A long-running phishing operation that abuses signed remote monitoring and management (RMM) software to plant silent, persistent backdoors on victim machines has compromised more than 80 organisations, predominantly in the US. Codenamed Venomous#Helper and active since at least April 2025, the campaign pairs a self-hosted SimpleHelp 5.0.1 instance with a ConnectWise ScreenConnect relay to give operators two independent access channels on every infected host, according to new research from Securonix.
The activity overlaps with a cluster previously tracked by both Red Canary and Sophos, the latter assigning it the name STAC6405, and Securonix has assessed that it is consistent with a financially motivated initial access broker or a precursor to ransomware deployment.
Infections began with an email impersonating the US Social Security Administration that asked recipients to verify their address and download a statement; the link went first to a compromised gruta.com[.]mx site, which redirected to a payload hosted on a compromised cPanel account. The downloaded executable was a JWrapper-packaged binary (SimpleHelp's own Java-based installers use this wrapper) signed by SimpleHelp Ltd with a valid Thawte certificate, so the User Account Control prompt showed the blue verified-publisher banner rather than the red unknown-publisher warning. The signature is genuine: the attacker is not forging anything, only shipping a legitimate, publisher-signed RMM client configured to call back to infrastructure the attacker controls, which is why the publisher check alone is not a useful trust signal here.
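Because the binaries are validly signed, the practical hunting signal is not signature failure but where the binary lives and who signed it: a remote-access client signed by an RMM vendor sitting in a user's Downloads or Temp folder, or an RMM service the IT team never deployed. The following PowerShell script is an added example written for this page; it is not code from Securonix, Red Canary, Sophos, or SimpleHelp. The vendor name patterns, the search roots, and the service-path matching are assumptions for illustration and will also match legitimately deployed RMM tooling, so hits need triage against your own asset inventory.

```powershell
# Added hunting example (not from the Securonix report): find validly signed
# RMM executables in user-writable locations and RMM-looking services.
# Signer patterns and search roots are assumptions; adjust to your environment.
$rmmSigners  = @('SimpleHelp', 'ConnectWise', 'ScreenConnect')
$searchRoots = @(
    "$env:USERPROFILE\Downloads",
    "$env:TEMP",
    "$env:LOCALAPPDATA",
    "$env:APPDATA"
)

function Find-UserWritableRmmBinaries {
    param([string[]]$Roots, [string[]]$Signers)

    Get-ChildItem -Path $Roots -Recurse -Include *.exe -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Only report binaries whose signature chains correctly: the point is
        # that a *valid* vendor signature in a user-writable path is the anomaly.
        if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return }
        $subject = $sig.SignerCertificate.Subject
        foreach ($pattern in $Signers) {
            if ($subject -match [regex]::Escape($pattern)) {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Signer  = $subject
                    Issuer  = $sig.SignerCertificate.Issuer
                    Created = $_.CreationTime
                    SizeMB  = [math]::Round($_.Length / 1MB, 1)
                }
                break
            }
        }
      }
}

function Find-RmmServices {
    param([string[]]$Signers)

    # Approximate check: match the service's binary path against the same
    # vendor patterns. Assumed heuristic; legitimate RMM deployments will match too.
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $path = $_.PathName
        $null -ne $path -and ($Signers | Where-Object { $path -match [regex]::Escape($_) }).Count -gt 0
    } | Select-Object Name, DisplayName, StartMode, State, PathName
}

"== Signed RMM binaries in user-writable paths =="
Find-UserWritableRmmBinaries -Roots $searchRoots -Signers $rmmSigners | Format-Table -AutoSize

"== Services whose binary path references an RMM vendor =="
Find-RmmServices -Signers $rmmSigners | Format-Table -AutoSize
```

Run it per host (or wrap it in a scheduled hunt) and compare the output with the list of RMM products your organisation actually licenses; any SimpleHelp or ScreenConnect client that IT did not install, or whose service appeared on the same day as a downloaded "statement" executable, is worth isolating and examining for the callback host it is configured to reach.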