{"id":43719,"date":"2026-02-17T18:00:51","date_gmt":"2026-02-17T10:00:51","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/17\/hackers-abuse-screenconnect-to-hijack-pcs-via-fake-social-security-emails\/"},"modified":"2026-02-17T18:00:51","modified_gmt":"2026-02-17T10:00:51","slug":"hackers-abuse-screenconnect-to-hijack-pcs-via-fake-social-security-emails","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/17\/hackers-abuse-screenconnect-to-hijack-pcs-via-fake-social-security-emails\/","title":{"rendered":"Hackers Abuse ScreenConnect to Hijack PCs via Fake Social Security Emails"},"content":{"rendered":"\n<p>A new wave of cyberattacks is stalking organisations across the UK, US, Canada, and Northern Ireland. According to the latest research from Forcepoint X-labs, attackers are impersonating the US Social Security Administration (SSA) to bypass security and take total control of private computers.<\/p>\n<p>The report, which was shared with Hackread.com, reveals that the attack succeeds by weakening the system\u2019s built-in defences rather than relying on complex new viruses.<\/p>\n<h3><strong>Breaking the Alarms<\/strong><\/h3>\n<p>It starts with an email that looks official but is riddled with red flags, like the fake domain <code>SSA.COM<\/code> and the misspelling of Statement as &#8220;eStatemet.&#8221; If a user falls for the bait and opens the attached .cmd script, the computer quietly begins to sabotage its own defences.<\/p>\n<p>The X-labs team&#8217;s <a href=\"https:\/\/www.forcepoint.com\/blog\/x-labs\/screenconnect-attack\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">report<\/a> noted that the script\u2019s first job is to check for administrator powers using a technique called PowerShell auto-elevation. 
Once it has control, it kills <a href=\"https:\/\/hackread.com\/windows-defender-smartscreen-vulnerability-phemedrone-stealer\/\" target=\"_blank\" data-type=\"post\" data-id=\"111892\" rel=\"noreferrer noopener\">Windows SmartScreen<\/a> (the system that usually blocks suspicious apps from running) by modifying the computer&#8217;s registry. It also strips away the Mark-of-the-Web, a hidden digital tag Windows uses to identify files from the internet.<\/p>\n<p>Further investigation revealed the script even uses Alternate Data Streams (ADS) to hide its tracks. Without these alerts, the hackers can perform a silent installation of an MSI file without a single warning appearing on the screen.<\/p>\n<div>\n<figure><a href=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/Hackers-Abuse-ScreenConnect-to-Hijack-PCs-via-Fake-Social-Security-Emails.png\"><img loading=\"lazy\" decoding=\"async\" width=\"803\" height=\"525\" src=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/Hackers-Abuse-ScreenConnect-to-Hijack-PCs-via-Fake-Social-Security-Emails.png\" style=\"aspect-ratio:1.5295453187548544;width:711px;height:auto\" srcset=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/Hackers-Abuse-ScreenConnect-to-Hijack-PCs-via-Fake-Social-Security-Emails.png 803w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/Hackers-Abuse-ScreenConnect-to-Hijack-PCs-via-Fake-Social-Security-Emails-300x196.png 300w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/Hackers-Abuse-ScreenConnect-to-Hijack-PCs-via-Fake-Social-Security-Emails-768x502.png 768w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/Hackers-Abuse-ScreenConnect-to-Hijack-PCs-via-Fake-Social-Security-Emails-380x248.png 380w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/Hackers-Abuse-ScreenConnect-to-Hijack-PCs-via-Fake-Social-Security-Emails-800x523.png 800w\" sizes=\"auto, (max-width: 803px) 100vw, 803px\" alt=\"Hackers Abuse ScreenConnect to Hijack PCs via Fake Social 
Security Emails\" \/><\/a><figcaption>Sample email (Source: Forcepoint)<\/figcaption><\/figure>\n<\/p><\/div>\n<h3><strong>A Tool for Good, Used for Evil<\/strong><\/h3>\n<p>Once the guards are down, the script performs a silent installation of ConnectWise <a href=\"https:\/\/hackread.com\/connectwise-screenconnect-tops-abused-rats-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">ScreenConnect<\/a>. In a normal office, this is a legitimate tool for IT support. Here, however, hackers are weaponising it as a Remote Access Trojan (<a href=\"https:\/\/hackread.com\/tag\/RAT\/\" target=\"_blank\" rel=\"noreferrer noopener\">RAT<\/a>) to maintain a permanent &#8220;backdoor&#8221; into the network. Researchers noted that the software is hardcoded via a System.config file to call back to a specific server:<\/p>\n<ul>\n<li>Port: 8041<\/li>\n<li>Address: dof-connecttop<\/li>\n<li>Location: The &#8220;Aria Shatel Company Ltd&#8221; network in Iran.<\/li>\n<\/ul>\n<p>The attack uses a specific version of the software, <code>25.2.4.9229<\/code>, which carries a revoked (cancelled) security certificate. Using a signed but cancelled certificate helps the malware look legitimate to some security tools.<\/p>\n<p>It is worth noting that the hackers aren&#8217;t just looking for random files; they are specifically targeting high-value data sectors like government, healthcare, and logistics. 
The script even forces a restart of the <a href=\"https:\/\/hackread.com\/windows-malware-pulsar-rat-live-chats-steal-data\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows Explorer<\/a> process to ensure these security changes take effect immediately.<\/p>\n<div>\n<figure><a href=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/Hackers-Abuse-ScreenConnect-to-Hijack-PCs-via-Fake-Social-Security-Emails-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"614\" height=\"324\" src=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/Hackers-Abuse-ScreenConnect-to-Hijack-PCs-via-Fake-Social-Security-Emails-1.png\" srcset=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/Hackers-Abuse-ScreenConnect-to-Hijack-PCs-via-Fake-Social-Security-Emails-1.png 614w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/Hackers-Abuse-ScreenConnect-to-Hijack-PCs-via-Fake-Social-Security-Emails-1-300x158.png 300w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/Hackers-Abuse-ScreenConnect-to-Hijack-PCs-via-Fake-Social-Security-Emails-1-380x201.png 380w\" sizes=\"auto, (max-width: 614px) 100vw, 614px\" alt=\"Hackers Abuse ScreenConnect to Hijack PCs via Fake Social Security Emails\" \/><\/a><figcaption>Attack chain (Source: Forcepoint)<\/figcaption><\/figure>\n<\/p><\/div>\n<p>This discovery highlights a growing trend where cybercriminals don&#8217;t bother writing new viruses; they simply hijack the very tools your IT department uses every day. 
The most effective way to stay protected, as per security experts, is to treat every unexpected government attachment as a potential threat to your network.<\/p>\n<div>\n<h5> <a href=\"https:\/\/hackread.com\/author\/deeba\/\" rel=\"author\">Deeba Ahmed<\/a> <\/h5>\n<div>Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. 
Her expertise and in-depth analysis make her a key contributor to the platform\u2019s trusted coverage.<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new wave of cyberattacks is stalking organisations ac [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-43719","post","type-post","status-publish","format-standard","hentry","category-hackread"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=43719"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43719\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=43719"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=43719"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=43719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}