VENOMOUS#HELPER: Dual-RMM Phishing Campaign Uses JWrapper-Packed SimpleHelp and ScreenConnect for Silent Remote Access
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A phishing campaign has been using a compromised Mexican website to distribute a JWrapper-packed executable that installs the legitimate remote management tools SimpleHelp and ScreenConnect. Although both binaries are signed and normally trusted, the attackers abuse them to gain persistent, silent remote access through Windows services and Safe Mode registry modifications. Since April 2025, the activity has impacted more than 80 organizations across the United States, Western Europe, and Latin America. While attribution remains unclear, the campaign appears to be financially motivated.
Investigation
Securonix conducted dynamic analysis of the delivered payload and uncovered a dual-channel remote access setup built around SimpleHelp 5.0.1 and ConnectWise ScreenConnect. The malware installs itself as a Windows service, creates a SafeBoot registry entry to survive reboots into Safe Mode, and uses repeated polling loops to identify installed security products and determine whether a user is present on the machine. Investigators also found that a renamed wmic.exe.bak binary was used as part of the execution chain to help bypass name-based detections.
Mitigation
Security teams should monitor for creation of a Windows service named "Remote Access Service", the associated SafeBoot registry entry, and the appearance of wmic.exe.bak inside the System32\wbem directory. Network defenses should block outbound UDP traffic to 84.200.205.233:5555 and TCP traffic to sslzeromail.run.place:8041. Defenders should also remove the malicious service and related files while hunting for renamed utilities and other artifacts linked to the intrusion.
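As an added example, not part of the original advisory or the vendor's detection content, the following Python script applies the host indicators described above to a constructed set of Sysmon-style events: the renamed wmic.exe.bak, the SecurityCenter2 query, the SimpleHelp agent launched from a JWrapper directory, the SafeBoot\Network registry entry, and the ~15 s netsh polling loop, which it separates from a one-off netsh call by requiring repetition within a time window. Event fields, paths and timestamps are constructed for illustration.

```python
from collections import defaultdict

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value set); illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": 0, "Image": r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe",
     "CommandLine": r'"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe" -service'},
    {"EventID": 13, "UtcTime": 1, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Remote Access Service"},
    {"EventID": 1, "UtcTime": 2, "Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh wlan show interfaces"},
    {"EventID": 1, "UtcTime": 17, "Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh wlan show interfaces"},
    {"EventID": 1, "UtcTime": 32, "Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh wlan show interfaces"},
    {"EventID": 1, "UtcTime": 40, "Image": r"C:\Windows\System32\wbem\wmic.exe.bak",
     "CommandLine": r"wmic.exe.bak /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"EventID": 1, "UtcTime": 50, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

def classify(ev):
    """Return the indicator names a single event matches (empty list for benign events)."""
    hits = []
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if ev["EventID"] == 1:
        if image.endswith("wmic.exe.bak"):          # T1036.003: renamed utility still runs as wmic
            hits.append("renamed_wmic")
        if "securitycenter2" in cmd:                 # AV / firewall product enumeration
            hits.append("av_enumeration")
        if "\\jwrapper-remote access\\" in image:    # SimpleHelp agent launched from JWrapper dir
            hits.append("simplehelp_from_jwrapper_dir")
    elif ev["EventID"] == 13:
        if "\\control\\safeboot\\network\\" in ev.get("TargetObject", "").lower():
            hits.append("safeboot_persistence")      # T1562.009: survives a Safe Mode boot
    return hits

def repeated_within(events, needle, min_hits, window_s):
    """True if a command line containing `needle` runs min_hits times within window_s seconds (polling loop)."""
    times = sorted(e["UtcTime"] for e in events
                   if e["EventID"] == 1 and needle in e.get("CommandLine", "").lower())
    return any(times[i + min_hits - 1] - times[i] <= window_s
               for i in range(len(times) - min_hits + 1))

def analyze(events):
    """Map each indicator to the UtcTime values of the events that triggered it."""
    findings = defaultdict(list)
    for ev in events:
        for hit in classify(ev):
            findings[hit].append(ev["UtcTime"])
    if repeated_within(events, "netsh wlan show interfaces", min_hits=3, window_s=60):
        findings["netsh_wlan_polling"] = [e["UtcTime"] for e in events if "netsh wlan" in e.get("CommandLine", "")]
    return dict(findings)
```

The benign notepad event produces no finding, and a single netsh call below the repetition threshold is likewise ignored.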
Response
If this activity is detected, isolate the affected system immediately, stop and remove the malicious service, delete the SafeBoot registry entry, and remove the JWrapper installation directory from the host. Investigators should then perform forensic analysis to determine whether lateral movement occurred and update detection logic to capture the specific process chains and command patterns seen in the campaign. Relevant stakeholders should be informed, and broader threat hunting should be considered to identify additional victims.
Attack Flow

```mermaid
graph TB
  %% Class Definitions
  classDef action fill:#99ccff
  classDef tool fill:#cccccc
  classDef malware fill:#a2d5ab
  classDef process fill:#ffcc99
  classDef service fill:#ffb3b3
  classDef c2 fill:#d9b3ff

  %% Nodes
  action_impersonation["<b>Action</b> – <b>T1656 Impersonation</b><br/>Email spoofing of US SSA to lure victims"]
  class action_impersonation action
  action_phishing["<b>Action</b> – <b>T1566.001 Phishing</b><br/>Spearphishing attachment with link to compromised Mexican domains"]
  class action_phishing action
  action_infra["<b>Action</b> – <b>T1584.001 Compromise Infrastructure</b><br/>Compromise legitimate .com.mx sites to host landing page and payload"]
  class action_infra action
  action_execution["<b>Action</b> – Execution<br/>Victim runs JWrapper-packed statement5648.exe which extracts config, drops private JRE and launches Java payload"]
  class action_execution action
  action_uac["<b>Action</b> – <b>T1548.002 Bypass UAC</b><br/>UAC prompt shows trusted SimpleHelp publisher allowing install"]
  class action_uac action
  action_service["<b>Action</b> – <b>T1543.003 Create or Modify System Process</b><br/>Registers Windows service #quot;Remote Access Service#quot;"]
  class action_service action
  action_safemode["<b>Action</b> – <b>T1562.009 Safe Mode Boot</b><br/>Adds registry key under SafeBoot Network for service persistence"]
  class action_safemode action
  malware_simplehelp["<b>Malware</b> – SimpleHelp 5.0.1 (cracked)<br/>Remote administration tool signed by SimpleHelp"]
  class malware_simplehelp malware
  malware_screenconnect["<b>Malware</b> – ConnectWise ScreenConnect (cracked)<br/>Remote administration tool signed by ConnectWise"]
  class malware_screenconnect malware
  c2_simplehelp["<b>C2</b> – UDP 84.200.205.233:5555<br/>Used by SimpleHelp for beaconing"]
  class c2_simplehelp c2
  c2_screenconnect["<b>C2</b> – TCP sslzeromail.run.place:8041<br/>Used by ScreenConnect relay"]
  class c2_screenconnect c2
  tool_sessionwin["<b>Tool</b> – session_win.exe<br/>Steals winlogon.exe token to spawn processes in user session"]
  class tool_sessionwin tool
  tool_elevwin["<b>Tool</b> – elev_win.exe<br/>Creates processes with CreateProcessAsUserW using stolen token"]
  class tool_elevwin tool
  process_netsh["<b>Process</b> – netsh wlan show interfaces<br/>Runs every ~15 s to discover network configuration"]
  class process_netsh process
  process_wmic["<b>Process</b> – wmic.exe.bak query SecurityCenter2<br/>Runs every ~67 s to discover AV/Firewall products"]
  class process_wmic process
  action_masquerade["<b>Action</b> – <b>T1036.003 Masquerading</b><br/>Renames wmic.exe to wmic.exe.bak to hide utility"]
  class action_masquerade action
  action_dynamic["<b>Action</b> – <b>T1568 Dynamic Resolution</b><br/>Collects interface info to adapt C2 endpoints"]
  class action_dynamic action

  %% Flow Connections
  action_impersonation -->|leads_to| action_phishing
  action_phishing -->|uses| action_infra
  action_infra -->|hosts| action_execution
  action_execution -->|triggers| action_uac
  action_uac -->|enables| action_service
  action_service -->|adds| action_safemode
  action_safemode -->|supports| malware_simplehelp
  malware_simplehelp -->|communicates with| c2_simplehelp
  malware_screenconnect -->|communicates with| c2_screenconnect
  malware_simplehelp -->|installs| tool_sessionwin
  malware_screenconnect -->|installs| tool_elevwin
  tool_sessionwin -->|performs| action_masquerade
  tool_elevwin -->|executes| process_netsh
  process_netsh -->|feeds| action_dynamic
  process_wmic -->|feeds| action_dynamic
  action_dynamic -->|informs| c2_screenconnect
  action_dynamic -->|informs| c2_simplehelp
  process_wmic -->|performs| action_masquerade

  %% Class Assignments
  class action_impersonation,action_phishing,action_infra,action_execution,action_uac,action_service,action_safemode,action_masquerade,action_dynamic action
  class malware_simplehelp,malware_screenconnect malware
  class c2_simplehelp,c2_screenconnect c2
  class tool_sessionwin,tool_elevwin tool
  class process_netsh,process_wmic process
```
Detections
- SimpleHelp Agent Executed from JWrapper Remote Access Directory (via process_creation)
- Possible Antivirus or Firewall Software Enumeration (via process_creation)
- Alternative Remote Access / Management Software (via process_creation)
- Possible Simple Help RMM Usage Attempt (via file_event)
- IOCs (HashSha512) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access
- IOCs (HashSha256) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access
- IOCs (HashMd5) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access
- IOCs (SourceIP) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access
- IOCs (DestinationIP) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access
- Monitoring for Potential RAT Activity by Renamed wmic.exe and WiFi Interface Commands [Windows Sysmon]
- Detection of Dual-RMM Phishing Campaign Using SimpleHelp and ScreenConnect [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
The attacker delivers a phishing attachment (T1566.001) that drops a malicious payload named statement5648.exe into the %TEMP% directory. To evade detection, the file is signed with a valid certificate (obfuscated code – T1027) and is executed as a Windows service (T1543.003) to persist. Because the executable name matches one of the rule's suffixes, Sysmon records an EventID 1 with Image ending in statement5648.exe, which should fire the detection rule. The attacker also disables antivirus (T1562.009) and attempts UAC bypass (T1548.002) to gain elevated privileges.
Regression Test Script:

```powershell
#------------------------------------------------------------
# Dual-RMM Phishing Campaign Simulation – triggers Sigma rule
#------------------------------------------------------------
$payloadPath = "$env:TEMP\statement5648.exe"
$serviceName = "DualRMMHelper"

# 1. Drop a dummy executable (copy of notepad.exe) and rename
Write-Host "[*] Dropping masqueraded payload to $payloadPath"
Copy-Item -Path "$env:SystemRoot\System32\notepad.exe" -Destination $payloadPath -Force

# 2. Create a Windows service that runs the payload (persistence)
Write-Host "[*] Installing service $serviceName"
sc.exe create $serviceName binPath= "`"$payloadPath`"" start= auto > $null

# 3. Start the service – this generates the Sysmon ProcessCreate event.
#    notepad.exe is not a real service binary, so the SCM reports a start
#    timeout (error 1053), but the process is launched and logged first.
Write-Host "[*] Starting service $serviceName"
sc.exe start $serviceName > $null

# 4. OPTIONAL: Simulate UAC bypass / token impersonation (no-op placeholder)
# In a real red-team run, this would involve Invoke-BypassUAC or similar.
Write-Host "[*] Simulation complete – check SIEM for detection."
#------------------------------------------------------------
```
Cleanup Commands:

```powershell
#------------------------------------------------------------
# Cleanup for Dual-RMM simulation
#------------------------------------------------------------
$serviceName = "DualRMMHelper"
$payloadPath = "$env:TEMP\statement5648.exe"

# Stop and delete the service (stop may report the service is not running)
sc.exe stop $serviceName > $null
sc.exe delete $serviceName > $null

# Remove the bogus executable
Remove-Item -Path $payloadPath -Force -ErrorAction SilentlyContinue
Write-Host "[*] Cleanup complete."
#------------------------------------------------------------
```