Hackers Abuse ScreenConnect to Hijack PCs via Fake Social Security Emails

By Azhar Khan
Researchers at Forcepoint X-labs have uncovered a malicious campaign targeting organizations in the UK, US, Canada, and Northern Ireland. The attackers impersonate the U.S. Social Security Administration (SSA) in phishing emails designed to trick recipients into executing a malicious Windows command script.

The campaign ultimately installs ConnectWise ScreenConnect, a legitimate remote management tool, allowing attackers to gain persistent remote access to compromised systems.

Phishing Lures Impersonate the SSA

The attack begins with emails that appear to originate from the Social Security Administration. These messages typically claim urgent issues related to benefits or account verification, creating a sense of urgency that pressures recipients to act quickly.

Victims are prompted to download and execute a malicious .cmd file, which initiates the infection chain.

Malicious Script Disables Windows Defenses

Once executed, the script performs several stealthy actions:

  • Disables Windows security protections
  • Suppresses system warnings
  • Prepares the system for remote access installation

By weakening built-in defenses, attackers increase the likelihood that subsequent payloads will execute without detection.

Payload Concealment via Alternate Data Streams

The campaign uses Alternate Data Streams (ADS), a lesser-known NTFS file system feature, to hide malicious payloads. ADS allows attackers to store hidden data within legitimate files, making detection by traditional security tools more difficult.

This technique enhances persistence and evasion, particularly in enterprise environments relying on signature-based detection.
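The ADS technique above is easy to miss because a directory listing shows only the primary stream. The following PowerShell sweep is an added example written for this article; it is not code from Forcepoint or from the campaign. It lists every stream attached to files under a root directory, ignores the primary `:$DATA` stream and the browser-written `Zone.Identifier` mark, and reports anything else above a size threshold together with the first characters of the stream so an analyst can triage it (`MZ` suggests a PE file, `@echo` or `rem` suggests a script). `$Root` and `$MinBytes` are assumed defaults, not values from the report.

```powershell
# Added example (not from the article or the Forcepoint report): hunt for NTFS
# alternate data streams that do not match the two streams normally present.
function Find-SuspiciousAds {
    param(
        [string]$Root = "$env:USERPROFILE\Downloads",  # assumed starting point; adjust to your sweep scope
        [int]$MinBytes = 1024                           # assumed threshold; tiny streams are usually metadata
    )

    # The primary stream and the mark-of-the-web are expected; everything else is worth a look.
    $expectedStreams = @(':$DATA', 'Zone.Identifier')

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # -Stream * returns one AlternateStreamData object per stream, including :$DATA
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $expectedStreams -notcontains $_.Stream -and $_.Length -ge $MinBytes } |
            ForEach-Object {
                # Read only the first line of the stream as text and keep a short prefix for triage
                $firstLine = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
                $prefix = if ($firstLine) { $firstLine.Substring(0, [Math]::Min(8, $firstLine.Length)) } else { '' }

                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Prefix = $prefix
                }
            }
    }
}

# Usage: sweep the default download folder and print a table of non-standard streams
Find-SuspiciousAds | Format-Table -AutoSize
```

Run it as the user whose profile you are inspecting, or point `-Root` at a share or a mounted image. A hit is not proof of compromise on its own (some backup and sync products store metadata in ADS), but a large stream whose prefix starts with `MZ` or with script keywords, attached to an otherwise innocuous file in a user-writable directory, is exactly the pattern described in this campaign and should go to incident response.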

Silent Installation of ScreenConnect

After preparing the environment, the script silently installs ConnectWise ScreenConnect. While ScreenConnect is a legitimate remote support and management solution, threat actors frequently abuse such tools for unauthorized access.

Once installed, attackers can remotely control the victim’s PC, exfiltrate data, deploy additional malware, or move laterally within a network.

Targeted Regions

The campaign has been observed targeting organizations across:

  • United Kingdom
  • United States
  • Canada
  • Northern Ireland

The use of SSA-themed lures suggests a focus on English-speaking targets, though similar tactics could easily be adapted for other regions.

Defensive Recommendations

Organizations should reinforce phishing awareness training and implement controls to prevent execution of unauthorized scripts. Additional recommendations include:

  • Blocking or restricting .cmd file execution where unnecessary
  • Monitoring for unexpected installation of remote management tools
  • Enforcing application allowlisting policies
  • Reviewing Windows Defender and security configuration logs for tampering
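The last two recommendations can be turned into a repeatable host audit. The script below is an added example for this article, not tooling from Forcepoint or ConnectWise. It checks the Defender switches a defence-disabling script would flip, pulls the Defender operational log events that record real-time protection being turned off (event 5001) or the configuration changing (5007), and then looks for a ScreenConnect client that IT did not deploy via its service, its running processes and its uninstall registry entry. The ScreenConnect service, process and display-name patterns, the seven-day lookback and the `-ApprovedInstanceIds` list are assumptions; verify them against a machine your own team provisioned.

```powershell
# Added example (not from the article or the Forcepoint report): audit a Windows host
# for weakened Defender settings and for a ScreenConnect client that was not approved.
function Test-DefenderTampering {
    $findings = @()

    # Get-MpPreference exposes the switches a malicious script would flip
    $pref = Get-MpPreference
    if ($pref.DisableRealtimeMonitoring) { $findings += 'Real-time monitoring disabled' }
    if ($pref.DisableBehaviorMonitoring) { $findings += 'Behavior monitoring disabled' }
    if ($pref.DisableIOAVProtection)     { $findings += 'Download/attachment (IOAV) scanning disabled' }
    if ($pref.ExclusionPath)             { $findings += "Path exclusions present: $($pref.ExclusionPath -join ', ')" }
    if ($pref.ExclusionExtension)        { $findings += "Extension exclusions present: $($pref.ExclusionExtension -join ', ')" }

    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled)  { $findings += 'Antivirus engine reports disabled' }
    if (-not $status.IsTamperProtected) { $findings += 'Tamper Protection is off' }

    # Defender operational log: 5001 = real-time protection disabled, 5007 = configuration changed.
    # Seven-day window is an assumption; widen it for a retrospective hunt.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $findings += "$($e.TimeCreated) Defender event $($e.Id): $($e.Message.Split("`n")[0])"
    }
    return $findings
}

function Find-UnexpectedScreenConnect {
    param([string[]]$ApprovedInstanceIds = @())  # assumption: instance IDs your IT team legitimately deploys
    $findings = @()

    # Each ScreenConnect client registers a per-instance service; the name pattern is an assumption
    Get-Service -Name 'ScreenConnect Client*' -ErrorAction SilentlyContinue | ForEach-Object {
        $id = if ($_.Name -match '\(([0-9a-f]+)\)') { $Matches[1] } else { 'unknown' }
        if ($ApprovedInstanceIds -notcontains $id) {
            $findings += "Service '$($_.Name)' ($($_.Status)) is not in the approved list"
        }
    }

    # Running client processes; names are assumptions about the ScreenConnect installer
    Get-Process -Name 'ScreenConnect.ClientService', 'ScreenConnect.WindowsClient' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Process $($_.Name) (PID $($_.Id)) running from $($_.Path)" }

    # Uninstall entries catch an install whose service was later stopped or renamed
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'ScreenConnect Client*' } |
        ForEach-Object { $findings += "Uninstall entry '$($_.DisplayName)' installed $($_.InstallDate)" }

    return $findings
}

# Usage: run elevated so Get-MpPreference and the Defender log are readable
$report = @(Test-DefenderTampering) + @(Find-UnexpectedScreenConnect)
if ($report) { $report | ForEach-Object { Write-Warning $_ } }
else         { Write-Host 'No Defender tampering or unexpected ScreenConnect client found.' }
```

Feed the approved instance IDs from your RMM inventory so a sanctioned ScreenConnect deployment does not page the on-call; a client whose ID is unknown, installed on a machine with a fresh Defender event 5001, matches the order of operations this campaign uses (defences weakened first, remote-access tool installed second) and is worth isolating while you check the user's mailbox for the SSA-themed lure.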

Living-Off-the-Land Tactics on the Rise

This campaign highlights a growing trend: attackers increasingly rely on legitimate administrative tools to blend into normal IT operations. By abusing trusted software like ScreenConnect, threat actors reduce suspicion and complicate incident response efforts.

Security teams must remain vigilant against phishing-driven attacks that combine social engineering with stealthy post-exploitation techniques.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.