SOC Prime Bias: Medium

06 May 2026 11:31 UTC

VENOMOUS#HELPER: Dual-RMM Phishing Campaign Uses JWrapper-Packed SimpleHelp and ScreenConnect for Silent Remote Access

Author Photo
SOC Prime Team linkedin icon Follow
VENOMOUS#HELPER: Dual-RMM Phishing Campaign Uses JWrapper-Packed SimpleHelp and ScreenConnect for Silent Remote Access
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A phishing campaign has been using a compromised Mexican website to distribute a JWrapper-packed executable that installs the legitimate remote management tools SimpleHelp and ScreenConnect. Although both binaries are signed and normally trusted, the attackers abuse them to gain persistent, silent remote access through Windows services and Safe Mode registry modifications. Since April 2025, the activity has impacted more than 80 organizations across the United States, Western Europe, and Latin America. While attribution remains unclear, the campaign appears to be financially motivated.

Investigation

Securonix conducted dynamic analysis of the delivered payload and uncovered a dual-channel remote access setup built around SimpleHelp 5.0.1 and ConnectWise ScreenConnect. The malware installs itself as a Windows service, creates a SafeBoot registry entry to survive reboots into Safe Mode, and uses repeated polling loops to identify installed security products and determine whether a user is present on the machine. Investigators also found that a renamed wmic.exe.bak binary was used as part of the execution chain to help bypass name-based detections.

Mitigation

Security teams should monitor for creation of the Remote Access Service Windows service, the associated SafeBoot registry entry, and the appearance of wmic.exe.bak inside the System32\wbem directory. Network defenses should block outbound UDP traffic to 84.200.205.233:5555 and TCP traffic to sslzeromail.run.place:8041. Defenders should also remove the malicious service and related files while hunting for renamed utilities and other artifacts linked to the intrusion.

Response

If this activity is detected, isolate the affected system immediately, stop and remove the malicious service, delete the SafeBoot registry entry, and remove the JWrapper installation directory from the host. Investigators should then perform forensic analysis to determine whether lateral movement occurred and update detection logic to capture the specific process chains and command patterns seen in the campaign. Relevant stakeholders should be informed, and broader threat hunting should be considered to identify additional victims.

Attack Flow

Detections

SimpleHelp Agent Executed from JWrapper Remote Access Directory (via process_creation)

SOC Prime Team
05 May 2026

Possible Antivirus or Firewall Software Enumeration (via process_creation)

SOC Prime Team
05 May 2026

Alternative Remote Access / Management Software (via process_creation)

SOC Prime Team
05 May 2026

Possible Simple Help RMM Usage Attempt (via file_event)

SOC Prime Team
05 May 2026

IOCs (HashSha512) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access

SOC Prime AI Rules
05 May 2026

IOCs (HashSha256) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access

SOC Prime AI Rules
05 May 2026

IOCs (HashMd5) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access

SOC Prime AI Rules
05 May 2026

IOCs (SourceIP) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access

SOC Prime AI Rules
05 May 2026

IOCs (DestinationIP) to detect: VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access

SOC Prime AI Rules
05 May 2026

Monitoring for Potential RAT Activity by Renamed wmic.exe and WiFi Interface Commands [Windows Sysmon]

SOC Prime AI Rules
05 May 2026

Detection of Dual-RMM Phishing Campaign Using SimpleHelp and ScreenConnect [Windows Process Creation]

SOC Prime AI Rules
05 May 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    The attacker receives a phishing attachment (T1566.001) that drops a malicious payload named statement5648.exe into the %TEMP% directory. To evade detection, the file is signed with a valid certificate (obfuscated code – T1027) and is executed as a Windows service (T1543.003) to persist. Because the executable name matches one of the rule’s suffixes, Sysmon records an EventID 1 with Image ending in statement5648.exe, which should fire the detection rule. The attacker also disables antivirus (T1562.009) and attempts UAC bypass (T1548.002) to gain elevated privileges.

  • Regression Test Script:

    #------------------------------------------------------------
    # Dual‑RMM Phishing Campaign Simulation – triggers Sigma rule
    #------------------------------------------------------------
    $payloadPath = "$env:TEMPstatement5648.exe"
    $serviceName = "DualRMMHelper"
    
    # 1. Drop a dummy executable (copy of notepad.exe) and rename
    Write-Host "[*] Dropping masqueraded payload to $payloadPath"
    Copy-Item -Path "$env:SystemRootSystem32notepad.exe" -Destination $payloadPath -Force
    
    # 2. Create a Windows service that runs the payload (persistence)
    Write-Host "[*] Installing service $serviceName"
    sc.exe create $serviceName binPath= "`"$payloadPath`"" start= auto > $null
    
    # 3. Start the service – this generates Sysmon ProcessCreate event
    Write-Host "[*] Starting service $serviceName"
    sc.exe start $serviceName > $null
    
    # 4. OPTIONAL: Simulate UAC bypass / token impersonation (no‑op placeholder)
    #    In a real red‑team run, this would involve Invoke-BypassUAC or similar.
    Write-Host "[*] Simulation complete – check SIEM for detection."
    #------------------------------------------------------------
  • Cleanup Commands:

    #------------------------------------------------------------
    # Cleanup for Dual‑RMM simulation
    #------------------------------------------------------------
    $serviceName = "DualRMMHelper"
    $payloadPath = "$env:TEMPstatement5648.exe"
    
    # Stop and delete the service
    sc.exe stop $serviceName > $null
    sc.exe delete $serviceName > $null
    
    # Remove the bogus executable
    Remove-Item -Path $payloadPath -Force
    
    Write-Host "[*] Cleanup complete."
    #------------------------------------------------------------