment. The realistic defender posture is that any RMM detection should trigger a hunt for additional RMM tools on the same host, not just the one detected. Treat RMM as a class detection — when one is found where it should not be, look for others. The Securonix research is the clearest documentation yet that this is now standard tradecraft, not an outlier.
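As an added example (not code from Securonix or from either RMM vendor), the Python below runs a baseline-aware RMM hunt over constructed endpoint telemetry and implements the three checks that the Defender Actions list and Signal 02 describe: an RMM tool running on a host outside its documented deployment scope, two RMM tools co-present on one host, and an RMM process connecting to a domain outside the vendor allow-list. The policy table, the process-name mapping (except elev_win.exe, which the report names) and all domains and hostnames are placeholders, not real vendor or victim values.

```python
# Added example: baseline-aware RMM hunt over constructed telemetry.
# Flags RMM outside documented scope, dual-RMM co-presence on one host,
# and RMM processes reaching destinations outside the vendor allow-list.
from collections import defaultdict

# Assumed policy: which RMM product is authorized on which hosts, and which
# outbound domains that product is expected to contact (placeholder domains).
RMM_POLICY = {
    "SimpleHelp": {"hosts": {"IT-HELPDESK-01"}, "domains": {"simplehelp-vendor.example"}},
    "ScreenConnect": {"hosts": set(), "domains": {"screenconnect-vendor.example"}},
}
# Process image -> RMM product. elev_win.exe is named in the report; the other
# two image names are placeholders for this example, not the vendors' real ones.
RMM_PROCESSES = {
    "simplehelp-client.exe": "SimpleHelp",
    "elev_win.exe": "SimpleHelp",
    "screenconnect-client.exe": "ScreenConnect",
}

def hunt(events):
    """events: dicts with host, image and optional dest_domain; returns sorted findings."""
    findings = set()
    seen = defaultdict(set)  # host -> RMM products observed on it
    for ev in events:
        product = RMM_PROCESSES.get(ev["image"])
        if product is None:
            continue  # not an RMM binary we track
        policy = RMM_POLICY[product]
        seen[ev["host"]].add(product)
        if ev["host"] not in policy["hosts"]:
            findings.add((ev["host"], "rmm_outside_scope", product))
        dest = ev.get("dest_domain")
        if dest and dest not in policy["domains"]:
            findings.add((ev["host"], "rmm_unexpected_destination", f"{product}->{dest}"))
    # The redundancy architecture itself is the signal: two RMM tools, one host.
    for host, products in seen.items():
        if len(products) > 1:
            findings.add((host, "dual_rmm_copresence", "+".join(sorted(products))))
    return sorted(findings)

SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"host": "IT-HELPDESK-01", "image": "simplehelp-client.exe", "dest_domain": "simplehelp-vendor.example"},
    {"host": "FIN-LAPTOP-07", "image": "simplehelp-client.exe", "dest_domain": "simplehelp-vendor.example"},
    {"host": "FIN-LAPTOP-07", "image": "elev_win.exe"},
    {"host": "FIN-LAPTOP-07", "image": "screenconnect-client.exe", "dest_domain": "relay.placeholder.example"},
    {"host": "HR-DESKTOP-02", "image": "notepad.exe"},
]

if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(host, rule, detail)
```

In a real environment the events would come from EDR process-creation and network-connection telemetry, and the policy table from the RMM asset inventory the Defender Actions list asks you to build.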

Signal 03 — The IAB-to-ransomware time horizon is the real risk window

VENOMOUS#HELPER's assessed financial motivation as an Initial Access Broker means the 80-plus victim organizations are already in a market — their access is being sold or held for sale to ransomware operators. The compromise-to-impact timeline for IAB victims has compressed substantially over 2024–2026; the historical six-to-twelve-month dwell time has shortened, in many documented cases, to weeks. Organizations that detected an SSA-themed phishing event in 2025 and did not perform a full RMM hunt may already be on a leak site without knowing it. The honest framing for any organization with even partial indicators of this campaign is that retrospective hunt is not optional. The cost of not finding latent dual-RMM persistence in your environment is not "what if attackers come back" — it is "when does the encryption notice land."


Sources

| Type | Source |
| --- | --- |
| Reporting | The Hacker News: Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools (Ravie Lakshmanan) |
| Reporting | Network Security Magazine: VENOMOUS#HELPER Campaign Detail and SSA Lure |
| Adjacent Threat | Rescana: Cargo Freight Cyber Heists — Hackers Exploit ScreenConnect and SimpleHelp RMM Tools |
| Adjacent Threat | Acronis TRU: Trojanized ScreenConnect Installers Evolve, Dropping Multiple RATs on a Single Machine |
| Industry | MSP Success: ConnectWise ScreenConnect, SimpleHelp Attacks — Reminders That MSPs Have a Target on Their Backs |
