An active phishing campaign has been observed since at least April 2025 targeting multiple vectors, including as a way to establish persistent remote access to compromised hosts with legitimate Remote Monitoring and Management (RMM) software.
activity, codename poisonous#helpfulAccording to Securionics, more than 80 organizations have been affected, the majority of which are in the US. It shares overlap with clusters previously tracked by Red Canary and Sophos, the latter of which has nicknamed it STAC6405. While it is unclear who is behind the campaign, the cybersecurity company said it is aligned with a financially motivated Initial Access Broker (IAB) or ransomware precursor operation.
“In this case, a customized SimpleHelp and ScreenConnect RMM is used to bypass the protections because they are legitimately installed by the unsuspecting victim,” researchers Akshay Gaikwad, Shikha Sangwan and Aaron Beardsley said in a report shared with The Hacker News.
Putting aside the fact that use of legitimate RMM tools can avoid detection, the deployment of both SimpleHelp and ScreenConnect indicates an effort to create a “redundant dual-channel access architecture” that enables continued operation even if one of them is detected and blocked.
It all starts with a phishing email impersonating the US Social Security Administration (SSA), where the recipient is instructed to verify their email address and download a purported SSA statement by clicking on a link embedded in the message. This link points to a legitimate-but-compromised Mexican business website (“gruta.com”)[.]MX”), indicating a deliberate strategy to evade email spam filters.
The “SSA statement” is then downloaded from another attacker-controlled domain (“server.cupatiendaalimentos.com”)[.]MX”), an executable that is responsible for distributing the SimpleHelp RMM tool. It is believed that the attacker gained access to a single cPanel user account on a legitimate hosting server to stage the binary.
As soon as the victim opens the JWrapper-packaged Windows executable, thinking it is a document, the malware installs itself as a Windows service with safe mode persistence, ensures it is running via a “self-healing watchdog” that automatically restarts it when killed, and periodically enumerates security products registered using the root\SecurityCenter2 WMI namespace every 67 seconds. Is, and surveys the user’s presence every 23 seconds.
To facilitate fully interactive desktop access, the SimpleHelp remote access client obtains SeDebugPrivilege via AdjustTokenPrivileges, while “elev_win.exe” – a legitimate executable file associated with the software – is used to gain system-level privileges. This, in turn, allows the operator to read the screen, inject keystrokes, and access user-referenced resources.
This advanced remote access is exploited to download and install ConnectWise ScreenConnect, offering a fallback communication mechanism if the SimpleHelp channel is removed.
“The deployed SimpleHelp version (5.0.1) provides a comprehensive remote administration capability set,” the researchers said. “The victim organization is left in a position where the attacker can return at any time, silently execute commands in the user’s desktop session, transfer files bidirectionally, and pivot to adjacent systems, while standard antivirus and signature-based controls see nothing but legitimately signed software from a reputable UK vendor.”
