A sophisticated phishing campaign is proving that the most effective “virus” is often a legitimate piece of IT software. Securonix Threat Research has released a deep-dive analysis into an ongoing operation that has already impacted over 80 organizations, primarily in the United States, by hijacking trusted Remote Monitoring and Management (RMM) tools.
The campaign, active since at least April 2025, bypasses traditional antivirus defenses by deploying vendor-signed software that looks exactly like a standard administrative installation.
The highlight of this campaign is its “dual-channel” architecture. Unlike typical attacks that rely on a single backdoor, these threat actors install two independent RMM tools simultaneously: a self-hosted SimpleHelp 5.0.1 instance and a ScreenConnect relay.
By establishing this redundant infrastructure, the attackers ensure that even if a security team identifies and removes one remote access tool, the other remains active to “self-heal” the connection. This design creates a persistent foothold that survives most standard remediation efforts.
The infection chain begins with a high-pressure social engineering tactic. Victims receive phishing emails impersonating the Social Security Administration (SSA), directing them to verify their email to download a purported “SSA statement”.
Once the user opens the file, the attack transitions from social engineering to silent technical entrenchment:
- Silent Installation: The RMM tools are installed as a Windows service.
- Safe Mode Persistence: The malware modifies registry hives to ensure it remains active even if the machine is rebooted into Safe Mode.
- Automated Surveillance: The system initiates a continuous loop that reports the victim’s security posture back to the attacker every 67 seconds.
The true danger of this campaign is its invisibility to signature-based controls. Because the tools are legitimately signed by reputable vendors, standard security agents see nothing but authorized IT management software.
As the Securonix report warns, “The victim organization is left in a state where the attacker can return at any time, execute commands silently in the user’s desktop session, transfer files bidirectionally, and pivot to adjacent systems, while standard antivirus and signature-based controls see nothing but legitimately signed software”.
The attackers further hide their tracks by renaming system binaries—such as creating a wmic.exe.bak backup—to manipulate local environment variables and evade detection by basic forensic tools.
Because this campaign relies on “living-off-the-land” techniques and reputable software, traditional defenses are insufficient. Securonix emphasizes that remediation requires more than just deleting a service; it requires a deep hunt for renamed binaries and an audit of the SafeBoot registry hive.
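As an added illustration (not tooling from Securonix or the report), the PowerShell hunt below checks a Windows host for the three artifact classes described above: RMM tools registered as services, entries in the SafeBoot registry hive that would keep a service loading in Safe Mode, and renamed system binaries such as a wmic.exe.bak copy. It assumes an elevated session; the name pattern and the idea of comparing SafeBoot entries against a clean baseline are assumptions for the example, not indicators published in the report.

```powershell
# Added example, not from the Securonix report. Run from an elevated PowerShell session.
# Assumption: matching service/binary names on 'SimpleHelp' or 'ScreenConnect' is
# sufficient for a first pass; confirm hits against your own RMM inventory.
$RmmPattern = 'SimpleHelp|ScreenConnect'
$Findings   = New-Object System.Collections.Generic.List[object]

# 1. RMM tools installed as Windows services (the "Silent Installation" step).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match $RmmPattern -or $_.PathName -match $RmmPattern } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Check  = 'RMM service'
            Item   = $_.Name
            Detail = "$($_.State) :: $($_.PathName)"
        })
    }

# 2. SafeBoot hive: anything listed under Minimal or Network still loads in Safe Mode.
#    Only RMM-pattern matches are flagged here; diff the full key against a clean
#    host to catch entries with unfamiliar names (assumed practice, not from the report).
foreach ($Mode in 'Minimal', 'Network') {
    $Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$Mode"
    Get-ChildItem -Path $Key -ErrorAction SilentlyContinue | ForEach-Object {
        $Default = $_.GetValue('')   # the (Default) value names the service group/type
        if ($_.PSChildName -match $RmmPattern -or $Default -match $RmmPattern) {
            $Findings.Add([pscustomobject]@{
                Check  = "SafeBoot\$Mode entry"
                Item   = $_.PSChildName
                Detail = $Default
            })
        }
    }
}

# 3. Renamed system binaries: wmic.exe lives in System32\wbem; a *.exe.bak copy of
#    any System32 executable is worth a look.
$System32 = Join-Path $env:SystemRoot 'System32'
Get-ChildItem -Path $System32, (Join-Path $System32 'wbem') -Filter '*.exe.bak' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Check  = 'Renamed binary'
            Item   = $_.FullName
            Detail = "LastWrite $($_.LastWriteTime)"
        })
    }

if ($Findings.Count) { $Findings | Format-Table -AutoSize } else { 'No matching artifacts found.' }
```

A hit on the SafeBoot check combined with a matching service is the "Safe Mode Persistence" pairing the report describes; removing the service without removing the SafeBoot entry leaves the persistence mechanism in place.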