{"id":240107,"date":"2026-05-05T10:00:00","date_gmt":"2026-05-05T14:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/05\/fake-ssa-emails-drive-venomoushelper-phishing-campaign\/"},"modified":"2026-05-06T06:40:09","modified_gmt":"2026-05-06T10:40:09","slug":"fake-ssa-emails-drive-venomoushelper-phishing-campaign","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/05\/fake-ssa-emails-drive-venomoushelper-phishing-campaign\/","title":{"rendered":"Fake SSA Emails Drive Venomous#Helper Phishing Campaign"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/ssa-emails-venomous-helper-phishing\/\">Fake SSA Emails Drive Venomous#Helper Phishing Campaign<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/ssa-emails-venomous-helper-phishing\/\">https:\/\/www.infosecurity-magazine.com\/news\/ssa-emails-venomous-helper-phishing\/<\/a><\/p>\n<p>Publish Date: 2026-05-05 10:00:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/www.infosecurity-magazine.com\/\">www.infosecurity-magazine.com<\/a><\/p>\n<p>A long-running phishing operation that abuses signed remote monitoring and management (RMM) software to plant silent, persistent backdoors on victim machines has compromised more than 80 organizations, predominantly in the US.<\/p>\n<p>Codenamed Venomous#Helper\u00a0and active since at least April 2025, the campaign pairs a self-hosted SimpleHelp 5.0.1 instance with a ConnectWise ScreenConnect relay to give operators two independent access channels on every infected host, according to new research from Securonix.<\/p>\n<p>The activity overlaps with a cluster previously tracked by both Red Canary and Sophos, the latter assigning it the name STAC6405. 
Securonix has not attributed Venomous#Helper to a known group but assessed that it is consistent with a financially motivated initial access broker or a precursor to ransomware deployment.<\/p>\n<h2><strong>Government Impersonation Drives Silent Installation<\/strong><\/h2>\n<p>Infections began with an email impersonating the US Social Security Administration (SSA), instructing recipients to verify their address and download a statement.<\/p>\n<p>Securonix found the link directed victims to a compromised Mexican business site, gruta[.]com.mx, which served an SSA-branded harvesting page before redirecting to a payload hosted on a separate compromised cPanel account. The researchers said the use of established .com.mx domains was a deliberate attempt to bypass secure email gateway reputation filtering.<\/p>\n<p>The downloaded executable, named to look like a numbered government document, was a JWrapper-packaged binary signed by SimpleHelp Ltd with a valid Thawte certificate.<\/p>\n<p>That signature produced a blue verified-publisher prompt rather than the red unknown-publisher warning typical of malware, which Securonix said was the only point in the chain that required victim interaction.<\/p>\n<h2><strong>Dual-Channel Persistence and Automated Surveillance<\/strong><\/h2>\n<p>Once approved, the installer registered a Windows service&#8230;<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/ssa-emails-venomous-helper-phishing\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fake SSA Emails Drive Venomous#Helper Phishing Campaign https:\/\/www.infosecurity-magazine.com\/news\/ssa-emails-venomous-helper-phishing\/ Publish Date: 2026-05-05 10:00:00 Source Domain: 
www.infosecurity-magazine.com&#8230;<\/p>\n","protected":false},"author":1,"featured_media":240108,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/1046f6e5-2a73-40c6-b83c-231b1a153dc9.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32,25],"class_list":["post-240107","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240107"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=240107"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240107\/revisions"}],"predecessor-version":[{"id":240109,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240107\/revisions\/240109"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/240108"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=240107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=240107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=240107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}