
VENOMOUS#HELPER / STAC6405 Dual RMM Phishing Campaign Targeting 80+ Organisations
Indicators of Compromise
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
The following steps are recommended for organisations that suspect or confirm VENOMOUS#HELPER / STAC6405 activity:
Identify and isolate hosts running 'Remote Access Service' (Windows service whose ImagePath points to C:\ProgramData\JWrapper-Remote Access\). Containment must include both network isolation and a hold on remote-access requests through legitimate IT channels until the host is confirmed clean.
Stop and uninstall the service via SimpleService.exe -uninstall, then delete the C:\ProgramData\JWrapper-Remote Access\ directory tree. Remove the SafeBoot persistence key at HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Remote Access Service.
Hunt for and remove the renamed wmic.exe.bak under C:\Windows\System32\wbem\. The presence of this file alone is a high-confidence indicator that the host was compromised by this campaign.
Audit ScreenConnect installations under C:\Program Files (x86)\ScreenConnect Client*. Any client connecting to sslzeromail[.]run.place or 213.136.71.246 must be removed. Audit firewall rules added under names matching SHRemoteAccessServiceJE_* and SHRemoteAccessServiceSH_* and revert them with netsh.
Reset all credentials that the user logged in with on the affected host. Because the SimpleHelp build provides full keyboard and clipboard access, treat any password, browser session token, or MFA seed used on the host during the compromise window as exposed.
Search for any second-stage payload activity. Sophos observed the operator deploying a HeartCrypt-packed infostealer and an additional ScreenConnect relay in two cases. Hunt for 8776_6713.exe, HideMouse.exe, and outbound traffic to 45.56.162.138.
Rebuild rather than clean if possible. Persistence depth and SYSTEM-level access make a clean reimage the safest recovery path for any host where operator hands-on-keyboard activity is confirmed.
Block the campaign IOCs in this advisory at the email gateway, web proxy, NGFW, and DNS resolver. Submit the file hashes from the IoC section to your EDR for retroactive sweep across the estate.
| Technique ID | Technique Name | Tactic | Detection Method | Log Sources |
|---|---|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Initial Access | Inspect inbound email for links that resolve to .com.mx hosts serving Windows executables. Sandbox-detonate any JWrapper-packaged binary before delivery and pivot on attachment hashes shared in the IoC section. | Email gateway logs, sandbox detonation results, URL rewrite telemetry, EDR file-creation events from outlook.exe / browser processes |
| T1219 | Remote Access Software | Command and Control | Alert on any new SimpleHelp or ScreenConnect installation appearing on a host that has no business reason to run an RMM agent. Specifically watch for service binaries in C:\ProgramData\JWrapper-Remote Access\ or C:\Program Files (x86)\ScreenConnect Client*. | Sysmon EID 1/11, Windows service installation events (EID 7045), EDR process-tree telemetry, programs inventory |
| T1543.003 | Create or Modify System Process: Windows Service | Persistence | Detect creation of a Windows service whose display name is 'Remote Access Service' and whose ImagePath points outside Program Files. Trigger on SimpleService.exe being invoked with -install or -uninstall flags. | Windows EID 7045, Sysmon EID 1, Service Control Manager logs, registry write events under HKLM\SYSTEM\...\Services |
| T1562.009 | Impair Defenses: Safe Mode Boot | Defense Evasion | Alert on any addition to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network. Treat the specific value 'Remote Access Service' as a high-confidence host indicator of this campaign. | Sysmon EID 13, Windows registry auditing, Windows Event Forwarding, EDR registry telemetry |
| T1134.001 | Access Token Manipulation: Token Impersonation | Privilege Escalation | Detect non-Microsoft processes that open winlogon.exe with PROCESS_QUERY_INFORMATION + PROCESS_DUP_HANDLE access masks. Correlate with subsequent CreateProcessAsUserW activity that crosses session boundaries. | Sysmon EID 10 (process access), EDR token-manipulation telemetry, Windows Security EID 4688/4624 (logon type 9) |
| T1548.002 | Bypass User Account Control | Privilege Escalation | Identify ShellExecuteEx invocations with the runas verb originating from non-Microsoft signed binaries. Alert on elev_win.exe spawning Java or Remote Access.exe in elevated contexts. | Sysmon EID 1 (with elevation token), Windows Security EID 4673/4674, EDR UAC bypass detection rules |
| T1518.001 | Software Discovery: Security Software Discovery | Discovery | Detect periodic, machine-paced wmic.exe queries against root\SecurityCenter2. The campaign fires AntiVirusProduct, AntiSpywareProduct, and FirewallProduct queries roughly every 67 seconds in synchronised batches - a signature of automation rather than hands-on use. | Sysmon EID 1 (wmic.exe command lines), WMI-Activity ETW logs, EDR child-process telemetry |
| T1016 | System Network Configuration Discovery | Discovery | Watch for repetitive 'netsh wlan show interfaces' executions every ~15 seconds with no interactive parent. Correlate with the same parent process running the WMI security queries above. | Sysmon EID 1, Windows Security EID 4688, EDR command-line telemetry |
| T1036.003 | Masquerading: Rename System Utilities | Defense Evasion | File-integrity-monitor on C:\Windows\System32\wbem\. Any creation of wmic.exe.bak or any binary in this directory not signed by Microsoft is a high-confidence indicator of STAC6405/VENOMOUS#HELPER presence. | Sysmon EID 11 (file create), File Integrity Monitoring, EDR file-system telemetry, scheduled disk hash sweeps |
| T1573 | Encrypted Channel | Command and Control | Detect outbound UDP to port 5555 and TCP to port 8041 toward unusual destinations. Treat the listed IPs (84.200.205.233, 213.136.71.246) and the domain sslzeromail[.]run.place as high-confidence network IOCs. | Firewall/NGFW flow logs, NetFlow, DNS resolver logs, web proxy logs, IDS/IPS signatures |
| T1497.001 | Sandbox Evasion: System Checks | Defense Evasion | EDR baseline of normal user activity should make repeated mouse-position polling visible. Cursor coordinate enumeration approximately every 23 seconds from a non-Microsoft process is anomalous. | EDR behavioural telemetry, Sysmon EID 1 (elev_win.exe --mouselocation), UEBA models for human vs. automated activity |
| T1584.001 | Compromise Infrastructure: Domains | Resource Development | Block and alert on the campaign's frontend, payload, and relay domains. Enrich DNS logs with WHOIS metadata so analysts can quickly triage newly observed look-alike domains. | DNS resolver logs, proxy logs, threat-intelligence feed integration, NGFW URL category data |
| T1555.003 | Credentials from Web Browsers | Credential Access | Alert on non-browser processes reading from Chromium 'Login Data' SQLite databases or the Windows DPAPI master keys. Correlate with HeartCrypt-packed binaries or CSC.exe being used for code execution. | Sysmon EID 11 (file open), EDR credential-access detections, DPAPI usage telemetry, browser process child events |
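The following is an added example, not part of the advisory or Sophos tooling, that turns the host indicators from the remediation steps (the 'Remote Access Service' install, the SafeBoot\Network key, wmic.exe.bak) and the machine-paced wmic SecurityCenter2 cadence from the T1518.001 row into a small detector over Sysmon-style events. The event records, timestamps and the `SAMPLE` list are constructed for illustration; the dict field names are an assumed normalised form, not Sysmon's own XML schema.

```python
import re
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed Sysmon-style records (not real telemetry): EID 1 command line with
# parent image, EID 11 file create, EID 13 registry set, EID 7045 service install.
BASE = datetime(2024, 3, 1, 9, 0, 0)
SECCENTER_QUERY = r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"
SAMPLE = [
    {"ts": BASE, "eid": 7045, "parent": "services.exe",
     "data": r"Remote Access Service -> C:\ProgramData\JWrapper-Remote Access\SimpleService.exe"},
    {"ts": BASE + timedelta(seconds=5), "eid": 13, "parent": "SimpleService.exe",
     "data": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Remote Access Service"},
    {"ts": BASE + timedelta(seconds=9), "eid": 11, "parent": "Remote Access.exe",
     "data": r"C:\Windows\System32\wbem\wmic.exe.bak"},
    # one interactive query from an admin console: must not be flagged as automation
    {"ts": BASE + timedelta(seconds=30), "eid": 1, "parent": "cmd.exe", "data": SECCENTER_QUERY},
] + [  # the campaign's automated sweep: same query every ~67 s with small jitter
    {"ts": BASE + timedelta(seconds=120 + s), "eid": 1, "parent": "Remote Access.exe", "data": SECCENTER_QUERY}
    for s in (0, 67, 134, 202, 268)
]
# High-confidence host indicators named in the remediation steps and the table rows.
HOST_RULES = [
    (7045, re.compile(r"JWrapper-Remote Access", re.I), "T1543.003 Remote Access Service install"),
    (13, re.compile(r"SafeBoot\\Network\\Remote Access Service$", re.I), "T1562.009 SafeBoot key"),
    (11, re.compile(r"\\wbem\\wmic\.exe\.bak$", re.I), "T1036.003 wmic.exe.bak"),
]
WMIC_SECCENTER = re.compile(r"wmic.*SecurityCenter2", re.I)

def host_indicators(events):
    """Return a label for every event that matches a host indicator rule."""
    return [label for ev in events for eid, rx, label in HOST_RULES
            if ev["eid"] == eid and rx.search(ev["data"])]

def machine_paced(events, cmd_rx, period, tol=0.10, min_runs=4):
    """Parent images whose matching EID 1 command lines recur at a near-constant
    interval close to `period` seconds: scripted cadence, not hands-on use."""
    by_parent = {}
    for ev in events:
        if ev["eid"] == 1 and cmd_rx.search(ev["data"]):
            by_parent.setdefault(ev["parent"], []).append(ev["ts"])
    flagged = []
    for parent, times in sorted(by_parent.items()):
        if len(times) < min_runs:
            continue  # too few runs to judge cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # mean gap near the expected period and low spread across gaps
        if abs(mean(gaps) - period) <= tol * period and pstdev(gaps) <= tol * period:
            flagged.append(parent)
    return flagged
```

The same `machine_paced` call with `period=15` over 'netsh wlan show interfaces' command lines covers the T1016 row; the host rules are the ones the remediation steps tell responders to hunt for.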