{"id":47588,"date":"2026-04-17T03:50:05","date_gmt":"2026-04-17T03:50:05","guid":{"rendered":"http:\/\/localhost\/?p=47588"},"modified":"2026-04-17T03:50:05","modified_gmt":"2026-04-17T03:50:05","slug":"your-shipment-has-arrived-email-hides-remote-access-software","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=47588","title":{"rendered":"\u201cYour shipment has arrived\u201d email hides remote access software_MALWAREBYTES:B2E0AC8DBA63AA895C1F2226CFEA315A"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-17T08:05:09&#8243;,&#8221;description&#8221;:&#8221;An attachment in an email impersonating DHL about a shipment contains a link to a preconfigured SimpleHelp remote access tool\u2014an ideal starting point for attackers to explore a network, steal data, and drop additional malware.\\n\\nA German industrial spare parts and equipment supplier received an email pretending to be from DHL, claiming a shipment had arrived.\\n\\n![Screenshot of email pretending to be from DHL](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/mail_screenshot_red.png)\\n\\nGiven their line of business, I imagine they get this type of email all the time. 
But a few details stood out:\\n\\n  * The sender&#8217;s email address did not belong to DHL,\\n  * the receiver address was the general info@ for the company,\\n  * the images in the email were hosted on `ecp.yusercontent.com`, \\n  * and, most importantly, there was an attachment.\\n\\n\\n\\nWhile the remote content is hosted on a legitimate Yahoo webpage commonly used to serve images and other content in Yahoo Mail, this is not something DHL typically uses.\\n\\nThe attachment, a PDF file called `AWB-Doc0921.pdf`, is just a blurred image with a Microsoft-branded button that prompts the victim to \u201cContinue\u201d to access a secure file.\\n\\n![blurred content with a Continue button](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/blurred_continue.png)\\n\\nIn reality, clicking the button downloads a file called `AWB-Doc0921.scr` from the domain `longhungphatlogistics[.]vn`, a domain belonging to a Vietnamese logistics company that was likely compromised to host malware.\\n\\n![Malwarebytes blocks longhungphatlogistics\\\\[.\\\\]vn](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/MBAM_block.png)Malwarebytes blocks longhungphatlogistics[.]vn\\n\\nA `.scr` file is a Windows screensaver file: an executable, like an `.exe` file, that is used to launch screensavers. They are often used to hide malicious code because Windows trusts them, allowing them to bypass some security layers. \\n\\nIn this case, the file is a modified installer of a remote access tool signed by SimpleHelp.\\n\\n![UAC prompt for the signed installer](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/UAC_prompt.png)UAC prompt for the signed installer\\n\\nSimpleHelp is a remote support and remote monitoring and management (RMM) platform. It allows remote desktop control, file transfer, diagnostics, and unattended access. In the wrong hands, that&#8217;s effectively a support-style backdoor. 
Attackers can use it for reconnaissance, credential theft, lateral movement, defense evasion, and staging further malware, including ransomware. We&#8217;ve seen SimpleHelp abused in this way before. \\n\\nThis is basically a beaconing model. Once installed, the system connects out to the attacker&#8217;s server, which is more likely to be allowed through NAT and firewalls than inbound connections. Because the user initiated the install, the attacker gets immediate visibility of the system and can reconnect later whenever the service is running. In the case of a phish, that means the lure only has to get the victim to execute the file once. After that, the attacker\u2019s console can show the new machine as a manageable asset.\\n\\nFor what seems to be a non-targeted attack, the campaign shows a decent level of sophistication by using legitimate components to trick targets into running the remote access tool.\\n\\n## How to stay safe\\n\\nThe good news: once you know what to look for, these attacks are much easier to spot and block. The bad news: they\u2019re cheap, scalable, and will continue to circulate.\\n\\nSo, the next time a \u201cPDF\u201d prompts you to download a file, pause to think about what might be hiding under the hood.\\n\\nBeyond avoiding unsolicited attachments, here are a few ways to stay safe:\\n\\n  * Only access your accounts through official apps or by typing the official website directly into your browser.\\n  * Check file extensions carefully. Even if a file installs a legitimate tool, it may not be safe to run it.\\n  * Enable multi-factor authentication for your critical accounts.\\n  * Use an up-to-date, real-time anti-malware solution with a web protection module.\\n\\n\\n\\nPro tip: Malwarebytes Scam Guard recognized this email as a scam.
&#8221;,&#8221;published&#8221;:&#8221;2026-04-17T07:40:03&#8243;,&#8221;modified&#8221;:&#8221;2026-04-17T07:40:03&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;\u201cYour shipment has arrived\u201d email hides remote access software&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:B2E0AC8DBA63AA895C1F2226CFEA315A&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},
&#8221;href&#8221;:&#8221;https:\/\/www.malwarebytes.com\/blog\/news\/2026\/04\/your-shipment-has-arrived-email-hides-remote-access-software&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-17T08:05:09&#8243;,&#8221;description&#8221;:&#8221;An attachment in an email impersonating DHL about a shipment contains a link to a preconfigured SimpleHelp remote access tool\u2014an ideal starting point for attackers&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-47588","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>\u201cYour shipment has arrived\u201d email hides remote access software_MALWAREBYTES:B2E0AC8DBA63AA895C1F2226CFEA315A - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=47588\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u201cYour shipment has 
arrived\u201d email hides remote access software_MALWAREBYTES:B2E0AC8DBA63AA895C1F2226CFEA315A - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-04-17T08:05:09&#8243;,&#8221;description&#8221;:&#8221;An attachment in an email impersonating DHL about a shipment contains a link to a preconfigured SimpleHelp remote access tool\u2014an ideal starting point for attackers...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=47588\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-17T03:50:05+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=47588#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=47588\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\u201cYour shipment has arrived\u201d email hides remote access 
software_MALWAREBYTES:B2E0AC8DBA63AA895C1F2226CFEA315A\",\"datePublished\":\"2026-04-17T03:50:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=47588\"},\"wordCount\":861,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=47588#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=47588\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=47588\",\"name\":\"\u201cYour shipment has arrived\u201d email hides remote access software_MALWAREBYTES:B2E0AC8DBA63AA895C1F2226CFEA315A - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-04-17T03:50:05+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=47588#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=47588\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=47588#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\u201cYour shipment has arrived\u201d email hides remote access software_MALWAREBYTES:B2E0AC8DBA63AA895C1F2226CFEA315A\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/47588","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=47588"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/47588\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=47588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=47588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=47588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}