# Phishing Campaign Abuses Legitimate SimpleHelp RMM Tool via Fake DHL 'Shipment Arrived' Emails

**Title:** Fake DHL Phishing Emails Drop SimpleHelp Remote Access Tool for Backdoor Access

| Field | Value |
|---|---|
| Published | 2026-04-17 (extracted 2026-04-17T15:00:00Z) |
| Article type | Analysis |
| Severity | high |
| Category | Phishing, Malware, Cyberattack |
| Tags | Phishing, DHL, SimpleHelp, RMM, Remote Access, Malware |
| Reading time | 5 minutes |
| Source | [“Your shipment has arrived” email hides remote access software](https://www.malwarebytes.com/blog/news/2026/04/your-shipment-has-arrived-email-hides-remote-access-software), Malwarebytes (malwarebytes.com), 2026-04-17 |
| Entities | [SimpleHelp](https://simple-help.com/) (product); DHL (company); [Malwarebytes](https://www.malwarebytes.com/) (security organization) |
| CVEs | none |
| Impact scope | Geographic: global. Industries affected: Transportation, Manufacturing, Retail. Other affected: logistics-related businesses |

**Summary:** A new phishing campaign is targeting businesses with convincing emails impersonating the shipping company DHL. The emails, with subject lines like 'Your shipment has arrived,' trick recipients into opening a malicious PDF attachment. Clicking a button within the PDF downloads a Windows screensaver file (`.scr`), which is a disguised installer for SimpleHelp, a legitimate remote monitoring and management (RMM) tool. The installer is pre-configured to connect to an attacker-controlled server, giving the threat actors a persistent backdoor into the victim's network for further malicious activity.

## Executive Summary
A new phishing campaign has been identified that leverages social engineering and the abuse of a legitimate remote access tool to compromise businesses. Attackers are sending emails that impersonate the shipping company **DHL** to lure victims into installing a malicious, pre-configured version of the **[SimpleHelp](https://simple-help.com/)** remote support software. The attack provides threat actors with a persistent backdoor into the victim's network, enabling remote control, file transfer, and the deployment of additional malware such as ransomware. The campaign appears to target organizations in the logistics and industrial supply sectors, where shipping notifications are common and less likely to arouse suspicion.

---

## Threat Overview
**Threat Actor:** The group behind this campaign is currently unspecified.

**Attack Chain:**
1.  **Initial Access:** The attack begins with a phishing email impersonating DHL, using a subject line like "Your shipment has arrived." The email contains a PDF attachment (e.g., `AWB-Doc0921.pdf`). This is a classic example of [`T1566.001 - Spearphishing Attachment`](https://attack.mitre.org/techniques/T1566/001/).
2.  **Social Engineering:** The PDF displays a blurred image and a button prompting the user to "Continue," tricking them into taking the next step.
3.  **Payload Delivery:** Clicking the button downloads a Windows screensaver file (`.scr`), which is an ordinary PE executable with a different extension. The file is hosted on a compromised domain, in this case a Vietnamese logistics company's website ([`T1105 - Ingress Tool Transfer`](https://attack.mitre.org/techniques/T1105/)).
4.  **Execution & Persistence:** The `.scr` file is a modified installer for the legitimate SimpleHelp RMM tool. When the user runs it ([`T1204.002 - Malicious File`](https://attack.mitre.org/techniques/T1204/002/)), it installs the software and pre-configures it to connect to an attacker-controlled C2 server. This provides the attacker with persistent remote access, a technique known as [`T1219 - Remote Access Software`](https://attack.mitre.org/techniques/T1219/).

## Technical Analysis
This attack is effective because it abuses a legitimate, signed software application, which may not be flagged by traditional signature-based antivirus. The key components are:
*   **Lure:** The DHL theme is highly effective against businesses that regularly handle shipments, such as the German industrial supplier identified as a target.
*   **Multi-Stage Payload:** The use of a PDF linking to an executable (`.scr`) file is a common technique to bypass initial email gateway scans that might block direct executables: the attachment itself contains no code, only a link.
*   **Living Off The Land (LOTL) Variant:** By abusing a legitimate RMM tool, the attacker's C2 traffic can blend in with normal administrative activity, making it harder to detect on the network. The SimpleHelp tool gives the attacker a full suite of capabilities, including remote desktop, file system access, and command execution.

## Impact Assessment
Once the attacker has established a backdoor with SimpleHelp, they have a strong foothold in the victim's network. The potential impact is severe and can include:
*   **Data Theft:** Exfiltration of sensitive corporate data, intellectual property, and financial information.
*   **Ransomware Deployment:** The remote access can be used as a staging point to deploy ransomware across the network.
*   **Lateral Movement:** The attacker can use the compromised machine to pivot and attack other systems within the internal network.
*   **Credential Theft:** Keystroke loggers or tools like Mimikatz can be deployed to steal user credentials.

---

## IOCs
| Type | Value | Description |
|---|---|---|
| Domain | `longhungphatlogistics[.]vn` | Compromised domain used to host the malicious `.scr` file. This is the download location, not the attacker's C2 server, which the report does not name. |
| File Name | `AWB-Doc0921.pdf` | Example name of the initial PDF attachment. |
| File Type | `.scr` | The downloaded payload is a Windows screensaver file, which is an executable. |

## Detection & Response
**Detection:**
*   **Application Monitoring:** Monitor for the installation of unauthorized software, especially RMM tools like SimpleHelp, TeamViewer, or AnyDesk. This can be achieved with **[D3-EAL: Executable Allowlisting](https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting)** or simply by monitoring software installation events. If SimpleHelp is a sanctioned tool in your environment, the presence of the binary alone is not a signal; key detection on the server address the installer is configured to reach and treat any SimpleHelp server that is not your own as hostile.
*   **Network Traffic Analysis:** Look for outbound connections from endpoints to unknown or suspicious destinations on the ports your SimpleHelp deployment uses (or, if you have no deployment, any SimpleHelp traffic at all). Even when the session is encrypted, the destination domain, IP address and TLS SNI are visible and can be compared against your known-good RMM servers.
*   **Email Gateway Logs:** Search for emails with DHL-themed subjects and PDF attachments from non-DHL sender domains. Check the gateway's SPF/DKIM/DMARC verdict as well: a lookalike domain the attacker registered passes those checks for itself, so an authentication pass does not vouch for the brand in the display name.

**Response:**
1.  If an unauthorized SimpleHelp installation is found, immediately isolate the host.
2.  Block the compromised download domain (`longhungphatlogistics[.]vn`) at the network perimeter, and block the attacker-controlled SimpleHelp server as well once it has been recovered from the installer's configuration or from the host's outbound connections. The download domain belongs to a legitimate business whose site was compromised; it hosts the installer but is not the C2 server.
3.  Uninstall the SimpleHelp software and investigate the machine for any further malicious activity or payloads.
4.  Reset the credentials of any user who was logged into the machine at the time of compromise.

## Mitigation
1.  **Application Allowlisting:** Implement strict application control policies that prevent the installation and execution of unauthorized software. This is the most effective technical control against this type of attack.
2.  **Email Security:** Deploy an advanced email security solution that can perform attachment sandboxing to detect the malicious behavior of the PDF and linked executable.
3.  **User Training:** Train users to be highly suspicious of unsolicited attachments, even if they appear to be from a known brand. Teach them to verify sender email addresses and to be wary of documents that require downloading additional files.
4.  **File Extension Visibility:** Ensure that Windows is configured to show file extensions for known file types. This helps users spot that a file like `document.scr` is an executable, not a document. It is a visibility aid only; allowlisting remains the control that actually stops execution.

---

## MITRE ATT&CK Techniques
| ID | Name | Tactic |
|---|---|---|
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1204.002 | Malicious File | Execution |
| T1105 | Ingress Tool Transfer | Command and Control |
| T1219 | Remote Access Software | Command and Control |

## MITRE Mitigations
| ID | Name | D3FEND technique | Description |
|---|---|---|---|
| M1038 | Execution Prevention | [D3-EAL: Executable Allowlisting](https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting) | Use application control solutions like WDAC to prevent the execution of unauthorized software, including unapproved RMM tools like SimpleHelp. |
| M1017 | User Training | (none) | Educate users to identify phishing lures, especially those related to common business functions like shipping, and to be cautious of unexpected attachments. |
| M1021 | Restrict Web-Based Content | [D3-FA: File Analysis](https://d3fend.mitre.org/technique/d3f:FileAnalysis) | Use email and web gateways to scan and sandbox attachments and downloads to detect malicious behavior before the payload reaches the endpoint. |

## D3FEND Countermeasures
**D3-EAL: Executable Allowlisting (M1038):** The most effective technical countermeasure against the SimpleHelp phishing campaign is Executable Allowlisting, for example using Windows Defender Application Control (WDAC). This attack relies on tricking a user into running an unauthorized installer (`.scr` file). In a properly hardened environment, this installer would be blocked by default. A WDAC policy should be created based on a 'golden image' of a standard corporate workstation, allowing only known, signed, and authorized applications to run. Since SimpleHelp is not an approved RMM tool in this context, its installer and subsequent executables (`SimpleHelp.exe`) would be prevented from executing, regardless of whether the user was tricked by the phishing email. This shifts the security burden from the fallible user to a preventative technical control, stopping the attack chain before persistence can be established.

**D3-FA: File Analysis (M1021):** To detect this threat at the perimeter, organizations should leverage File Analysis within a secure email gateway or sandbox environment. When the initial email with the `AWB-Doc0921.pdf` attachment arrives, the gateway should automatically detonate it in a sandbox. The analysis should detect that the PDF contains a link to an external resource. The sandbox should then follow this link, download the `.scr` file from the compromised `longhungphatlogistics[.]vn` domain, and execute it. During execution analysis, the sandbox would observe the file attempting to install software, create files in `Program Files`, and establish an outbound network connection. This chain of behavior is highly indicative of a malicious dropper. Based on this analysis, the email gateway can block the email from ever reaching the user's inbox, preventing the initial stage of the attack entirely.

## Cyber Observables
| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| process_name | `SimpleHelp.exe` | The presence of the SimpleHelp executable in an environment where it is not an authorized RMM tool is a strong indicator of compromise. | EDR process monitoring, software inventory lists. | high |
| network_traffic_pattern | Outbound TCP connections to `longhungphatlogistics[.]vn` | Network traffic from an internal host to the compromised domain that hosts the `.scr` stage (a download of the payload), followed by SimpleHelp connections to the attacker's server. | Firewall logs, web proxy logs, NetFlow data. | high |
| file_name | `*.scr` | Downloads of Windows screensaver files from web browsers, especially if triggered from a PDF, are highly suspicious. | EDR file creation events, proxy logs. | medium |

## Page Metadata
**Social post:** ⚠️ Phishing Alert: Fake DHL 'shipment arrived' emails are dropping a malicious installer for the SimpleHelp RMM tool, giving attackers a backdoor into victim networks. Be cautious with attachments! 📦 #Phishing #Malware #SimpleHelp #RMM

**Meta description:** A new phishing campaign impersonates DHL to trick users into installing a malicious, pre-configured version of the legitimate SimpleHelp RMM tool, providing attackers with backdoor access.
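The D3-FA recommendation above says the sandbox should detect that the PDF contains a link to an external resource before it ever follows it. The script below is an added example of that static step; it is not code from the article, Malwarebytes or SimpleHelp. It scans the raw bytes of a PDF for `/URI` link actions and `/Launch` actions and flags any link whose target carries an executable extension. The embedded sample PDF is constructed for the example: the article names `AWB-Doc0921.pdf` and the hosting domain, but the download path `/AWB-Doc0921.scr` is an assumption.

```python
"""Static triage of a PDF attachment for links to executable payloads.

Added example for the File Analysis (D3-FA) recommendation; it is not code
from the article, Malwarebytes or SimpleHelp. It scans the raw PDF bytes for
/URI link actions and /Launch actions, which only works for objects stored as
plain dictionaries. PDFs that pack objects into compressed object streams
(/ObjStm) must first be decompressed with a parser such as pypdf.
"""
import json
import os
import re
from urllib.parse import urlparse

# Extensions Windows runs directly on double-click (assumption: a starting
# list; align it with your email and proxy blocklists).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                         ".js", ".vbs", ".hta", ".msi"}

# A PDF literal string is "(...)" with backslash escapes such as \) \\ \101.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_LAUNCH_RE = re.compile(rb"/Launch\b")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def _unescape_pdf_string(raw: bytes) -> str:
    """Decode PDF literal-string escapes (named, octal, and escaped delimiters)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
            if m:                                   # \ddd octal byte
                out.append(int(m.group(0), 8) & 0xFF)
                i += 1 + len(m.group(0))
            else:                                   # \n \r \( \) \\ and friends
                nxt = raw[i + 1:i + 2]
                out += _ESCAPES.get(nxt, nxt)
                i += 2
            continue
        out += raw[i:i + 1]
        i += 1
    return out.decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """All /URI action targets stored in plain (uncompressed) objects."""
    return [_unescape_pdf_string(m.group(1)) for m in _URI_RE.finditer(pdf)]


def triage_pdf(pdf: bytes) -> dict:
    """Flag links whose target file name carries an executable extension."""
    uris = extract_uris(pdf)
    executable_links = []
    for uri in uris:
        parsed = urlparse(uri)
        ext = os.path.splitext(parsed.path)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            executable_links.append({"uri": uri, "host": parsed.hostname, "ext": ext})
    has_launch = bool(_LAUNCH_RE.search(pdf))
    return {
        "uris": uris,
        "executable_links": executable_links,
        "has_launch_action": has_launch,
        "verdict": "suspicious" if executable_links or has_launch else "no executable links",
    }


# Constructed minimal PDF standing in for AWB-Doc0921.pdf: one page, one link
# annotation. The path /AWB-Doc0921.scr is an assumption; the article names
# the hosting domain but not the path or file name of the .scr stage.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [200 300 400 340]
   /A << /S /URI /URI (https://longhungphatlogistics.vn/AWB-Doc0921.scr) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(json.dumps(triage_pdf(SAMPLE_PDF), indent=2))
```

A static pass like this is cheap enough to run on every PDF at the gateway and gives the sandbox a concrete URL to follow; it does not replace detonation, because a link to a benign-looking path can still redirect to an executable, and object-stream compression hides dictionaries from a byte scan.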
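The Detection section and the Cyber Observables table name three sources (email gateway logs, proxy or firewall logs, and EDR process events) and one correlation: an executable download followed by an unauthorized RMM process on the same host. The script below is an added example of that logic run over constructed sample lines; it is not code from the article or Malwarebytes. The key="value" log format, the field names, the hosts and users, the lookalike sender domain `dhl-parcel-update.example`, the `.scr` file name and the C2 address `203.0.113.17` are all assumptions made for the example; only `longhungphatlogistics.vn` and `SimpleHelp.exe` come from the article.

```python
"""Detection logic over the three sources named under Detection & Response.

Added example, not code from the article or Malwarebytes. The feeds are
constructed key="value" log lines (assumption: rename the fields to match your
gateway, proxy and EDR schemas). Hosts, users, the lookalike sender domain, the
.scr file name and the C2 address 203.0.113.17 are made up for the example.
"""
import json
import re
from collections import defaultdict
from posixpath import basename
from urllib.parse import urlparse

DHL_SENDER_DOMAINS = {"dhl.com", "dhl.de"}        # assumption: your verified DHL senders
LURE_WORDS = ("dhl", "shipment", "parcel", "delivery")
EXECUTABLE_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")
PAYLOAD_HOSTS = {"longhungphatlogistics.vn"}      # IOC from the article
RMM_PROCESSES = {"simplehelp.exe", "teamviewer.exe", "anydesk.exe"}
APPROVED_RMM = {"anydesk.exe"}                    # assumption: the one sanctioned tool

_KV = re.compile(r'(\w+)="([^"]*)"')
_ADDR = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^>]+)>\s*$")


def parse_kv(line: str) -> dict:
    return dict(_KV.findall(line))


def split_sender(raw: str) -> tuple:
    """'DHL Express <a@b>' -> ('DHL Express', 'a@b'); a bare address gets an empty name."""
    m = _ADDR.match(raw.strip())
    name, addr = (m.group("name"), m.group("addr")) if m else ("", raw.strip())
    return name.strip('" '), addr.lower()


def detect_email(log: str) -> list:
    """DHL-themed PDF lures from non-DHL domains, plus DHL domains that did not pass DMARC."""
    alerts = []
    for e in map(parse_kv, log.splitlines()):
        if not e:
            continue
        name, addr = split_sender(e.get("from", ""))
        domain = addr.rsplit("@", 1)[-1]
        themed = any(w in (name + " " + e.get("subject", "")).lower() for w in LURE_WORDS)
        pdf = e.get("attachment", "").lower().endswith(".pdf")
        if themed and pdf and domain not in DHL_SENDER_DOMAINS:
            rule = "dhl_themed_pdf_from_unverified_sender"
        elif themed and pdf and e.get("dmarc", "none") != "pass":
            rule = "dhl_domain_without_dmarc_pass"       # spoofed From: on a real DHL domain
        else:
            continue
        alerts.append({"rule": rule, "ts": e.get("ts"), "recipient": e.get("recipient"),
                       "sender_domain": domain, "attachment": e.get("attachment")})
    return alerts


def detect_proxy(log: str) -> list:
    """Executable downloads over HTTP(S) and any contact with the known payload host."""
    alerts = []
    for e in map(parse_kv, log.splitlines()):
        if not e:
            continue
        u = urlparse(e.get("url", ""))
        reasons = []
        if basename(u.path).lower().endswith(EXECUTABLE_EXT):
            reasons.append("executable_download:" + basename(u.path))
        if (u.hostname or "").lower() in PAYLOAD_HOSTS:
            reasons.append("known_payload_host")
        if reasons:
            alerts.append({"rule": "suspicious_download", "ts": e.get("ts"), "host": e.get("host"),
                           "user": e.get("user"), "url": e.get("url"), "reasons": reasons})
    return alerts


def detect_endpoint(log: str) -> list:
    """One alert per host running an RMM binary that is not on the approved list."""
    by_host = {}
    for e in map(parse_kv, log.splitlines()):
        if not e:
            continue
        image = e.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image not in RMM_PROCESSES or image in APPROVED_RMM:
            continue
        a = by_host.setdefault(e["host"], {"rule": "unauthorized_rmm", "host": e["host"],
                                           "first_seen": e.get("ts"), "image": image,
                                           "parents": set(), "c2_candidates": set()})
        if e.get("event") == "process_create":
            a["parents"].add(e.get("parent", ""))
        elif e.get("event") == "network_connect":
            a["c2_candidates"].add(e.get("dest", ""))   # block these, not just the download domain
    return list(by_host.values())


def correlate(proxy_alerts: list, endpoint_alerts: list) -> list:
    """Executable download followed by an unauthorized RMM process on the same host."""
    downloads = defaultdict(list)
    for p in proxy_alerts:
        downloads[p["host"]].append(p["url"])
    return [{"host": a["host"], "severity": "high", "downloads": downloads[a["host"]],
             "rmm_image": a["image"], "c2_candidates": sorted(a["c2_candidates"]),
             "action": "isolate host; block C2 destinations; uninstall RMM; reset user credentials"}
            for a in endpoint_alerts if a["host"] in downloads]


def run_all(email_log: str, proxy_log: str, endpoint_log: str) -> dict:
    proxy, endpoint = detect_proxy(proxy_log), detect_endpoint(endpoint_log)
    return {"email": detect_email(email_log), "proxy": proxy, "endpoint": endpoint,
            "chains": correlate(proxy, endpoint)}


# Constructed sample feeds (see the module docstring for what is made up).
EMAIL_LOG = """\
ts="2026-04-17T08:02:11Z" recipient="j.doe@example.com" from="DHL Express <notify@dhl-parcel-update.example>" dmarc="pass" subject="Your shipment has arrived" attachment="AWB-Doc0921.pdf"
ts="2026-04-17T08:05:40Z" recipient="a.lee@example.com" from="DHL <noreply@dhl.com>" dmarc="pass" subject="Your DHL shipment is on its way" attachment="invoice.pdf"
ts="2026-04-17T08:06:02Z" recipient="a.lee@example.com" from="Bob <bob@example.com>" dmarc="pass" subject="Lunch?" attachment=""
"""
PROXY_LOG = """\
ts="2026-04-17T08:03:30Z" host="WS-0217" user="j.doe" method="GET" url="https://longhungphatlogistics.vn/AWB-Doc0921.scr" status="200" bytes="5021312"
ts="2026-04-17T08:03:55Z" host="WS-0301" user="a.lee" method="GET" url="https://www.dhl.com/global-en/home/tracking.html" status="200" bytes="81233"
"""
ENDPOINT_LOG = r"""ts="2026-04-17T08:04:10Z" host="WS-0217" event="process_create" image="C:\Users\j.doe\Downloads\AWB-Doc0921.scr" parent="explorer.exe"
ts="2026-04-17T08:04:12Z" host="WS-0217" event="process_create" image="C:\Program Files\SimpleHelp\SimpleHelp.exe" parent="AWB-Doc0921.scr"
ts="2026-04-17T08:04:15Z" host="WS-0217" event="network_connect" image="C:\Program Files\SimpleHelp\SimpleHelp.exe" dest="203.0.113.17:443"
ts="2026-04-17T09:00:00Z" host="WS-0555" event="process_create" image="C:\Program Files\AnyDesk\AnyDesk.exe" parent="explorer.exe"
"""

if __name__ == "__main__":
    print(json.dumps(run_all(EMAIL_LOG, PROXY_LOG, ENDPOINT_LOG), indent=2, default=sorted))
```

Two design points worth noting. The email rule deliberately does not trust a DMARC pass on its own: the lookalike domain in the first sample line passes DMARC for itself, which is why the check is "themed lure from a domain that is not DHL's" rather than "failed authentication". And the endpoint rule collects the RMM process's network destinations separately from the download domain, because the Response section's block action has to cover the attacker's SimpleHelp server, which is not the compromised site that served the `.scr`.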