securonix.2026.venomous-helper-ssa-rmm-double-compromised-host
SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access
IIM chain for the VENOMOUS#HELPER campaign reported by Securonix (covered 2026-05-04). A U.S. Social Security Administration (SSA) impersonation email instructs the recipient to verify their address and download a purported SSA statement. The embedded link points to a compromised legitimate Mexican business website used to evade email filters; the executable is then pulled from a second attacker-controlled domain staged through a single compromised cPanel account on a legitimate hosting server. The JWrapper-packaged Windows executable installs the SimpleHelp RMM tool, registers as a Windows service with Safe Mode persistence, and uses a self-healing watchdog. The chain models only the infrastructure layer; the watchdog, service install, and Safe Mode persistence are endpoint behaviour recorded under attack_annotations.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsurl
<SSA-themed phishing email link>
domain
gruta.com[.]mx
domain
server.cubatiendaalimentos.com[.]mx
file
SSA_Statement.exe (JWrapper-packaged Windows executable)
domain
<SimpleHelp/ScreenConnect RMM relay endpoint>
Relations
directed infrastructure edgese1redirecte2
confirmed
e2redirecte3
confirmed
e3downloade4
confirmed
e4connecte5
confirmed
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e1 |
url | <SSA-themed phishing email link> |
Reporting states the campaign begins with a phishing email impersonating the U.S. Social Security Administration, instructing the recipient to verify their email and download a purported SSA statement via an embedded link. The specific lure URL value was not published; modeled as a placeholder entry artifact. |
e2 |
domain | gruta.com[.]mx |
Reporting states the embedded link points to a legitimate-but-compromised Mexican business website (gruta.com[.]mx). Reporting characterises the use of the compromised legitimate site as a deliberate strategy to evade email spam filters. |
e3 |
domain | server.cubatiendaalimentos.com[.]mx |
Reporting states the SSA statement is downloaded from a second attacker-controlled domain (server.cubatiendaalimentos.com[.]mx). Reporting states the attacker is believed to have gained access to a single cPanel user account on the legitimate hosting server to stage the binary. |
e4 |
file | SSA_Statement.exe (JWrapper-packaged Windows executable) |
Reporting states the downloaded file is a JWrapper-packaged Windows executable disguised as a document. Reporting states that on execution it is responsible for delivering the SimpleHelp RMM tool. |
e5 |
domain | <SimpleHelp/ScreenConnect RMM relay endpoint> |
Reporting states the installed RMM tooling (SimpleHelp, with ScreenConnect also used in the campaign) provides persistent remote access. The specific RMM relay/tenant endpoint was not published; modeled as a placeholder c2 entity. |
ATT&CK annotations
optional complementary mappingSSA-themed email with embedded link.
Victim runs the disguised JWrapper executable.
SimpleHelp / ScreenConnect used for remote access.
Installs as a Windows service with Safe Mode persistence.
Self-healing watchdog and tooling concealment.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "securonix.2026.venomous-helper-ssa-rmm-double-compromised-host",
"title": "SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access",
"description": "IIM chain for the VENOMOUS#HELPER campaign reported by Securonix (covered 2026-05-04). A U.S. Social Security Administration (SSA) impersonation email instructs the recipient to verify their address and download a purported SSA statement. The embedded link points to a compromised legitimate Mexican business website used to evade email filters; the executable is then pulled from a second attacker-controlled domain staged through a single compromised cPanel account on a legitimate hosting server. The JWrapper-packaged Windows executable installs the SimpleHelp RMM tool, registers as a Windows service with Safe Mode persistence, and uses a self-healing watchdog. The chain models only the infrastructure layer; the watchdog, service install, and Safe Mode persistence are endpoint behaviour recorded under attack_annotations.",
"actor_id": "unknown",
"observed_at": "2026-05-04T00:00:00Z",
"confidence": "confirmed",
"needs_review": false,
"x_source": {
"title": "Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools",
"publisher": "The Hacker News (reporting Securonix research)",
"campaign_name": "VENOMOUS#HELPER",
"url": "https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html",
"published_at": "2026-05-04",
"accessed_at": "2026-05-30T00:00:00Z",
"source_type": "secondary news report of vendor research (Securonix)"
},
"x_source_title": "SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access",
"x_source_url": "https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html",
"x_iocs": {
"compromised_redirect_host": "gruta.com[.]mx",
"attacker_staging_domain": "server.cubatiendaalimentos.com[.]mx",
"rmm_tools": [
"SimpleHelp",
"ScreenConnect"
],
"lure_theme": "U.S. Social Security Administration statement",
"payload_packaging": "JWrapper-packaged Windows executable",
"campaign_active_since": "2025-04",
"impacted_orgs": "80+ (mostly United States)"
},
"x_limitations": [
"The exact email-sender infrastructure (sending domain/IP) was not published and is not modeled.",
"SimpleHelp / ScreenConnect are legitimate RMM products; the specific attacker tenant or relay endpoint was not published, so the c2 entity is a placeholder.",
"Self-healing watchdog, Windows service registration, and Safe Mode persistence are endpoint behaviours (ATT&CK), not infrastructure, and are excluded from the chain body.",
"Report is dated 2026-05-04, not 2026-05-30."
],
"entities": [
{
"id": "e1",
"type": "url",
"value": "<SSA-themed phishing email link>",
"observed_at": "2026-05-04T00:00:00Z",
"source": "The Hacker News / Securonix VENOMOUS#HELPER (2026-05-04)",
"evidence": [
"Reporting states the campaign begins with a phishing email impersonating the U.S. Social Security Administration, instructing the recipient to verify their email and download a purported SSA statement via an embedded link.",
"The specific lure URL value was not published; modeled as a placeholder entry artifact."
],
"x_placeholder": true,
"x_chain_stage": "email_lure_entry"
},
{
"id": "e2",
"type": "domain",
"value": "gruta.com[.]mx",
"observed_at": "2026-05-04T00:00:00Z",
"source": "The Hacker News / Securonix VENOMOUS#HELPER (2026-05-04)",
"evidence": [
"Reporting states the embedded link points to a legitimate-but-compromised Mexican business website (gruta.com[.]mx).",
"Reporting characterises the use of the compromised legitimate site as a deliberate strategy to evade email spam filters."
],
"x_defanged": true,
"x_chain_stage": "compromised_legitimate_redirector"
},
{
"id": "e3",
"type": "domain",
"value": "server.cubatiendaalimentos.com[.]mx",
"observed_at": "2026-05-04T00:00:00Z",
"source": "The Hacker News / Securonix VENOMOUS#HELPER (2026-05-04)",
"evidence": [
"Reporting states the SSA statement is downloaded from a second attacker-controlled domain (server.cubatiendaalimentos.com[.]mx).",
"Reporting states the attacker is believed to have gained access to a single cPanel user account on the legitimate hosting server to stage the binary."
],
"x_defanged": true,
"x_chain_stage": "attacker_staging_on_compromised_hosting"
},
{
"id": "e4",
"type": "file",
"value": "SSA_Statement.exe (JWrapper-packaged Windows executable)",
"observed_at": "2026-05-04T00:00:00Z",
"source": "The Hacker News / Securonix VENOMOUS#HELPER (2026-05-04)",
"evidence": [
"Reporting states the downloaded file is a JWrapper-packaged Windows executable disguised as a document.",
"Reporting states that on execution it is responsible for delivering the SimpleHelp RMM tool."
],
"x_packaging": "JWrapper",
"x_chain_stage": "rmm_dropper_payload"
},
{
"id": "e5",
"type": "domain",
"value": "<SimpleHelp/ScreenConnect RMM relay endpoint>",
"observed_at": "2026-05-04T00:00:00Z",
"source": "The Hacker News / Securonix VENOMOUS#HELPER (2026-05-04)",
"evidence": [
"Reporting states the installed RMM tooling (SimpleHelp, with ScreenConnect also used in the campaign) provides persistent remote access.",
"The specific RMM relay/tenant endpoint was not published; modeled as a placeholder c2 entity."
],
"x_placeholder": true,
"x_chain_stage": "rmm_remote_access_c2"
}
],
"chain": [
{
"entity_id": "e1",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "SSA-themed email lure; sender infrastructure not published."
},
{
"entity_id": "e2",
"role": "redirector",
"techniques": [
"IIM-T004"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Compromised legitimate Mexican business site used to pass spam filtering."
},
{
"entity_id": "e3",
"role": "staging",
"techniques": [
"IIM-T004"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Binary staged via single compromised cPanel account on legitimate hosting -> second compromised-host layer."
},
{
"entity_id": "e4",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "JWrapper packaging is not an archive container (not T024); packaging is delivery formatting, execution is ATT&CK."
},
{
"entity_id": "e5",
"role": "c2",
"techniques": [],
"role_confidence": "likely",
"technique_confidence": "n/a",
"review_notes": "Legitimate RMM abused as C2; no clean v1.0 technique (T018 covers chat/storage APIs, not RMM). Candidate for a future 'Legitimate RMM as C2' technique."
}
],
"relations": [
{
"from": "e1",
"to": "e2",
"type": "redirect",
"sequence_order": 1,
"observed_at": "2026-05-04T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"Embedded email link points to the compromised gruta.com[.]mx site."
]
},
{
"from": "e2",
"to": "e3",
"type": "redirect",
"sequence_order": 2,
"observed_at": "2026-05-04T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"From the compromised site the victim is taken to the second attacker-controlled domain hosting the executable."
]
},
{
"from": "e3",
"to": "e4",
"type": "download",
"sequence_order": 3,
"observed_at": "2026-05-04T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"The purported SSA statement executable is downloaded from server.cubatiendaalimentos.com[.]mx."
]
},
{
"from": "e4",
"to": "e5",
"type": "connect",
"sequence_order": 4,
"observed_at": "2026-05-04T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"Execution installs SimpleHelp RMM which connects out for persistent remote access."
]
}
],
"attack_annotations": [
{
"technique_id": "T1566.002",
"name": "Phishing: Spearphishing Link",
"tactic": "Initial Access",
"comment": "SSA-themed email with embedded link."
},
{
"technique_id": "T1204.002",
"name": "User Execution: Malicious File",
"tactic": "Execution",
"comment": "Victim runs the disguised JWrapper executable."
},
{
"technique_id": "T1219",
"name": "Remote Access Software",
"tactic": "Command and Control",
"comment": "SimpleHelp / ScreenConnect used for remote access."
},
{
"technique_id": "T1543.003",
"name": "Create or Modify System Process: Windows Service",
"tactic": "Persistence",
"comment": "Installs as a Windows service with Safe Mode persistence."
},
{
"technique_id": "T1564",
"name": "Hide Artifacts",
"tactic": "Defense Evasion",
"comment": "Self-healing watchdog and tooling concealment."
}
]
}