EN
EN DE
EN
EN DE
Contact Us
Sign Up
Topics
Finance & insurance
Trade
Industry
IT & Consulting
Tourism
Transport
Law
Public

Hackers Mimic Social Security Administration To Deliver ConnectWise RAT

0
Share:

A phishing campaign spoofing the United States Social Security Administration emerged in September 2024, delivering emails with embedded links to a ConnectWise Remote Access Trojan (RAT) installer.

These emails, disguised as updated benefits statements, employed various techniques, including mismatched links and “View Statement” buttons, to deceive recipients.

It initially leveraged ConnectWise infrastructure for its command and control (C2) but later transitioned to dynamic DNS services and threat actor-hosted domains.

Observed activity increased significantly in early to mid-November, peaking around Election Day, suggesting a potential connection to the political climate.

Threat actors are employing sophisticated brand spoofing tactics in email campaigns targeting individuals, which leverage recognizable assets like logos from legitimate entities, such as the Social Security Administration, to create an illusion of authenticity.

By embedding deceptive links that mimic official government webpages, these emails aim to trick recipients into clicking.

This can lead to malware infections or data theft, underscoring the increasing sophistication of cyber threats and the importance of robust cybersecurity measures for individuals and organizations.

<img class="i-amphtml-intrinsic-sizer" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; font-size: 18px; vertical-align: baseline; background: transparent; max-width: 100%; display: block !important; object-fit: contain;" role="presentation" src="data:;base64,” alt=”” aria-hidden=”true” />
A sample Social Security Administration-spoofing email using branded image assets

Through the use of a deceptive, one-time-use mechanism, the embedded link is able to redirect users to a ConnectWise RAT installer when they initially access the link.

However, subsequent attempts to access the same link redirect the user to a legitimate Social Security Administration website, suggesting the use of browser cookies to track previous visits.

By setting a cookie during the first access, the system distinguishes between initial and repeat attempts.

This effectively limits the malicious payload delivery to a single instance per user, making analysis more challenging and increasing the difficulty of identifying and mitigating the threat.

<img class="i-amphtml-intrinsic-sizer" style="box-sizing: border-box; margin: 0px; padding: 0px; border: 0px; outline: 0px; font-size: 18px; vertical-align: baseline; background: transparent; max-width: 100%; display: block !important; object-fit: contain;" role="presentation" src="data:;base64,” alt=”” aria-hidden=”true” />
When accessing the link on subsequent attempts, the site redirects to an official Social Security site.

Threat actors deploy credential phishing campaigns utilizing social engineering techniques as they craft emails mimicking legitimate entities (e.g., the Social Security Administration) to lure victims into clicking on malicious links.

According to Cofense Intelligence, these links often lead to websites disguised as official portals requesting sensitive personal information. Data, including PII, financial details, and security questions like a mother’s maiden name, is harvested for identity theft and account takeover.

The phishing pages may also include malicious downloads such as Remote Access Trojans (RATs), granting attackers remote control over the victim’s device.

This enables threat actors to compromise accounts, steal funds, and potentially exploit the victim’s digital footprint further.

Source

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
12:55 am, Apr 20, 2025
weather icon 7°C
L: 6° | H: 8°
scattered clouds
Humidity: 78 %
Pressure: 1008 mb
Wind: 8 mph NE
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 32%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 5:53 am
Sunset: 8:04 pm
DailyHourly
Daily ForecastHourly Forecast
Today 10:00 pm
weather icon
6° | 8°°C 0.23 mm 23% 10 mph 87 % 1008 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
8° | 16°°C 0.41 mm 41% 9 mph 95 % 1014 mb 0 mm/h
Tue Apr 22 10:00 pm
weather icon
7° | 15°°C 1 mm 100% 7 mph 85 % 1022 mb 0 mm/h
Wed Apr 23 10:00 pm
weather icon
7° | 9°°C 1 mm 100% 8 mph 96 % 1024 mb 0 mm/h
Thu Apr 24 10:00 pm
weather icon
7° | 15°°C 0.8 mm 80% 7 mph 97 % 1027 mb 0 mm/h
Today 1:00 am
weather icon
7° | 8°°C 0 mm 0% 8 mph 78 % 1008 mb 0 mm/h
Today 4:00 am
weather icon
6° | 7°°C 0 mm 0% 8 mph 79 % 1008 mb 0 mm/h
Today 7:00 am
weather icon
7° | 8°°C 0 mm 0% 9 mph 79 % 1008 mb 0 mm/h
Today 10:00 am
weather icon
13° | 13°°C 0 mm 0% 9 mph 69 % 1007 mb 0 mm/h
Today 1:00 pm
weather icon
15° | 15°°C 0 mm 0% 10 mph 60 % 1007 mb 0 mm/h
Today 4:00 pm
weather icon
13° | 13°°C 0.23 mm 23% 7 mph 75 % 1006 mb 0 mm/h
Today 7:00 pm
weather icon
12° | 12°°C 0 mm 0% 6 mph 80 % 1007 mb 0 mm/h
Today 10:00 pm
weather icon
10° | 10°°C 0 mm 0% 4 mph 87 % 1008 mb 0 mm/h
Weather from OpenWeatherMap
Name Price24H (%)
Bitcoin(BTC)
€74,851.32
0.81%
Ethereum(ETH)
€1,420.16
1.59%
Tether(USDT)
€0.88
0.01%
XRP(XRP)
€1.83
0.93%
Solana(SOL)
€122.74
4.17%
USDC(USDC)
€0.88
0.00%
Dogecoin(DOGE)
€0.138286
-0.23%
Shiba Inu(SHIB)
€0.000011
0.57%
Pepe(PEPE)
€0.000007
2.94%
Risikomonitor
Know and monitor IT vulnerabilities with just one click before it is too late.

Utility link

Useful link

Newsletter

Follow Us

Facebook Twitter Youtube Linkedin

© 2025 risikomonitor.com gmbh

Scroll to Top