SILENTCONNECT attack diagram | Image: Elastic Security Labs
Elastic Security Labs has uncovered a sophisticated new infection chain involving a previously undocumented loader dubbed SILENTCONNECT. This stealthy newcomer is being used in the wild to deliver Remote Monitoring and Management (RMM) tools, allowing threat actors to gain “hands-on keyboard access” to victim machines while blending seamlessly into legitimate corporate network traffic.
The campaign is notable for its tactical use of “living-off-the-land” binaries (LOLBins) and its reliance on high-trust infrastructure, specifically Google Drive and Cloudflare, to host malicious payloads.
The attack begins not with a complex exploit, but with a simple social engineering lure. Users are diverted to a Cloudflare Turnstile CAPTCHA page disguised as a digital invitation.
As the report details:
“The infection begins when users are diverted to a Cloudflare Turnstile CAPTCHA page under the guise of a digital invitation. After the link is clicked, a VBScript file is downloaded to the machine”.
Once the victim executes this script, the technical heavy lifting begins. The script retrieves C# source code, which is compiled and executed directly in memory via PowerShell, a move designed to leave as small a forensic footprint as possible on disk.
The final payload delivered in these campaigns is typically ConnectWise ScreenConnect, a legitimate RMM tool that, in the hands of an attacker, provides total control over the infected system. SILENTCONNECT’s primary job is to ensure this tool is installed without raising any alarms.
Key Technical Features of SILENTCONNECT:
- Defense Evasion: The loader includes specialized code for Windows Defender exclusion and User Account Control (UAC) bypass.
- Low-Level Execution: It leverages NT API calls and PEB masquerading to hide its activities from security monitoring tools.
- Trusted Delivery: By using Google Drive and Cloudflare for hosting, the attackers ensure that “network-based controls are unlikely to block traffic to these services outright”.
The most concerning aspect of this campaign is the abuse of tools that IT departments use every day. Elastic Security Labs notes that because RMM tools like ScreenConnect and Syncro are standard in many environments, they are “typically overlooked and considered ‘trusted’ in most corporate environments”.
This trend of “RMM adoption by threat actors” allows them to maintain persistence and move laterally through a network without needing to write complex, signature-heavy custom malware.
The simplicity and effectiveness of SILENTCONNECT serve as a wake-up call for modern security teams. To defend against these evolving threats, Elastic Security Labs recommends:
- Environment Auditing: Organizations must stay vigilant, specifically auditing their environments for any unauthorized or unexpected RMM usage.
- Behavioral Monitoring: Relying on file signatures is no longer enough; teams must monitor for LOLBins (such as PowerShell or VBScript hosts) initiating unusual network connections to cloud storage providers.
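The following is an added example, not code from Elastic Security Labs or from the report, showing what the behavioral-monitoring recommendation looks like as concrete detection logic. It runs over constructed Sysmon-style process-creation and network-connection events and raises two kinds of alert that map onto the chain described above (VBScript host, then PowerShell, then an RMM client): a script host or PowerShell connecting to a cloud storage host, and an RMM installer whose process ancestry contains such a LOLBin. The event schema, the LOLBin list, the cloud host watchlist (only the Google Drive entries are real hosts; the Cloudflare entry is a placeholder because the report does not name the domains used) and the RMM name heuristics are all assumptions to be adapted to your own telemetry.

```python
"""Detection logic over constructed Sysmon-style events (added example).

Two rules, both in the defender's interest:
  1. lolbin_to_cloud_storage   - a script host / PowerShell opens a network
                                 connection to a cloud storage host.
  2. rmm_launched_by_lolbin    - an RMM client process has a LOLBin somewhere
                                 in its parent chain, not only as direct parent.
"""
from __future__ import annotations

# Living-off-the-land script hosts (assumption: illustrative list, extend it).
LOLBINS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Cloud hosting suffixes. drive.google.com / googleusercontent.com are real
# Google Drive hosts; the last entry is a placeholder for the Cloudflare-hosted
# domain(s), which the report does not name.
CLOUD_HOST_SUFFIXES = ("drive.google.com", "googleusercontent.com", "CLOUDFLARE-HOSTED-DOMAIN.invalid")

# Substrings that identify RMM client binaries named in the report (heuristic).
RMM_TAGS = ("screenconnect", "syncro")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_process_tree(events: list[dict]) -> dict[int, tuple[str, int]]:
    """Map pid -> (image basename, parent pid) from process_create events."""
    tree = {}
    for e in events:
        if e["type"] == "process_create":
            tree[e["pid"]] = (basename(e["image"]), e["ppid"])
    return tree


def ancestry(tree: dict, pid: int, max_depth: int = 10) -> list[str]:
    """Image names from pid upward through its parents, nearest first."""
    chain = []
    while pid in tree and len(chain) < max_depth:
        image, ppid = tree[pid]
        chain.append(image)
        pid = ppid
    return chain


def is_cloud_host(host: str) -> bool:
    """Exact or subdomain match against the watchlist, case-insensitive."""
    host = host.lower().rstrip(".")
    return any(host == s.lower() or host.endswith("." + s.lower()) for s in CLOUD_HOST_SUFFIXES)


def detect(events: list[dict]) -> list[dict]:
    """Return one alert dict per rule hit, in event order."""
    tree = build_process_tree(events)
    alerts = []
    for e in events:
        image = basename(e["image"])
        if e["type"] == "network_connect" and image in LOLBINS and is_cloud_host(e["dest_host"]):
            alerts.append({"rule": "lolbin_to_cloud_storage", "pid": e["pid"], "image": image,
                           "dest": e["dest_host"], "ancestry": ancestry(tree, e["pid"])})
        elif e["type"] == "process_create" and any(tag in image for tag in RMM_TAGS):
            chain = ancestry(tree, e["ppid"])  # walk the whole parent chain
            if any(parent in LOLBINS for parent in chain):
                alerts.append({"rule": "rmm_launched_by_lolbin", "pid": e["pid"], "image": image,
                               "ancestry": chain})
    return alerts


# Constructed sample telemetry: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network_connect", "pid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "drive.google.com", "dest_port": 443},
    {"type": "process_create", "pid": 400, "ppid": 300,
     "image": r"C:\Users\victim\AppData\Local\Temp\ScreenConnect.ClientSetup.exe"},
    # Benign: a browser talking to Google Drive is not a LOLBin.
    {"type": "process_create", "pid": 500, "ppid": 100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"type": "network_connect", "pid": 500, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "drive.google.com", "dest_port": 443},
    # Benign: IT-installed RMM client started from the shell, no LOLBin ancestor.
    {"type": "process_create", "pid": 600, "ppid": 100,
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Walking the full parent chain rather than checking only the immediate parent is the point of the second rule: in the chain the report describes, the RMM client is a grandchild of the VBScript host, and a direct-parent check would see only PowerShell. The two benign events show the expected false-positive controls, a browser reaching Google Drive and an RMM client started from the desktop shell, neither of which fires.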
“As threat actors continue to favor simplicity and stealth over sophistication, campaigns of this nature are likely to persist and evolve”.