An active phishing campaign dubbed VENOMOUS#HELPER has been targeting multiple sectors since at least April 2025, abusing legitimate Remote Monitoring and Management (RMM) tools to establish persistent remote access. The operation delivers a JWrapper-packaged executable that installs SimpleHelp as a Windows service, elevates privileges to gain full desktop control, and stages ConnectWise ScreenConnect as a redundant fallback; more than 80 organizations, primarily in the U.S., have been affected. #VENOMOUS_HELPER #SimpleHelp
Key points
- The campaign uses SSA-themed phishing emails to trick victims into downloading a malicious "statement."
- An attacker-controlled domain stages a JWrapper-packaged executable that delivers SimpleHelp RMM.
- The malware installs as a Windows service with Safe Mode persistence and a self-healing watchdog.
- Operators obtain SYSTEM-level access via SeDebugPrivilege and elev_win.exe to enable full remote control.
- ConnectWise ScreenConnect is deployed as a fallback, giving the operators a redundant dual-channel access architecture; the campaign has hit 80+ organizations.
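A starting point for hunting these artifacts on a Windows host, as an added PowerShell example that is not from the original post or the cited report. The product-name substrings and the elev_win indicator are assumptions (confirm real service names and paths from your own telemetry); the Safe Mode check reads the SafeBoot\Minimal and SafeBoot\Network keys, which is where Windows registers services allowed to start in Safe Mode.

```powershell
# Added hunting script (not from the original post or the researchers who reported VENOMOUS#HELPER).
# Looks for the three persistence traits in the key points: an RMM installed as a service,
# Safe Mode persistence, and a second RMM channel on the same host. Run as Administrator.

# Assumed indicators, matched as substrings in service names, display names, and image paths.
$patterns = @('SimpleHelp', 'ScreenConnect', 'elev_win')

# 1. Services whose name, display name, or image path mention an RMM product or the elevation helper.
$rmmServices = Get-CimInstance Win32_Service | Where-Object {
    $svc = $_
    $patterns | Where-Object {
        $svc.Name -like "*$_*" -or $svc.DisplayName -like "*$_*" -or $svc.PathName -like "*$_*"
    }
} | Select-Object Name, DisplayName, State, StartMode, PathName

# 2. Safe Mode persistence: a subkey under SafeBoot\Minimal or SafeBoot\Network named after a
#    service lets that service start even when the machine is booted into Safe Mode.
$safeBootKeys = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
                'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
$safeBootHits = foreach ($key in $safeBootKeys) {
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | Where-Object {
        $leaf = $_.PSChildName
        $patterns | Where-Object { $leaf -like "*$_*" }
    } | Select-Object @{ n = 'Key'; e = { $_.PSPath } }, @{ n = 'Default'; e = { $_.GetValue('') } }
}

# 3. Two different RMM products installed as services is the dual-channel layout described above.
$products = $rmmServices.PathName | ForEach-Object {
    foreach ($p in @('SimpleHelp', 'ScreenConnect')) { if ($_ -like "*$p*") { $p } }
} | Sort-Object -Unique

[PSCustomObject]@{
    RmmServices     = $rmmServices
    SafeBootEntries = $safeBootHits
    DualChannel     = ($products.Count -ge 2)
}
```

Both SimpleHelp and ScreenConnect are legitimate products, so a hit is a triage lead, not a verdict: check who installed the service, when, and whether the install matches an approved deployment, and treat a SafeBoot entry or two RMM products on one host as the stronger signals.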
Read More: https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html