The Mimecast Threat Research team, led by Samantha Clarke, has disclosed an ongoing credential harvesting campaign, designated MCTO3030, that has quietly targeted ScreenConnect cloud administrators since 2022. What makes the campaign particularly concerning is its connection to ransomware operations: there are strong indications that the stolen credentials are being handed to ransomware affiliates for large-scale attacks.
Mimecast researchers report that the operation has displayed “remarkable operational security through low-volume distribution that has allowed it to operate largely undetected.”
The attackers focus on high-value targets: senior IT professionals, system administrators, directors, and security staff who hold ScreenConnect super administrator privileges. These credentials are particularly dangerous because, as Mimecast notes, they “provide comprehensive control over remote access infrastructure across entire organizations.”
The campaign employs spear phishing emails sent through Amazon Simple Email Service (SES) accounts. Because the messages leave Amazon's own sending infrastructure, they inherit its sender reputation and deliverability at very low cost, which gives reputation-based email filtering little to act on.
The phishing flow follows a clear pattern:
- Initial Contact – Victims receive spear phishing emails, often claiming suspicious login activity.
- Social Engineering – Messages urge them to click a “Review Security” button.
- Credential Capture – The link directs users to fake ScreenConnect portals, hosted on lookalike country-code TLD domains.
- Adversary-in-the-Middle (AITM) – Using the EvilGinx framework, attackers capture both credentials and MFA tokens in real time.
- Account Compromise – Super admin accounts are hijacked.
- Lateral Movement – Attackers can deploy malicious ScreenConnect clients across multiple endpoints.
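The flow above leaves a few traits that a mail-security team can check for mechanically: delivery through Amazon SES, a suspicious-login lure with a “Review Security” call to action, and links to hosts that borrow the product name but are not the vendor's own domain, typically on a country-code TLD. The following Python triage script is an added example, not Mimecast's tooling or anything from the report. It assumes SES-originated mail is recognizable by amazonses.com in the Received or Return-Path headers, and that screenconnect.com and connectwise.com are the only legitimate domains for the product. Both sample messages, their addresses and the .zz hostname are constructed for the demo and are not indicators from the campaign.

```python
"""Triage helper for ScreenConnect-themed credential phishing.

Added example, not Mimecast's tooling. Flags a raw RFC 5322 message that
combines (a) delivery via Amazon SES, (b) a suspicious-login lure with a
"Review Security" call to action and (c) a link to a host that borrows the
product name but is not the vendor's domain, especially on a country-code TLD.
All sample messages, addresses and domains below are constructed for the demo.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption: the vendor's real domains. Anything else that carries the
# product name in its hostname is treated as a lookalike.
VENDOR_DOMAINS = ("screenconnect.com", "connectwise.com")
# Assumption: SES-originated mail carries amazonses.com in Received/Return-Path.
SES_MARKER = "amazonses.com"

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
LURE_RE = re.compile(r"(suspicious|unusual) (login|sign-?in)", re.IGNORECASE)
CTA_RE = re.compile(r"review security", re.IGNORECASE)


def message_text(msg):
    """Concatenate every text/* body part of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def is_vendor_host(host):
    """True only for the vendor's apex domains and their subdomains."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def on_cctld(host):
    """Two-letter top-level labels are country-code TLDs."""
    tld = host.rsplit(".", 1)[-1]
    return len(tld) == 2 and tld.isalpha()


def lookalike_hosts(text):
    """Hosts in links that use the product name without being the vendor."""
    found = set()
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if "screenconnect" in host and not is_vendor_host(host):
            found.add(host)
    return sorted(found)


def triage(raw):
    """Return the indicators found in one raw message plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    path_headers = " ".join(msg.get_all("Received", []) + [msg.get("Return-Path", "")])
    subject = msg.get("Subject", "")
    body = message_text(msg)
    hosts = lookalike_hosts(body)
    result = {
        "via_amazon_ses": SES_MARKER in path_headers.lower(),
        "suspicious_login_lure": bool(LURE_RE.search(subject + " " + body)),
        "review_security_cta": bool(CTA_RE.search(body)),
        "lookalike_hosts": hosts,
        "lookalike_on_cctld": [h for h in hosts if on_cctld(h)],
    }
    # The lookalike link is decisive; delivery path or lure wording must corroborate it.
    corroborated = result["via_amazon_ses"] or result["suspicious_login_lure"]
    result["verdict"] = "suspect" if hosts and corroborated else "clean"
    return result


# Constructed phishing sample. The .zz TLD is an ISO 3166 user-assigned code,
# so this hostname cannot collide with a real site; the IP is a documentation range.
PHISH_SAMPLE = """\
Return-Path: <0100018f-bounce@amazonses.com>
Received: from a8-42.smtp-out.amazonses.com (a8-42.smtp-out.amazonses.com [203.0.113.10])
    by mx.example.org with ESMTPS; Mon, 1 Sep 2025 10:00:00 +0000
From: ScreenConnect Security <alerts@notify.example>
To: it-director@example.org
Subject: Suspicious login activity on your ScreenConnect account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected a sign-in to your super admin account from a new device.</p>
<p><a href="https://screenconnect-cloud-review.zz/verify">Review Security</a></p>
</body></html>
"""

# Constructed legitimate notice pointing at the customer's own cloud instance
# under the vendor domain.
BENIGN_SAMPLE = """\
Received: from mail.example.org (mail.example.org [198.51.100.5])
    by mx.example.org with ESMTPS; Mon, 1 Sep 2025 11:00:00 +0000
From: IT Helpdesk <helpdesk@example.org>
To: it-director@example.org
Subject: Maintenance window for the remote support portal
Content-Type: text/plain; charset=utf-8

The portal at https://acme.screenconnect.com/Host will be unavailable
on Saturday between 02:00 and 04:00 UTC.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample))
```

The verdict deliberately requires the product-themed lookalike link plus at least one corroborating trait; SES delivery on its own is common in legitimate mail, and lure wording alone would flag every genuine security notice.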
Mimecast explains: “The phishing pages employ sophisticated adversary-in-the-middle (AITM) techniques using the EvilGinx framework… allowing the attackers to bypass modern authentication protections and maintain persistent access.”
Perhaps the most alarming aspect is the campaign’s link to ransomware. According to Mimecast, “Research from Sophos indicates similar ScreenConnect targeting by Qilin ransomware affiliates, suggesting these credential harvesting activities serve as initial access vectors for subsequent ransomware deployment.”
With stolen super admin credentials, attackers can push attacker-controlled ScreenConnect clients to endpoints across an organization, enabling rapid lateral movement and mass ransomware distribution.
The attackers have consistently used ScreenConnect-themed domains on country-code TLDs, reinforcing the illusion of legitimacy. Their infrastructure shows a disciplined model, and multiple years of activity show that the approach remains effective.
Mimecast highlights that Amazon SES accounts used in this campaign are often created with compromised credentials or purchased from underground markets, further reducing detection risks.
The campaign is global in scope, with organizations across industries and regions being targeted. Its focus, however, remains narrow: individuals with the highest levels of ScreenConnect privilege.
Mimecast concludes: “The persistent nature of this campaign and its connection to ransomware operations make it a significant threat to organizations relying on ScreenConnect for remote access management.”