Operation Social Undertow: A Phishing Campaign Spoofing the Social Security Administration
Threat actors deploy SimpleHelp RAT via sophisticated SSA phishing.
Written by Pavel Petrenko
Published on February 2, 2026

Executive Summary 

A technical flowchart titled "Phase 1 to Phase 4" illustrating the "Operation Social Undertow" infection chain. It shows a four-stage process:   Phase 1 (Delivery & Lure): A phishing email mimicking a Social Security Administration (SSA) statement is sent via Amazon SES.   Phase 2 (Malicious Link): The victim clicks a link leading to a compromised WordPress site that performs a 302 redirect.   Phase 3 (Evasion & Filtering): The traffic hits an attacker-controlled .im domain protected by Cloudflare TLS fingerprinting to block automated scanners.   Phase 4 (Payload & Decoy): Successful checks result in the delivery of a Malicious Payload (RAT) masquerading as an SSA statement, followed by an auto-redirect to the legitimate ssa.gov website.
This multi-stage attack leverages compromised WordPress sites to deliver a SimpleHelp RAT, cloaked as a Social Security statement, after a phishing campaign whose emails pass authentication checks bypasses email security.

The AegisAI Threat Intelligence team has been monitoring an active and sophisticated phishing campaign, dubbed Operation Social Undertow, that is leveraging a network of compromised WordPress sites to help deliver a remote access tool. Characterized by broad-based, indiscriminate targeting, this campaign poses a widespread threat that has been observed impacting enterprise companies across multiple sectors. Discovered on January 7, 2026, the campaign’s primary objective is the deployment of a SimpleHelp Remote Access Client, likely to facilitate data exfiltration or subsequent compromise events. 

Key Findings

Discovery Date: January 7, 2026
Campaign: Phishing via compromised WordPress instances.
Primary Target: Broad-based, indiscriminate targeting via spoofing a message from the Social Security Administration.
Payload: SimpleHelp Remote Access Client (.exe file).
Sophistication: High. Utilizes Cloudflare TLS fingerprinting to evade automated scanning and analysis of attacker-controlled domains.

Technical Analysis

Unlike traditional credential harvesting phishing kits, this campaign's primary objective is to deliver a malicious executable file (My_Social_Security_eStatement_..._Pdf.exe) to the victim's device using a "drive-by download" technique, followed by a redirection to the legitimate SSA website to minimize suspicion. The attack follows a multi-stage redirection and execution flow:

  1. Phishing Email
  2. Initial Entry Vector (Compromised Site)
  3. Malicious Landing Page
  4. Payload Delivery
  5. Decoy Redirection

1. Phishing Email

The emails are sent from compromised users from trusted domains and are designed to mimic legitimate Social Security Administration communications, using subject lines such as “Your Statement Is Ready for Viewing” or “Discover Your Updated Benefits.”

A. Delivery Status: These emails generally are not classified as spam by popular email clients, and typically pass all email authentication checks.

B. Automation: Emails were sent using Amazon SES, suggesting a high level of campaign automation.

C. Infection Flow: Users are lured into clicking a malicious link embedded in the body, which initially directs them to a compromised WordPress site.

A screenshot of a professional-looking phishing email using Social Security Administration branding. The header reads "Social Security" next to the official seal, followed by the large text "Your Statement is Now Available". The body text informs the user that their statement has been updated and provides a prominent dark blue "View Statement" button.
Initial Infection Flow: Users are lured by a malicious link in the email body, which first directs them to a compromised WordPress site.

2. Initial Entry Vector (Compromised Site)

The victim initiates the infection flow by clicking a link that leads to a compromised WordPress site, a technique often favored by threat actors because long-established (tenured) domains carry a good reputation and are less likely to be flagged by spam and URL filters.

A. URL: hxxps[://]buntai[.]com/wp-includes/Fubh3trgf[.]php?{victim_email}

B. Redirect: Once the pass cookie (containing the victim's IPv6 address) has been set, the server serves the malicious landing page. The attacker-controlled domain uses the tracked IPv6 address to check whether a user has already visited the link, while the {victim_email} query parameter is used only for attacker-side logging and tracking at this stage. The {victim_email} is not passed on to the landing page, because the final payload (the malware) does not require any user context or pre-filling.

3. Malicious Landing Page

The victim lands on an attacker-controlled domain (e.g., hxxps[://]ss-a-ref[.]im/VR/), a spoofed page designed to mimic a legitimate Login.gov / SSA intermediary page.

A. Infrastructure: Proxied behind Cloudflare. Cloudflare's bot protection is used to actively deny access to requests with spoofed user agents, preventing traditional automated threat analysis and sandboxing.

A screenshot of a web browser displaying a "Sorry, you have been blocked" message from Cloudflare. The page includes a large red circle with a white 'X' and technical text explaining that the action triggered a security solution. This is used by attackers to deny access to automated threat analysis tools and sandboxes.
Cloudflare Proxying: Attackers use Cloudflare to actively deny access to spoofed user agents, preventing automated threat analysis and sandboxing of their controlled domains.

B. Visuals: The page typically displays a message like "Check your email" or "Your Statement is Ready" and directs the victim to open the payload, and "hotlinks" CSS and JS assets directly from secure.login.gov in an attempt to spoof the page. Despite linking real assets, the page does not render correctly. The reliance on external assets combined with amateur inline styles (e.g., hardcoded margins) and potentially conflicting CSP (Content Security Policy) headers from the legitimate site causes the layout to break, serving as a potential visual warning to observant victims.

A screenshot of the attacker-controlled landing page at ss-a-ref[.]im/Viewer. The page attempts to spoof a Login.gov and SSA intermediary page but appears visually broken with unformatted blue links and basic text. It displays the header "Your Statement is Ready" above a document icon and instructions to download and open the file.
Broken Spoofing: The attacker's landing page attempts to mimic the SSA login.gov page by hotlinking real assets but fails to render correctly, providing a visual warning to users.

C. IPv6 Tracking: If a previously tracked IPv6 address visits the same attacker-controlled domain again, the following message is displayed:

A screenshot showing the landing page message displayed when an IPv6 address is recognized as a repeat visitor. Centered on a white card against a dark blue background, red text reads "You have already downloaded this file," followed by a notice asking the user to open their previously downloaded statement.
IPv6 Tracking: The campaign tracks the victim's IPv6 address to detect repeat visits to the attacker-controlled domain, which can then be used to display an alternate message (or block access) to previously tracked users.

4. Payload Delivery

A JavaScript function on the landing page automatically triggers the download of the payload from the following URL:

A. Payload URL: hxxps[://]seymu[.]net/public/[.]BT/My_Social_Security_eStatement_2547856324856_Pdf[.]exe

A screenshot of a web browser's download manager showing a completed download of a file named "My_Social_Security_eStatement_2547856324856_Pdf.exe". Although the filename includes "Pdf," the extension is clearly ".exe," indicating an executable file rather than a document.
Payload Delivery URL: The link delivers a SimpleHelp Remote Access Client (RAT) executable file, which is disguised as a Social Security eStatement PDF.

B. Details: The payload is a RAT (Remote Access Trojan) masquerading as a Social Security statement.

A technical snippet of the payload's metadata revealing its true nature. The file description identifies it as "SimpleHelp Remote Access Client," the company name as "SimpleHelp Ltd," and the product name as "Remote Access".
Malicious Payload: The file delivered is a Remote Access Trojan (RAT), disguised as a Social Security statement to trick the victim.

5. Decoy Redirection

After initiating the download and a short delay, the script redirects the user's browser to the legitimate https://www.ssa.gov. The user lands on the real SSA homepage, likely believing the download was a legitimate part of the process.

Decoy Redirection: After the malicious download, the victim is immediately redirected to the real SSA website (ssa.gov), minimizing suspicion and making the victim believe the download was a legitimate part of the process.
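The infection chain described in sections 2 to 5 leaves a recognisable trace in web-proxy logs: a direct request to a PHP file under /wp-includes/ with a bare e-mail address as the query string, followed within seconds by the download of an executable whose name claims to be a document. The following Python detector is an added example written for this article, not AegisAI's tooling or code from the campaign. It runs over constructed proxy log lines (the hostnames on the first four lines are the ones named in this report; the client addresses use the 2001:db8::/32 documentation prefix and the remaining hosts are placeholders) and raises a per-URL finding for each heuristic plus a correlated "drive_by_chain" finding when both fire for the same client inside a 120-second window. The log format, field order and window size are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, unquote

# Constructed sample web-proxy log lines (not from the report), one request per line:
#   <timestamp> <client> <method> <url> <status> <content-type>
SAMPLE_LOGS = """\
2026-01-07T14:02:11Z 2001:db8::1a GET https://buntai.com/wp-includes/Fubh3trgf.php?victim@example.com 302 text/html
2026-01-07T14:02:12Z 2001:db8::1a GET https://ss-a-ref.im/VR/ 200 text/html
2026-01-07T14:02:15Z 2001:db8::1a GET https://seymu.net/public/.BT/My_Social_Security_eStatement_2547856324856_Pdf.exe 200 application/octet-stream
2026-01-07T14:02:18Z 2001:db8::1a GET https://www.ssa.gov/ 200 text/html
2026-01-07T14:05:00Z 2001:db8::2b GET https://example.org/wp-includes/js/jquery/jquery.min.js 200 text/javascript
2026-01-07T14:06:30Z 2001:db8::3c GET https://downloads.example.net/report_Q4.pdf 200 application/pdf
"""

# A bare e-mail address used as the entire query string (the ?{victim_email} pattern).
EMAIL_RE = re.compile(r"^[^@\s/?&=]+@[^@\s/?&=]+\.[A-Za-z]{2,}$")
# Direct browser requests to a PHP file sitting in wp-includes/ are unusual for
# legitimate WordPress traffic; paired with an e-mail query they fit the lure pattern.
WP_PHP_RE = re.compile(r"^/wp-includes/[^/]+\.php$")
# Executable extensions whose file name carries a document-type token such as "_Pdf".
EXEC_EXT = {"exe", "scr", "msi", "bat", "cmd", "js", "vbs", "hta", "lnk"}
DOC_TOKEN_RE = re.compile(r"(?i)(?:^|[._-])(?:pdf|docx?|xlsx?|invoice|statement)(?:$|[._-])")


def classify_url(url):
    """Return the set of heuristic tags that fire for a single URL."""
    tags = set()
    parts = urlsplit(url)
    if WP_PHP_RE.match(parts.path) and EMAIL_RE.match(unquote(parts.query)):
        tags.add("wp_includes_redirector")
    name = parts.path.rsplit("/", 1)[-1]
    stem, _, ext = name.rpartition(".")
    if ext.lower() in EXEC_EXT and DOC_TOKEN_RE.search(stem):
        tags.add("doc_named_executable")
    return tags


def scan(log_text, window=timedelta(seconds=120)):
    """Scan proxy log lines; return findings as dicts with client, rule and url."""
    findings = []
    last_redirector = {}  # client -> time of its most recent wp_includes_redirector hit
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, client, _method, url, _status, _ctype = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        tags = classify_url(url)
        for tag in sorted(tags):
            findings.append({"client": client, "rule": tag, "url": url})
        if "wp_includes_redirector" in tags:
            last_redirector[client] = ts
        # Correlation: redirector hit followed by a document-named executable download
        # from the same client within the window is the full drive-by chain.
        if ("doc_named_executable" in tags and client in last_redirector
                and ts - last_redirector[client] <= window):
            findings.append({"client": client, "rule": "drive_by_chain", "url": url})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

The two per-URL heuristics are deliberately campaign-agnostic (they do not key on the .im domains or the SSA theme), so they keep firing when the operators rotate infrastructure; the correlated chain finding is the one worth paging on, because a legitimate WordPress plugin calling a script under /wp-includes/ will not be followed by an executable download.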


Indicators of Compromise (IOCs)

Organizations are strongly advised to block the following IOCs immediately.

Known Hashes of Payload (SHA-256):
2a3f693dc00c01ae5f1b654bc068eea5c9463af30ba082584a74677267b5120f

Known Attacker-Controlled Domains (TLD: .im):
ss-a-ref[.]im
s-aa-refa[.]im
Irs-ref[.]im
irsw-rea[.]im
Known Compromised Sender Domains:
mocktrade-scheduler[.]com
aurycloth[.]com
2bsip[.]com
brasaf-sa[.]com
idpe[.]org[.]uk
jayanetwork[.]in
nsgrafica[.]ao
n4kitchenhire[.]co[.]uk
tsrtk[.]com
sellescom[.]com[.]br
Known Compromised WordPress Instances:
xaynhadanang[.]net
syscarelimited[.]com
theteafaq[.]com
shellstarrealty[.]com
suiterobot[.]com
brumateus[.]com
yourdestany[.]com
wartakadin[.]com
buntai[.]com
kenyacrash[.]com
reflectphotoelegance[.]com
cms[.]ultim8e[.]com
cibarrap[.]com
hackmedia[.]net
amanatproperty[.]com
owais-al-hashimi[.]com
arabicwatch[.]net
app[.]fyvello[.]com
garagecoatingpros[.]com
villageofviscount[.]ca
eduka[.]themejr[.]net
ommatrucking[.]com
demo[.]kamleshyadav[.]com
tamilink[.]org[.]uk
settingserver[.]com
certified-mail-envelopes[.]com
dev[.]cxplab[.]com
doel-bereik[.]com
naooko[.]com
aurelianconsultingllc[.]com
kmansin[.]org
lolive[.]skillup[.]com[.]br
meet[.]believersconnect[.]org
bollywoodmash[.]coinbitwallet[.]com
capitalguidex[.]com
bedigitalproject[.]com
malecelebsleaked[.]com
endzone247[.]com
dars360[.]com
indialive[.]net
msgforlove[.]com
3000-club[.]com
mommytaste[.]com
tervalidasi[.]com
mdsservicescontrols[.]com
getmediawise[.]com
discretmature[.]net
microninfo[.]com
api[.]ssstik[.]net
test1[.]thanglon[.]com
epikshocks[.]com
adronestates[.]com
castlemilebrampton[.]com
suzon-suzette[.]fr
scienceinfotech[.]com
venturas[.]newclientdemo[.]com
dietamais[.]com[.]br
greeninovation[.]com
quodb[.]com
misbookrights[.]com
gold-seeds[.]net
vps133808[.]conectemos[.]com
sitevader[.]com
abibimanmall[.]com
naptecprecision[.]com
hanoijeeptours[.]com
helpmom[.]net
cfkb[.]shipsmart242[.]com
capitalimport[.]info
s1[.]financebg[.]com
tostapane[.]net
rakindustrialsupplies[.]com
blog[.]cargeeks[.]net
fremontpiperepairpros[.]com
fresnocprclasses[.]com
febet[.]partners
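The indicators above are published defanged (hxxps, [.], [://]), and several of the compromised WordPress instances are subdomains, so a blocklist built from them has to refang each entry and match a request's hostname against every parent domain rather than doing a plain string comparison. The following Python helper is an added example, not tooling from AegisAI or from this report: it refangs a subset of the listed indicators, checks hostnames and URLs against the resulting blocklist, and compares a file's SHA-256 with the published payload hash. The subset and the benign test bytes are constructed for the example; the hash is the one in the table.

```python
import hashlib
import re
from urllib.parse import urlsplit

# A subset of the defanged indicators published above (constructed selection).
RAW_DOMAINS = """
ss-a-ref[.]im
s-aa-refa[.]im
buntai[.]com
app[.]fyvello[.]com
cms[.]ultim8e[.]com
"""
# Payload hash as listed in the IOC table.
PAYLOAD_SHA256 = {"2a3f693dc00c01ae5f1b654bc068eea5c9463af30ba082584a74677267b5120f"}


def refang(indicator):
    """Turn a defanged indicator (hxxps, [.], [://], [:]) back into its real form."""
    s = indicator.strip()
    s = re.sub(r"^hxxps?", lambda m: m.group(0).lower().replace("xx", "tt"), s, flags=re.I)
    return s.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")


def load_blocklist(raw):
    """Build a set of lower-cased, refanged hostnames from a defanged list."""
    return {refang(line).lower() for line in raw.splitlines() if line.strip()}


def hostname_blocked(hostname, blocklist):
    """True if the hostname itself or any parent domain (but never the bare TLD) is listed.

    Listing app.fyvello.com blocks x.app.fyvello.com as well, but not fyvello.com,
    since only the compromised subdomain is known to be abused.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def url_blocked(url, blocklist):
    """Check a (possibly scheme-less) URL's hostname against the blocklist."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    return hostname_blocked(host, blocklist)


def file_is_known_payload(data):
    """True if the file bytes hash to a published payload SHA-256."""
    return hashlib.sha256(data).hexdigest() in PAYLOAD_SHA256


if __name__ == "__main__":
    bl = load_blocklist(RAW_DOMAINS)
    for u in ("https://buntai.com/wp-includes/Fubh3trgf.php?x@example.com",
              "https://cdn.ss-a-ref.im/VR/", "https://www.ssa.gov/"):
        print(u, "->", "BLOCK" if url_blocked(u, bl) else "allow")
```

Hash matching alone is weak here, since the operators can rebuild the SimpleHelp client with a different embedded configuration at any time; the domain checks and the behavioural signals earlier in the article should carry most of the detection weight.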
