Fake SSA Emails Drive Venomous#Helper Phishing Campaign

https://www.infosecurity-magazine.com/news/ssa-emails-venomous-helper-phishing/

Publish Date: 2026-05-05 10:00:00

Source Domain: www.infosecurity-magazine.com

A long-running phishing operation that abuses signed remote monitoring and management (RMM) software to plant silent, persistent backdoors on victim machines has compromised more than 80 organizations, predominantly in the US.

Codenamed Venomous#Helper and active since at least April 2025, the campaign pairs a self-hosted SimpleHelp 5.0.1 instance with a ConnectWise ScreenConnect relay to give operators two independent access channels on every infected host, according to new research from Securonix.

The activity overlaps with a cluster previously tracked by both Red Canary and Sophos, the latter assigning it the name STAC6405. Securonix has not attributed Venomous#Helper to a known group but assessed that it is consistent with a financially motivated initial access broker or a precursor to ransomware deployment.

Government Impersonation Drives Silent Installation

Infections began with an email impersonating the US Social Security Administration (SSA), instructing recipients to verify their address and download a statement.

Securonix found the link directed victims to a compromised Mexican business site, gruta[.]com.mx, which served an SSA-branded harvesting page before redirecting to a payload hosted on a separate compromised cPanel account. The researchers said the use of established .com.mx domains was a deliberate attempt to bypass secure email gateway reputation filtering.

The downloaded executable, named to look like a numbered government document, was a JWrapper-packaged binary signed by SimpleHelp Ltd with a valid Thawte certificate.

That signature produced a blue verified-publisher prompt rather than the red unknown-publisher warning typical of malware, which Securonix said was the only point in the chain that required victim interaction.
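A hunting rule a defender could run over proxy or download logs to surface the delivery pattern just described (a validly signed RMM installer arriving from a non-vendor host under a document-like filename), added here as an example and not taken from Securonix or the article; the event schema, the trusted-host list and the sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Authenticode publisher names of legitimate RMM installers abused by the
# campaign ("SimpleHelp Ltd" is from the report), mapped to a token expected
# in a genuine installer's filename. The trusted download hosts are an
# assumption for this example; an organisation would use its own allowlist.
RMM_PUBLISHERS = {"SimpleHelp Ltd": "simplehelp"}
TRUSTED_RMM_HOSTS = {"simple-help.com", "rmm.corp.example"}

@dataclass
class DownloadEvent:
    endpoint: str          # workstation that saved the file
    url: str               # download URL from the proxy or browser log
    filename: str
    publisher: str         # Authenticode subject name, "" if unsigned
    signature_valid: bool  # a valid signature is expected here, not exculpatory

def lure_indicators(ev: DownloadEvent) -> list[str]:
    """Return the reasons a download matches the signed-RMM lure pattern."""
    reasons: list[str] = []
    vendor_token = RMM_PUBLISHERS.get(ev.publisher)
    if vendor_token is None or not ev.signature_valid:
        return reasons  # not a validly signed RMM installer: out of scope here
    src = (urlparse(ev.url).hostname or "").lower()
    if not any(src == h or src.endswith("." + h) for h in TRUSTED_RMM_HOSTS):
        reasons.append(f"signed {ev.publisher} installer fetched from {src}")
    stem = ev.filename.lower().rsplit(".", 1)[0]
    if re.search(r"\d{4,}", stem) and vendor_token not in stem:
        reasons.append(f"filename {ev.filename!r} mimics a numbered document")
    return reasons

def triage(events: list[DownloadEvent]) -> dict[str, str]:
    """Map each flagged endpoint to a severity: 'high' when both signals fire."""
    out: dict[str, str] = {}
    for ev in events:
        hits = lure_indicators(ev)
        if hits:
            out[ev.endpoint] = "high" if len(hits) >= 2 else "medium"
    return out

# Constructed sample events (not from the report) mirroring the chain above.
SAMPLE_EVENTS = [
    DownloadEvent("ws-017", "https://cpanel-host.example.test/docs/Statement-2026-0412087.exe",
                  "Statement-2026-0412087.exe", "SimpleHelp Ltd", True),
    DownloadEvent("ws-042", "https://simple-help.com/download/SimpleHelp-windows64-online.exe",
                  "SimpleHelp-windows64-online.exe", "SimpleHelp Ltd", True),
    DownloadEvent("ws-099", "https://cpanel-host.example.test/docs/Notice-88812.exe",
                  "Notice-88812.exe", "", False),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.endpoint, triage([ev]).get(ev.endpoint, "clear"), lure_indicators(ev))
```

Only the first sample endpoint is flagged (both signals fire, severity "high"); the genuine vendor download and the unsigned file are left alone, since the red unknown-publisher prompt already covers the latter.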

Dual-Channel Persistence and Automated Surveillance

Once approved, the installer registered a Windows service…