VENOMOUS#HELPER Phishing Campaign Abuses SimpleHelp and ScreenConnect for Stealthy Access
A phishing campaign tracked as VENOMOUS#HELPER has compromised more than 80 organizations since at least April 2025, primarily in the United States, with additional victims in Western Europe and Latin America. Attackers used emails impersonating the U.S. Social Security Administration to drive targets to fake SSA pages hosted via compromised legitimate websites, including a Mexican domain used to help evade filtering. Victims who downloaded the fake SSA statement executable installed vendor-signed remote monitoring and management tools instead of conventional malware, giving the operators covert access through SimpleHelp and ConnectWise ScreenConnect.
Researchers said the malware chain deployed a self-hosted SimpleHelp 5.0.1 instance packaged with JWrapper and a separate ScreenConnect relay, creating redundant remote access if one channel was blocked. The installed tooling persisted as a Windows service, survived Safe Mode, polled for Wi-Fi status, firewall state, security products, user activity, and mouse movement, and in some cases renamed wmic.exe to evade name-based detections. Separate infrastructure analysis linked a signed SimpleHelp client to a five-server command-and-control cluster on 147.45.218.0/24, a Russian-language portal at dangerstock[.]online, and an exposed Cockpit dashboard, with Fortinet tracking the infrastructure as PALLASNET.M; Securonix assessed the broader activity as consistent with a financially motivated initial access broker or ransomware precursor.
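The behaviours summarized above (an RMM client installed as a Windows service, a renamed wmic.exe, and callbacks into the 147.45.218.0/24 range) can be checked against endpoint telemetry. The following is an added detection example written for this page, not code from Securonix, Breakglass or either RMM vendor; the Sysmon-style field names and the sample events are constructed, and the install paths in the samples are assumptions rather than confirmed campaign artifacts.

```python
import ipaddress
from pathlib import PureWindowsPath

# Indicators taken from the story above; everything else here is constructed.
C2_SUBNET = ipaddress.ip_network("147.45.218.0/24")
RMM_MARKERS = ("simplehelp", "screenconnect", "jwrapper")

def renamed_wmic(ev):
    """Process whose PE OriginalFileName is wmic.exe but whose on-disk name
    differs: the name-based evasion described in the summary."""
    return (ev.get("OriginalFileName", "").lower() == "wmic.exe"
            and PureWindowsPath(ev.get("Image", "")).name.lower() != "wmic.exe")

def c2_callback(ev):
    """Outbound connection into the PALLASNET /24 reported by Breakglass."""
    try:
        return ipaddress.ip_address(ev.get("DestinationIp", "")) in C2_SUBNET
    except ValueError:
        return False

def rmm_service_install(ev):
    """Service install (System log 7045) whose binary path names an RMM tool."""
    path = ev.get("ImagePath", "").lower()
    return ev.get("EventID") == 7045 and any(m in path for m in RMM_MARKERS)

def triage(events):
    """Return (detection_name, detail) pairs in event order."""
    findings = []
    for ev in events:
        if renamed_wmic(ev):
            findings.append(("renamed_wmic", ev["Image"]))
        if c2_callback(ev):
            findings.append(("c2_callback", ev["DestinationIp"]))
        if rmm_service_install(ev):
            findings.append(("rmm_service", ev["ImagePath"]))
    return findings

# Constructed sample telemetry (Sysmon-like fields), not real logs from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\svchelper.exe", "OriginalFileName": "wmic.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe"},
    {"EventID": 3, "Image": r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe",
     "DestinationIp": "147.45.218.66", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    {"EventID": 7045, "ImagePath": r"C:\ProgramData\JWrapper-Remote Access\service.exe"},
    {"EventID": 7045, "ImagePath": r"C:\Program Files (x86)\ScreenConnect Client (x)\ScreenConnect.ClientService.exe"},
    {"EventID": 7045, "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

The legitimate WMIC.exe, the browser connection and the svchost service are left unflagged, so the three rules together produce four findings on the sample set.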
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Media reports amplify Securonix findings on 80+ victim campaign
On May 4, 2026, Dark Reading and The Hacker News reported Securonix's findings that VENOMOUS#HELPER had targeted more than 80 organizations using SimpleHelp and ScreenConnect. These reports did not introduce a separate incident but broadened public reporting on the campaign and its likely financially motivated initial-access or ransomware-linked nature.
Securonix publishes VENOMOUS#HELPER campaign analysis
On April 26, 2026, Securonix published research detailing the VENOMOUS#HELPER phishing campaign's use of dual legitimate RMM tools, SimpleHelp and ScreenConnect, for stealthy persistence and redundant remote access. The report described compromised websites, a fake SSA statement executable, host surveillance behavior, and evasion techniques such as renaming wmic.exe.
Four PALLASNET servers still expose SimpleHelp portals
At the time of Breakglass publication, four of the five identified servers were still serving SimpleHelp customer download portals, while the primary 147.45.218.66 server had been hardened to agent-only behavior. Researchers also observed ScreenConnect used alongside SimpleHelp, indicating a dual-RAT persistence strategy.
Breakglass maps five-server PALLASNET SimpleHelp cluster
On April 20, 2026, Breakglass published analysis connecting a signed SimpleHelp client sample to a five-server command-and-control cluster on 147.45.218.0/24 and a Russian-language portal at dangerstock[.]online. The report also noted a stolen Google Analytics certificate, an exposed Cockpit dashboard, and Fortinet tracking the infrastructure as PALLASNET.M.
Fresh malware samples tied to PALLASNET appear
Breakglass said new malware samples linked to the PALLASNET infrastructure were still appearing in April 2026, indicating the operation remained active. The analyzed sample was a legitimately signed SimpleHelp Remote Access Client configured to call back to 147.45.218.66:443.
SimpleHelp deployments observed on PALLASNET-linked servers
Breakglass observed SimpleHelp deployments on the PALLASNET-associated infrastructure beginning in September 2025. The cluster ultimately included five servers, with several exposing SimpleHelp customer download portals.
PALLASNET infrastructure subnet is allocated
Breakglass reported that the 147.45.218.0/24 subnet tied to the PALLASNET cluster was allocated in August 2025. Researchers later linked this network to a five-server command-and-control cluster supporting SimpleHelp and ScreenConnect-based remote access operations.
VENOMOUS#HELPER phishing campaign begins targeting organizations
Securonix said the VENOMOUS#HELPER campaign has been active since at least April 2025, using phishing emails and fake U.S. Social Security Administration-themed pages to trick victims into downloading a malicious executable. The activity has affected more than 80 organizations, primarily in the United States, with additional victims in Western Europe and Latin America.
Sources
Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools (thehackernews.com)
RMM Tools Fuel Stealthy Phishing Campaign (darkreading.com)
VENOMOUS#HELPER: Dual RMM Phishing Campaign Using SimpleHelp and ScreenConnect (securonix.com)
From One Signed Binary to a 5-Server Russian RAT Farm: Mapping the PALLASNET SimpleHelp Cluster, a Stolen Google Analytics Certificate, and an Exposed Cockpit Dashboard (Breakglass Intelligence, intel.breakglass.tech)