• Thread Author
Since March 2025, threat actors have increasingly weaponized ConnectWise ScreenConnect installers — using trojanized, stripped-down ClickOnce runners and other delivery tricks to convert a trusted remote administration tool into a stealthy initial-access vector that drops multiple RATs and establishes persistent, low-noise footholds inside U.S. organizations.

[Image: a cyberattack visualization with malware modules, red/blue data flows, and lateral movement across a network.]

Background

ConnectWise ScreenConnect (also marketed as ConnectWise Control) is a widely used Remote Monitoring and Management (RMM) and remote-access product that legitimate IT teams and managed service providers (MSPs) rely on to troubleshoot and administer endpoints. Its legitimate capabilities — unattended deployment, automation, and signed installers — make it an attractive target for abuse. Incidents over the past two years show repeated patterns where attackers gain initial access via ScreenConnect compromises or lure victims into installing trojanized ScreenConnect clients. (proofpoint.com)
Security teams across multiple vendors have documented campaigns that reuse trusted ScreenConnect binaries or signer metadata to evade traditional signature-based defenses. Acronis’ Threat Research Unit (TRU) and other analysts have described “Authenticode stuffing” and similar approaches to embed malicious configurations inside signed installers so the executable remains signed while calling out to attacker-controlled infrastructure. This abuse allows adversaries to sidestep simplistic allowlists and AV checks that rely primarily on the presence of a valid digital signature.

What the recent campaigns look like — high-level summary

  • Attackers send convincing phishing lures disguised as government, financial, or legal documents (filenames that include “Social Security,” invoices, or legal “agreement” texts are common).
  • The lure carries an executable (e.g., a file ending in .Client.exe) or a link that launches a ClickOnce or other lightweight runner rather than a fully configured installer.
  • The runner retrieves its configuration from attacker-controlled servers and connects the endpoint to a malicious ScreenConnect server hosted on VPS/bulletproof infrastructure.
  • Once the remote control channel is established, automation features of ScreenConnect are abused to deploy additional malware across the host and often to other managed endpoints.
  • Attackers deploy multiple RATs for redundancy and capability diversity; commonly observed are AsyncRAT and variants of PureHVNC, or bespoke PowerShell-based RATs. Delivery techniques include staged PowerShell, AMSI bypass, process hollowing, and DLL/.NET loaders. (esentire.com, proofpoint.com, wazuh.com, cyberpress.org, silentpush.com, acronis.com, news.sophos.com)
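As an added defender-side example (not code from the article or any of the cited vendors), the following Python triage script runs over constructed process-creation telemetry and applies two checks that follow from the chain summarized above: a ScreenConnect client whose relay host is not on the organization's approved list, and a shell launched by the ScreenConnect client service, as abused automation features would produce. The approved host list, the pipe-separated log format and the assumption that the relay host appears as the h= query parameter of the client command line are all assumptions to verify against your own telemetry.

```python
import re

# Relay hosts of the organization's own ScreenConnect instance (placeholder values, not from the article).
APPROVED_RELAY_HOSTS = {"control.example-msp.com"}
SC_CLIENT_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed process-creation telemetry (not real data): pipe-separated key=value fields.
SAMPLE_EVENTS = [
    "Host=WS01|Image=C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe"
    "|ParentImage=C:\\Windows\\System32\\services.exe"
    '|CommandLine="ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=control.example-msp.com&p=8041&s=GUID"',
    "Host=WS02|Image=C:\\Users\\j.doe\\Downloads\\Social Security Statement.Client.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    '|CommandLine="Social Security Statement.Client.exe" "?e=Access&y=Guest&h=198.51.100.23&p=8041&s=GUID"',
    "Host=WS02|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe"
    "|CommandLine=powershell.exe -nop -w hidden -enc QQBBAEEAQQA=",  # constructed placeholder blob
    "Host=WS03|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe notes.txt",
]

def parse_event(line):
    """Split one constructed telemetry line into a dict of fields (first '=' separates key and value)."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def relay_host(cmdline):
    """Return the h= (relay host) value from a ScreenConnect client command line, or None."""
    m = re.search(r'[?&]h=([^&\s"]+)', cmdline, re.I)
    return m.group(1).lower() if m else None

def is_sc_client(image):
    # Known client image names plus the renamed *.Client.exe lures described in the campaigns.
    return image in SC_CLIENT_IMAGES or image.endswith(".client.exe")

def analyse(lines):
    """Return (finding, host, detail) tuples for ScreenConnect-related anomalies in the telemetry."""
    findings = []
    for ev in map(parse_event, lines):
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        if is_sc_client(image):
            host = relay_host(ev["CommandLine"])
            if host and host not in APPROVED_RELAY_HOSTS:
                findings.append(("unapproved_relay", ev["Host"], host))
        if is_sc_client(parent) and image in SHELL_IMAGES:
            # -e, -ec, -enc and -encodedcommand all select PowerShell's encoded-command mode.
            encoded = re.search(r"\s-e(c|n[a-z]*)?\s", ev["CommandLine"], re.I) is not None
            findings.append(("encoded_powershell" if encoded else "shell_from_sc_client", ev["Host"], image))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Running it against the constructed events flags the lure connecting to an unapproved relay and the encoded PowerShell spawned by the client service, while the legitimately configured client on WS01 stays silent.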

    Source: Cyber Press, “Adversaries Leverage Malicious ScreenConnect Installers for Initial Compromise”
