New SSA-themed phishing campaign installs trojanized ScreenConnect

Threat spotlight - July 10, 2025

Overview

PhishGuard has seen a spike in Social Security Administration (SSA)-themed phishing campaigns that attempt to harvest user credentials or install trojanized Remote Monitoring and Management (RMM) tools such as ScreenConnect, which grant extensive control of the victim's computer once installed. After initial access is achieved, attackers have also been seen instructing the user to install and sync Microsoft's Phone Link app, likely to exfiltrate data, read text messages, and capture two-factor authentication codes sent to the connected mobile device.

We believe attackers are taking advantage of recent high-profile disruptions to the SSA as a means of exploiting fear, uncertainty, and doubt in potential victims regarding the status of their accounts with the agency. This also matches a pattern PhishGuard observed involving attacks capitalizing on other topical political moments, including the sharp rise in crypto-related scams with the launch of $TRUMP in mid-January 2025.

Example SSA phishing attack chain

Social engineering tactics

To bypass security filters, the SSA scams send their emails from compromised servers and websites, including infrastructure belonging to trusted brands. In simpler cases, scammers use free email accounts (such as Gmail or Outlook) and set the sender display name to “Social Security Administration”, hoping the recipient never checks the actual sender address. Attackers also evade filters with techniques such as embedding the phishing content in images and using one-time download links.

Many phishing messages attempt to alarm recipients by claiming something is wrong with their Social Security status, demanding immediate action. The messages often include official SSA logos, formatting, and disclaimers to look as authentic as possible.

One recent phishing campaign sent emails with alarming subject lines like “Your SSN is going to be suspended (Case ID - SSA-526487442)” or “Suspicious activity detected in your SSN account”. Some emails claimed that “important changes” had been made to the recipient’s SSA account and urged them to click a link to “sign in”:

Example of a SSA-themed phishing email emphasising “important changes”

Another email alerts the victim to a ‘potential error’ on their most recent report and encourages them to ‘access their updated Statement’ by clicking a button whose visible text suggests it links to “www.socialsecurity.gov/reviewyourstatement”, but which actually redirects users to “hxxps://ssa-storeattsment[.]com”, a fraudulent site designed to steal credentials:

In recent SSA scams, attackers claim that the recipient’s SSA document is “optimized for viewing on Windows PCs/laptops,” encouraging the user to open it on a Windows device—the only operating system where the trojanized ‘ScreenConnect.exe’ will run:

Phishing email with note that “The document is optimized for viewing on Windows PCs/laptops”

Attack vectors and techniques

PhishGuard recently observed an increase in blocked phishing emails containing links that leverage legitimate WordPress sites as redirects. While the email may not originate from a compromised WordPress server, the attacker embeds links pointing to WordPress sites they control or have compromised, which then redirect victims to malicious domains—such as cheap, disposable `.xyz` sites hosting credential harvesters or remote access payloads.

These phishing sites sometimes include a note stating that the “document” can only be accessed from a Windows device—a tactic meant to guide victims into opening the .exe file on a platform where it will successfully execute. For example:

An email might also originate from legitimate but compromised infrastructure (e.g. a small business domain), making the sender’s address appear less suspicious. These domains typically have no prior bad reputation, so reputation-based spam filters let the phish through. In some cases, the attackers also register lookalike domains or create subdomains that include terms like “ssa” or "social-security" to further disguise the scam. Sending from legitimate but unauthorized servers also lets the emails pass basic email authentication checks: SPF and DKIM only prove that a message came from infrastructure the sending domain's own DNS records authorize, and a compromised domain's records authorize its own mail servers. SPF, DKIM and even DMARC alignment therefore pass, even though the domain is not owned or operated by the SSA. The check that actually catches this case is whether the domain that authenticated matches the brand the message claims to be from.
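As an added example (not code from the original post or from Cloudflare's products), here is that brand-alignment check in Python. It parses the From and Authentication-Results headers of three constructed sample messages and reports whether the domain that actually authenticated is the brand the display name claims, so that a message which passes SPF, DKIM and DMARC for a compromised domain is still flagged. The ssa.gov sender zone, the hypothetical domains smallbiz-example.com and corp-example.net, and the sample headers are all assumptions made for the example.

```python
"""
Added example (not code from the original post or from Cloudflare): a
brand-alignment check for SSA-themed mail.  SPF, DKIM and DMARC only say
which domain authenticated; they say nothing about whether that domain is
the brand shown in the display name.  All headers below are constructed,
and smallbiz-example.com / corp-example.net are hypothetical domains.
"""
import email
import re
from email.utils import parseaddr

# Assumption for this example: the zone the SSA really sends from.
SSA_SENDER_ZONES = ("ssa.gov",)
# A display name containing these terms is treated as an SSA brand claim.
SSA_BRAND_RE = re.compile(r"social\s*security|\bssa\b", re.IGNORECASE)
MECH_RE = re.compile(r"(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
# SPF reports smtp.mailfrom=, DKIM header.d=, DMARC header.from=
DOMAIN_RE = re.compile(
    r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^@\s]*@)?([\w.-]+)",
    re.IGNORECASE)


def authenticated_domains(auth_results):
    """Parse an Authentication-Results header (RFC 8601) and return
    {mechanism: domain} for each of spf/dkim/dmarc that reported 'pass'."""
    passed = {}
    unfolded = " ".join(auth_results.split())        # undo header folding
    for clause in unfolded.split(";"):
        m = MECH_RE.match(clause.strip())
        if not m or m.group(2).lower() != "pass":
            continue                                 # authserv-id, fail, none
        d = DOMAIN_RE.search(clause)
        if d:
            passed[m.group(1).lower()] = d.group(1).lower()
    return passed


def in_ssa_zone(domain):
    return any(domain == z or domain.endswith("." + z) for z in SSA_SENDER_ZONES)


def assess(raw_message):
    """Verdicts: 'unbranded' (no SSA claim), 'legit' (SSA claim and the
    aligned, authenticated domain is in the SSA zone) or 'impersonation'
    (SSA claim, but the message authenticated, if at all, as another domain)."""
    msg = email.message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = authenticated_domains(msg.get("Authentication-Results", ""))
    # DMARC alignment ties the visible From domain to the proof; fall back
    # to DKIM, then SPF, if the receiver did not evaluate DMARC.
    proven = auth.get("dmarc") or auth.get("dkim") or auth.get("spf") or ""
    result = {"from_domain": from_domain, "authenticated": auth}
    if not SSA_BRAND_RE.search(display_name):
        result["verdict"] = "unbranded"
    elif in_ssa_zone(from_domain) and in_ssa_zone(proven):
        result["verdict"] = "legit"
    else:
        result["verdict"] = "impersonation"   # may pass SPF/DKIM; still a phish
    return result


# Constructed sample 1: compromised small-business mailbox with the display
# name set to the SSA.  Every mechanism passes, for the wrong domain.
PHISH_FROM_COMPROMISED_DOMAIN = """\
From: "Social Security Administration" <billing@smallbiz-example.com>
Subject: Suspicious activity detected in your SSN account
Authentication-Results: mx.corp-example.net;
 spf=pass smtp.mailfrom=billing@smallbiz-example.com;
 dkim=pass header.d=smallbiz-example.com;
 dmarc=pass header.from=smallbiz-example.com
"""

# Constructed sample 2: forged ssa.gov From address with no DKIM signature
# and a sending host that is not in ssa.gov's SPF record.
PHISH_FORGED_FROM = """\
From: "Social Security Administration" <no-reply@ssa.gov>
Subject: Your SSN is going to be suspended
Authentication-Results: mx.corp-example.net;
 spf=fail smtp.mailfrom=bounce@smallbiz-example.com;
 dkim=none;
 dmarc=fail header.from=ssa.gov
"""

# Constructed sample 3: what an authentic message would look like.
LEGIT = """\
From: "Social Security Administration" <no-reply@ssa.gov>
Subject: Your statement is available
Authentication-Results: mx.corp-example.net;
 spf=pass smtp.mailfrom=no-reply@ssa.gov;
 dkim=pass header.d=ssa.gov;
 dmarc=pass header.from=ssa.gov
"""
```

The point of the design is that `authenticated_domains` is deliberately kept separate from the verdict: a gateway that only asks "did authentication pass?" answers yes for sample 1, while `assess` asks the question that matters, "did it pass for the brand being claimed?". Sample 2 shows the other failure mode, a forged header that never authenticates at all; both end up as `impersonation`.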

A distinctive aspect of the observed SSA phishing campaign is the use of a trojanized version of ScreenConnect, a legitimate remote IT support tool commonly used by businesses. The variant identified by PhishGuard is delivered via a malicious link in the phishing message. When clicked, the link downloads a ScreenConnect client hosted on Bitbucket at hxxps://bitbucket[.]org/iojuhygfrtdtyguygudu/qsxd/downloads/SocialSecurityAdminUpd05212025.exe. The trojanized client communicates with pulseriseglobal[.]com, likely for malicious follow-on activity (e.g., command and control, or download of additional payloads such as infostealers or ransomware).

With the trojanized client installed on the victim’s system, the attacker essentially has the same level of control as an IT administrator, allowing them to:

  • Gain full remote control: View and interact with the victim's entire screen, and control the mouse and keyboard as if they were physically present at the machine.

  • Execute commands and scripts: Run commands in the background using tools like Command Prompt and PowerShell to reconfigure the system, disable security software, or perform reconnaissance on the network.

  • Manage files: Freely transfer files to and from the victim's computer. This allows them to exfiltrate sensitive data or upload additional malicious tools, such as ransomware or spyware.

  • Access system-level components: Interact with critical system utilities, including the Task Manager to kill processes, the Registry Editor to make persistent changes, and the File Explorer to navigate the entire file system.

Email item flagged at delivery and retracted, preventing the trojan from reaching endpoints

In some cases, the malicious links in the phishing messages direct users to a site that instructs them to run the malicious ScreenConnect executable and then sign in to Microsoft's Phone Link App using their Microsoft account credentials.

As shown in the images below, the attack begins when a user is lured into accessing the phishing page hxxps://redplay[.]store/statement/ssa. In this version of the attack, the user is instructed to follow steps on the phish landing page to download what they believe is their social security statement, but is in fact the malicious executable ‘ssa.statement.exe’ disguised as a macOS package (`ssa.statement.pkg`). Once downloaded, the victim must double-click the executable file to launch the trojanized version of ScreenConnect, which grants the attacker control over their system. The first two steps on the phishing landing page instruct the user to download and run the malicious ScreenConnect client, as the attacker needs system-level access before proceeding.

With the system now compromised, the remaining steps instruct the victim to access and grant permissions to the legitimate Microsoft Phone Link app. Phone Link, a syncing application developed by Microsoft to connect Windows PCs to Android and iOS mobile devices, is used by attackers in this context to establish a communication channel without requiring physical access to the mobile device or its passcode.

Because the attacker already controls the PC via the trojanized version of ScreenConnect, they can monitor and manipulate the device pairing process. They essentially "look over the shoulder" of the user, ensuring the connection is approved and established between the PC and the user's smartphone.

Once Phone Link is connected, the attacker gains indirect access to the victim's mobile device through the synced connection on the compromised computer. Depending on the phone's platform (Android exposes the most; iOS pairing offers a smaller subset), this allows them to:

  • Read SMS messages, potentially capturing two-factor authentication (2FA) codes

  • View notifications from various apps

  • Access photos, contacts, call history and clipboard content

  • Make calls

  • Mirror the phone's screen to interact with mobile apps directly via the compromised PC

Impact

Personal impact:

  • Direct financial loss: In 2024, email was the method of contact for 25% of fraud reports. Of these, 11% resulted in financial loss, amounting to an aggregate loss of $502 million and a median loss of $600 per incident.

  • Compromise of personal accounts leading to identity theft: Phishing campaigns are a primary method for attackers to obtain personal information, contributing to 1.1 million identity theft reports in 2024, with credit card fraud and government benefits fraud being top categories.

  • Significant time burden for victims: Victims of identity theft, often initiated through phishing, face substantial time burdens, with tax-related cases averaging over 22 months (676 days) for resolution in Fiscal Year 2024.

Organizational impact

  • Phishing as leading breach method: Comcast research shows 67% of all breaches start with someone clicking on a seemingly safe link.

  • Credential theft via phishing: According to Picus Security, credential theft incidents spiked in 2024 by 300% compared to previous years.

  • Prevalence of Remote Monitoring and Management (RMM) tools in ransomware attacks: ThreatDown has reported on the increased use of legitimate RMM tools by ransomware gangs in their attacks.

Mitigation and detection

Defending against SSA-themed phishing requires both individual and organizational mitigations, such as:

  • Cyber hygiene: Avoid clicking links unless you have verified they are not malicious; keep all software up-to-date; disable Office macros.

  • Intercept phishing emails: Use advanced email security filters to stop scams before they reach inboxes. Cloudflare Email Security can detect SSA impostor emails in real time using Email Detection Fingerprints (EDF) and tailored detections, like those sampled below:

    • SocialSecurityAdministration.Link.Text.URL_Shorteners - This detects SSA-branded messages that conceal malicious URLs behind link shorteners.

    • SocialSecurityAdministration.Recent_Domain - Domain age is considered; newly-registered SSA lookalikes are a red flag.

  • Analyze suspicious behavior: Use endpoint detection tools like Microsoft Defender XDR or CrowdStrike Falcon to detect unexpected use of RMM tools like ScreenConnect, for example a client launched from a user's Downloads folder, or a client connecting to a relay host that is not your organization's own instance.

  • Regularly back up critical data: Successful phishing attacks may lead to installation of follow-on payloads such as ransomware or wipers, so backups are critical. Regularly back up critical data, with copies stored offline.
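To make the "unexpected RMM use" point concrete, both for the capabilities the trojanized client gives an attacker (described above) and for the detection advice in this list, here is an added example (not Cloudflare's code, and not ConnectWise's) of endpoint detection logic run over constructed, Sysmon-style process-creation and network-connection events. It flags a ScreenConnect client started from a user profile or launched interactively by Explorer, and a client connecting to a relay host other than the organization's approved instance. The approved relay host, paths, user names, the `ScreenConnect.ClientSetup.exe` original file name, and the assumption that a renamed build still carries the vendor's PE version info are all assumptions of the example; the outbound domain in the third sample event is the one named in this post.

```python
"""
Added example (not code from the original post or from Cloudflare): detection
logic for unexpected RMM use, run over constructed Sysmon-style events.  Field
names follow Sysmon Event ID 1 (process create) and Event ID 3 (network
connection).  Hostnames, paths, user names and the approved-relay list are
hypothetical; the PE version-info assumption is flagged where it is used.
"""
import re

# Assumption: the organisation's own, sanctioned ScreenConnect relay host.
APPROVED_RELAYS = {"support.corp-example.com"}

# A deployed client runs under Program Files as a service; a client starting
# from a user profile is the 'victim double-clicked the download' case.
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData)\\", re.I)
# ScreenConnect clients carry their relay host in the launch parameters (h=).
RELAY_PARAM_RE = re.compile(r"[?&]h=([\w.-]+)", re.I)


def is_screenconnect(ev):
    """Match on PE version info as well as the image name, so a renamed
    installer such as 'SocialSecurityAdminUpd05212025.exe' is still caught.
    Assumption: the trojanized build keeps the vendor's version info."""
    fields = (ev.get("Image", ""), ev.get("OriginalFileName", ""),
              ev.get("Product", ""), ev.get("Description", ""))
    return any("screenconnect" in f.lower() for f in fields)


def rules_for(ev):
    """Return the names of the rules a single event trips (empty if none)."""
    hits = []
    if not is_screenconnect(ev):
        return hits
    if ev.get("EventID") == 1:
        if USER_PROFILE_RE.search(ev.get("Image", "")):
            hits.append("rmm_client_run_from_user_profile")
        if re.search(r"\\explorer\.exe$", ev.get("ParentImage", ""), re.I):
            hits.append("rmm_client_launched_interactively")
        m = RELAY_PARAM_RE.search(ev.get("CommandLine", ""))
        if m and m.group(1).lower() not in APPROVED_RELAYS:
            hits.append("rmm_relay_not_approved:" + m.group(1).lower())
    elif ev.get("EventID") == 3:
        host = ev.get("DestinationHostname", "").lower()
        if host and host not in APPROVED_RELAYS:
            hits.append("rmm_relay_not_approved:" + host)
    return hits


def evaluate(events):
    """Collapse per-event hits into findings an analyst can triage."""
    findings = []
    for ev in events:
        hits = rules_for(ev)
        if hits:
            findings.append({"image": ev.get("Image"), "user": ev.get("User"), "rules": hits})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # sanctioned client, installed as a service, pointing at the approved relay
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)\ScreenConnect.ClientService.exe",
     "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.corp-example.com&p=443"',
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # the phishing chain: renamed client run by the user from Downloads
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\SocialSecurityAdminUpd05212025.exe",
     "OriginalFileName": "ScreenConnect.ClientSetup.exe", "Product": "ScreenConnect",
     "CommandLine": r'"C:\Users\jdoe\Downloads\SocialSecurityAdminUpd05212025.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # the installed trojanized client calling out to the domain named in the post
    {"EventID": 3, "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (9f8e7d6c)\ScreenConnect.ClientService.exe",
     "DestinationHostname": "pulseriseglobal.com"},
    # the sanctioned service binary talking to the approved relay: benign
    {"EventID": 3, "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)\ScreenConnect.ClientService.exe",
     "DestinationHostname": "support.corp-example.com"},
    # unrelated process, ignored
    {"EventID": 3, "User": "CORP\\jdoe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.ssa.gov"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f["user"], f["image"], ", ".join(f["rules"]))
```

Two design choices matter here. Matching on `OriginalFileName` and `Product` rather than only the file name is what makes the renamed `SocialSecurityAdminUpd05212025.exe` visible at all; and keying the network rule on an allowlist of relay hosts, rather than on the ScreenConnect binary itself, is what lets an organization that legitimately uses ScreenConnect still alert on a second, attacker-controlled instance.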

The Cloudflare PhishGuard and Email Detection teams deployed a series of detections to block malicious SSA-related emails. These detections evaluate domain reputation, alongside capabilities to identify suspicious Government sentiment and branding within the messages. We combine these high-confidence detections in our production environment along with proactive threat hunting techniques to identify emerging email-based threats. Additionally, these detections leverage our machine learning models, which analyse email content, sentiment and metadata to detect and flag malicious messages.

Indicators of compromise

Executables

Email Detection Fingerprints (EDF)

Related resources

Sacked or hacked? Unmasking employment termination scams

Campaign snapshot

Unraveling SloppyLemming’s Operations Across South Asia

Threat report

Freight fraud surge: global supply chain compromises

Campaign snapshot