Threat actors have begun weaponizing legitimately signed ConnectWise ScreenConnect installers, hijacking the trust of signed software to deploy malware that masquerades as system updates or popular tools.
Researchers Lance Go and Karsten Hahn at G DATA have detailed a sharp rise in these deceptive deployments, identifying the campaign as "EvilConwi." It exploits Authenticode stuffing to embed attacker-controlled settings and content into ConnectWise binaries without invalidating their digital signature.
Attack chains typically begin with phishing emails that lure victims into clicking links under the guise of a document or tool. One notable case began with a OneDrive link, redirected through Canva, and ultimately triggered the download of a maliciously modified ConnectWise installer.

Victims report:
- Fake Windows Update screens
- Unresponsive mouse activity
- Silent background access by attackers
The attackers rely on a deceptive but signature-preserving method known as Authenticode stuffing: placing data in parts of the signed file that the Authenticode hash does not cover, so the existing signature still verifies after the data is added.
"ConnectWise has unauthenticated attributes which should not be there… these unsigned values can store arbitrary data such as campaign IDs or images," the researchers explain.
G DATA's comparison of benign vs. malicious installers revealed that while section hashes remain identical, certificate tables differ, allowing threat actors to:
- Modify launch parameters (URLs, ports, silent install flags)
- Inject custom icons (e.g., Google Chrome)
- Override UI elements with fake update messages or backgrounds
- Hide remote access indicators
Using a custom Python script, researchers extracted configuration values from the certificate table. Malicious samples included:
- Silent: False, so that the bait messages are visible to the victim
- App title changed to "Updating Windows"
- Fake update images embedded to delay system shutdown
- Icons swapped to mimic Chrome
- Stealth settings like disabling system tray icons
These details show how attackers control not just the delivery method, but the visual deception used to retain access.
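Why the signature survives the comparison described above (identical section hashes, differing certificate tables) comes down to what the Authenticode image hash covers. The following is an added example, not G DATA's extraction script and not ConnectWise code: it builds a small constructed PE32+ file with a placeholder certificate table, computes the image hash the way the Windows Authenticode PE specification describes (the CheckSum field, the security data-directory entry and the whole certificate table are skipped), then appends data to the certificate table and shows that the image hash is unchanged while the plain file hash is not. The `FAKE_PKCS7` blob, the `.text` contents and the `Title=...;Silent=...` string are constructed stand-ins; no real signature is involved.

```python
"""Added example: why Authenticode stuffing leaves the signature valid."""
import hashlib
import struct

PE_OFF = 64                                     # e_lfanew -> "PE\0\0"
SIZE_OF_HEADERS = 512
SECTION_RAW_OFF, SECTION_RAW_SIZE = 512, 512
CERT_OFF = SECTION_RAW_OFF + SECTION_RAW_SIZE   # certificate table sits at EOF
FAKE_PKCS7 = b"\x30\x10" + b"not-a-real-pkcs7"  # constructed DER SEQUENCE placeholder


def build_pe(cert_payload: bytes = FAKE_PKCS7) -> bytes:
    """Constructed PE32+ file: headers, one .text section, one WIN_CERTIFICATE."""
    win_cert = struct.pack("<IHH", 8 + len(cert_payload), 0x0200, 0x0002) + cert_payload
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", PE_OFF)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 60, SIZE_OF_HEADERS)
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                  # CheckSum (not hashed)
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 144, CERT_OFF, len(win_cert))   # DataDirectory[SECURITY]
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", SECTION_RAW_SIZE, 0x1000, SECTION_RAW_SIZE,
        SECTION_RAW_OFF, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + bytes(opt) + sect).ljust(SIZE_OF_HEADERS, b"\0")
    return headers + b"\xC3" * SECTION_RAW_SIZE + win_cert     # constructed code bytes


def layout(data: bytes) -> dict:
    """Offsets the hash needs; handles both PE32 and PE32+ optional headers."""
    pe = struct.unpack_from("<I", data, 60)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    secdir = opt + (112 if magic == 0x20B else 96) + 4 * 8      # DataDirectory[4]
    cert_off, cert_size = struct.unpack_from("<II", data, secdir)
    return {"checksum": opt + 64, "secdir": secdir,
            "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
            "nsect": struct.unpack_from("<H", data, pe + 6)[0],
            "sect_hdr": opt + struct.unpack_from("<H", data, pe + 20)[0],
            "cert_off": cert_off, "cert_size": cert_size}


def authenticode_hash(data: bytes) -> str:
    """SHA-256 image hash: everything except CheckSum, the security directory
    entry and the certificate table (the regions a signer cannot cover)."""
    L = layout(data)
    h = hashlib.sha256()
    h.update(data[:L["checksum"]])
    h.update(data[L["checksum"] + 4:L["secdir"]])
    h.update(data[L["secdir"] + 8:L["size_of_headers"]])
    sections = []
    for i in range(L["nsect"]):
        raw_size, raw_ptr = struct.unpack_from("<II", data, L["sect_hdr"] + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    end = L["size_of_headers"]
    for raw_ptr, raw_size in sorted(sections):                   # file order
        h.update(data[raw_ptr:raw_ptr + raw_size])
        end += raw_size
    # Trailing data is hashed too, minus the certificate table itself.
    h.update(data[end:L["cert_off"]] + data[L["cert_off"] + L["cert_size"]:])
    return h.hexdigest()


def stuff_certificate_table(data: bytes, extra: bytes) -> bytes:
    """Append bytes to the certificate table and fix up the two length fields
    that describe it (WIN_CERTIFICATE.dwLength, directory Size); neither is hashed."""
    L = layout(data)
    assert L["cert_off"] + L["cert_size"] == len(data), "cert table must be at EOF"
    out = bytearray(data) + extra
    struct.pack_into("<I", out, L["cert_off"], L["cert_size"] + len(extra))
    struct.pack_into("<I", out, L["secdir"] + 4, L["cert_size"] + len(extra))
    return bytes(out)


def der_len(blob: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE (short or long form)."""
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def trailing_cert_data(data: bytes) -> bytes:
    """Bytes in the certificate table that lie past the end of the DER object."""
    L = layout(data)
    blob = data[L["cert_off"] + 8:L["cert_off"] + L["cert_size"]]
    return blob[der_len(blob):]


def compare(a: bytes, b: bytes) -> dict:
    """The check G DATA describes: same image hash, different certificate table."""
    la, lb = layout(a), layout(b)
    return {"same_image_hash": authenticode_hash(a) == authenticode_hash(b),
            "same_file_hash": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
            "same_cert_table": a[la["cert_off"]:] == b[lb["cert_off"]:]}


if __name__ == "__main__":
    benign = build_pe()
    evil = stuff_certificate_table(benign, b"Title=Updating Windows;Silent=False")
    print(compare(benign, evil))          # image hash equal, file hash and cert table differ
    print(trailing_cert_data(evil))
```

Two caveats for anyone turning this into a detection. First, `trailing_cert_data` only catches bytes appended after the PKCS#7 object; the campaign described here stores its configuration inside the PKCS#7 as unauthenticated `SignerInfo` attributes, which sit within the DER object and need an ASN.1 parser to enumerate. Second, the comparison in `compare` is the robust signal either way: two files with an identical image hash but different certificate tables carry the same signed code and differ only in unsigned content, which is exactly the pattern G DATA reports.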
Cases documented on BleepingComputer and Reddit show consistent patterns: users infected after downloading utilities from phishing sites or malicious Facebook ads. Most antivirus solutions, as of May 2025, still failed to detect these implants.