VENOMOUS HELPER / STAC6405 Dual RMM Phishing Campaign Targeting 80+ Organisations

Tags: VENOMOUS#HELPER, STAC6405, ScreenConnect, LogMeIn Resolve, JWrapper, dual-RMM, phishing, SSA impersonation, Punchbowl lure, Evite lure, IRS lure, RMM abuse, Initial Access Broker, ransomware precursor, Safe Mode persistence, wmic.exe.bak, financially motivated
An active phishing campaign tracked by Securonix as VENOMOUS HELPER and overlapping with the Sophos cluster STAC6405 has been impersonating the U.S. Social Security Administration (SSA) and other lures - event invitations, tender invitations, and IRS forms - to deliver legitimate, vendor-signed Remote Monitoring and Management (RMM) software for silent persistent access. Securonix reports that more than 80 organisations have been impacted, predominantly in the United States, since at least April 2025.

Indicators of Compromise

delicate-dew.serveftp.com
exploit_siak_bahasa.py
systemd-update.service
exfil_docs_v2.sh

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

The following steps are recommended for organisations that suspect or confirm VENOMOUS#HELPER / STAC6405 activity:

  1. Identify and isolate hosts running 'Remote Access Service' (Windows service whose ImagePath points to C:\ProgramData\JWrapper-Remote Access\). Containment must include both network isolation and a hold on remote-access requests through legitimate IT channels until the host is confirmed clean.

  2. Stop and uninstall the service via SimpleService.exe -uninstall, then delete the C:\ProgramData\JWrapper-Remote Access\ directory tree. Remove the SafeBoot persistence key at HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Remote Access Service.

  3. Hunt for and remove the renamed wmic.exe.bak under C:\Windows\System32\wbem\. The presence of this file alone is a high-confidence indicator that the host was compromised by this campaign.

  4. Audit ScreenConnect installations under C:\Program Files (x86)\ScreenConnect Client*. Any client connecting to sslzeromail[.]run.place or 213.136.71.246 must be removed. Audit firewall rules added under names matching SHRemoteAccessServiceJE_* and SHRemoteAccessServiceSH_* and revert them with netsh.

  5. Reset all credentials that the user logged in with on the affected host. Because the SimpleHelp build provides full keyboard and clipboard access, treat any password, browser session token, or MFA seed used on the host during the compromise window as exposed.

  6. Search for any second-stage payload activity. Sophos observed the operator deploying a HeartCrypt-packed infostealer and an additional ScreenConnect relay in two cases. Hunt for 8776_6713.exe, HideMouse.exe, and outbound traffic to 45.56.162.138.

  7. Rebuild rather than clean if possible. Persistence depth and SYSTEM-level access make a clean reimage the safest recovery path for any host where operator hands-on-keyboard activity is confirmed.

  8. Block the campaign IOCs in this advisory at the email gateway, web proxy, NGFW, and DNS resolver. Submit the file hashes from the IoC section to your EDR for retroactive sweep across the estate.
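An added read-only triage script for the steps above, not from the advisory or from either vendor: it assumes an elevated Windows PowerShell 5.1 or later session on the suspect host with the NetSecurity and DnsClient modules present, reports the artifacts each step names, and removes nothing.

```powershell
# Added triage script: reports STAC6405 / VENOMOUS#HELPER artifacts from steps 1-6 and
# recommends a recovery path. Read-only; containment and removal stay manual.
$Findings = [System.Collections.Generic.List[string]]::new()

# Step 1: service whose ImagePath points into the JWrapper-Remote Access tree
Get-CimInstance Win32_Service |
  Where-Object { $_.PathName -like '*JWrapper-Remote Access*' -or $_.DisplayName -eq 'Remote Access Service' } |
  ForEach-Object { $Findings.Add("Service '$($_.Name)' state=$($_.State) path=$($_.PathName)") }

# Step 2: SafeBoot key that lets the service start in Safe Mode with Networking
$SafeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Remote Access Service'
if (Test-Path $SafeBoot) { $Findings.Add("SafeBoot persistence key present: $SafeBoot") }

# Step 3: renamed wmic.exe, plus any non-Microsoft binary in wbem (detection row T1036.003)
$Wbem = Join-Path $env:SystemRoot 'System32\wbem'
if (Test-Path (Join-Path $Wbem 'wmic.exe.bak')) { $Findings.Add('wmic.exe.bak present in System32\wbem') }
Get-ChildItem $Wbem -Filter *.exe -ErrorAction SilentlyContinue |
  Where-Object { (Get-AuthenticodeSignature $_.FullName).SignerCertificate.Subject -notlike '*Microsoft*' } |
  ForEach-Object { $Findings.Add("Non-Microsoft-signed binary in wbem: $($_.FullName)") }

# Step 4: ScreenConnect client directories, installer firewall rules, relay domain in the DNS cache
Get-ChildItem "${env:ProgramFiles(x86)}" -Directory -Filter 'ScreenConnect Client*' -ErrorAction SilentlyContinue |
  ForEach-Object { $Findings.Add("ScreenConnect client directory: $($_.FullName)") }
Get-NetFirewallRule -DisplayName 'SHRemoteAccessService*' -ErrorAction SilentlyContinue |
  ForEach-Object { $Findings.Add("Firewall rule: $($_.DisplayName) ($($_.Direction)/$($_.Action))") }
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object Entry -like '*sslzeromail*' |
  ForEach-Object { $Findings.Add("Relay domain in DNS cache: $($_.Entry) -> $($_.Data)") }

# Steps 4 and 6: established connections to the relay and second-stage addresses in the advisory
$BadHosts = '213.136.71.246', '84.200.205.233', '45.56.162.138'
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
  Where-Object { $BadHosts -contains $_.RemoteAddress } |
  ForEach-Object { $Findings.Add("Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)") }

# Step 6: second-stage file names reported by Sophos (searched in the usual drop locations only)
foreach ($root in $env:ProgramData, "$env:SystemRoot\Temp", "$env:SystemDrive\Users") {
  Get-ChildItem $root -Recurse -Force -Include '8776_6713.exe', 'HideMouse.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("Second-stage artifact: $($_.FullName)") }
}

# Steps 5-7: any hit means credentials used here are exposed; second-stage activity is
# hands-on-keyboard evidence, so the safest recovery path is a reimage
if ($Findings.Count -eq 0) { 'No STAC6405 / VENOMOUS#HELPER artifacts found.'; return }
$Findings | ForEach-Object { "[!] $_" }
'[!] Reset every credential used on this host during the compromise window (step 5).'
if ($Findings | Where-Object { $_ -match 'Second-stage|45\.56\.162\.138' }) {
  '[!] Hands-on-keyboard indicators present: reimage rather than clean (step 7).'
}
```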

DETECTIONS

Technique ID | Technique Name | Tactic | Detection Method | Log Sources

T1566.001 Phishing: Spearphishing Attachment (Initial Access)
  Detection: Inspect inbound email for links that resolve to .com.mx hosts serving Windows executables. Sandbox-detonate any JWrapper-packaged binary before delivery and pivot on attachment hashes shared in the IoC section.
  Log sources: Email gateway logs, sandbox detonation results, URL rewrite telemetry, EDR file-creation events from outlook.exe / browser processes

T1219 Remote Access Software (Command and Control)
  Detection: Alert on any new SimpleHelp or ScreenConnect installation appearing on a host that has no business reason to run an RMM agent. Specifically watch for service binaries in C:\ProgramData\JWrapper-Remote Access\ or C:\Program Files (x86)\ScreenConnect Client*.
  Log sources: Sysmon EID 1/11, Windows service installation events (EID 7045), EDR process-tree telemetry, programs inventory

T1543.003 Create or Modify System Process: Windows Service (Persistence)
  Detection: Detect creation of a Windows service whose display name is 'Remote Access Service' and whose ImagePath points outside Program Files. Trigger on SimpleService.exe being invoked with the -install or -uninstall flag.
  Log sources: Windows EID 7045, Sysmon EID 1, Service Control Manager logs, registry write events under HKLM\SYSTEM\...\Services

T1562.009 Impair Defenses: Safe Mode Boot (Defense Evasion)
  Detection: Alert on any addition to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network. Treat the specific value 'Remote Access Service' as a high-confidence host indicator of this campaign.
  Log sources: Sysmon EID 13, Windows registry auditing, Windows Event Forwarding, EDR registry telemetry

T1134.001 Access Token Manipulation: Token Impersonation (Privilege Escalation)
  Detection: Detect non-Microsoft processes that open winlogon.exe with PROCESS_QUERY_INFORMATION + PROCESS_DUP_HANDLE access masks. Correlate with subsequent CreateProcessAsUserW activity that crosses session boundaries.
  Log sources: Sysmon EID 10 (process access), EDR token-manipulation telemetry, Windows Security EID 4688/4624 (logon type 9)

T1548.002 Bypass User Account Control (Privilege Escalation)
  Detection: Identify ShellExecuteEx invocations with the runas verb originating from non-Microsoft-signed binaries. Alert on elev_win.exe spawning Java or Remote Access.exe in elevated contexts.
  Log sources: Sysmon EID 1 (with elevation token), Windows Security EID 4673/4674, EDR UAC bypass detection rules

T1518.001 Software Discovery: Security Software Discovery (Discovery)
  Detection: Detect periodic, machine-paced wmic.exe queries against root\SecurityCenter2. The campaign fires AntiVirusProduct, AntiSpywareProduct, and FirewallProduct queries roughly every 67 seconds in synchronised batches, a signature of automation rather than hands-on use.
  Log sources: Sysmon EID 1 (wmic.exe command lines), WMI-Activity ETW logs, EDR child-process telemetry

T1016 System Network Configuration Discovery (Discovery)
  Detection: Watch for repetitive 'netsh wlan show interfaces' executions every ~15 seconds with no interactive parent. Correlate with the same parent process running the WMI security queries above.
  Log sources: Sysmon EID 1, Windows Security EID 4688, EDR command-line telemetry

T1036.003 Masquerading: Rename System Utilities (Defense Evasion)
  Detection: Run file-integrity monitoring on C:\Windows\System32\wbem\. Any creation of wmic.exe.bak, or of any binary in this directory not signed by Microsoft, is a high-confidence indicator of STAC6405/VENOMOUS#HELPER presence.
  Log sources: Sysmon EID 11 (file create), File Integrity Monitoring, EDR file-system telemetry, scheduled disk hash sweeps

T1573 Encrypted Channel (Command and Control)
  Detection: Detect outbound UDP to port 5555 and TCP to port 8041 toward unusual destinations. Treat the listed IPs (84.200.205.233, 213.136.71.246) and the domain sslzeromail[.]run.place as high-confidence network IOCs.
  Log sources: Firewall/NGFW flow logs, NetFlow, DNS resolver logs, web proxy logs, IDS/IPS signatures

T1497.001 Sandbox Evasion: System Checks (Defense Evasion)
  Detection: An EDR baseline of normal user activity should make repeated mouse-position polling visible. Cursor coordinate enumeration approximately every 23 seconds from a non-Microsoft process is anomalous.
  Log sources: EDR behavioural telemetry, Sysmon EID 1 (elev_win.exe --mouselocation), UEBA models for human vs. automated activity

T1584.001 Compromise Infrastructure: Domains (Resource Development)
  Detection: Block and alert on the campaign's frontend, payload, and relay domains. Enrich DNS logs with WHOIS metadata so analysts can quickly triage newly observed look-alike domains.
  Log sources: DNS resolver logs, proxy logs, threat-intelligence feed integration, NGFW URL category data

T1555.003 Credentials from Web Browsers (Credential Access)
  Detection: Alert on non-browser processes reading from Chromium 'Login Data' SQLite databases or the Windows DPAPI master keys. Correlate with HeartCrypt-packed binaries or CSC.exe being used for code execution.
  Log sources: Sysmon EID 11 (file open), EDR credential-access detections, DPAPI usage telemetry, browser process child events
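The discovery loop (T1518.001, T1016) and the cursor polling (T1497.001) in the table share one detectable property: the same command line re-executed from one parent process at near-constant intervals. The following added example, not from the advisory, scores Sysmon EID 1 command lines by cadence; the event objects are constructed in place of Get-WinEvent output, and the wmic command-line syntax and parent PIDs are assumptions.

```powershell
# Added example: flag command lines re-executed at a near-constant cadence from one parent.
# Input shape assumed to match Sysmon EID 1 fields (TimeCreated, ParentProcessId, CommandLine);
# the sample events below are constructed, including the wmic syntax and the PIDs.
$t0 = Get-Date '2025-06-01T10:00:00'
$Events = foreach ($i in 0..5) {       # three SecurityCenter2 queries per batch, one batch every 67 s
  foreach ($cls in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(67 * $i); ParentProcessId = 4120
      CommandLine = "wmic.exe /Namespace:\\root\SecurityCenter2 Path $cls Get displayName" }
  }
}
$Events += foreach ($i in 0..19) {     # wlan probe about every 15 s, with a second of jitter
  [pscustomobject]@{ TimeCreated = $t0.AddSeconds(15 * $i + ($i % 2)); ParentProcessId = 4120
    CommandLine = 'netsh wlan show interfaces' } }
$Events += foreach ($i in 0..7) {      # cursor polling every 23 s (T1497.001)
  [pscustomobject]@{ TimeCreated = $t0.AddSeconds(23 * $i); ParentProcessId = 4120
    CommandLine = 'elev_win.exe --mouselocation' } }
$Events += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(40); ParentProcessId = 988   # one-off admin query
  CommandLine = 'wmic.exe product get name' }

function Get-PeriodicCommands {
  param([object[]]$Events, [int]$MinRuns = 4, [double]$MaxJitter = 0.25)
  $Events | ForEach-Object {
    # collapse the per-class WMI queries into one key so a whole batch counts as one loop
    $key = ($_.CommandLine -replace 'Path \w+ Get', 'Path <class> Get').ToLower()
    [pscustomobject]@{ Parent = $_.ParentProcessId; Key = $key; Time = $_.TimeCreated }
  } | Group-Object Parent, Key | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object -Unique)   # batch members share a timestamp
    if ($times.Count -lt $MinRuns) { return }
    $gaps = for ($j = 1; $j -lt $times.Count; $j++) { ($times[$j] - $times[$j - 1]).TotalSeconds }
    $s = $gaps | Measure-Object -Minimum -Maximum -Average
    # jitter = spread of the gaps relative to the mean; a person re-running a command by hand
    # does not keep the gaps this even across many runs
    if (($s.Maximum - $s.Minimum) / $s.Average -le $MaxJitter) {
      [pscustomobject]@{ Parent = $_.Group[0].Parent; Command = $_.Group[0].Key
        Runs = $times.Count; PeriodSec = [math]::Round($s.Average, 1) }
    }
  }
}
Get-PeriodicCommands -Events $Events | Format-Table -AutoSize
```

On the constructed sample the function reports the three loops from parent 4120 (periods 67, 15 and 23 seconds) and ignores the single interactive wmic query.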

Observed Countries (4)

DE (973)
GB (110)
MX (61)
US (965)