ScreenConnect
ScreenConnect, also known as ConnectWise Control, is a legitimate commercial remote management and remote desktop tool that is widely used by IT administrators but is heavily abused by threat actors as a remote access trojan and persistence mechanism. Across the provided reporting, attackers repeatedly delivered preconfigured ScreenConnect installers through phishing, SEO poisoning, malvertising, fake software download sites, ClickFix lures, tax-themed campaigns, fake meeting or document workflows, and post-exploitation deployment following compromise of edge devices such as NetScaler and Cisco Secure Firewall Management Center. In multiple campaigns, ScreenConnect was installed via MSI packages or repackaged installers, often using DLL sideloading chains, PowerShell downloaders, VBS droppers, or malicious loaders such as SILENTCONNECT. Threat actors also abused both self-hosted ScreenConnect servers and ConnectWise cloud trial instances, generating legitimate ConnectWise-signed installers that auto-enrolled victims into attacker-controlled relays.
The tool was used for persistent unattended remote access, hands-on-keyboard control, file transfer, command execution, and lateral movement, and as a staging point for additional malware. Reported follow-on payloads and activity included AsyncRAT, cryptocurrency miners such as gminer, lolMiner, and SRBMiner-MULTI, FatMalloc, HwAudKiller, Tactical RMM, MeshAgent, QEMU-based post-exploitation environments, credential dumping, Azure and Microsoft cloud control-plane abuse, and potential ransomware staging. Several reports explicitly note that attackers deploy ScreenConnect alongside other RMM tools or custom implants to maintain redundant access.
Associated threat actors and clusters mentioned in the content include MERCURY/Mango Sandstorm, Storm-2949, Interlock ransomware operators, TA583, TA2725, UAC-0050, ZPHP-linked activity, and multiple unknown financially motivated or phishing operators. Targeting described in the content spans enterprise users, tax preparers, accountants, organizations in sectors such as financial services, healthcare, education, manufacturing, retail, technology, government, transportation, and users seeking popular software utilities or tax documents.
High-confidence indicators and artifacts directly mentioned in the content include attacker-controlled or abused ScreenConnect infrastructure such as 185.241.208[.]243:9090, 80.76.49[.]161:8040 and :8041, 193.42.11[.]108 with host parameter directdownload[.]icu, bumptobabeco[.]top:8041, meeting.bulletmailer[.]net:8041, instance-w08c5r-relay.screenconnect.com, instance-lh1907-relay.screenconnect[.]com, and multiple cloud relay instances including instance-lssdvv, instance-i3onzo, instance-q6uelv, instance-y9neh7, instance-ig2xes, instance-jsdbls-relay.screenconnect[.]com, instance-wj25xo-relay.screenconnect[.]com, and instance-rith2x-relay.screenconnect[.]com. File and path artifacts mentioned include ScreenConnect.ClientSetup.msi, ScreenConnect.ClientService.exe, C:\Program Files (x86)\ScreenConnect Client, %ProgramFiles%\Windows Service, and service names such as AppMgmt and deceptive names such as Microsoft Update Service. Persistence-related artifacts directly cited include ScreenConnect Windows services, SafeBoot registration, Windows Authentication Package and Credential Provider registration, and registry/service paths under HKLM\SYSTEM\ControlSet001\Services\ScreenConnect Client [client identifier].
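A read-only hunt over the persistence artifacts the summary above names (service binary and install path, SafeBoot registration, LSA authentication packages, credential providers, relay host), written as an added example for this page rather than taken from any cited report; it assumes the client service's ImagePath carries the relay host in an h= parameter and that a stock install's only LSA authentication package is msv1_0.

```powershell
# Added example, not taken from the source reporting: read-only hunt for the
# persistence artifacts the reporting ties to abused ScreenConnect clients.
# Assumption: the client service's ImagePath carries the relay host in an h= parameter.

function Get-ScreenConnectServices {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $img = [string](Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        # Key on the binary, not the service name: reporting shows renamed services
        # (AppMgmt, "Microsoft Update Service") and relocation to %ProgramFiles%\Windows Service.
        if ($img -match 'ScreenConnect\.ClientService\.exe|\\Windows Service\\') {
            $relay = if ($img -match '[?&]h=([^&"\s]+)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Service     = $_.PSChildName
                Relay       = $relay
                VendorRelay = $relay -like '*.screenconnect.com'   # self-hosted relays stand out
                ImagePath   = $img
            }
        }
    }
}

function Get-SafeBootRegistrations {
    # A SafeBoot entry keeps the service alive through a forced Safe Mode reboot
    # (the SetSafeModeReboot behaviour described in the reporting).
    foreach ($mode in 'Minimal', 'Network') {
        Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode" -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match 'ScreenConnect|Windows Service|AppMgmt' } |
            ForEach-Object { [pscustomobject]@{ Mode = $mode; Entry = $_.PSChildName } }
    }
}

function Get-LogonHooks {
    # LSA authentication packages (assumed baseline on a stock install: msv1_0) and
    # credential providers, both cited as registration points in the reporting.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($pkg in @($lsa.'Authentication Packages')) {
        [pscustomobject]@{ Kind = 'AuthPackage'; Value = $pkg; Baseline = ($pkg -eq 'msv1_0') }
    }
    $cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    Get-ChildItem $cpRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        # Heuristic: a bare DLL name or a System32 path is expected; anything else warrants review.
        [pscustomobject]@{ Kind = 'CredProvider'; Value = "$($_.PSChildName) -> $dll"; Baseline = ($dll -notmatch '\\' -or $dll -like '*\System32\*') }
    }
}

Get-ScreenConnectServices | Format-Table -AutoSize
Get-SafeBootRegistrations | Format-Table -AutoSize
Get-LogonHooks | Where-Object { -not $_.Baseline } | Format-Table -AutoSize
```

Run from an elevated PowerShell session; an empty result for the first two functions on a host that should not have ScreenConnect installed is the expected clean outcome.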
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories.
First observed in February 2026, the STAC3725 campaign exploits the CitrixBleed2 vulnerability (CVE-2025-5777) to gain access and then installs a malicious ScreenConnect client to maintain persistence.
...Fortinet FortiClient EMS... exploited... The vulnerability in question is CVE-2023-48788... SQL injection...
Groups observed using it
6 distinct threat actors attributed by public researchers.
MERCURY operators include links to or directly attach commercial remote access tools, such as ScreenConnect, in these initial phishing mails.
The operator establishes endpoint persistence via two legitimately-signed RMMs deployed in parallel: ConnectWise ScreenConnect from attacker infrastructure at 185.241.208[.]243:9090 ... MALWARE ScreenConnect / ConnectWise (legitimate build abused via deployment vector), Evilconwi (Malpedia family alias for the Storm-2949 ScreenConnect variant)
In 2024, Proofpoint researchers observed a notable increase in the use of RMM tools from cybercriminal threat actors in documented campaigns, including using payloads such as ScreenConnect, Fleetdeck, and Atera.
In many cases, victims were prompted to download remote monitoring and management tools such as LogMeIn, AnyDesk or ScreenConnect, giving attackers persistent access to compromised systems.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
5 techniques
authorities warn the same tactics could be used by APT actors in order to gain persistence within a network.
That link leads to a compromised WordPress website hosting a convincing fake Adobe page designed to trick users into triggering a malware download without realizing it.
The campaign works by sending phishing emails that look like legitimate Adobe Document Cloud file-sharing notifications. Victims are told a confidential project document has been uploaded to Adobe Document Cloud and are given a link to view it.
The intrusion chain likely begins with a social engineering or phishing-based delivery mechanism distributing a malicious PowerShell payload disguised as a legitimate JPEG image file named sysupdate.jpeg through phishing emails, malicious attachments, deceptive cloud-sharing links, fake software updates, or user-driven download interactions.
MuddyWater began using "fully signed" and legitimate RMM tools as part of its attack chain in 2020, often by including links in phishing emails designed to trick victims into downloading and executing RMM installers.
Execution
2 techniques
The malware uses the root\SecurityCenter2 namespace to silently retrieve installed security product names, executable paths, and operational states.
DLL sideloading (T1574.001) is a technique in which attackers place a malicious DLL in a location that a legitimate application will load instead of the expected library... Among these is a malicious libvlc.dll, which, as a core dependency of vlc.exe, is sideloaded early in the application's execution.
Because Windows searches for DLLs in specific directories, the malicious DLL is loaded and executed when the trusted program starts.
Persistence
2 techniques
Privilege Escalation
3 techniques
Additional functions such as CreateProcessAsUser() and CreateRemoteProcess() capable of launching processes under alternate user tokens or remote sessions, alongside token manipulation APIs including DuplicateToken(), ImpersonateLoggedOnUser(), and EnableCurrentProcessPrivilege().
Stealth
7 techniques
File names are customized to match the victim’s business context, such as using a company name in the installer file, making the download appear even more legitimate at first glance.
The malicious DLL then uses msiexec.exe to silently install another malicious file named vcredist_x64.dll, disguised as a Visual C++ Redistributable package.
The malware additionally evaluates processor counts, machine manufacturers, and virtual machine indicators to identify sandboxed or virtualized analysis environments and reduce exposure to automated malware analysis systems.
Persistence, T1564.001 (Hide Artifacts: Hidden Files and Directories): hidden staging inside C:\Systems and invisible accounts using showInLogon=false
Credential Access
2 techniques
Credential Provider interception through named pipe IPC communication... The malware installs itself into the Windows authentication workflow and silently monitors login activity.
Discovery
4 techniques
The collected information includes: logged-on usernames, Active Directory domains, hostnames, operating system versions, CPU model information, installed memory, MAC addresses, internal IP addresses, hardware serial numbers, timezone information, last boot timestamps, and raw screenshot data.
The malware implements a multi-layer inheritance chain named GuestInfoMessage1-4 responsible for extensive victim profiling... The collected information includes: logged-on usernames, Active Directory domains...
A second script named <Random-Text>run.cmd launches a hidden PowerShell command leveraging WMI to enumerate installed antivirus solutions... using the root\SecurityCenter2 namespace.
Lateral Movement
1 technique
Malicious actors are using remote management and monitoring software to launch phishing attacks against federal employees... The attacks have leveraged otherwise legitimate RMM tools like ScreenConnect — now ConnectWise Control — and AnyDesk
Collection
4 techniques
Credential Access, T1056.001 (Input Capture: Keylogging): LowLevelKeyboardHooker leveraging SetWindowsHookEx()
Recovered capabilities include: real-time screen monitoring, continuous video recording... Figure 14: Decompiled SessionConnectionInfoAttributes capability flags exposing extensive attacker functionality including real-time screen surveillance.
Recovered capabilities include: ... Microphone surveillance ... Extensive Surveillance Features: The framework supported ... microphone interception, speaker audio capture.
Command and Control
4 techniques
Encrypted Command-and-Control: The malware established encrypted communications with attacker-controlled infrastructure hosted on legitserver.theworkpc[.]com over non-standard ports (5443 and 8041).
this helper module installs a packaged version of the commercial tool ScreenConnect ... abuse this trusted software to transfer secondary malicious components directly
Analysis confirmed that the malware uses a custom PBKDF2/HMAC-SHA256 based iterative key derivation mechanism to generate independent encryption keys and initialization vectors for inbound and outbound traffic channels.
Exfiltration
1 technique
RMM has become a more prominent vector for initial access, persistence, and data exfiltration
Impact
1 technique
The SetSafeModeReboot() routine enables forced reboots into Safe Mode, where many security tools and endpoint protection solutions become inactive.
IOCs tracked for this family
157 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
47 sources tracked across advisories, community write-ups, and news.
A legitimate remote administration tool that, in this campaign, was installed to obtain long-term remote access to victims' devices.
A legitimate remote management tool abused by the attackers to establish persistent remote access on compromised systems, transfer additional payloads, and potentially enable follow-on activity such as data theft, lateral movement, or ransomware.
A legitimate remote management tool abused by the threat actor to establish persistent remote access, transfer payloads such as SimpleRunPE.exe, and support follow-on malicious activity.
A legitimate remote management tool abused in this campaign to establish persistent remote access, transfer files, and support hands-on-keyboard activity that could enable data theft, lateral movement, or later ransomware activity.