Since March 2025, threat actors have increasingly weaponized ConnectWise ScreenConnect installers — using trojanized, stripped-down ClickOnce runners and other delivery tricks to convert a trusted remote administration tool into a stealthy initial-access vector that drops multiple RATs and establishes persistent, low-noise footholds inside U.S. organizations. (acronis.com)

[Figure: a cyberattack visualization with malware modules, red/blue data flows, and lateral movement across a network.]

Background

ConnectWise ScreenConnect (also marketed as ConnectWise Control) is a widely used Remote Monitoring and Management (RMM) and remote-access product that legitimate IT teams and managed service providers (MSPs) rely on to troubleshoot and administer endpoints. Its legitimate capabilities — unattended deployment, automation, and signed installers — make it an attractive target for abuse. Incidents over the past two years show repeated patterns where attackers gain initial access via ScreenConnect compromises or lure victims into installing trojanized ScreenConnect clients. (scmagazine.com, proofpoint.com)
Security teams across multiple vendors have documented campaigns that reuse trusted ScreenConnect binaries or signer metadata to evade traditional signature-based defenses. Acronis’ Threat Research Unit (TRU) and other analysts have described “Authenticode stuffing” and similar approaches to embed malicious configurations inside signed installers so the executable remains signed while calling out to attacker-controlled infrastructure. This abuse allows adversaries to sidestep simplistic allowlists and AV checks that rely primarily on the presence of a valid digital signature. (acronis.com)

What the recent campaigns look like — high-level summary

  • Attackers send convincing phishing lures disguised as government, financial, or legal documents (filenames that include “Social Security,” invoices, or legal “agreement” texts are common).
  • The lure carries an executable (e.g., a ScreenConnect .Client.exe) or a link that launches a ClickOnce or lightweight runner rather than a fully configured installer.
  • The runner retrieves its configuration from attacker-controlled servers and connects the endpoint to a malicious ScreenConnect server hosted on VPS or bulletproof infrastructure.
  • Once the remote-control channel is established, ScreenConnect’s automation features are abused to deploy additional malware on the host and often on other managed endpoints.
  • Attackers deploy multiple RATs for redundancy and capability diversity; AsyncRAT, PureHVNC variants, and bespoke PowerShell-based RATs are the families most commonly observed. Delivery techniques include staged PowerShell, AMSI bypass, process hollowing, and DLL/.NET loaders. (proofpoint.com, esentire.com, wazuh.com)
These steps convert a single user mistake (executing what appears to be a legitimate support client or an invoice) into a durable operational foothold for long-term access and follow-on operations.

Technical deep-dive

Delivery: ClickOnce runners and signed-but-stripped installers

Rather than shipping full installers with a hard-coded benign configuration, recent trojanized ScreenConnect campaigns have favored stripped ClickOnce or lightweight runner executables that fetch their runtime configuration from remote URLs controlled by the attacker. This design has two practical advantages for attackers:
  • It reduces the amount of static, analyzable configuration baked into the binary (complicating static detections).
  • It lets operators rotate infrastructure, change C2 endpoints, and rapidly repackage runners without re-signing binaries.
Security researchers previously documented a related technique called Authenticode stuffing, in which attackers place their own configuration data inside the PE certificate table (the security directory that holds the PKCS#7 signature) while leaving the original signature intact. This works because the Authenticode hash deliberately excludes the certificate table, the security data-directory entry, and the CheckSum field, so bytes added there do not invalidate the signature; naive checks that only ask “is the signature valid?” therefore treat the payload as legitimate. Defenders should treat a valid signature as necessary but not sufficient evidence of safety, and should also inspect what the certificate table contains and where the binary calls out to. (acronis.com)
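To make the Authenticode-stuffing point concrete, here is an added example written for this article; it is not Acronis or ConnectWise code. It builds a constructed, section-less PE32+ stub with a certificate table, computes a simplified Authenticode digest that skips the excluded regions, and shows the digest is unchanged after a ScreenConnect-style configuration string is appended inside the certificate table. The query-string key names (e=, h=, p=) and the host relay.example.invalid are assumptions used for illustration. The second helper pulls host-like strings out of the certificate table, which is the triage check a defender would run on a signed installer of unknown provenance:

```python
"""Why Authenticode stuffing keeps a signature valid, plus a certificate-table triage check.

Added example for this article; not Acronis, ConnectWise or other vendor code.
The Authenticode hash of a PE skips the CheckSum field, the Certificate Table
data-directory entry, and the certificate table itself (the WIN_CERTIFICATE blob
carrying the PKCS#7 signature). Bytes appended inside that blob never reach the
hash, so the signature still verifies. A constructed, section-less PE32+ stub
(not really signed) demonstrates this offline.
"""
import hashlib
import re
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY
# Host/URL-looking strings; tuned for triage, not a full URL grammar.
HOST_RE = re.compile(rb"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{2,5})?", re.I)


def pe_layout(pe: bytes) -> dict:
    """Locate the CheckSum field and the security (certificate table) directory entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = 112 if magic == 0x20B else 96     # data directories: PE32+ vs PE32
    sec_entry = opt + dir_base + SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_entry)  # file offset, not an RVA
    return {"checksum": opt + 64, "sec_entry": sec_entry,
            "cert_off": cert_off, "cert_size": cert_size}


def authenticode_digest(pe: bytes) -> str:
    """Simplified Authenticode hash: every byte except the three excluded regions.
    The real algorithm also walks sections in raw-data order; for the
    section-less sample built below the two agree."""
    lay = pe_layout(pe)
    skip = sorted([(lay["checksum"], 4), (lay["sec_entry"], 8),
                   (lay["cert_off"], lay["cert_size"])])
    h, pos = hashlib.sha256(), 0
    for off, size in skip:
        if size == 0:                            # unsigned file: no certificate table
            continue
        h.update(pe[pos:off])
        pos = off + size
    h.update(pe[pos:])
    return h.hexdigest()


def certificate_table_hosts(pe: bytes) -> list:
    """Walk the WIN_CERTIFICATE entries and return host/URL-like strings found inside."""
    lay = pe_layout(pe)
    table = pe[lay["cert_off"]:lay["cert_off"] + lay["cert_size"]]
    found, pos = [], 0
    while pos + 8 <= len(table):
        length, _rev, _ctype = struct.unpack_from("<IHH", table, pos)
        if length < 8:
            break
        body = table[pos + 8:pos + length]
        found += [m.decode("ascii", "replace") for m in HOST_RE.findall(body)]
        pos += (length + 7) & ~7                 # entries are 8-byte aligned
    return found


def build_sample_pe(cert_body: bytes) -> bytes:
    """Constructed PE32+ stub: DOS header, PE/COFF header, optional header, zero sections,
    and a certificate table at file offset 512 holding cert_body."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)    # x64, 0 sections, opt hdr 240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    cert_off = 512
    cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body
    cert += b"\0" * (-len(cert) % 8)
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, cert_off, len(cert))
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return headers.ljust(cert_off, b"\0") + cert


def demo() -> dict:
    """Stuff a config string into the certificate table and compare digests and hosts."""
    fake_pkcs7 = b"\x30\x82\x01\x00" + b"\x00" * 64   # constructed stand-in, not a real signature
    # Assumed ScreenConnect-style query string; the key names are illustrative only.
    stuffed_cfg = b"?e=Access&h=relay.example.invalid&p=8041"
    clean = build_sample_pe(fake_pkcs7)
    stuffed = build_sample_pe(fake_pkcs7 + stuffed_cfg)
    return {
        "files_differ": clean != stuffed,
        "clean_digest": authenticode_digest(clean),
        "stuffed_digest": authenticode_digest(stuffed),
        "clean_hosts": certificate_table_hosts(clean),
        "stuffed_hosts": certificate_table_hosts(stuffed),
    }


if __name__ == "__main__":
    r = demo()
    print("digest unchanged by stuffing:", r["clean_digest"] == r["stuffed_digest"])
    print("hosts in certificate table:", r["stuffed_hosts"])
```

Run it as a script to see that the two digests match even though the files differ. On a real installer the same walk over the security directory (note that its first field is a file offset, not an RVA) is what a triage tool would do, followed by verification of the signature proper with signtool or a PKCS#7 library; a host in the certificate table that is neither a ConnectWise relay nor one the organization owns is the signal to escalate.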

Automation abuse and rapid lateral deployment

Once a host is attached to an attacker-controlled ScreenConnect instance, the adversary can use built-in automation to:
  • Execute scripts and installers silently on multiple connected machines.
  • Push scheduled tasks and PowerShell commands.
  • Move laterally to other managed endpoints under the same MSP or administrative domain.
This automation, combined with the fact that ScreenConnect is routinely used by legitimate IT staff, makes detection challenging: remote-access sessions and remote deployments blend in with ordinary administrative activity unless they are explicitly audited. Proofpoint and Sophos have separately documented actors using ScreenConnect to deliver AsyncRAT or to proxy credentials and session cookies in order to capture high-value admin access. (proofpoint.com, news.sophos.com)

Multi-stage execution chains and layered persistence

Analysis from multiple response teams shows a layered infection chain designed for redundancy and stealth:
  • The initial ClickOnce/runner fetches the ScreenConnect client configuration and registers the endpoint with a malicious ScreenConnect server.
  • Attackers push a staged PowerShell chain that:
      • uses AMSI bypass techniques;
      • decodes and executes in-memory payloads to avoid writing artifacts to disk;
      • establishes scheduled tasks for persistence (some actors intentionally schedule frequent reloads to ensure reliability).
  • Additional loaders (batch, VBS, or obfuscated .NET assemblies) stage more complex backdoors and loaders (for example, an "Obfuscator.dll" acting as a loader/persistence helper).
  • The infection forks to deliver at least two RAT families (observed combinations include AsyncRAT plus a bespoke PowerShell RAT, and in later variants PureHVNC delivered via process hollowing). (esentire.com, wazuh.com)
The multi-pronged approach increases survivability: if one RAT is detected and removed, the other may retain access.

RAT families and capabilities

  • AsyncRAT: A common commodity RAT that attackers inject via AutoIt or PowerShell chains; typical capabilities include command execution, file download/upload, keylogging, process injection, and persistence via scheduled tasks or service modifications. Analysts have observed AsyncRAT delivered in memory or through loaders that decrypt and inject the payload into trusted .NET host processes such as RegAsm.exe or AppLaunch.exe to hide its behavior. (esentire.com, proofpoint.com)
  • PureHVNC: A .NET-based hidden-VNC-style RAT that supports interactive remote control over a hidden desktop (HVNC), file transfer, and reconnaissance functions. PureHVNC campaigns frequently rely on obfuscated .NET assemblies, AES-encrypted payloads, and process hollowing or code injection to avoid on-disk signatures. Detection guidance built on Sysmon telemetry has been published by detection platforms such as Wazuh for hunting PureHVNC-specific patterns. (wazuh.com, securityonline.info)
  • Custom PowerShell RATs: Several campaigns have used bespoke PowerShell-based remote access trojans not found in common open-source repositories. These custom RATs typically enumerate AV/EDR products, collect system identifiers and OS architecture, and exfiltrate data via the Microsoft.XMLHTTP COM object or similar APIs. Their bespoke nature means signature-based detection is poor; behavioral detection (command patterns, encoded payload handling, unexpected Microsoft.XMLHTTP POSTs from script hosts) is more reliable. (cyberpress.org, esentire.com)

Infrastructure and operational tradecraft

  • Many campaigns reutilize VPS providers and preconfigured Windows Server 2022 templates to stand up ephemeral ScreenConnect servers quickly. Recurring VM hostnames and template labels in forensic telemetry indicate attackers reusing the same VM images for fast redeployment across new IPs.
  • Bulletproof and cheap VPS/hosting services are a recurring theme. Actors benefit from fast provisioning, flexible payment options, and lax abuse enforcement. Silent hosting and VPS marketplaces — often advertised on criminal forums — make infrastructure churn cheap and resilient to takedown. (silentpush.com, stealthrdp.com)
Operational advantages for attackers:
  • Rapid rotation of endpoints and domains reduces the window defenders have to block or sinkhole C2 servers.
  • Using legitimate control panels (ScreenConnect) as a central management plane lets attackers deploy payloads to numerous victims from a single, hardened control point.
  • Combining automation and staging scripts minimizes manual interaction and increases the speed of compromise.

Social engineering and distribution channels

The initial emails are not generic spam — they are targeted, context-aware lures designed to bypass human skepticism. Observed lures include:
  • Fake Social Security or government notices.
  • Financial/invoice-themed messages targeting accounts-payable roles.
  • Spoofed meeting invites for Zoom or Microsoft Teams that instruct recipients to download an attached “support” client or to accept a remote assistance request. (proofpoint.com, techradar.com)
Threat actors often use:
  • Compromised consumer or corporate email accounts to improve deliverability.
  • Legitimate marketing/email platforms (SendGrid, Mailjet, etc.) to evade filters.
  • URL shorteners or cloud storage services to host the initial executable.
The combination of realistic content, authenticated-sounding sender addresses, and contextual relevance significantly raises the probability that busy recipients will execute the attachment.

Detection guidance — what defenders should monitor now

Security teams should treat unexpected ScreenConnect activity as high-risk and hunt proactively:
  • Audit and alert on any newly installed ScreenConnect/ConnectWise client on endpoints that do not normally run RMM software.
  • Log and review ScreenConnect automation events and admin logins. A surge in automation-driven installations or new super-admin additions is a red flag. (news.sophos.com)
  • Monitor for encoded PowerShell and AMSI bypass patterns, including:
      • Base64-encoded blobs executed via PowerShell with -EncodedCommand (or its short forms such as -enc).
      • Use of Add-Type or reflection ([Reflection.Assembly]::Load) to load .NET assemblies from memory.
      • Frequent scheduled-task creation referencing script execution.
  • Detect suspicious process injection and hollowing (e.g., RegAsm.exe, AppLaunch.exe, or notepad.exe opening network connections after a hollowing event).
  • Flag abnormal Microsoft.XMLHTTP requests or repeated POSTs to unknown external domains not associated with enterprise services.
  • Apply application allowlisting and restrict execution of ClickOnce and installer runners for non-admin users. Allowlist by hash or path in addition to publisher, not by publisher alone, because the trojanized runners may carry a valid signature.
  • Triage any signed ScreenConnect installer that fetches remote configuration: validate that the download endpoints and configuration URLs are legitimate and owned by the organization or the vendor. A signed binary that calls back to unknown or freely registered domains is suspicious. (acronis.com)
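The following added example (not vendor detection content) turns the chain from the "Multi-stage execution chains" section and the monitoring points above into executable hunt logic. It runs over constructed Sysmon-style process-creation records embedded in the script; the field names, the ScreenConnect.ClientService.exe parent-process heuristic, and the run.cmd path are assumptions for illustration rather than a vendor schema. It decodes the -EncodedCommand payload (base64 of UTF-16LE) before matching, because the AMSI-bypass strings are invisible in the raw blob:

```python
"""Behavioural hunt over process-creation events for the runner -> PowerShell -> RAT chain.

Added example for this article, not vendor detection content. Events are
constructed Sysmon-style (Event ID 1) records; field names, the parent-process
heuristic and the run.cmd path are illustrative assumptions, not a vendor schema.
"""
import base64
import re

AMSI_MARKERS = ("amsiutils", "amsiinitfailed", "amsiscanbuffer", "amsi.dll")
MEMLOAD_MARKERS = ("add-type", "[reflection.assembly]::load", "frombase64string",
                   "invoke-expression", "iex ")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -enc, ...).
ENC_FLAG_RE = re.compile(r"(?i)\s-(?:e|ec|en|enc|enco|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Assumed behaviour: ScreenConnect automation runs commands under its client service process.
SCREENCONNECT_SERVICE = "screenconnect.clientservice.exe"


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "ignore")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev: dict) -> list:
    """Apply the hunt rules to one process-creation event; return the rule names that fired."""
    hits = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    text = cmd.lower()
    decoded = decode_encoded_command(cmd)
    if decoded is not None:                        # match on the decoded script, not just the blob
        text += " " + decoded.lower()
        hits.append("encoded_powershell")
    if any(m in text for m in AMSI_MARKERS):
        hits.append("amsi_bypass")
    if any(m in text for m in MEMLOAD_MARKERS):
        hits.append("inmemory_assembly_load")
    if image.endswith("schtasks.exe") and "/create" in text and re.search(r"/sc\s+minute", text):
        hits.append("frequent_scheduled_task")
    if parent.endswith(SCREENCONNECT_SERVICE) and image.endswith(SHELLS):
        hits.append("screenconnect_spawned_shell")
    return hits


def sample_events() -> list:
    """Constructed events: one benign admin command followed by four steps of the chain."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    amsi_bypass = ("[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                   ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)")
    enc = base64.b64encode(amsi_bypass.encode("utf-16le")).decode()
    return [
        {"Image": ps, "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": "powershell.exe -NoProfile Get-Service -Name Spooler"},
        {"Image": r"C:\Windows\System32\cmd.exe",
         "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
         "CommandLine": r'cmd.exe /c "C:\Windows\TEMP\ScreenConnect\run.cmd"'},
        {"Image": ps, "ParentImage": r"C:\Windows\System32\cmd.exe",
         "CommandLine": f"powershell.exe -nop -w hidden -enc {enc}"},
        {"Image": ps, "ParentImage": r"C:\Windows\System32\cmd.exe",
         "CommandLine": 'powershell.exe -c "$b=[Convert]::FromBase64String($d);[Reflection.Assembly]::Load($b)"'},
        {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": ps,
         "CommandLine": 'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "powershell -w hidden -f C:\\Users\\Public\\u.ps1"'},
    ]


def hunt(events=None) -> dict:
    """Map event index -> fired rules for every event that triggered at least one rule."""
    events = sample_events() if events is None else events
    results = {}
    for i, ev in enumerate(events):
        hits = analyze_event(ev)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, rules in hunt().items():
        print(idx, rules)
```

Feed hunt() a list of dicts built from your own Sysmon Event ID 1 or EDR process telemetry. The encoded-command decoder is the piece most often missing from simple keyword rules; without it the AMSI-bypass rule never fires on the encoded sample, which is exactly why these chains use -enc.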
Recommended sequential containment steps:
  • Isolate infected endpoints and collect volatile memory to capture in-memory-only loaders before a reboot destroys them.
  • Block the malicious ScreenConnect relay hosts at DNS and egress, uninstall the rogue client, and review your own ScreenConnect instances for unrecognized sessions and admin accounts.
  • Rotate any administrator, machine, or service credentials that may have been exposed through ScreenConnect sessions.
  • Hunt for lateral compromise and unusual scheduled tasks across the estate.
  • Rebuild critical endpoints if in-memory-only implants were detected but cannot be fully remediated.

Why this is strategically important — bigger picture

  • Legitimacy-as-evasion: Attackers increasingly weaponize legitimate administrative tooling to bypass signature-based defense layers. A valid signature no longer guarantees safety when certificates or binary structures are abused to carry attacker-controlled configuration. (acronis.com)
  • Commoditization of access: ScreenConnect “attack kits,” credential-harvesting portals, and RMM-misuse toolkits are now part of a mature underground market. This commoditization lowers the bar to entry for lesser-skilled operators and increases the volume of opportunistic attacks. Major detection vendors have reported multiple distinct clusters abusing ScreenConnect for profit-driven campaigns. (proofpoint.com, itpro.com)
  • MSP-as-high-value target: MSPs and MSP administrators are prime targets because compromising a single MSP account or ScreenConnect instance can provide bulk access to numerous customers. A single misused MSP administrator account has historically led directly to large-scale ransomware and data-exfiltration incidents. Sophos and others documented credential-harvest attacks that escalated into MSP customer compromises. (news.sophos.com)

Notable strengths of current defensive postures — and gaps

Strengths:
  • Endpoint detection platforms and telemetry systems have matured; in-memory detection and process-injection telemetry can now surface many of the activity patterns that these campaigns rely on.
  • Threat intelligence sharing among vendors (Proofpoint, Sophos, Acronis, eSentire, others) allows defenders to correlate indicators and TTPs quickly.
  • Application allowlisting and network segmentation, when implemented consistently, cut the attack surface significantly.
Gaps and risks:
  • Overreliance on signature/Authenticode checks leads to blind spots when attackers preserve signatures via Authenticode stuffing or by stripping installers and fetching runtime configuration.
  • Many organizations do not monitor the use of remote-access tools centrally, or allow RMM tooling to install outside of managed channels.
  • MSP environments and third-party vendors remain an outsized systemic risk — many organizations delegate trust to suppliers without adequate segmentation or logging of their access. (acronis.com, news.sophos.com)

Indicators of Compromise (IoCs) — verification and caution

Public reporting has included various IoCs tied to these campaigns (IPs, domains, sample filenames, mutex names). Security teams should treat IoCs as leads, not definitive proof, and validate them within their own telemetry before taking enforcement action.
Independent vendor reporting corroborates broad patterns (phishing lures, ScreenConnect as a loader, AsyncRAT deployments), but some specific indicators reported in single-source writeups (unique domains or IPs) require careful validation because actor infrastructure rotates rapidly and false positives are common. If an IoC comes from a single blog post or press piece without supporting telemetry from other vendors, mark it as unverified and rely on behavioral hunts (e.g., encoded PowerShell, unexpected ScreenConnect automation) rather than blocking single IPs blindly. (proofpoint.com, cyberpress.org)
(Defenders are urged to consult vendor-provided STIX/IOC packages and their enterprise telemetry for validated indicators rather than relying solely on press reports.)

Cross-verification and what is still uncertain

Multiple independent sources corroborate the central thesis that ScreenConnect and other RMM tools are being abused as initial-access vectors, and that AsyncRAT/PureHVNC-like families are common follow-ons. Acronis TRU, Proofpoint, Sophos, and eSentire have independently reported similar TTPs, giving high confidence to the core narrative: trojanized ScreenConnect installers and phishing to deliver RMM clients are active methods of initial compromise. (acronis.com, proofpoint.com, news.sophos.com, esentire.com)
However, specific domain names, single-source IP addresses, or single-sample mutexes reported by one outlet must be treated cautiously until corroborated by additional intelligence sources or seen in an organization’s own telemetry. Some campaign writeups list domains and IPs that are quickly rotated or taken down; others omit full technical detail for operational security. Where a claim cannot be independently replicated in reputable telemetry or vendor STIX feeds, it should be labeled unverified and used as a hunting hypothesis rather than an enforcement rule. (cyberpress.org)
For historical context on how attackers have repeatedly used administrative credentials, remote tools, and multi-stage implants to persist and pivot across environments, archived advisories remain informative. Those legacy campaign patterns support the conclusion that RMM abuse is a longstanding, evolving tactic.

Practical checklist for Windows shops and MSPs

  • Inventory RMM usage:
      • Enumerate all ScreenConnect/ConnectWise instances (cloud and on-prem).
      • Identify owners and justify the business need for each instance.
  • Harden access:
      • Enforce MFA on all ScreenConnect admin accounts and revoke unused admin roles.
      • Use unique admin accounts with strict least privilege and session recording where possible.
  • Network and execution controls:
      • Block unauthorized ClickOnce and unsigned installer execution for non-admins.
      • Segment MSP/admin access into controlled jump hosts or VPNs with privileged access monitoring.
  • Telemetry and detection:
      • Deploy Sysmon or equivalent telemetry and monitor for process hollowing, RegAsm.exe or AppLaunch.exe anomalies, and frequent scheduled-task creation.
      • Create alerts for PowerShell -EncodedCommand usage on non-developer endpoints.
      • Monitor for newly provisioned ScreenConnect servers in DNS and network flows.
  • Incident playbook updates:
      • Prepare forensic steps for in-memory-only loaders (collect RAM, process dumps).
      • Pre-plan host isolation and key-rotation procedures for MSP-admin compromise scenarios.
  • Third-party vetting:
      • Require MSPs and vendors to document the remote access tools in use and provide attestations for secure operations.
      • Insist on contract terms allowing rapid suspension of vendor access if suspicious activity is detected.

Conclusion

The continued abuse of ConnectWise ScreenConnect and similar RMM tooling underscores a critical shift: attackers are weaponizing trusted administrative channels to bypass conventional defences and to scale access across multiple victims. The combination of trojanized installers, ClickOnce runners, layered RAT deployments (AsyncRAT, PureHVNC, bespoke PowerShell trojans), and agile VPS-based infrastructure rotation makes these campaigns resilient and dangerous. Multiple independent vendor reports corroborate the trend and the basic technical details, though defenders must validate single-source IoCs before acting.
Organizations must adopt a zero-trust stance toward remote-access tooling: assume any unexpected ScreenConnect activity is suspicious, require explicit approvals and controls for RMM usage, instrument robust telemetry for in-memory and process-injection detection, and treat MSP administrative compromise as a high-probability scenario when drafting incident response plans. The era when a valid digital signature alone equated to "safe" is over: defenders must pivot to behavioral and telemetry-driven controls to detect and stop these increasingly sophisticated RMM-abuse campaigns. (acronis.com, proofpoint.com, news.sophos.com)

Source: Cyber Press Adversaries Leverage Malicious ScreenConnect Installers for Initial Compromise