{
	"id": "2ebc9cb4-99cb-4450-a033-8c9128ebd8b2",
	"created_at": "2026-04-06T00:20:53.557361Z",
	"updated_at": "2026-04-10T03:30:41.447526Z",
	"deleted_at": null,
	"sha1_hash": "c754c47ba6a989f801f04fa14ac2eb5f75d54716",
	"title": "Fake Social Security Statement emails trick users into installing remote tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 270266,
	"plain_text": "Fake Social Security Statement emails trick users into installing\r\nremote tool\r\nBy Pieter Arntz\r\nPublished: 2025-04-30 · Archived: 2026-04-05 14:34:49 UTC\r\nFake emails pretending to come from the US Social Security Administration (SSA) try to get targets to install\r\nScreenConnect, a remote access tool.\r\nThis campaign was flagged and investigated by the Malwarebytes Customer Support and Research teams.\r\nScreenConnect, formerly known as ConnectWise Control, is a remote support and remote access platform widely\r\nused by businesses to facilitate IT support and troubleshooting. It allows technicians to remotely connect to users’\r\ncomputers to perform tasks such as software installation, system configuration, and to resolve issues.\r\nBecause ScreenConnect provides full remote control capabilities, an unauthorized user with access can operate\r\nyour computer as if they were physically present. This includes running scripts, executing commands, transferring\r\nfiles, and even installing malware—all potentially without you realizing.\r\nThis makes ScreenConnect a dangerous tool in the hands of cybercriminals. 
A phishing group dubbed Molatori—\r\nbecause of the domains they use to host the ScreenConnect client—has been found to lure their targets into\r\ninstalling the ScreenConnect clients by sending emails pretending to come from the Social Security\r\nAdministration (SSA):\r\nhttps://www.malwarebytes.com/blog/news/2025/04/fake-social-security-statement-emails-trick-users-into-installing-remote-tool\r\nPage 1 of 4\n\n“Your Social Security Statement is now available\r\nThank you for choosing to receive your statements electronically.\r\nYour document is now ready for download:\r\nPlease download the attachment and follow the provided instructions.\r\nNOTE: Statements \u0026 Documents are only compatible with PC/Windows systems.”\r\nThere are some variations to this mail in circulation but the example above shows how legitimate these emails\r\nlook.\r\nThe link in the email leads to the ScreenConnect support.Client.exe, but was found under several misleading\r\nnames like ReceiptApirl2025Pdfc.exe , and SSAstatment11April.exe .\r\nAfter cybercriminals install the client on the target’s computer, they remotely connect to it and immediately begin\r\ntheir malicious activities. They access and exfiltrate sensitive information such as banking details, personal\r\nidentification numbers, and confidential files. This stolen data can then be used to commit identity theft, financial\r\nfraud, and other harmful acts. 
Experts have identified financial fraud as the primary objective of the Molatori\r\ngroup.\r\nThere are several circumstances that make this campaign hard to detect:\r\nThe cybercriminals send phishing emails from compromised WordPress sites, so the domains themselves\r\nappear legitimate and not malicious.\r\nThey often embed the email content as an image, which prevents email filters from effectively scanning\r\nand blocking the message.\r\nScreenConnect is a legitimate application which happens to be abused because of its capabilities.\r\nWhat we can do\r\nWhen receiving unsolicited emails there are a few necessary precautions you can take to avoid falling for\r\nphishing:\r\nVerify the source of the email through independent sources.\r\nDon’t click on links until you are sure they are non-malicious.\r\nDon’t open downloaded files or attachments until you are sure they are safe.\r\nUse an up-to-date and active anti-malware solution.\r\nIf you suspect an email isn’t legitimate, take a name or some text from the message and put it into a search\r\nengine to see if any known phishing attacks exist using the same methods.\r\nMalwarebytes users are protected\r\nMalwarebytes will detect suspicious instances of the ScreenConnect client as RiskWare.ConnectWise.CST.\r\nAnd blocks connections to these associated domains:\r\nAbout the author\r\nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich\r\nmahogany and leather-bound books.\r\nSource: https://www.malwarebytes.com/blog/news/2025/04/fake-social-security-statement-emails-trick-users-into-installing-remote-tool",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2025/04/fake-social-security-statement-emails-trick-users-into-installing-remote-tool"
	],
	"report_names": [
		"fake-social-security-statement-emails-trick-users-into-installing-remote-tool"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "da6e4fcb-869e-4daf-89bc-cd766dc0dbcd",
			"created_at": "2025-05-29T02:00:03.228476Z",
			"updated_at": "2026-04-10T02:00:03.879655Z",
			"deleted_at": null,
			"main_name": "Molatori",
			"aliases": [],
			"source_name": "MISPGALAXY:Molatori",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434853,
	"ts_updated_at": 1775791841,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c754c47ba6a989f801f04fa14ac2eb5f75d54716.pdf",
		"text": "https://archive.orkl.eu/c754c47ba6a989f801f04fa14ac2eb5f75d54716.txt",
		"img": "https://archive.orkl.eu/c754c47ba6a989f801f04fa14ac2eb5f75d54716.jpg"
	}
}