Fake SSA Emails Trick Users into Installing ScreenConnect RAT
Cybercriminals are using fake Social Security Administration emails to distribute the ScreenConnect RAT (Remote Access Trojan) and compromise user computers.
Cybersecurity experts have uncovered ongoing schemes in which criminals exploit the name of the US Social Security Administration (SSA) to trick people into installing a dangerous Remote Access Trojan (RAT) called ScreenConnect on their computers. Once installed, this program gives the attackers complete remote control, allowing them to steal personal information and install more harmful software.
Researchers at Malwarebytes first noticed these fake emails, which inform people that their “Social Security Statement is now available” and urge them to download an attachment or click a link to view it. These emails are designed to look very real, making it hard for people to tell they are fake.
The links or attachments in these emails lead to the download of a file that installs the ScreenConnect client. To make people think it’s safe, these files are sometimes given misleading names, such as “ReceiptApirl2025Pdfc.exe” or “SSAstatment11April.exe.”
ScreenConnect itself is a real tool used by companies for IT support, letting technicians help users remotely. However, in the hands of criminals, it becomes very dangerous. Once they have control of a computer through ScreenConnect, they can look at files, run programs, and steal sensitive data like bank details and personal identification numbers. The criminals behind this, sometimes called the Molatori group, primarily want to commit financial fraud.
Security experts at Cofense also reported similar phishing campaigns impersonating the SSA. The emails often claimed to provide an updated benefits statement, using mismatched links or hiding malicious links behind buttons.
“While the exact structure of the email changes from sample to sample, the campaign consistently delivers an embedded link to a ConnectWise RAT installer,” Cofense researchers noted in their flash alert.
Their findings indicated that these fake emails aimed to install a ConnectWise RAT, a tainted version of the legitimate software ConnectWise Control (formerly ScreenConnect). This campaign saw an increase in activity leading up to the 2024 US presidential elections, peaking around mid-November 2024.
What makes these attacks tricky to spot is how the criminals operate. They often send these phishing emails from websites that have been compromised, making the email addresses appear legitimate. They also frequently embed the email content as an image, which stops email filters from being able to read and block harmful messages. Furthermore, because ScreenConnect is a widely used program, regular antivirus software might not automatically flag it as a threat.
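The traits described above (image-only bodies, link text that does not match its destination, links that fetch an executable) can be checked on the mail gateway or during triage. The following is an added example, not code from Malwarebytes or Cofense; the sample message, its hosts and the 10-word threshold are constructed assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; hosts are placeholders, not real indicators.
SAMPLE = """From: SSA <notify@compromised-site.example>
Subject: Your Social Security Statement is now available
Content-Type: text/html; charset=utf-8

<html><body><img src="cid:statement.png">
<a href="https://files.example.net/SSAstatment11April.exe">www.ssa.gov/statement</a>
</body></html>
"""

class Scan(HTMLParser):
    """Collects (href, visible label) pairs, image count and text outside links."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], 0, []
        self._href, self._buf = None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
        elif tag == "img":
            self.images += 1
    def handle_data(self, data):
        (self._buf if self._href is not None else self.text).append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def triage(raw_eml):
    """Return a list of heuristic findings for the HTML parts of one message."""
    msg, findings = message_from_string(raw_eml), []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scan = Scan()
        scan.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        # A body that is an image with almost no readable text defeats content filters.
        if scan.images and len(" ".join(scan.text).split()) < 10:
            findings.append("image-only body")
        for href, label in scan.links:
            url = urlparse(href)
            shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", label.lower())
            if shown and shown.group(1) != (url.hostname or ""):
                findings.append(f"link text {shown.group(1)} points to {url.hostname}")
            if url.path.lower().endswith(".exe"):
                findings.append("link downloads an executable")
    return findings
```

These are triage heuristics, so a hit is a reason to quarantine and review rather than proof of compromise.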
This isn’t the first time criminals have misused legitimate remote access tools. As Hackread.com previously reported, similar tactics have been used in fake LinkedIn emails to spread the ConnectWise RAT.
These fake messages mimicked real InMail notifications, using older designs to appear convincing. Cybercriminals are also using sophisticated phishing emails that mimic well-known brands to steal information.
For example, a recent campaign targeted Australian airline Qantas, with fake emails designed to look like real marketing messages from the airline. These emails, discovered by Cofense Intelligence, tricked users into giving away their credit card details and personal information.