VENOMOUS#HELPER is an active phishing campaign that has compromised more than 80 organizations across the United States, Western Europe, and Latin America by deploying SimpleHelp and ScreenConnect (ConnectWise Control) as persistent backdoors. The attackers impersonate the U.S. Social Security Administration (SSA) to lure employees into executing signed RMM (Remote Monitoring and Management — software used by IT support teams for remote access and endpoint management) installers, which endpoint security products treat as trusted because both tools carry valid code-signing certificates from reputable certificate authorities.
This article provides a step-by-step detection checklist, working KQL (Kusto Query Language — the query language used by Microsoft Defender for Endpoint and Microsoft Sentinel) detection queries, a PowerShell endpoint scanner, and a Group Policy configuration for allowlisting approved RMM tools — everything a SOC analyst needs to detect and contain this campaign today.
VENOMOUS#HELPER: Campaign Overview and Why RMM Abuse Works
The VENOMOUS#HELPER campaign (also tracked as STAC6405 by Sophos and Red Canary) was documented by Securonix Threat Labs and has been active since at least April 2025. The campaign maps to MITRE ATT&CK T1219 (Remote Access Software) combined with T1566.002 (Phishing: Spearphishing Link — delivering a malicious URL via email rather than a file attachment).
The technique exploits a structural blind spot in most enterprise defenses: RMM tools are not malware. SimpleHelp is used by tens of thousands of IT support teams globally. ScreenConnect (ConnectWise Control) is deployed in Fortune 500 environments. When an EDR (Endpoint Detection and Response — security software that monitors endpoints for malicious behaviour) product sees either tool launch, it has no inherent reason to raise an alert — which is precisely why attackers use them.
Both installers in this campaign carry valid digital signatures. The SimpleHelp binary was signed with a Thawte certificate issued to SimpleHelp Ltd, which means Windows SmartScreen (Microsoft's browser-level reputation filter) displays a "verified publisher" prompt instead of an untrusted-software warning. Mark-of-the-Web (MotW) protections — the browser-enforced warnings that flag executables downloaded from the internet — are suppressed by the valid code signature.
After obtaining initial access, VENOMOUS#HELPER installs both SimpleHelp and ScreenConnect simultaneously, creating redundant persistent access channels. If defenders detect and remove SimpleHelp, ScreenConnect survives — and vice versa. This dual-channel design is the campaign's most operationally significant characteristic.
Attack Chain: From Phishing Email to Persistent Backdoor
Understanding the full kill chain helps identify the earliest detection checkpoints.
Stage 1 — Phishing delivery (T1566.002): The victim receives an email impersonating the U.S. Social Security Administration, instructing them to "verify their address and download their statement." The link points to a compromised Mexican business website (gruta[.]com.mx), from which the payload is served — hosted at server.cubatiendaalimentos[.]com.mx/~tiendazoycom/sns/.
Stage 2 — Installer execution (T1036 — Masquerading): The downloaded executable is a JWrapper-packaged SimpleHelp 5.0.1 installer. It presents as a signed, legitimate application. The service it creates is registered as "Remote Access Service" — a name chosen to blend in with genuine Windows networking services.
Stage 3 — Privilege escalation (T1543.003 — Create or Modify System Process: Windows Service): The installer drops elev_win.exe, SimpleHelp's privilege escalation helper, which runs the service under SYSTEM-level privileges and acquires SeDebugPrivilege — the Windows privilege that allows a process to read and write the memory of any other process on the system.
Stage 4 — Redundant access (T1219): ScreenConnect is installed alongside SimpleHelp, connecting outbound to a relay server at sslzeromail[.]run.place. Two independent C2 (Command and Control) channels are now active: 84.200.205[.]233:5555 (SimpleHelp) and 213.136.71.246:8041 (ScreenConnect relay).
Stage 5 — Safe Mode persistence (T1547.001 + T1112): The service is registered under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Remote Access Service, which causes the backdoor to survive reboots into Safe Mode with Networking — a technique that defeats many EDR products that do not load their drivers in Safe Mode.
Stage 6 — Anti-analysis evasion (T1562 — Impair Defenses): The implant polls mouse position every 23 seconds, checks WiFi interfaces every 15 seconds, and enumerates installed security products via WMI (Windows Management Instrumentation — a Windows framework for querying system configuration) every 67 seconds. These intervals are calibrated to stay below behavioral-analytics thresholds tuned for faster polling patterns.
VENOMOUS#HELPER RMM Detection: Step-by-Step Checklist
Sysmon Process Creation Events (Event ID 1)
Sysmon (System Monitor — a free Microsoft Sysinternals tool that logs detailed process, network, and file system events to the Windows Event Log) is the primary telemetry source for this detection. If Sysmon is not already deployed, start there.
- Suspicious RMM installer spawned from user directories: Watch for
SimpleHelp.exe,ScreenConnect.exe, orConnectWise*.exespawned from%USERPROFILE%\Downloads\,%TEMP%\, or a browser process (chrome.exe,msedge.exe,firefox.exe).
elev_win.exeexecution: SimpleHelp's privilege escalation helper has no legitimate reason to run outside of an IT-sanctioned deployment. Any execution not correlated with an approved change ticket warrants immediate investigation.
wmic.exe.bakexecution: The campaign renames the Windows Management Instrumentation CLI (wmic.exe) towmic.exe.bakand then executes it. A renamed system binary executing is a high-confidence indicator of T1036 (Masquerading). Monitor for any.exe.bakfile being created and subsequently executed.
- "Remote Access Service" service creation (Windows Event ID 7045): Service creation events are logged in the System event log. Query for services named "Remote Access Service" whose binary path does not match
%SystemRoot%\System32\svchost.exeor other known legitimate paths.
- Registry write to SafeBoot key (Sysmon Event ID 13): Any write to
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\that adds an entry not in your baseline is suspicious. Legitimate additions to this key are rare outside of antivirus product installers.
Windows Event Log Quick Checks
# Check for the "Remote Access Service" service being installed (System log Event 7045)
Get-WinEvent -LogName System | Where-Object {
$_.Id -eq 7045 -and $_.Message -like '*Remote Access Service*'
} | Select-Object TimeCreated, Message
# Enumerate non-standard SafeBoot\Network entries
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network" |
Get-Member -MemberType NoteProperty |
Where-Object { $_.Name -notmatch 'vss|vmware|defender|mssafe|\{.*\}|PSPath|PSParent' } |
Select-Object Name
VENOMOUS#HELPER RMM Detection: Microsoft Defender for Endpoint KQL Queries
Deploy these queries as scheduled hunts in the Microsoft Defender portal (security.microsoft.com → Hunting → Advanced Hunting) or as analytics rules in Microsoft Sentinel.
Query 1 — RMM installer launched from user/temp directories (T1219 + T1566):
DeviceProcessEvents
| where FileName in~ ("SimpleHelpClient.exe", "ScreenConnect.exe",
"elev_win.exe", "ConnectWiseControl.exe")
| where FolderPath has_any (@"Downloads", @"Temp", @"\AppData\", @"\Users\")
| project Timestamp, DeviceName, AccountName, FileName,
FolderPath, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
Query 2 — Renamed system utility execution (wmic.exe.bak):
DeviceProcessEvents
| where FileName endswith ".bak"
| where ProcessCommandLine has_any ("wmic", "wbem", "select", "Win32_")
| project Timestamp, DeviceName, AccountName, FileName,
ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
Query 3 — SafeBoot registry modifications (T1547.001 + T1112):
DeviceRegistryEvents
| where RegistryKey contains @"SafeBoot\Network"
| where ActionType == "RegistryValueSet"
| where RegistryValueName !in~ (
"RpcEptMapper", "DHCP", "DNS", "EventLog",
"NetBT", "Nsi", "nsiproxy", "tdx", "WfpLwf", "WinSock2"
)
| project Timestamp, DeviceName, AccountName,
RegistryKey, RegistryValueName, RegistryValueData
| order by Timestamp desc
Query 4 — "Remote Access Service" installation event:
DeviceEvents
| where ActionType == "ServiceInstalled"
| where AdditionalFields has "Remote Access Service"
| project Timestamp, DeviceName, AccountName, AdditionalFields
| order by Timestamp desc
Query 5 — Network connections to confirmed VENOMOUS#HELPER C2 infrastructure:
DeviceNetworkEvents
| where RemoteIP in ("84.200.205.233", "213.136.71.246")
or RemoteUrl has_any (
"sslzeromail.run.place",
"gruta.com.mx",
"cubatiendaalimentos.com.mx"
)
| project Timestamp, DeviceName, RemoteIP, RemoteUrl,
RemotePort, InitiatingProcessFileName
| order by Timestamp desc
PowerShell: Scan Endpoints for Unauthorized RMM Installations
Run this script locally or push it via a management platform (SCCM, Intune, or PDQ Deploy) to audit RMM tools installed across the fleet. Update $ApprovedRMM to match your organization's sanctioned toolset.
# VENOMOUS#HELPER RMM Audit Script
# Run with local admin or via remote deployment
$ApprovedRMM = @(
# List your organization's approved RMM tools here
# Example: "TeamViewer", "Splashtop Business"
)
$RMMKeywords = @(
"SimpleHelp", "ScreenConnect", "ConnectWise Control",
"AnyDesk", "RemotePC", "LogMeIn", "GoToMyPC",
"VNC", "NinjaRMM", "Atera", "Dameware", "Kaseya",
"BeyondTrust", "Zoho Assist", "ISL Online"
)
$Installed = Get-ItemProperty `
"HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
"HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" `
-ErrorAction SilentlyContinue |
Select-Object DisplayName, Publisher, InstallDate, InstallLocation
Write-Host "`n=== RMM Audit: $env:COMPUTERNAME ===" -ForegroundColor Cyan
foreach ($keyword in $RMMKeywords) {
$found = $Installed | Where-Object { $_.DisplayName -like "*$keyword*" }
foreach ($item in $found) {
$approved = $ApprovedRMM | Where-Object { $item.DisplayName -like "*$_*" }
$status = if ($approved) { "[APPROVED]" } else { "[REVIEW REQUIRED]" }
$color = if ($approved) { "Green" } else { "Red" }
Write-Host "$status $($item.DisplayName) (Installed: $($item.InstallDate))" `
-ForegroundColor $color
}
}
# VENOMOUS#HELPER-specific: check for the "Remote Access Service" Windows service
$ras = Get-Service -ErrorAction SilentlyContinue |
Where-Object { $_.DisplayName -eq "Remote Access Service" }
if ($ras) {
Write-Host "`n[CRITICAL] 'Remote Access Service' found — matches VENOMOUS#HELPER IOC" `
-ForegroundColor Red
$ras | Select-Object Name, DisplayName, Status, StartType
}
Group Policy: Allowlisting Approved RMM Tools
The most durable long-term control is preventing unapproved RMM tools from executing in the first place, rather than relying solely on detection after the fact.
Option A — AppLocker (Windows 10/11 Enterprise and Education):
AppLocker is a Windows built-in application control feature configured through Group Policy.
- Open Group Policy Management Console and create or edit a GPO linked to your workstation OUs.
- Navigate to
Computer Configuration → Policies → Windows Settings → Security Settings → Application Control Policies → AppLocker. - Under Executable Rules, create a default-deny rule: block any executable not in
%PROGRAMFILES%,%PROGRAMFILES(x86)%, or%WINDIR%. This stops drive-by installs that land in%TEMP%or%APPDATA%from executing. - Add explicit publisher-based allow rules for each sanctioned RMM tool (e.g., publisher:
O=CONNECTWISE LLC, L=TAMPA, S=FLORIDA, C=USfor ConnectWise products). - Enable the Application Identity service (
AppIDSvc) on all endpoints — AppLocker enforcement requires it to be running.
Option B — Windows Firewall GPO (block known campaign C2):
For immediate tactical containment, push firewall rules to block outbound connections to the confirmed VENOMOUS#HELPER infrastructure:
# Deploy via GPO startup script or Intune remediation script
New-NetFirewallRule `
-DisplayName "Block VENOMOUS#HELPER SimpleHelp C2" `
-Direction Outbound -Protocol TCP `
-RemoteAddress "84.200.205.233" `
-Action Block -Profile Domain,Private
New-NetFirewallRule `
-DisplayName "Block VENOMOUS#HELPER ScreenConnect Relay" `
-Direction Outbound -Protocol TCP `
-RemoteAddress "213.136.71.246" `
-Action Block -Profile Domain,Private
Option C — DNS/proxy blocking:
Block the following domains at your enterprise DNS resolver or web proxy:
gruta.com.mxsslzeromail.run.placecubatiendaalimentos.com.mx
VENOMOUS#HELPER Indicators of Compromise
| Type | Indicator | Context | |——|———–|———| | Domain | gruta[.]com.mx | Phishing lure / payload download (compromised legitimate site) | | Domain | sslzeromail[.]run.place | ScreenConnect C2 relay | | Domain | server.cubatiendaalimentos[.]com.mx | Payload hosting path: /~tiendazoycom/sns/ | | IP | 84.200.205[.]233 port 5555 | SimpleHelp 5.0.1 C2 server | | IP | 213.136.71.246 port 8041 | ScreenConnect relay endpoint | | File path | C:\Windows\System32\wbem\wmic.exe.bak | Renamed WMIC — high-confidence host IOC | | Registry key | HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Remote Access Service | Safe Mode persistence key | | Service name | Remote Access Service | SimpleHelp service installed by the implant | | Process | elev_win.exe | SimpleHelp privilege escalation helper |
Bracket the dots in domains and IPs when pasting into threat intel platforms to prevent accidental resolution.
Incident Response: If You Detect the Implant
- Isolate the endpoint immediately. Both SimpleHelp and ScreenConnect provide full interactive access to the attacker — assume the machine is completely compromised and treat it as hostile.
- Stop and disable the service:
- Remove the SafeBoot persistence key:
- Uninstall the ScreenConnect client via
Control Panel → Programs → ConnectWise Control Client → Uninstall, or silently via: - Hunt for lateral movement: Review Windows authentication logs — Event ID 4624 (successful logon), 4648 (explicit credential logon), and 4776 (NTLM credential validation) — for authentications originating from the compromised host in the 24–72 hours following initial compromise.
- Preserve evidence before reimaging: capture a memory image with WinPmem and export Security and System event logs. These are critical for determining the full scope of attacker activity.
- Conduct a fleet-wide hunt using the KQL queries in the previous section across all enrolled endpoints.
“powershell sc.exe stop "Remote Access Service" sc.exe config "Remote Access Service" start= disabled “
“powershell reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Remote Access Service" /f “
“powershell $app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "ScreenConnect" } $app.Uninstall() “
Conclusion
VENOMOUS#HELPER demonstrates why RMM tools remain one of the most effective persistent-access mechanisms for attackers: they carry valid code signatures, are expected on managed corporate networks, and are functionally invisible to signature-based antivirus. The defenses that matter are behavioral — process lineage monitoring, SafeBoot registry alerting, service creation detection, and an enforced allowlist that prevents unapproved RMM installers from executing at all.
Deploy the KQL queries above in Microsoft Defender for Endpoint as scheduled advanced hunting queries, run the PowerShell scanner across your fleet today, and implement an AppLocker policy that gates RMM execution against an explicit approved-publisher list. If you are already running SimpleHelp in your environment, review our hardening guide for the product's own vulnerability surface.
See our SimpleHelp CVE-2024-57727 detection and patch checklist for patch verification steps and hardening guidance specific to SimpleHelp's path traversal flaw, and our SimpleHelp RMM ransomware exploitation analysis for context on how threat actors chain SimpleHelp access into full ransomware deployment.
For any query contact us at contact@cipherssecurity.com
