← feed

securonix.2026.venomous-helper-ssa-rmm-double-compromised-host

SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access

IIM chain for the VENOMOUS#HELPER campaign reported by Securonix (covered 2026-05-04). A U.S. Social Security Administration (SSA) impersonation email instructs the recipient to verify their address and download a purported SSA statement. The embedded link points to a compromised legitimate Mexican business website used to evade email filters; the executable is then pulled from a second attacker-controlled domain staged through a single compromised cPanel account on a legitimate hosting server. The JWrapper-packaged Windows executable installs the SimpleHelp RMM tool, registers as a Windows service with Safe Mode persistence, and uses a self-healing watchdog. The chain models only the infrastructure layer; the watchdog, service install, and Safe Mode persistence are endpoint behaviour recorded under attack_annotations.

confirmed IIM v1.1 unknown
Raw JSON
entities5
relations4
techniques1
published2026-05-30 21:24:57

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

url

<SSA-themed phishing email link>

2
redirector

domain

gruta.com[.]mx

IIM-T004
3
staging

domain

server.cubatiendaalimentos.com[.]mx

IIM-T004
4
payload

file

SSA_Statement.exe (JWrapper-packaged Windows executable)

5
c2

domain

<SimpleHelp/ScreenConnect RMM relay endpoint>

Relations

directed infrastructure edges
e1redirecte2 confirmed
e2redirecte3 confirmed
e3downloade4 confirmed
e4connecte5 confirmed

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e1 url <SSA-themed phishing email link>
Reporting states the campaign begins with a phishing email impersonating the U.S. Social Security Administration, instructing the recipient to verify their email and download a purported SSA statement via an embedded link.
The specific lure URL value was not published; modeled as a placeholder entry artifact.
e2 domain gruta.com[.]mx
Reporting states the embedded link points to a legitimate-but-compromised Mexican business website (gruta.com[.]mx).
Reporting characterises the use of the compromised legitimate site as a deliberate strategy to evade email spam filters.
e3 domain server.cubatiendaalimentos.com[.]mx
Reporting states the SSA statement is downloaded from a second attacker-controlled domain (server.cubatiendaalimentos.com[.]mx).
Reporting states the attacker is believed to have gained access to a single cPanel user account on the legitimate hosting server to stage the binary.
e4 file SSA_Statement.exe (JWrapper-packaged Windows executable)
Reporting states the downloaded file is a JWrapper-packaged Windows executable disguised as a document.
Reporting states that on execution it is responsible for delivering the SimpleHelp RMM tool.
e5 domain <SimpleHelp/ScreenConnect RMM relay endpoint>
Reporting states the installed RMM tooling (SimpleHelp, with ScreenConnect also used in the campaign) provides persistent remote access.
The specific RMM relay/tenant endpoint was not published; modeled as a placeholder c2 entity.

ATT&CK annotations

optional complementary mapping
T1566.002Phishing: Spearphishing Link

SSA-themed email with embedded link.

T1204.002User Execution: Malicious File

Victim runs the disguised JWrapper executable.

T1219Remote Access Software

SimpleHelp / ScreenConnect used for remote access.

T1543.003Create or Modify System Process: Windows Service

Installs as a Windows service with Safe Mode persistence.

T1564Hide Artifacts

Self-healing watchdog and tooling concealment.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "securonix.2026.venomous-helper-ssa-rmm-double-compromised-host",
  "title": "SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access",
  "description": "IIM chain for the VENOMOUS#HELPER campaign reported by Securonix (covered 2026-05-04). A U.S. Social Security Administration (SSA) impersonation email instructs the recipient to verify their address and download a purported SSA statement. The embedded link points to a compromised legitimate Mexican business website used to evade email filters; the executable is then pulled from a second attacker-controlled domain staged through a single compromised cPanel account on a legitimate hosting server. The JWrapper-packaged Windows executable installs the SimpleHelp RMM tool, registers as a Windows service with Safe Mode persistence, and uses a self-healing watchdog. The chain models only the infrastructure layer; the watchdog, service install, and Safe Mode persistence are endpoint behaviour recorded under attack_annotations.",
  "actor_id": "unknown",
  "observed_at": "2026-05-04T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "x_source": {
    "title": "Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools",
    "publisher": "The Hacker News (reporting Securonix research)",
    "campaign_name": "VENOMOUS#HELPER",
    "url": "https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html",
    "published_at": "2026-05-04",
    "accessed_at": "2026-05-30T00:00:00Z",
    "source_type": "secondary news report of vendor research (Securonix)"
  },
  "x_source_title": "SSA-themed phishing delivering SimpleHelp RMM via two compromised legitimate hosting layers for persistent remote access",
  "x_source_url": "https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html",
  "x_iocs": {
    "compromised_redirect_host": "gruta.com[.]mx",
    "attacker_staging_domain": "server.cubatiendaalimentos.com[.]mx",
    "rmm_tools": [
      "SimpleHelp",
      "ScreenConnect"
    ],
    "lure_theme": "U.S. Social Security Administration statement",
    "payload_packaging": "JWrapper-packaged Windows executable",
    "campaign_active_since": "2025-04",
    "impacted_orgs": "80+ (mostly United States)"
  },
  "x_limitations": [
    "The exact email-sender infrastructure (sending domain/IP) was not published and is not modeled.",
    "SimpleHelp / ScreenConnect are legitimate RMM products; the specific attacker tenant or relay endpoint was not published, so the c2 entity is a placeholder.",
    "Self-healing watchdog, Windows service registration, and Safe Mode persistence are endpoint behaviours (ATT&CK), not infrastructure, and are excluded from the chain body.",
    "Report is dated 2026-05-04, not 2026-05-30."
  ],
  "entities": [
    {
      "id": "e1",
      "type": "url",
      "value": "<SSA-themed phishing email link>",
      "observed_at": "2026-05-04T00:00:00Z",
      "source": "The Hacker News / Securonix VENOMOUS#HELPER (2026-05-04)",
      "evidence": [
        "Reporting states the campaign begins with a phishing email impersonating the U.S. Social Security Administration, instructing the recipient to verify their email and download a purported SSA statement via an embedded link.",
        "The specific lure URL value was not published; modeled as a placeholder entry artifact."
      ],
      "x_placeholder": true,
      "x_chain_stage": "email_lure_entry"
    },
    {
      "id": "e2",
      "type": "domain",
      "value": "gruta.com[.]mx",
      "observed_at": "2026-05-04T00:00:00Z",
      "source": "The Hacker News / Securonix VENOMOUS#HELPER (2026-05-04)",
      "evidence": [
        "Reporting states the embedded link points to a legitimate-but-compromised Mexican business website (gruta.com[.]mx).",
        "Reporting characterises the use of the compromised legitimate site as a deliberate strategy to evade email spam filters."
      ],
      "x_defanged": true,
      "x_chain_stage": "compromised_legitimate_redirector"
    },
    {
      "id": "e3",
      "type": "domain",
      "value": "server.cubatiendaalimentos.com[.]mx",
      "observed_at": "2026-05-04T00:00:00Z",
      "source": "The Hacker News / Securonix VENOMOUS#HELPER (2026-05-04)",
      "evidence": [
        "Reporting states the SSA statement is downloaded from a second attacker-controlled domain (server.cubatiendaalimentos.com[.]mx).",
        "Reporting states the attacker is believed to have gained access to a single cPanel user account on the legitimate hosting server to stage the binary."
      ],
      "x_defanged": true,
      "x_chain_stage": "attacker_staging_on_compromised_hosting"
    },
    {
      "id": "e4",
      "type": "file",
      "value": "SSA_Statement.exe (JWrapper-packaged Windows executable)",
      "observed_at": "2026-05-04T00:00:00Z",
      "source": "The Hacker News / Securonix VENOMOUS#HELPER (2026-05-04)",
      "evidence": [
        "Reporting states the downloaded file is a JWrapper-packaged Windows executable disguised as a document.",
        "Reporting states that on execution it is responsible for delivering the SimpleHelp RMM tool."
      ],
      "x_packaging": "JWrapper",
      "x_chain_stage": "rmm_dropper_payload"
    },
    {
      "id": "e5",
      "type": "domain",
      "value": "<SimpleHelp/ScreenConnect RMM relay endpoint>",
      "observed_at": "2026-05-04T00:00:00Z",
      "source": "The Hacker News / Securonix VENOMOUS#HELPER (2026-05-04)",
      "evidence": [
        "Reporting states the installed RMM tooling (SimpleHelp, with ScreenConnect also used in the campaign) provides persistent remote access.",
        "The specific RMM relay/tenant endpoint was not published; modeled as a placeholder c2 entity."
      ],
      "x_placeholder": true,
      "x_chain_stage": "rmm_remote_access_c2"
    }
  ],
  "chain": [
    {
      "entity_id": "e1",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "SSA-themed email lure; sender infrastructure not published."
    },
    {
      "entity_id": "e2",
      "role": "redirector",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Compromised legitimate Mexican business site used to pass spam filtering."
    },
    {
      "entity_id": "e3",
      "role": "staging",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Binary staged via single compromised cPanel account on legitimate hosting -> second compromised-host layer."
    },
    {
      "entity_id": "e4",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "JWrapper packaging is not an archive container (not T024); packaging is delivery formatting, execution is ATT&CK."
    },
    {
      "entity_id": "e5",
      "role": "c2",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "n/a",
      "review_notes": "Legitimate RMM abused as C2; no clean v1.0 technique (T018 covers chat/storage APIs, not RMM). Candidate for a future 'Legitimate RMM as C2' technique."
    }
  ],
  "relations": [
    {
      "from": "e1",
      "to": "e2",
      "type": "redirect",
      "sequence_order": 1,
      "observed_at": "2026-05-04T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Embedded email link points to the compromised gruta.com[.]mx site."
      ]
    },
    {
      "from": "e2",
      "to": "e3",
      "type": "redirect",
      "sequence_order": 2,
      "observed_at": "2026-05-04T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "From the compromised site the victim is taken to the second attacker-controlled domain hosting the executable."
      ]
    },
    {
      "from": "e3",
      "to": "e4",
      "type": "download",
      "sequence_order": 3,
      "observed_at": "2026-05-04T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The purported SSA statement executable is downloaded from server.cubatiendaalimentos.com[.]mx."
      ]
    },
    {
      "from": "e4",
      "to": "e5",
      "type": "connect",
      "sequence_order": 4,
      "observed_at": "2026-05-04T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Execution installs SimpleHelp RMM which connects out for persistent remote access."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.002",
      "name": "Phishing: Spearphishing Link",
      "tactic": "Initial Access",
      "comment": "SSA-themed email with embedded link."
    },
    {
      "technique_id": "T1204.002",
      "name": "User Execution: Malicious File",
      "tactic": "Execution",
      "comment": "Victim runs the disguised JWrapper executable."
    },
    {
      "technique_id": "T1219",
      "name": "Remote Access Software",
      "tactic": "Command and Control",
      "comment": "SimpleHelp / ScreenConnect used for remote access."
    },
    {
      "technique_id": "T1543.003",
      "name": "Create or Modify System Process: Windows Service",
      "tactic": "Persistence",
      "comment": "Installs as a Windows service with Safe Mode persistence."
    },
    {
      "technique_id": "T1564",
      "name": "Hide Artifacts",
      "tactic": "Defense Evasion",
      "comment": "Self-healing watchdog and tooling concealment."
    }
  ]
}