
From Phish to Full Access: SSA Email Installs ScreenConnect Remote Tool

  • March 11, 2026
  • 5 replies
  • 51 views
TroyGIll
Community Manager

A recent malware campaign impersonated the U.S. Social Security Administration (SSA) to trick victims into installing remote access software. The phishing email directed recipients to review an urgent SSA statement via a link hosted on Squarespace infrastructure. The link redirected users to a fraudulent website designed to mimic official Social Security communications.

Malicious Payload Delivery

Upon visiting the page, a file named “ScreenConnect.ClientSetup[.]exe” was automatically downloaded. If executed, the installer initiated a remote session using ScreenConnect, a legitimate remote access platform commonly used for remote IT support. Because the software itself is legitimate, this technique allows attackers to blend malicious activity with otherwise normal administrative tooling. Once the connection is established, the attacker gains full control of the victim’s system and can deploy additional malware, harvest credentials, or exfiltrate sensitive data.

This technique represents a growing trend in phishing operations where attackers rely on legitimate remote management tools instead of traditional malware loaders. By abusing trusted software, threat actors can bypass some security detections and maintain persistent control.

Attempt to Extend Access to Mobile Devices

The phishing page also encouraged victims to install a phone linking application and connect their mobile device under the pretense of creating a “secure tunnel connection.” This step appears designed to extend attacker visibility across both desktop and mobile environments. If successful, it could allow attackers to intercept SMS messages, capture multi-factor authentication prompts, or monitor communications originating from the victim’s mobile device. Expanding the compromise to mobile devices increases the attacker’s ability to bypass common authentication protections.

This campaign highlights the increasing use of legitimate remote access software as an initial access vector in phishing operations. Because these tools are commonly used in enterprise environments, they can blend into normal activity and delay detection.

Organizations should consider implementing controls that monitor or restrict the installation and execution of remote administration tools, particularly when initiated from user download directories or web browser sessions.

Users should also remain cautious of unsolicited communications claiming to originate from government agencies, especially when those messages request software installation or remote access to a device.
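One way to implement the monitoring suggested above, as an added example that is not part of the original post: a small Python check over constructed Sysmon-style process-creation records that flags a remote-administration executable run from a user's Downloads folder or spawned directly by a browser, while leaving an IT-deployed client alone. Only ScreenConnect comes from the write-up; the browser list, paths and sample records are assumptions for illustration.

```python
from pathlib import PureWindowsPath
# ScreenConnect is named in the post; the browser list is an assumption.
REMOTE_ADMIN_TOOLS = {"screenconnect"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def is_remote_admin_tool(image):
    """True if the executable name contains a known remote admin tool tag."""
    name = PureWindowsPath(image).name.lower()
    return any(tag in name for tag in REMOTE_ADMIN_TOOLS)

def launched_from_download_dir(image):
    """True for C:\\Users\\<user>\\Downloads\\... paths."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return "users" in parts and "downloads" in parts

def spawned_by_browser(parent_image):
    return PureWindowsPath(parent_image).name.lower() in BROWSERS

def classify(event):
    """Reasons the event looks like a remote access tool installed via phishing."""
    if not is_remote_admin_tool(event["Image"]):
        return []
    reasons = []
    if launched_from_download_dir(event["Image"]):
        reasons.append("remote admin tool run from user Downloads folder")
    if spawned_by_browser(event.get("ParentImage", "")):
        reasons.append("remote admin tool spawned directly by a browser")
    return reasons

def scan(events):
    """Return (image, reasons) for every suspicious event."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits

# Constructed Sysmon-style (Event ID 1) records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},  # double-clicked after download
    {"Image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},  # IT-deployed client
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```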

5 replies

ProTruckDriver
Moderator

Thank you @TroyGIll 😎


TylerM
Administrator
  • Sr. Security Analyst & Community Manager
  • March 11, 2026

Thanks @TroyGIll


Jasper_The_Rasper
Moderator

Thank you @TroyGIll


TripleHelix
Moderator
  • Moderator
  • March 11, 2026

Thanks @TroyGIll 😉


Ssherjj
Moderator
  • Moderator
  • March 11, 2026

Thank you @TroyGIll