SimpleHelp
SimpleHelp is a legitimate remote monitoring and management (RMM) platform that is widely abused by threat actors as a remote access and persistence tool. The cited reporting describes its use as a post-compromise access mechanism, as a stealthy RAT-like capability when repackaged or wrapped, and as a redundant persistence layer alongside other remote tools. Documented capabilities include interactive remote control, file transfer, script or command execution, and long-term persistent access. SimpleHelp binaries are described as portable and self-contained, often embedding their configuration internally; observed artifacts include VirusTotal metadata identifying renamed samples as a SimpleHelp remote access client, child-process execution of "remote access.exe", URL paths containing "/access/JWrapper-Remote%20Access-version.txt", and the User-Agent "JWrapperDownloader".
The content links SimpleHelp abuse to multiple intrusion sets and campaigns. Iranian actors including MuddyWater/TA450 have used or tested SimpleHelp alongside other RMM tools such as Atera, PDQ Connect, ScreenConnect, and RemoteUtilities. North Korea-linked KONNI campaigns used malware chains that ultimately dropped or installed a SimpleHelp client for persistent remote access. Storm-1175, a Medusa ransomware affiliate, reportedly used SimpleHelp and MeshAgent for persistence after exploiting CVE-2025-10035 in Fortra GoAnywhere MFT. Cybercriminal campaigns targeting trucking and logistics firms used SimpleHelp with other RMM tools to gain access, conduct reconnaissance, harvest credentials, and maintain control in support of cargo theft. Huntress also documented intrusions chaining Net Monitor for Employees Professional with SimpleHelp, including overlap with attempted Crazy ransomware deployment.
Observed infection and delivery vectors in the content include phishing emails, tax-themed phishing, invitation-themed lures, spear-phishing, malicious MSI or EXE installers, JWrapper-wrapped payloads, and follow-on deployment by other malware or backdoors. Specific examples include invitation-themed phishing with filenames such as Ecard9140.exe; IRS-themed campaigns where IRS-doc.msi delivered either ScreenConnect or SimpleHelp; DocuSign-, Adobe Sign-, and Zoom-themed phishing that delivered a JWrapper-packaged SimpleHelp client disguised as Adobe.ClientSetup.exe; and malware chains where tools such as OneDriveUpdater or PowerShell backdoors installed SimpleHelp after initial compromise.
Targets mentioned in the content span U.S. tax filers and organizations, accountants and tax preparers, financial services, healthcare, education, retail, manufacturing, technology, trucking and logistics companies, cryptocurrency and blockchain-focused developers, and organizations targeted by Iranian state-sponsored activity. The content also notes use by threat actors against Israeli entities and broader APAC targeting in KONNI-related campaigns.
High-confidence indicators and artifacts directly mentioned in the content include filenames Adobe.ClientSetup.exe, Remote Access.exe, vhost.exe, IRS-doc.msi, and Ecard9140.exe; installation path C:\ProgramData\JWrapper-Remote Access; service name "Remote Access Service"; domains and infrastructure such as klmgskmtn[.]com, dronemaker[.]org, telesupportgroup[.]com, microuptime[.]com, irs-doc[.]com, gov-irs216[.]net, and multiple IPs including 124.198.131[.]250, 160.191.182[.]41, 192.144.34[.]42, 192.144.34[.]35, 146.70.149[.]61, 146.70.124[.]102, 37.120.237[.]204, and 37.120.237[.]248. Reported hashes include Adobe.ClientSetup.exe SHA256 fb165ff21d772cd7a2a4b0bb040f0ef88e99c5d40f49ceb74b5047f13413f044 and Remote Access.exe SHA256 77b8f597b7d20d4f7ae84caa5c22b94a8d9e09051f7cdaa17f41890ccf8c77a2.
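As an added example (not code from this page or from any vendor cited on it), the following Python sketch hunts for the SimpleHelp artifacts summarised above, the "Remote Access.exe" child process, the JWrapper install path and "Remote Access Service" name, the JWrapperDownloader User-Agent and the version-check URL path, plus the helper executables elev_win.exe and session_win.exe named later under Privilege Escalation, across constructed process, service and HTTP events. The event schema, host names and relay URL are assumptions, and the allowlist exists because SimpleHelp is also legitimate IT software that an organisation may have sanctioned.

```python
import re
from collections import namedtuple

# Artifacts named in the SimpleHelp reporting above; not a complete signature set.
PROCESS_NAMES = {"remote access.exe", "adobe.clientsetup.exe", "vhost.exe",
                 "elev_win.exe", "session_win.exe"}
INSTALL_PATH = r"c:\programdata\jwrapper-remote access"
SERVICE_NAME = "remote access service"
USER_AGENT = "JWrapperDownloader"
VERSION_PROBE = re.compile(r"/access/JWrapper-Remote(?:%20| )Access-version\.txt", re.I)

Hit = namedtuple("Hit", "host rule evidence")

def check_event(ev: dict) -> list:
    """Match one normalised event (assumed schema: kind = process|service|http)."""
    host, kind, hits = ev.get("host", "?"), ev.get("kind"), []
    if kind == "process":
        image = ev.get("image", "").lower()
        if image.rsplit("\\", 1)[-1] in PROCESS_NAMES:
            hits.append(Hit(host, "simplehelp_process_name", image))
        if INSTALL_PATH in image:
            hits.append(Hit(host, "simplehelp_install_path", image))
    elif kind == "service":
        name, path = ev.get("name", "").lower(), ev.get("image_path", "").lower()
        if name == SERVICE_NAME or INSTALL_PATH in path:
            hits.append(Hit(host, "simplehelp_service_install", path))
    elif kind == "http":
        url = ev.get("url", "")
        if ev.get("user_agent") == USER_AGENT:
            hits.append(Hit(host, "jwrapper_user_agent", url))
        if VERSION_PROBE.search(url):
            hits.append(Hit(host, "jwrapper_version_probe", url))
    return hits

def hunt(events, approved_hosts=frozenset()) -> list:
    """SimpleHelp is legitimate: suppress hosts where IT sanctioned it, surface the rest."""
    return [h for ev in events if ev.get("host") not in approved_hosts
            for h in check_event(ev)]

# Constructed sample telemetry, not taken from any real incident.
AGENT = r"C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access\Remote Access.exe"
SAMPLE_EVENTS = [
    {"kind": "process", "host": "WS01", "image": AGENT},
    {"kind": "http", "host": "WS01", "user_agent": USER_AGENT,
     "url": "http://relay.example.invalid/access/JWrapper-Remote%20Access-version.txt"},
    {"kind": "service", "host": "WS01", "name": "Remote Access Service", "image_path": AGENT},
    {"kind": "process", "host": "WS02", "image": r"C:\Windows\System32\svchost.exe"},
    {"kind": "process", "host": "IT-ADMIN01", "image": AGENT},  # sanctioned install
]
```

Running hunt(SAMPLE_EVENTS, approved_hosts={"IT-ADMIN01"}) surfaces only the WS01 activity; a real deployment would feed it from EDR process, service-install and proxy logs rather than the embedded sample.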
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2025-31161 is a 9.8 CVSS critical severity vulnerability that affects how the CrushFTP file transfer application handles user authentication... CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability in the S3 authorization header processing that allows authentication bypass.
Initial Access Exploitation of React2Shell (CVE-2025-55182) against crypto staking platforms... We observed this threat actor perform mass scanning to identify targets vulnerable to React2Shell...
“the Cofense Phishing Defense Center (PDC) identified multiple samples using the SimpleHelp Remote Monitoring and Management (RMM) tool… JWrapper-wrapped SimpleHelp is increasingly abused by threat actors as a stealthy Remote Access Trojan (RAT).”
Arctic Wolf has issued a warning regarding CVE-2026-1731, a nearly maximum-severity flaw (CVSS 9.9) in self-hosted BeyondTrust Remote Support and Privileged Remote Access environments... allows unauthenticated attackers to execute operating system commands... added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog... threat actors using the exploit to deploy SimpleHelp...
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
...TA450 historically using several RMM tools, such as Atera, PDQ Connect, ScreenConnect, and SimpleHelp...
"To maintain persistence, they abused remote monitoring and management (RMM) tools, specifically SimpleHelp and MeshAgent."
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
4 techniques
Network edge devices and other internet-facing systems remain the front door to victim networks for these groups. Fortinet, Ivanti, SonicWall, SimpleHelp, Microsoft SharePoint, SmarterMail, SolarWinds Web Help Desk, and Gladinet CentreStack all appear across these three profiles.
SimpleHelp ... is often used in phishing campaigns involving “invitation” lures in which the victim is encouraged to download and execute an invite to a party (e.g. Ecard9140.exe).
Execution
4 techniques
SimpleHelp is the primary RMM channel, which the threat actor is using to run scripts and commands, execute automated tasks...
multiple ransomware groups, including initial access brokers with ties to Play ransomware operators, are also exploiting three vulnerabilities - CVE-2024-57727 - in remote monitoring and management tool SimpleHelp to conduct remote code execution
Persistence
2 techniques
Privilege Escalation
6 techniques
To facilitate fully interactive desktop access, the SimpleHelp remote access client acquires SeDebugPrivilege via AdjustTokenPrivileges, while "elev_win.exe" – a legitimate executable file associated with the software – is used to gain SYSTEM-level privileges.
MITRE ATT&CK Matrix
Technique ID | Technique Name | Observed Behavior
T1134.001 | Access Token Manipulation: Token Impersonation | winlogon.exe token theft via session_win.exe
T1134.002 | Access Token Manipulation: Create Process with Token | CreateProcessAsUserW with stolen token
T1543.003 | Create or Modify System Process: Windows Service | Remote Access Service installed via SCM
Stealth
6 techniques
MITRE ATT&CK Matrix
Technique ID | Technique Name | Observed Behavior
T1027 | Obfuscated Files or Information | Hex-encoded C2 config in JWrapper launch properties
Even when the file is renamed to something like party_invite.exe, or Voicemailaudioext.exe ... A common lure is themed as a Social Security statement (ssa.msi) ... using lures such as a document (docmentfilecsm_jw98evavuqm5gb3.exe) or an IRS tax-related file (IRS-Statement_Pr2ui4J9cfA6YEu.exe).
MITRE ATT&CK Matrix
Technique ID | Technique Name | Observed Behavior
T1036.003 | Masquerading: Rename System Utilities | wmic.exe renamed to wmic.exe.bak
T1134.001 | Access Token Manipulation: Token Impersonation | winlogon.exe token theft via session_win.exe
Defense Impairment
1 technique
MITRE ATT&CK Mapping
Tactic | Technique | Technique ID | Implementation
Resource Development | Obtain Capabilities: Tool | T1588.002 | Legitimate SimpleHelp + ScreenConnect licenses
Resource Development | Acquire Infrastructure: VPS | T1583.003 | Fresh /24 subnet on bulletproof hosting
Initial Access | Phishing | T1566 | Signed RAT distributed to victims
Execution | User Execution: Malicious File | T1204.002 | Legitimately signed binary
Persistence | Create or Modify System Process: Windows Service | T1543.003 | Remote Access Service
Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | Valid DigiCert certificate
Discovery
5 techniques
MITRE ATT&CK Matrix
Technique ID | Technique Name | Observed Behavior
T1016 | System Network Configuration Discovery | netsh wlan show interfaces every 15 seconds
...including checks on network connectivity, user activity, and installed security tools.
They directed the SimpleHelp agent to search the desktop for cryptocurrency-related keywords, as well as keywords associated with remote access, "likely to detect if anyone was actively connecting to the machine."
Lateral Movement
1 technique
Over the last few years, threat actors have flocked to exploit legitimate remote monitoring and management (RMM) tools—blue-chip IT software like ScreenConnect, LogMeIn Resolve, and PDQ Connect—blurring the line between legitimate IT administration and malicious intrusion.
Command and Control
2 techniques
File IOCs ... AnyDesk.exe ... SimpleService.exe ... elev_win.exe ... KslD.sys ... winupdate.exe (Restic)
On one host, Huntress observed a threat actor installing a malicious AnyDesk RMM instance post-exploitation... On some hosts, the threat actor was observed deploying MeshAgent... On April 7, a threat actor was observed... to install the SimpleHelp RMM on a host as a persistence mechanism.
Other
3 techniques
Hackers used it to download SimpleHelp, from which they made commands including attempting to tamper with Windows Defender.
IOCs tracked for this family
52 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
17 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A self-contained remote access tool abused in phishing campaigns, especially invitation-themed lures. Its binaries embed configuration internally and often spawn a child process for the remote access session.
A legitimate remote monitoring and management tool increasingly abused by threat actors for remote access in phishing campaigns.
Legitimate remote monitoring/management (RMM) tool observed as an unrelated artifact within exfiltrated source-code/open-directory materials from a previously exploited webserver.
A legitimate remote support/RMM tool that is being weaponized as a remote access capability. Delivered via phishing and installed silently for long-term access; observed modifying firewall rules to allow inbound connections and communicating with attacker-controlled infrastructure for profiles/C2.