thehackernews.com 5/4/2026, 6:31:29 PM · via preferred

Attackers Abuse SSA Phish to Plant Dual RMM Backdoors

Primary Source securonix.com

An active phishing campaign codenamed VENOMOUS#HELPER has been observed targeting multiple vectors since at least April 2025, using legitimate Remote Monitoring and Management (RMM) software to gain persistent remote access to compromised hosts, according to Securonix. It has impacted over 80 organisations, most of which are in the U.S., and shares overlaps with clusters previously tracked by Red Canary and Sophos, the latter of which has given it the moniker STAC6405.

While it is not clear who is behind the campaign, the security company said it aligns with a financially motivated Initial Access Broker (IAB) or a ransomware precursor operation. Researchers Akshay Gaikwad, Shikha Sangwan and Aaron Beardslee noted that the campaign uses customized SimpleHelp and ScreenConnect RMMs to bypass defenses, with the goal of creating a redundant dual-channel access architecture for ongoing operations. The campaign begins with a phishing email impersonating the U.S. Social Security Administration, directing recipients to download an SSA statement from a compromised domain, leading to the deployment of SimpleHelp and, subsequently, ScreenConnect for remote access.


Article by CyberSIXT