Fake DHL Phishing Emails Drop SimpleHelp Remote Access Tool for Backdoor Access

Phishing Campaign Abuses Legitimate SimpleHelp RMM Tool via Fake DHL 'Shipment Arrived' Emails

Severity: HIGH
Published: April 17, 2026
Updated: April 19, 2026
Categories: Phishing, Malware, Cyberattack

Related Entities (initial)

Organizations

Malwarebytes

Products & Tech

SimpleHelp

Other

DHL

Full Report (when first published)

Executive Summary

A new phishing campaign has been identified that leverages social engineering and the abuse of a legitimate remote access tool to compromise businesses. Attackers are sending emails that impersonate the shipping company DHL to lure victims into installing a malicious, pre-configured version of the SimpleHelp remote support software. The attack provides threat actors with a persistent backdoor into the victim's network, enabling remote control, file transfer, and the deployment of additional malware such as ransomware. The campaign appears to target organizations in the logistics and industrial supply sectors, where shipping notifications are common and less likely to arouse suspicion.


Threat Overview

Threat Actor: The group behind this campaign is currently unspecified.

Attack Chain:

  1. Initial Access: The attack begins with a phishing email impersonating DHL, using a subject line like "Your shipment has arrived." The email contains a PDF attachment (e.g., AWB-Doc0921.pdf). This is a classic example of T1566.001 - Spearphishing Attachment.
  2. Social Engineering: The PDF displays a blurred image and a button prompting the user to "Continue," tricking them into taking the next step.
  3. Payload Delivery: Clicking the button downloads a Windows screensaver file (.scr), which is a type of executable file. The file is hosted on a compromised domain, in this case, a Vietnamese logistics company's website.
  4. Execution & Persistence: The .scr file is a modified installer for the legitimate SimpleHelp RMM tool. When run, it installs the software and pre-configures it to connect to an attacker-controlled C2 server. This provides the attacker with persistent remote access, a technique known as T1219 - Remote Access Software.

Technical Analysis

This attack is effective because it abuses a legitimate, signed software application, which may not be flagged by traditional signature-based antivirus. The key components are:

  • Lure: The DHL theme is highly effective against businesses that regularly handle shipments, such as the German industrial supplier identified as a target.
  • Multi-Stage Payload: The use of a PDF linking to an executable (.scr) file is a common technique to bypass initial email gateway scans that might block direct executables.
  • Living Off The Land (LOTL) Variant: By abusing a legitimate RMM tool, the attacker's C2 traffic can blend in with normal administrative activity, making it harder to detect on the network. The SimpleHelp tool gives the attacker a full suite of capabilities, including remote desktop, file system access, and command execution.

Impact Assessment

Once the attacker has established a backdoor with SimpleHelp, they have a strong foothold in the victim's network. The potential impact is severe and can include:

  • Data Theft: Exfiltration of sensitive corporate data, intellectual property, and financial information.
  • Ransomware Deployment: The remote access can be used as a staging point to deploy ransomware across the network.
  • Lateral Movement: The attacker can use the compromised machine to pivot and attack other systems within the internal network.
  • Credential Theft: Keystroke loggers or tools like Mimikatz can be deployed to steal user credentials.

IOCs

Type      | Value                      | Description
Domain    | longhungphatlogistics[.]vn | Compromised domain used to host the malicious .scr file.
File Name | AWB-Doc0921.pdf            | Example name of the initial PDF attachment.
File Type | .scr                       | The downloaded payload is a Windows screensaver file, which is an executable.

Detection & Response

Detection:

  • Application Monitoring: Monitor for the installation of unauthorized software, especially RMM tools like SimpleHelp, TeamViewer, or AnyDesk. This can be achieved with D3-EAL: Executable Allowlisting or simply by monitoring software installation events.
  • Network Traffic Analysis: Look for outbound connections from endpoints to unknown or suspicious domains on ports used by SimpleHelp. Even if the traffic is encrypted, the destination IP may be an indicator.
  • Email Gateway Logs: Search for emails with DHL-themed subjects and PDF attachments from non-DHL sender domains.
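The three detection ideas above (unsanctioned RMM installs, contact with the hosting domain or download of an executable, and DHL-themed PDFs from non-DHL senders) can be expressed as simple rules over existing telemetry. The following Python is an added example written for this article, not code from the original report or from Malwarebytes. The log format (a record type followed by key=value pairs), the trusted DHL sender domains, the RMM product list and the sample log lines are all constructed assumptions; the only page-provided value is the hosting domain from the IOC table, refanged so it can be matched.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Assumption: the organization has no sanctioned deployment of these RMM products.
RMM_TOOLS = {"simplehelp", "teamviewer", "anydesk", "screenconnect", "pulseway"}
# Assumption: sender domains DHL legitimately uses; derive this from your own mail history.
TRUSTED_DHL_DOMAINS = {"dhl.com", "dhl.de"}
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
DHL_SUBJECT = re.compile(r"\b(dhl|shipment|awb|parcel|delivery)\b", re.IGNORECASE)
# IOC from the report (written defanged there as longhungphatlogistics[.]vn).
KNOWN_BAD_DOMAINS = {"longhungphatlogistics.vn"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: Optional[str]   # endpoint name where known; None for mail-gateway alerts
    evidence: str


def parse_fields(record: str) -> dict:
    """Split key=value pairs; values may be double-quoted so they can contain spaces."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {k: v.strip('"') for k, v in pairs}


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip("<>").lower()


def check_email(f: dict) -> list:
    """DHL-themed subject plus a PDF attachment from a domain DHL does not send from."""
    sender = f.get("sender", "")
    subject = f.get("subject", "")
    attachment = f.get("attachment", "").lower()
    if (DHL_SUBJECT.search(subject) and attachment.endswith(".pdf")
            and sender_domain(sender) not in TRUSTED_DHL_DOMAINS):
        return [Alert("dhl_lure_pdf_untrusted_sender", None, f"{sender} | {subject} | {attachment}")]
    return []


def check_web(f: dict) -> list:
    """Download of an executable file type, and any contact with the known hosting domain."""
    url = urlparse(f.get("url", ""))
    hostname = (url.hostname or "").lower()
    ext = os.path.splitext(url.path)[1].lower()
    alerts = []
    if ext in EXECUTABLE_EXTENSIONS:
        alerts.append(Alert("executable_download", f.get("host"), f.get("url", "")))
    if hostname in KNOWN_BAD_DOMAINS:
        alerts.append(Alert("ioc_domain_contact", f.get("host"), hostname))
    return alerts


def check_install(f: dict) -> list:
    """Installation of an RMM product that is not part of the sanctioned software set."""
    product = f.get("product", "").lower()
    if any(tool in product for tool in RMM_TOOLS):
        return [Alert("unsanctioned_rmm_install", f.get("host"), f.get("product", ""))]
    return []


CHECKS = {"EMAIL": check_email, "WEB": check_web, "INSTALL": check_install}


def triage(lines) -> list:
    """Dispatch each record to the check for its source and collect all alerts."""
    alerts = []
    for line in lines:
        kind, _, rest = line.partition(" ")
        check = CHECKS.get(kind)
        if check:
            alerts.extend(check(parse_fields(rest)))
    return alerts


def correlate(alerts) -> set:
    """Hosts that both downloaded an executable and installed an RMM tool, i.e. the
    payload-delivery-to-persistence chain observed on a single endpoint."""
    by_host = {}
    for a in alerts:
        if a.host:
            by_host.setdefault(a.host, set()).add(a.rule)
    return {h for h, rules in by_host.items()
            if {"executable_download", "unsanctioned_rmm_install"} <= rules}


# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    'EMAIL sender=notify@dhl-express-delivery.co subject="Your shipment has arrived" attachment=AWB-Doc0921.pdf',
    'EMAIL sender=noreply@dhl.com subject="Your shipment has arrived" attachment=invoice.pdf',
    "WEB host=WS-042 url=http://longhungphatlogistics.vn/docs/AWB-Doc0921.scr",
    "WEB host=WS-042 url=https://www.example.org/report.pdf",
    'INSTALL host=WS-042 user=jdoe product="SimpleHelp Remote Access"',
    'INSTALL host=WS-017 user=asmith product="7-Zip 23.01"',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    for a in found:
        print(f"{a.rule:32} host={a.host} evidence={a.evidence}")
    print("hosts with delivery + persistence chain:", correlate(found))
```

The per-source rules are deliberately loose on their own (a DHL subject from an unknown sender is common noise); the value is in correlate(), which raises confidence when the executable download and the RMM installation land on the same host, matching steps 3 and 4 of the attack chain.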

Response:

  1. If an unauthorized SimpleHelp installation is found, immediately isolate the host.
  2. Block the attacker's C2 domain (longhungphatlogistics[.]vn) at the network perimeter.
  3. Uninstall the SimpleHelp software and investigate the machine for any further malicious activity or payloads.
  4. Reset the credentials of any user who was logged into the machine at the time of compromise.

Mitigation

  1. Application Allowlisting: Implement strict application control policies that prevent the installation and execution of unauthorized software. This is the most effective technical control against this type of attack.
  2. Email Security: Deploy an advanced email security solution that can perform attachment sandboxing to detect the malicious behavior of the PDF and linked executable.
  3. User Training: Train users to be highly suspicious of unsolicited attachments, even if they appear to be from a known brand. Teach them to verify sender email addresses and to be wary of documents that require downloading additional files.
  4. File Extension Visibility: Ensure that Windows is configured to show file extensions for known file types. This helps users spot that a file like document.scr is an executable, not a document.

Timeline of Events

1. April 17, 2026: This article was published

Article Updates

April 19, 2026: Severity increased

Organized crime groups are leveraging RMM tools like SimpleHelp in a sophisticated campaign to facilitate physical cargo theft and payment diversion, causing billions in losses.

New research reveals organized crime groups are leveraging legitimate RMM tools, including SimpleHelp, in a sophisticated campaign targeting the logistics sector. Attackers use phishing with VBS files and PowerShell to deploy multiple RATs like ScreenConnect, Pulseway, and SimpleHelp. A novel 'signing-as-a-service' technique is used for defense evasion. The primary objective is to facilitate physical cargo theft and payment diversion, leading to an estimated $6.6 billion in losses in North America. This significantly broadens the scope and impact of RMM tool abuse previously reported.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags: DHL, Malware, Phishing, RMM, Remote Access, SimpleHelp
