IOC - VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access
WHITE celestre 2026-05-08 Modified: 2026-05-08
Phishing campaigns that leverage remote management tools are nothing new. Securonix Threat Research has conducted in-depth dynamic analysis of an ongoing phishing campaign, delivered through multiple vectors and active since at least April 2025. The campaign has impacted over 80 organizations, predominantly in the United States and spanning multiple sectors. It leverages vendor-signed Remote Monitoring and Management (RMM) software to establish silent, persistent access: customized SimpleHelp and ScreenConnect RMM installers are used to bypass defenses, since the unsuspecting victim installs them as legitimate software. This campaign appears to have been tracked independently by Sophos (as STAC6405) and by Red Canary; the indicators and behavior in this advisory support and extend their respective research.
Indicators of Compromise (17)
TYPE | INDICATOR | DESCRIPTION | CREATED
IPv4 | 84.200.205.233 | CC=DE ASN=AS44066 accelerated it services & consulting gmbh | 2026-05-08
FileHash-SHA256 | 11914d10b51b5a96606ae606b5ab70d79550e36c1cce94a86134107c59075e0c | | 2026-05-08
FileHash-SHA256 | 3e4b3559fdbe584e19a1ff9b3142b429c6fb91aaa63b5c922c8c5b32c38e426a | | 2026-05-08
FileHash-SHA256 | 641230a9f3091bdd38d04c6df96062bfc82dfc4ff6f663ceb522d3881d6af53a | | 2026-05-08
FileHash-SHA256 | 76d85124db2778baecee24cc5ad56c9a3060c41c5b3c1b5cdc7f0435e0f77cac | | 2026-05-08
FileHash-SHA256 | 810a99a7d6696a36491530e286476b4cf8a819a47fb5e3801fdfecfdb2dc6193 | | 2026-05-08
FileHash-SHA256 | 9369d7194ab03362e9e7af022a48bc6d4e7d91a6ab7c4b5cf5d90abbcd8c7012 | | 2026-05-08
FileHash-SHA256 | 97f801e750cfc2d4558020fb246782e034fd6101d75a59d8915b4f2b2b50ebd9 | | 2026-05-08
FileHash-SHA256 | d953dfbe8d91dc9fafad0a6117e1276fa636d4ae1b6a4d81616ff2446cf09234 | | 2026-05-08
FileHash-SHA256 | dbdddea03c3fc4c2574ce4221450ec86221ebc615c4915c4c4eb3f2a5e3f5b25 | | 2026-05-08
URL | http://84.200.205.233:5555 | | 2026-05-08
URL | http://server.cubatiendaalimentos.com.mx/~tiendazoycom/sns/ | | 2026-05-08
URL | http://server.cubatiendaalimentos.com.mx/~tiendazoycom/sns/statement5648.exe | | 2026-05-08
URL | http://sslzeromail.run.place:8041/ | | 2026-05-08
domain | gruta.com.mx | | 2026-05-08
hostname | server.cubatiendaalimentos.com.mx | | 2026-05-08
hostname | sslzeromail.run.place | | 2026-05-08