
Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools

Ravie Lakshmanan, May 04, 2026. Network Security / Endpoint Security

An active phishing campaign has been observed since at least April 2025 that uses legitimate Remote Monitoring and Management (RMM) software as a means of establishing persistent remote access to compromised hosts.

The activity, codenamed YOU WERE A HELPER, has affected more than 80 organizations, most of them in the US, according to Securonix. It overlaps with clusters previously tracked by Red Canary and Sophos, the latter of which has given it the moniker STAC6405. Although it is not yet clear who is behind the campaign, the cybersecurity company said it aligns with a financially motivated Initial Access Broker (IAB) or a pre-ransomware operation.

“In this case, the custom RMMs SimpleHelp and ScreenConnect were used to bypass protections as they were legitimately installed by an unsuspecting victim,” said researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee in a report shared with The Hacker News.

Beyond the fact that legitimate RMM tools can evade detection, the deployment of both SimpleHelp and ScreenConnect shows an attempt to create a “redundant two-channel access structure” that allows the operation to continue even when one of them is detected and blocked.

It all starts with a phishing email impersonating the US Social Security Administration (SSA), in which the recipient is instructed to verify their email address and download an SSA statement by clicking on a link embedded in the message. The link points to a legitimate-but-compromised Mexican business website (“gruta.com[.]mx”), indicating a deliberate strategy to get past email spam filters.

The “SSA statement” is then uploaded to a domain controlled by the second attacker (“server.cubatiendaalimentos.com[.]mx”), the executable responsible for delivering the SimpleHelp RMM tool. It is believed that the attacker gained access to one cPanel user account on the official hosting server to install the binary.

As soon as the victim opens the JWrapper-packaged Windows executable, believing it to be a document, the malware installs itself as a Windows service with Safe Mode persistence, runs a watchdog that automatically restarts it when killed, and periodically enumerates all security products registered in the WMI root\SecurityCenter2 namespace, polling every 23 seconds.

To enable fully interactive desktop access, the SimpleHelp remote access client is granted SeDebugPrivilege via AdjustTokenPrivileges, while “elev_win.exe” – a legitimate executable shipped with the software – is used to obtain SYSTEM-level privileges. This, in turn, allows the operator to view the screen, inject input, and access resources in the user’s context.

This elevated remote access is then used to retrieve and install ConnectWise ScreenConnect, which provides a fallback communication channel if the SimpleHelp channel is taken down.
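As an added, defender-side illustration (not code from the article, Securonix, or either RMM vendor), the following Python snippet runs a small detection over a constructed endpoint telemetry feed and flags the three behaviours described above: two RMM products installed as services on the same host, a steady cadence of WMI queries against root\SecurityCenter2, and execution of elev_win.exe. The event schema, host names, timestamps and thresholds are assumptions.

```python
# Added example, not from the article or any vendor. Telemetry format is
# a constructed, normalised feed: (epoch seconds, host, event type, detail).
from collections import defaultdict
from statistics import pstdev

EVENTS = [  # constructed sample data
    (1000, "ws01", "service_install", "SimpleHelp Remote Access"),
    (1005, "ws01", "process", "elev_win.exe"),
    (1010, "ws01", "wmi_query", r"root\SecurityCenter2:SELECT * FROM AntiVirusProduct"),
    (1033, "ws01", "wmi_query", r"root\SecurityCenter2:SELECT * FROM AntiVirusProduct"),
    (1056, "ws01", "wmi_query", r"root\SecurityCenter2:SELECT * FROM AntiVirusProduct"),
    (1079, "ws01", "wmi_query", r"root\SecurityCenter2:SELECT * FROM AntiVirusProduct"),
    (1200, "ws01", "service_install", "ScreenConnect Client"),
    (2000, "ws02", "wmi_query", r"root\SecurityCenter2:SELECT * FROM AntiVirusProduct"),
    (2500, "ws02", "service_install", "ScreenConnect Client"),  # single, sanctioned channel
]

RMM_NAMES = ("simplehelp", "screenconnect")

def dual_rmm_hosts(events):
    """Hosts where more than one RMM product was installed as a service (redundant channels)."""
    seen = defaultdict(set)
    for _, host, kind, detail in events:
        if kind == "service_install":
            seen[host].update(n for n in RMM_NAMES if n in detail.lower())
    return sorted(h for h, names in seen.items() if len(names) > 1)

def periodic_securitycenter_polling(events, min_queries=3, max_jitter=2.0):
    """Hosts querying the SecurityCenter2 namespace at a near-constant interval.
    Returns {host: mean interval in seconds}; a one-off admin check does not qualify."""
    times = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "wmi_query" and detail.lower().startswith(r"root\securitycenter2"):
            times[host].append(ts)
    hits = {}
    for host, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_queries and pstdev(gaps) <= max_jitter:
            hits[host] = sum(gaps) / len(gaps)
    return hits

def elev_win_hosts(events):
    """Hosts on which the SimpleHelp elevation helper was executed."""
    return sorted({h for _, h, kind, d in events if kind == "process" and d.lower() == "elev_win.exe"})

if __name__ == "__main__":
    print(dual_rmm_hosts(EVENTS), periodic_securitycenter_polling(EVENTS), elev_win_hosts(EVENTS))
```

A host that trips all three checks at once, as ws01 does here, is a far stronger signal than any one of them alone, since a single sanctioned RMM install or an isolated SecurityCenter2 query is routine.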

“The deployed version of SimpleHelp (5.0.1) provides a set of remote management capabilities,” the researchers said. “The victim’s organization is left in a situation where the attacker can return at any time, silently execute commands on the user’s desktop session, transfer files in duplicate, and rotate to nearby systems, while standard anti-virus and signature-based controls see nothing but legally signed software from a reputable UK vendor.”
