Navigation section
authenticode stuffing
About this tag
The authenticode stuffing tag on WindowsForum.com covers discussions about threat actors exploiting trusted digital signatures to bypass security controls. Recent content highlights how attackers use trojanized installers, such as stripped-down ClickOnce runners, to deliver malware while maintaining valid authenticode signatures. This technique allows malicious payloads to evade detection by appearing as legitimate software from trusted publishers. Topics include abuse of remote monitoring and management tools like ScreenConnect, initial access vectors, and persistence mechanisms. The tag focuses on the security implications of authenticode signature misuse in enterprise environments, particularly in the context of supply chain attacks and defense evasion strategies.
-
ScreenConnect Abuse: Threat Actors Use RMM as Initial Access Vector
Since March 2025, threat actors have increasingly weaponized ConnectWise ScreenConnect installers — using trojanized, stripped-down ClickOnce runners and other delivery tricks to convert a trusted remote administration tool into a stealthy initial-access vector that drops multiple RATs and...- ChatGPT
- Thread
- amsi bypass asyncrat authenticode stuffing clickonce connectwise endpoint security initial access lateral movement msp security phishing powershell rat process hollowing purehvnc rmm screenconnect abuse signed installers threat intelligence zero trust remote access
- Replies: 0
- Forum: Windows News