May 06, 2026 · 10 min read
Hackers Are Sending Fake Social Security Emails to 80+ Companies—Then Installing Two Remote Access Tools at Once So a Takedown Can't Cut Them Off
Securonix's threat research team published a full breakdown of VENOMOUS#HELPER, a campaign that has been running since April 2025. The defining feature is the dual RMM design: SimpleHelp and ScreenConnect, both planted at the same time, so killing one channel does not kill the access.
On May 4, 2026, Securonix's threat research team published a detailed analysis of an active phishing operation it has been tracking since April 2025. Securonix calls the activity VENOMOUS#HELPER. The same operation has been independently observed by Sophos, which tracks it as STAC6405, and by Red Canary. Across the three telemetry feeds, the campaign has impacted more than 80 organizations, mostly in the United States, Western Europe, and Latin America.
The technical feature that makes this campaign unusual is not the lure. The lure is a banal Social Security Administration impersonation email that asks the recipient to verify their email and download a benefits statement. What is unusual is what happens after the user runs the executable they downloaded. The malware installs not one but two remote monitoring and management tools simultaneously: a cracked, unlicensed SimpleHelp client built in 2017, and a ScreenConnect agent pointing at a separate command server. Either one is enough to give an operator full keyboard and mouse control of the machine. Both are running at the same time so that, even if security tooling kills one, the other keeps the operator in.
The dual RMM architecture is what Securonix's analysts describe as a "redundant dual channel access architecture." Each tool survives a takedown of the other. The phishing kit is also engineered for cost efficiency. The SimpleHelp build is the leaked 5.0.1 package whose certificate expired in 2018, which means the operators are paying no licensing fee, leaving no vendor paper trail, and still benefiting from blue Windows UAC prompts when the malware asks for elevation. It is a clean, professional supply chain for cheap initial access.
The Lure
The phishing email is plain. It impersonates the U.S. Social Security Administration, telling the recipient that they need to verify their email address and download an SSA statement. The link in the email points at gruta[.]com.mx, a legitimate Mexican domain registered in 2002 that the attackers compromised and repurposed as a phishing frontend. The recipient who clicks lands on a fake SSA verification page, types their email, and is redirected to a payload host at server.cubatiendaalimentos[.]com.mx, the cPanel account of a small Cuban food retailer that the operators silently took over.
The download is an executable named statement5648.exe. The naming is intentional. A user who clicked through the SSA themed flow is expecting a "statement," and double clicking an executable named "statement" is enough to start the chain.
The phishing kit is internationalized. The phishing pages support nine languages, and the campaign reaches recipients in the U.S., Western Europe, and Latin America, with local SSA equivalent impersonations for non U.S. targets. This is a key signal that the operation is not a small one off. It is run by people with the budget and time to localize.
What Statement5648.exe Actually Does
The executable is a JWrapper bootstrap that extracts an encrypted configuration on first run. From there the install proceeds in five visible stages, all of which Securonix walks through:
- SimpleService.exe registers a Windows service called "Remote Access Service" via the Service Control Manager.
- SimpleGatewayService.exe launches the Java based remote access client. The Java RAT is shipped as customer.jar, with a SHA256 ending in b2dc6193.
- session_win.exe and elev_win.exe set up the interactive desktop access path. elev_win.exe is the elevation helper; it is also the watchdog that polls user presence to time operator activity.
- The SimpleHelp 5.0.1 client registers with the operator's SimpleHelp server at 84.200.205[.]233:5555, using both UDP and HTTP.
- The ScreenConnect agent registers with a second relay at 213.136.71[.]246:8041, hosted on IONOS Germany. This is the redundant channel.
The installer also writes a Safe Mode persistence entry under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network, so the service is loaded even when Windows is booted into Safe Mode with Networking, the mode a responder might use to clean the box. A liveness watchdog tied to C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\sgalive restarts the RAT if it dies. From the user's side, none of this is visible. A service called "Remote Access Service" sounds like something the IT department installed, the UAC prompt carries the blue shield of a signed binary, and nothing on screen suggests that two parallel remote control channels are now live.
Why the 2018 Expired Certificate Matters
The cracked SimpleHelp package is signed with a Thawte certificate that was valid from 2015 to 2018, so the signature is years past its expiry. On modern Windows an expired signing certificate does not block execution, and the elevation prompt still shows the blue shield of a signed binary rather than the yellow unsigned one. The point is less about evasion than about economics. The operator pays no SimpleHelp license, leaves no record with the vendor, and inherits a tool that nobody is actively watching for cracked use because it is several major versions behind the current release. For inventory purposes the check is cheap: inspect the signer and validity dates of any RMM binary on your hosts (Get-AuthenticodeSignature in PowerShell shows both), and treat one signed with a certificate that expired years ago as suspect regardless of what the UAC prompt looked like.
Securonix's writeup notes the absence of any license authentication behavior in the binary, which is what flags it as a cracked or leaked package. It is essentially the malware equivalent of running pirated remote desktop software. The pirated software is still functional. It just leaves no obvious string in your asset inventory.
The Surveillance Loop
After install, the malware enters an automated environmental survey loop. Securonix observed a tight repeated cycle:
- Every 67 seconds, four WMI queries against the Windows SecurityCenter2 namespace, which return the antivirus, antispyware, and firewall products registered on the machine.
- Every 23 seconds, a user presence poll using elev_win.exe -mouselocation. If the user is at the keyboard, the operator can wait for them to walk away.
- Every 15 seconds, an enumeration of WiFi interfaces using netsh wlan show interfaces. The operator uses the SSID and BSSID to figure out where the machine physically is.
The loop is built for an interactive operator who comes back later. It is not the behavior of a smash and grab credential stealer. It is the behavior of an initial access broker pre staging machines for later sale to a ransomware affiliate. The continuous environmental polling is exactly what a downstream buyer would want to see in a kit before paying for the access.
A useful evasion detail: before issuing its WMI queries, the malware renames wmic.exe to wmic.exe.bak and invokes the renamed copy. Several EDR rules key on the image name to flag suspicious WMI use, and a renamed binary slips past them. The counter is to key on what does not change: the PE version resource still carries OriginalFileName wmic.exe (Sysmon's process creation event exposes it as OriginalFileName), and the query text still names the SecurityCenter2 namespace. Anyone hunting for VENOMOUS#HELPER on disk should treat the renamed file itself as a high confidence host indicator, since nothing legitimate renames binaries inside System32\wbem.
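The cadence of the loop is a stronger signal than any of its command strings, which an operator can change in minutes. The following is an added example (not Securonix's detection content) that runs a periodicity check over a constructed list of process creation events from one host: commands that recur at a near-constant interval are reported with their period, and irregular interactive activity drops out. The wmic command text in the sample is assumed, since the writeup says only that four SecurityCenter2 queries fire per cycle; the field layout (timestamp, command line) is this example's own.

```python
"""Cadence check for the survey loop described above.

Added example; this is not Securonix's detection content. It runs over a
constructed list of process-creation events (epoch seconds, command line)
from a single host. The wmic command text is assumed: the writeup says only
that four SecurityCenter2 queries fire per cycle, not what they look like.
"""
from collections import defaultdict
from statistics import mean, pstdev


def periodic_commands(events, min_runs=4, max_cv=0.15):
    """Return commands that recur at a near-constant interval.

    events: iterable of (timestamp_seconds, command_line).
    A command qualifies when it ran at least min_runs times and the
    coefficient of variation of its inter-arrival gaps (stdev / mean)
    is at most max_cv. Human activity is irregular and drops out; a
    scripted loop with fixed sleeps does not, whatever its command text.
    """
    runs = defaultdict(list)
    for ts, cmd in events:
        # collapse case and whitespace so trivial re-spacing does not split a series
        runs[" ".join(cmd.lower().split())].append(ts)

    findings = []
    for cmd, stamps in runs.items():
        if len(stamps) < min_runs:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:          # duplicate timestamps carry no cadence information
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({"cmd": cmd, "runs": len(stamps),
                             "period": round(period, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["period"])


def sample_events(base=1_700_000_000):
    """Constructed telemetry mimicking the 67s / 23s / 15s loop plus noise."""
    wmi = ("wmic.exe.bak /namespace:\\\\root\\SecurityCenter2 "
           "path AntiVirusProduct get displayName")          # assumed query text
    presence = "elev_win.exe -mouselocation"
    wifi = "netsh wlan show interfaces"
    noise = "notepad.exe C:\\Users\\alice\\notes.txt"        # constructed benign activity
    ev = [(base + 67 * i, wmi) for i in range(6)]
    # presence poll with a second of jitter either way
    ev += [(base + off, presence) for off in (0, 23, 45, 69, 92, 115, 138, 161)]
    ev += [(base + 15 * i, wifi) for i in range(10)]
    # interactive use: enough runs to pass min_runs, but no cadence
    ev += [(base + off, noise) for off in (5, 8, 408, 425, 1625)]
    return ev


if __name__ == "__main__":
    for f in periodic_commands(sample_events()):
        print(f"{f['period']:>6}s x{f['runs']:<3} cv={f['cv']:<6} {f['cmd']}")
```

On the sample this reports three series at 15, 23 and 67 seconds and nothing for the notepad activity. In production, feed it a window of a few minutes of process creation events per host and alert on any non-allowlisted command line that qualifies; the threshold max_cv=0.15 tolerates a few seconds of scheduler jitter without admitting human behaviour.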
Initial Access Broker, Not Smash and Grab
Securonix's assessment is that the campaign is "consistent with a financially motivated Initial Access Broker (IAB) or ransomware precursor operation targeting the Western economic bloc." That label fits the technical evidence. The kit is built to plant durable, watched access across more than 80 organizations and to wait. The dual RMM design means that even if a victim's IT team finds and removes one tool, the second one is still there. The Safe Mode persistence ensures that a recovery boot does not strip the agent. The user presence polling lets the operator decide when to take an active session.
Initial access brokers monetize their inventory by selling access to ransomware affiliates, business email compromise crews, and crypto theft operators. Scattered Spider operated as an IAB, and the April guilty plea in that case followed $8 million in phishing damage. BlackFile is the same model with a vishing front end. The VENOMOUS#HELPER design suggests the operators are running the same playbook with email as the entry vector and dual RMM as the persistence layer.
RMM tool abuse is itself an industry trend. UNC6692 used a separate RMM driven Chrome extension to steal Active Directory credentials in April. The pattern is consistent. RMM agents are signed, well documented, easily redeployed, and most enterprise IT environments have at least one legitimate RMM in production already, which makes a second one harder to spot in the noise.
What Defenders Should Watch For
Securonix published a full IOC list with hashes and infrastructure that defenders can run against their telemetry. The high signal indicators worth pulling into detection rules immediately:
- File presence of C:\Windows\System32\wbem\wmic.exe.bak. Renamed binaries in System32 should never appear under normal operation.
- SimpleHelp client traffic to 84.200.205[.]233:5555 over UDP or HTTP. Block at the perimeter and alert on internal hits.
- ScreenConnect agent traffic to 213.136.71[.]246:8041. Same handling.
- Service installation named "Remote Access Service" via the Service Control Manager that does not match an approved deployment ticket.
- Registry entries under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network that include unfamiliar service names.
- SHA256 hashes for customer.jar (810a99a7…b2dc6193), SimpleGatewayService.exe (641230a9…1d6af53a), session_win.exe, and elev_win.exe. Add to your blocklist.
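The host, network, service and registry indicators above translate directly into hunt rules. The block below is an added example, not Securonix's IOC package, that applies them to a constructed set of endpoint events. Its event schema (dicts with a type field and Sysmon-style names such as image, original_file_name, cmdline, dst_ip, dst_port, key, value) is this example's own; map your SIEM's fields onto it. The process rules key on the PE's original file name and on command line content rather than the on-disk name, so the wmic.exe.bak rename does not evade them. The elev_win.exe path and the Safe Mode allowlist in the sample are placeholders; the real allowlist should be built from a known-clean host of the same Windows build. File hashes are left to your blocklist, since only prefixes and suffixes appear on this page.

```python
"""Hunt rules for the VENOMOUS#HELPER indicators, run over constructed telemetry.

Added example, not Securonix's IOC tooling. The event dicts and their field
names are this example's own schema; map SIEM or Sysmon fields onto them.
"""
from os.path import basename

# Relays and ports published in the writeup (defanging removed for matching).
C2_RELAYS = {
    ("84.200.205.233", 5555): "SimpleHelp relay",
    ("213.136.71.246", 8041): "ScreenConnect relay",
}
SUSPECT_SERVICE = "remote access service"
SAFEBOOT_NETWORK = r"hklm\system\currentcontrolset\control\safeboot\network"
WMIC_BAK = r"c:\windows\system32\wbem\wmic.exe.bak"


def hunt(events, safeboot_allowlist):
    """Return (rule, detail) pairs for every event that matches a rule.

    safeboot_allowlist: lower-cased value names expected under SafeBoot\\Network
    on a clean host; anything else there is flagged.
    """
    hits = []
    for e in events:
        kind = e["type"]
        if kind == "process":
            image = e["image"].lower()
            exe = basename(image.replace("\\", "/"))
            cmd = " ".join(e.get("cmdline", "").lower().split())
            # The version resource survives a rename; the on-disk name does not.
            if e.get("original_file_name", "").lower() == "wmic.exe" and exe != "wmic.exe":
                hits.append(("wmic-renamed", e["image"]))
            if exe == "netsh.exe" and "wlan show interfaces" in cmd:
                hits.append(("wifi-survey", e["cmdline"]))
            if exe == "elev_win.exe" and "-mouselocation" in cmd:
                hits.append(("presence-poll", e["cmdline"]))
        elif kind == "file":
            if e["path"].lower() == WMIC_BAK:
                hits.append(("wmic-bak-on-disk", e["path"]))
        elif kind == "network":
            relay = C2_RELAYS.get((e["dst_ip"], int(e["dst_port"])))
            if relay:
                hits.append(("c2", f"{relay} {e['dst_ip']}:{e['dst_port']}/{e.get('proto', '?')}"))
        elif kind == "service":
            if e["name"].strip().lower() == SUSPECT_SERVICE:
                hits.append(("rmm-service", e["name"]))
        elif kind == "registry":
            if e["key"].lower().startswith(SAFEBOOT_NETWORK) and e["value"].lower() not in safeboot_allowlist:
                hits.append(("safeboot-persistence", f"{e['key']}\\{e['value']}"))
    return hits


# Constructed sample telemetry: one infected host plus benign activity.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wbem\wmic.exe.bak",
     "original_file_name": "wmic.exe",
     "cmdline": r"wmic.exe.bak /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\wmic.exe",       # benign admin use
     "original_file_name": "wmic.exe", "cmdline": "wmic os get caption"},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "original_file_name": "netsh.exe", "cmdline": "netsh wlan show interfaces"},
    {"type": "process", "image": r"C:\ProgramData\JWrapper-Remote Access\elev_win.exe",  # assumed path
     "original_file_name": "", "cmdline": "elev_win.exe -mouselocation"},
    {"type": "file", "path": r"C:\Windows\System32\wbem\wmic.exe.bak"},
    {"type": "network", "dst_ip": "84.200.205.233", "dst_port": 5555, "proto": "udp"},
    {"type": "network", "dst_ip": "213.136.71.246", "dst_port": 8041, "proto": "tcp"},
    {"type": "network", "dst_ip": "203.0.113.10", "dst_port": 443, "proto": "tcp"},   # benign
    {"type": "service", "name": "Remote Access Service"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
     "value": "Remote Access Service"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
     "value": "BaselineDriver"},                                               # in allowlist
]
# Placeholder allowlist; populate from a known-clean host of the same build.
BASELINE_SAFEBOOT = {"baselinedriver"}


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS, BASELINE_SAFEBOOT):
        print(f"{rule:<22} {detail}")
```

On the sample this yields eight hits: the renamed wmic both as a process and as a file on disk, the two relay connections, the netsh and elev_win polls, the service, and the unexpected SafeBoot\Network value. The benign wmic run, the HTTPS connection, and the allowlisted Safe Mode entry produce nothing. Any single rule firing on a host that has no approved RMM deployment is worth a ticket; the c2 and wmic-renamed rules firing together is the full campaign signature.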
For the email layer specifically, two operational steps are highest leverage:
- Block executable downloads at the gateway. The campaign's payload is not an attachment; it is a .exe fetched through a link in the lure email, so an attachment filter alone does nothing here. The rule belongs on the web proxy or secure web gateway (quarantine .exe downloads from domains outside an allowlist, or from domains your environment has never seen before) and on the mail gateway's link rewriting, so the click is inspected before the download is served. That kills the chain at the front door.
- Strip tracking pixels from inbound mail. The lure operators use the standard pixel based open confirmation pattern to validate live recipients before sending the heavier follow up. Removing the pixel removes the operator's ability to confirm the address is real.
What Individual Recipients Can Do
If you got an SSA themed email asking you to verify your address and download a statement, the only correct response is to ignore it. The Social Security Administration does not send statements as executable file downloads. The benefit statement portal lives at ssa.gov/myaccount and never asks you to install software.
If you already ran the file:
- Disconnect the machine from the network. Both RMM agents only function with active outbound connectivity.
- Tell IT or your provider immediately and provide the URL you clicked. The hosts may already be on a blocklist.
- Assume credential theft. Reset every password typed on that machine since the file was run, prioritizing email and banking.
- Do not just delete the malware. The dual RMM design means a partial cleanup leaves the other channel running. A full reimage is the only safe path.
The Pattern
VENOMOUS#HELPER is a model citizen of the modern initial access broker ecosystem. A government impersonation lure that recipients open. A multi stage payload that quietly installs commercial RMM software. Two channels, expired certificates, automated environmental polling, and a long term plan to sell the access to whoever pays. The campaign has been running for over a year without a major disruption, and the dual RMM design is specifically engineered to survive a takedown of either channel.
For defenders, the lesson is that the email gateway is still the chokepoint. Once the executable runs, the kit is sophisticated enough that a partial response will not clean it up. The cheaper and more reliable place to break the chain is in the inbox, before the user ever clicks the SSA themed link.