VENOMOUS#HELPER: Dual-RMM Phishing Campaign Uses JWrapper-Packed SimpleHelp and ScreenConnect for Silent Remote Access
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A phishing campaign has been using a compromised Mexican website to distribute a JWrapper-packed executable that installs the legitimate remote management tools SimpleHelp and ScreenConnect. Although both binaries are signed and normally trusted, the attackers abuse them to gain persistent, silent remote access through Windows services and Safe Mode registry modifications. Since April 2025, the activity has impacted more than 80 organizations across the United States, Western Europe, and Latin America. While attribution remains unclear, the campaign appears to be financially motivated.
Investigation
Securonix conducted dynamic analysis of the delivered payload and uncovered a dual-channel remote access setup built around SimpleHelp 5.0.1 and ConnectWise ScreenConnect. The malware installs itself as a Windows service, creates a SafeBoot registry entry to survive reboots into Safe Mode, and uses repeated polling loops to identify installed security products and determine whether a user is present on the machine. Investigators also found that a renamed wmic.exe.bak binary was used as part of the execution chain to help bypass name-based detections.
Mitigation
Security teams should monitor for creation of the Remote Access Service Windows service, the associated SafeBoot registry entry, and the appearance of wmic.exe.bak inside the System32\wbem directory. Network defenses should block outbound UDP traffic to 84.200.205.233:5555 and TCP traffic to sslzeromail.run.place:8041. Defenders should also remove the malicious service and related files while hunting for renamed utilities and other artifacts linked to the intrusion.
Response
If this activity is detected, isolate the affected system immediately, stop and remove the malicious service, delete the SafeBoot registry entry, and remove the JWrapper installation directory from the host. Investigators should then perform forensic analysis to determine whether lateral movement occurred and update detection logic to capture the specific process chains and command patterns seen in the campaign. Relevant stakeholders should be informed, and broader threat hunting should be considered to identify additional victims.
Attack Flow
Detections
SimpleHelp Agent Executed from JWrapper Remote Access Directory (via process_creation)
View
Possible Antivirus or Firewall Software Enumeration (via process_creation)
View
Alternative Remote Access / Management Software (via process_creation)
View
Possible Simple Help RMM Usage Attempt (via file_event)
View
IOCs (HashSha512) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access
View
IOCs (HashSha256) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access
View
IOCs (HashMd5) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access
View
IOCs (SourceIP) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access
View
IOCs (DestinationIP) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access
View
Monitoring for Potential RAT Activity by Renamed wmic.exe and WiFi Interface Commands [Windows Sysmon]
View
Detection of Dual-RMM Phishing Campaign Using SimpleHelp and ScreenConnect [Windows Process Creation]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
-
Attack Narrative & Commands:
The attacker receives a phishing attachment (T1566.001) that drops a malicious payload named
statement5648.exeinto the%TEMP%directory. To evade detection, the file is signed with a valid certificate (obfuscated code – T1027) and is executed as a Windows service (T1543.003) to persist. Because the executable name matches one of the rule’s suffixes, Sysmon records an EventID 1 withImageending instatement5648.exe, which should fire the detection rule. The attacker also disables antivirus (T1562.009) and attempts UAC bypass (T1548.002) to gain elevated privileges. -
Regression Test Script:
#------------------------------------------------------------ # Dual‑RMM Phishing Campaign Simulation – triggers Sigma rule #------------------------------------------------------------ $payloadPath = "$env:TEMPstatement5648.exe" $serviceName = "DualRMMHelper" # 1. Drop a dummy executable (copy of notepad.exe) and rename Write-Host "[*] Dropping masqueraded payload to $payloadPath" Copy-Item -Path "$env:SystemRootSystem32notepad.exe" -Destination $payloadPath -Force # 2. Create a Windows service that runs the payload (persistence) Write-Host "[*] Installing service $serviceName" sc.exe create $serviceName binPath= "`"$payloadPath`"" start= auto > $null # 3. Start the service – this generates Sysmon ProcessCreate event Write-Host "[*] Starting service $serviceName" sc.exe start $serviceName > $null # 4. OPTIONAL: Simulate UAC bypass / token impersonation (no‑op placeholder) # In a real red‑team run, this would involve Invoke-BypassUAC or similar. Write-Host "[*] Simulation complete – check SIEM for detection." #------------------------------------------------------------ -
Cleanup Commands:
#------------------------------------------------------------ # Cleanup for Dual‑RMM simulation #------------------------------------------------------------ $serviceName = "DualRMMHelper" $payloadPath = "$env:TEMPstatement5648.exe" # Stop and delete the service sc.exe stop $serviceName > $null sc.exe delete $serviceName > $null # Remove the bogus executable Remove-Item -Path $payloadPath -Force Write-Host "[*] Cleanup complete." #------------------------------------------------------------