The Acronis Threat Research Unit (TRU) has released new findings on an evolving cyber campaign that abuses ConnectWise ScreenConnect, a legitimate remote monitoring and management (RMM) tool, to deliver multiple remote access trojans (RATs). Since March 2025, researchers have observed a marked increase in attacks targeting U.S.-based organizations.
According to TRU, “what we’re seeing is a long-term, ongoing trend in RMM tool abuse that continues to draw attackers, perhaps due to how effective it is.”
The attacks begin with maliciously modified ScreenConnect installers disguised as official documents. One observed sample, agreement_support-pdf.Client.exe, was downloaded via Microsoft Edge and presented itself as a legitimate support file.
As the report notes, “this file is a ClickOnce installer, disguised as a legitimate support document — a social engineering method often used to trick users into running untrusted code.”
Unlike older versions, these ClickOnce runners carry no embedded configuration. Instead, they fetch their components from an attacker-controlled server at runtime, so a static scan of the installer alone has little to match on, which significantly hinders traditional detection. “The only two reliable prevention methods remaining would be blacklisting the C2 domain (which is difficult to know in advance), or blocking ScreenConnect entirely,” the researchers warn.
Once ScreenConnect is installed, its automation features are abused to deploy two RATs immediately:
- AsyncRAT – a popular open-source RAT used by both penetration testers and cybercriminals.
- A custom PowerShell-based RAT – written by the attacker, which performs reconnaissance, exfiltrates data over HTTP using the Microsoft.XMLHTTP COM object, and relies on heavy obfuscation.

TRU offers several possible explanations for the dual deployment: “This dual deployment may serve as redundancy, tool testing or reflect shared infrastructure among multiple threat actors.”
The initial AsyncRAT payload is noisy, relying on scheduled tasks that relaunch the malware every minute. Weeks later, the attackers adjusted the chain, using batch and VBS loaders to drop encoded .NET assemblies (Obfuscator.dll and logs.ldr), which reduced the detection risk and refined persistence.
The report explains, “persistence is achieved through a scheduled task named ‘Skype Updater,’ configured to execute Ab.vbs at user logon.”
A further evolution introduced the PureHVNC RAT, delivered via WMI and process hollowing. Hollowing lets the attackers run their payload inside a trusted process such as RegAsm.exe, keeping their control hidden behind a legitimate-looking process name.
The malicious installers often carry names that mimic social security or financial documents. Examples include:
- Social_Security_Statement_Documents_386267.exe
- SSADocumentViewer-nXpJ2.exe
- 2024 BUSINESS SCHEDULE COMPLETE ORGANIZERpdf.exe
TRU also discovered that attackers reused preconfigured Windows Server 2022 VMs with consistent hostnames (e.g., WIN-BUNS25TD77J, COPY-OF-VM-2022), enabling rapid redeployment across campaigns.
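The indicators above (document-themed executable names, the “Skype Updater” task running Ab.vbs at logon, the every-minute AsyncRAT reload, and RegAsm.exe as a hollowing host) can be turned into triage checks. The following Python is an added example written for this page, not Acronis TRU's code or tooling; the heuristics are my own assumptions about what separates these samples from benign activity, the event fields (image, parent, cmdline) mimic a Sysmon-style process-creation record, and the sample events are constructed, not captured telemetry.

```python
"""Triage heuristics for the ScreenConnect-abuse chain described above.
Added illustration, not Acronis TRU's detection logic; the events below are
constructed, not real telemetry."""
import re

# Lure wording taken from the file names in the report (SSA / financial documents).
DOC_WORDS = re.compile(r"(social[ _]?security|\bssa|statement|schedule|organizer|agreement|support)", re.I)
# A document extension fused into the stem of a real executable, e.g. "...pdf.exe"
# or "...-pdf.Client.exe"; the lookahead keeps "Documents" from matching "doc".
FAKE_DOC_EXT = re.compile(r"(pdf|docx?|xlsx?)(?![a-z])[^\\]*\.(exe|msi|application)$", re.I)
CLICKONCE_CLIENT = re.compile(r"\.client\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh|cmd)(\.exe)?\b", re.I)
UPDATER_NAME = re.compile(r"(skype|chrome|adobe|java|windows)[ _-]*updat", re.I)  # assumed lure pattern


def lure_indicators(path):
    """Reasons a file name looks like a document-themed executable (empty list if none)."""
    name = path.rsplit("\\", 1)[-1]
    hits = []
    if not re.search(r"\.(exe|msi|application)$", name, re.I):
        return hits  # a real .pdf is not what this campaign drops
    if FAKE_DOC_EXT.search(name):
        hits.append("document extension fused to executable name")
    if DOC_WORDS.search(name):
        hits.append("financial/SSA lure wording in executable name")
    if CLICKONCE_CLIENT.search(name):
        hits.append("'.Client.exe' ClickOnce runner naming as in the sample")
    return hits


def _schtasks_opt(cmdline, flag):
    """Value of a schtasks switch, quoted or bare; None if the switch is absent."""
    m = re.search(rf'{flag}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def schtasks_indicators(cmdline):
    """Flag schtasks /create invocations matching the persistence seen in the chain."""
    if not re.search(r"\bschtasks(\.exe)?\b.*\s/create\b", cmdline, re.I):
        return []
    name = _schtasks_opt(cmdline, "/tn") or ""
    action = _schtasks_opt(cmdline, "/tr") or ""
    sched = (_schtasks_opt(cmdline, "/sc") or "").lower()
    modifier = _schtasks_opt(cmdline, "/mo") or ""
    hits = []
    if UPDATER_NAME.search(name) and SCRIPT_HOST.search(action):
        hits.append(f"task {name!r} poses as a software updater but runs a script host")
    if re.search(r"\.(vbs|vbe|js|jse|bat|cmd|ps1)\b", action, re.I) and USER_WRITABLE.search(action):
        hits.append("task action runs a script from a user-writable directory")
    if sched == "minute" and modifier in ("", "1"):
        hits.append("task re-runs its action every minute (noisy AsyncRAT-style reload)")
    return hits


def hollowing_indicators(image, parent, cmdline):
    """RegAsm.exe as a hollowing host. Assumption: legitimate RegAsm runs receive an
    assembly path and are not launched from user-writable directories."""
    if not re.search(r"\\regasm\.exe$", image, re.I):
        return []
    hits = []
    if USER_WRITABLE.search(parent):
        hits.append("RegAsm.exe spawned by a process running from a user-writable directory")
    rest = re.sub(r'^\s*(?:"[^"]*"|\S+)', "", cmdline).strip()  # drop the executable token
    if not rest:
        hits.append("RegAsm.exe started with no assembly argument")
    return hits


def triage(events):
    """Run every heuristic over each event; return (event index, reason) pairs."""
    findings = []
    for i, ev in enumerate(events):
        reasons = (lure_indicators(ev["image"])
                   + schtasks_indicators(ev["cmdline"])
                   + hollowing_indicators(ev["image"], ev["parent"], ev["cmdline"]))
        findings.extend((i, r) for r in reasons)
    return findings


SAMPLE_EVENTS = [  # constructed examples, not real telemetry
    {"image": r"C:\Users\bob\Downloads\agreement_support-pdf.Client.exe",
     "parent": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Users\bob\Downloads\agreement_support-pdf.Client.exe"'},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /tn "Skype Updater" /tr "wscript.exe C:\Users\bob\AppData\Roaming\Ab.vbs" /sc onlogon /f'},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /tn "Update" /tr "C:\Users\bob\AppData\Roaming\client.exe" /sc minute /mo 1'},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Users\bob\AppData\Roaming\loader.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\bob\Documents\notes.txt'},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Run against the constructed events, the benign notepad launch produces nothing, the disguised installer trips all three name checks, and the RegAsm launch is flagged twice; in production these checks would sit over a real process-creation feed and the lure word list would need tuning against the organization's own naming noise.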
By abusing ScreenConnect, adversaries gain privileged access that blends in with everyday administration. The addition of multiple RATs, obfuscation, and evolving persistence methods demonstrates a highly adaptive threat.
As Acronis TRU notes, “abuse of RMM software such as ScreenConnect is becoming increasingly common, adding to the growing list of legitimate tools repurposed for malicious activity.”