Attack chain for the ScreenConnect deployment | Image: ThreatLabz
Security researchers have uncovered a new threat that turns the simple act of downloading a document reader into a full remote-access compromise. In February 2026, Zscaler ThreatLabz identified a multi-stage attack chain that uses a fake Adobe Acrobat Reader download to quietly install ConnectWise's ScreenConnect, a legitimate remote access tool, for malicious ends.
The campaign is notable not for a single novel exploit but for its heavy use of obfuscation and in-memory execution, which lets it slip past tools that rely on on-disk artifacts and static signatures.
The chain is built around evasion. By executing the payload directly in memory, it avoids creating the on-disk artifacts that many security products and forensic workflows depend on for detection and analysis.
According to the ThreatLabz analysis, "The attack uses .NET reflection to keep payloads in memory only, which helps it evade signature-based defenses and hinder forensic examination". This "fileless" approach leaves significantly less evidence for incident responders once a system has been compromised. It is fileless only in the middle of the chain, however: the lure download and the VBScript loader still land on disk, and so does the ScreenConnect client that is ultimately installed. What never touches disk is the reflectively loaded .NET stage, so responders should expect to recover the download, the script and the ScreenConnect install, but not the intermediate payload.
Beyond simple in-memory execution, the loaders themselves are heavily protected against analysis. Researchers noted that the “attack uses heavy obfuscation and direct in-memory execution to deploy ScreenConnect”.
A key component of this evasion is a specialized VBScript loader designed to defeat security sandboxes. This loader "dynamically reconstructs strings and objects at runtime to defeat static analysis and sandboxing". Because it assembles its commands only as it runs, any scanner that inspects the script before execution sees opaque data rather than recognizable COM object names or command strings.
Once the initial lure is successful, the attack chain focuses on consolidating control. It uses a known but effective method to gain administrator rights without ever alerting the user. Specifically, "Auto-elevated Component Object Model (COM) objects are abused to bypass User Account Control (UAC) and run with elevated privileges without user prompts". One practical caveat: auto-elevation only applies to accounts that are already members of the local Administrators group under default UAC settings, so this step matters most on endpoints where users routinely run as local admins; a standard-user account would not be silently elevated this way.
Furthermore, the attackers manipulate how the operating system perceives the running malware. Through "Process Environment Block (PEB) manipulation," the malware can "masquerade the loader's running Windows process, helping it blend in and avoid endpoint detection and response (EDR) alerts".
This incident highlights a growing and dangerous trend where legitimate, professional software like ScreenConnect is repurposed by attackers. While these tools are essential for IT support and remote work, their power makes them highly attractive for malicious use when delivered through such a stealthy mechanism.
As ThreatLabz concludes, while ScreenConnect is a legitimate tool, this chain demonstrates that it "can be leveraged for malicious purposes".
Security teams are advised to monitor for unusual VBScript activity, in particular script hosts (wscript.exe, cscript.exe) launched from user download or temp directories, and to audit the use of remote access tools within their environments, checking that every ScreenConnect client on the estate belongs to the deployment IT actually authorized rather than serving as a backdoor.
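One way to act on that advice, as an added example that is not part of the ThreatLabz report or the article: a small triage pass over process-creation events that flags the two behaviours named above and correlates them into the chain the article describes. The event format, the process ancestry, the sample events, and the `support.example.com` relay host are all constructed for this example; the assumption that a ScreenConnect client's relay host appears as an `h=` parameter in its command line is the author's, and should be checked against a client your own IT team deployed before relying on it.

```python
"""Triage constructed process-creation events for (1) VBScript hosts launched
from user-writable paths and (2) ScreenConnect clients not pointed at an
authorised relay. Added example; not ThreatLabz or ConnectWise code."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCREENCONNECT_CLIENTS = {
    "screenconnect.clientsetup.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}
# Hypothetical: the relay host(s) your own ScreenConnect deployment uses.
AUTHORISED_RELAYS = {"support.example.com"}
# Paths an ordinary user can write to; scripts run from here are suspect.
USER_WRITABLE = re.compile(r"\\(downloads|appdata\\local\\temp|windows\\temp)\\", re.I)
# Assumption: the client command line carries the relay as "h=<host>".
RELAY_PARAM = re.compile(r"[?&]h=([A-Za-z0-9.-]+)")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    severity: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_host_from_user_path(ev: ProcEvent) -> bool:
    """wscript/cscript running a script located under Downloads or Temp."""
    return basename(ev.image) in SCRIPT_HOSTS and bool(USER_WRITABLE.search(ev.cmdline))


def unauthorised_screenconnect(ev: ProcEvent) -> bool:
    """ScreenConnect client whose relay is missing or not on the allow-list."""
    if basename(ev.image) not in SCREENCONNECT_CLIENTS:
        return False
    m = RELAY_PARAM.search(ev.cmdline)
    return m is None or m.group(1).lower() not in AUTHORISED_RELAYS


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Walk ppid links upward; stop at unknown pids or a cycle."""
    chain, cur, seen = [], ev, set()
    while cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def triage(events: list) -> list:
    by_pid = {e.pid: e for e in events}
    findings, flagged_hosts = [], set()
    for ev in events:
        if script_host_from_user_path(ev):
            flagged_hosts.add(ev.pid)
            findings.append(Finding(ev.pid, "vbscript-from-user-writable-path", "medium"))
    for ev in events:
        if unauthorised_screenconnect(ev):
            # Escalate when a flagged script host is in the ancestry, i.e. the
            # fake-installer -> VBScript -> ScreenConnect chain is visible.
            linked = any(a.pid in flagged_hosts for a in ancestors(ev, by_pid))
            findings.append(Finding(ev.pid, "screenconnect-unauthorised-relay",
                                    "high" if linked else "medium"))
    return findings


# Constructed sample telemetry: a browser downloads a fake Acrobat installer,
# which runs a VBScript from Temp, which launches an unauthorised client.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
    ProcEvent(200, 100, r"C:\Users\alice\Downloads\AcrobatReaderSetup.exe",
              r'"C:\Users\alice\Downloads\AcrobatReaderSetup.exe"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\upd.vbs"'),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
              r'"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientSetup.exe" '
              r'"?e=Access&y=Guest&h=relay.attacker.invalid&p=8041"'),
    # Legitimate IT-deployed client: authorised relay, so not flagged.
    ProcEvent(500, 1, r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
              r'"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe" '
              r'"?e=Access&y=Guest&h=support.example.com&p=8041"'),
    # Managed logon script from a non-user-writable path: not flagged.
    ProcEvent(600, 1, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\ProgramData\Corp\logon.vbs"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} severity={f.severity}")
```

The ancestry correlation is a bonus, not a requirement: because the chain elevates through an auto-elevated COM object, the real ScreenConnect install may be spawned by a COM surrogate rather than by the script host, which breaks the parent chain. That is why the relay allow-list rule fires on its own at medium severity and only escalates when the chain happens to be visible.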