Phishing Email Disguised as DHL Shipment Delivers SimpleHelp Remote Access Tool to German Industrial Supplier
What Happened – A German industrial spare‑parts company received a spoofed DHL shipping notification. The attached PDF prompted the user to “Continue,” and that button actually downloaded a malicious .scr (Windows screen‑saver executable) file from a compromised Vietnamese logistics domain. The file installed the legitimate, vendor‑signed SimpleHelp remote‑access client, giving the attackers persistent access to the network that looks like ordinary IT support traffic.
Why It Matters for TPRM –
- Legitimate remote‑monitoring and management (RMM) tools such as SimpleHelp can be turned into “support‑style backdoors,” enabling credential theft, lateral movement, and ransomware staging while blending in with normal helpdesk activity.
- Supply‑chain partners often receive routine shipping notifications, making this a high‑frequency attack vector that can compromise third‑party environments.
- A legitimate‑looking, Microsoft‑branded “Continue” button in the PDF and a validly signed installer let the payload pass basic controls that trust signed code, so signature checks alone will not catch it.
Who Is Affected – Manufacturing & industrial equipment vendors; any third‑party logistics or procurement contacts that handle shipment notifications.
Recommended Actions –
- Instruct all vendors to verify sender domains on shipping notifications and to block executable .scr files at both the email gateway and the endpoint.
- Deploy email‑gateway filtering for spoofed DHL addresses (enforce SPF, DKIM and DMARC results) and sandbox all attachments before delivery.
- Conduct a rapid inventory of SimpleHelp installations across the supply chain and verify they are authorized.
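The first two actions above, as an added example that is not part of the original brief: a small Python triage routine for incoming shipping notifications that checks whether a message claiming to be from DHL was sent from a trusted DHL domain, reads the SPF result from the Authentication‑Results header, blocks attachments with executable extensions such as .scr, and flags “tracking” links that point outside the carrier's domains. The trusted domain list, the blocked extension list and both sample messages are assumptions constructed for the example; a real deployment would source the domain list from the carrier and run this logic inside the gateway rather than as a script.

```python
"""Triage shipping-notification emails: sender-domain check, SPF result,
executable attachments and off-domain tracking links.
Added example; assumptions are marked in comments."""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: domains DHL legitimately sends from (maintain from carrier info).
TRUSTED_DHL_DOMAINS = {"dhl.com", "dhl.de"}
# Extensions to block outright; .scr is a screen-saver executable.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                      ".js", ".vbs", ".hta", ".lnk"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def _in_trusted(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DHL_DOMAINS)


def sender_domain(msg: EmailMessage) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def claims_dhl(msg: EmailMessage) -> bool:
    # Display name or subject invoking the DHL brand.
    name, _ = parseaddr(msg.get("From", ""))
    return "dhl" in (name + " " + msg.get("Subject", "")).lower()


def spf_result(msg: EmailMessage) -> str:
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""), re.IGNORECASE)
    return m.group(1).lower() if m else "none"


def body_link_hosts(msg: EmailMessage) -> list:
    body = msg.get_body(preferencelist=("plain", "html"))
    return URL_RE.findall(body.get_content() if body else "")


def triage(raw: str) -> dict:
    """Return {'verdict': block|review|allow, 'reasons': [...]} for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    block, review = [], []
    if claims_dhl(msg) and not _in_trusted(sender_domain(msg)):
        block.append(f"claims DHL but sent from untrusted domain {sender_domain(msg)!r}")
    if spf_result(msg) in ("fail", "softfail"):
        block.append(f"SPF {spf_result(msg)} for sender domain")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            block.append(f"blocked attachment type: {name}")
    for host in body_link_hosts(msg):
        if not _in_trusted(host):
            review.append(f"tracking link points to untrusted host {host}")
    verdict = "block" if block else "review" if review else "allow"
    return {"verdict": verdict, "reasons": block + review}


def build_sample(sender, subject, auth, body, attach_name=None) -> str:
    """Construct a sample message (test data only) and return it as raw text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "procurement@example-spareparts.de"   # constructed recipient
    msg["Subject"] = subject
    msg["Authentication-Results"] = auth
    msg.set_content(body)
    if attach_name:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_string()


# Constructed samples: a spoofed notice with a .scr and an off-domain link, and a clean one.
SPOOFED = build_sample(
    "DHL Express <noreply@dhl-delivery-notice.example>",
    "DHL Shipment 7734 on hold - action required",
    "mx.example.de; spf=fail smtp.mailfrom=dhl-delivery-notice.example",
    "Parcel on hold. Continue: http://freight.logistics-vn.example/track/7734",
    "DHL_Shipment_7734.pdf.scr",
)
LEGIT = build_sample(
    "DHL Express <noreply@dhl.com>",
    "DHL Shipment 7734 dispatched",
    "mx.example.de; spf=pass smtp.mailfrom=dhl.com",
    "Track your parcel: https://www.dhl.com/track?id=7734",
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, triage(raw))
```

Links are only escalated to “review” rather than “block” because legitimate notifications sometimes route through third‑party tracking services; a brand claim from an untrusted sender, an SPF failure, or an executable attachment is treated as sufficient on its own to quarantine the message.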
Technical Notes – Attack vector: spear‑phishing with a malicious PDF → .scr executable → signed SimpleHelp RMM installer. No CVE cited. Data at risk includes credentials, internal network topology, and any downstream customer data accessed after foothold. Source: Malwarebytes Labs
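The attack chain in the technical notes, turned into detection logic as an added example that is not part of the original brief or of Malwarebytes' analysis: the script correlates endpoint process‑creation records per host, looking for a .scr launched from a user‑writable folder by a PDF reader, browser or mail client, followed within a short window by a SimpleHelp installer, and separately lists hosts running a SimpleHelp install that are not on an authorised list (the inventory action above). The event records are constructed Sysmon‑style samples, and recognising the installer by the string “simplehelp” in its image name is an assumption; tune the marker to the binary and service names your RMM deployment actually uses.

```python
"""Correlate process-creation events for the chain
reader/browser -> .scr in a user-writable folder -> SimpleHelp installer,
and report SimpleHelp installs on hosts that are not authorised to have it.
Added example with constructed events; assumptions are marked in comments."""
from datetime import datetime, timedelta

SIMPLEHELP_MARKER = "simplehelp"   # assumption: installer image name carries the product name
LAUNCHERS = {"acrord32.exe", "acrobat.exe", "chrome.exe", "msedge.exe",
             "firefox.exe", "outlook.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
WINDOW = timedelta(minutes=30)   # max gap between .scr launch and installer launch

# Constructed Sysmon-style EventID 1 records: host, UTC timestamp, image, parent image.
EVENTS = [
    {"host": "WS-PROC-07", "ts": "2025-05-12T09:14:02",
     "image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"host": "WS-PROC-07", "ts": "2025-05-12T09:14:40",
     "image": r"C:\Users\mmueller\Downloads\DHL_Shipment_7734.scr",
     "parent": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"},
    {"host": "WS-PROC-07", "ts": "2025-05-12T09:15:10",
     "image": r"C:\Users\mmueller\AppData\Local\Temp\SimpleHelp-RemoteAccess-Setup.exe",
     "parent": r"C:\Users\mmueller\Downloads\DHL_Shipment_7734.scr"},
    # Helpdesk-installed SimpleHelp on an authorised host: no .scr stage, should not chain.
    {"host": "WS-IT-01", "ts": "2025-05-12T10:02:00",
     "image": r"C:\Temp\SimpleHelp-RemoteAccess-Setup.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # Built-in screen saver from System32: a .scr, but not from a user-writable path.
    {"host": "WS-SALES-03", "ts": "2025-05-12T10:30:00",
     "image": r"C:\Windows\System32\ssText3d.scr",
     "parent": r"C:\Windows\explorer.exe"},
]


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_stage1(ev: dict) -> bool:
    """A .scr written to a user-controlled folder and launched by a document/mail/web app."""
    img = ev["image"].lower()
    return (img.endswith(".scr") and any(d in img for d in USER_WRITABLE)
            and _base(ev["parent"]) in LAUNCHERS)


def is_simplehelp(ev: dict) -> bool:
    return SIMPLEHELP_MARKER in _base(ev["image"])


def find_chains(events: list) -> list:
    """Return (host, scr_name, installer_name) for each stage-1 event followed by SimpleHelp."""
    by_host = {}
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        by_host.setdefault(ev["host"], []).append(ev)
    hits = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not is_stage1(ev):
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            for later in evs[i + 1:]:
                if is_simplehelp(later) and datetime.fromisoformat(later["ts"]) - t0 <= WINDOW:
                    hits.append((host, _base(ev["image"]), _base(later["image"])))
                    break
    return hits


def unauthorized_installs(events: list, authorized_hosts: set) -> list:
    """Hosts with a SimpleHelp install that are not on the authorised list."""
    return sorted({ev["host"] for ev in events
                   if is_simplehelp(ev) and ev["host"] not in authorized_hosts})


if __name__ == "__main__":
    print("phishing chains:", find_chains(EVENTS))
    print("unauthorised SimpleHelp:", unauthorized_installs(EVENTS, {"WS-IT-01"}))
```

The chain match deliberately requires the launcher, the user‑writable path and the time window together; any one of them alone (a screen saver from System32, an IT‑initiated RMM install, an old .scr in Downloads) is noise on a real estate. The authorised‑host list is the control for the inventory step: any SimpleHelp instance that is not tied to a change record should be investigated as a possible foothold, not just removed.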