Mallory

ConnectWise

ConnectWise (ATT&CK S0591) is a legitimate, signed remote access tool that adversaries abuse on compromised hosts. Reported capabilities include executing PowerShell commands on target machines, taking screenshots, and recording video on remote hosts. Because its binaries and network communications blend into normal administrative traffic, detection is difficult, particularly where IT teams also use the software legitimately. It is explicitly associated with the ATT&CK techniques Command and Scripting Interpreter: PowerShell, Screen Capture, and Video Capture, and GOLD SOUTHFIELD has used ConnectWise to obtain screen captures from victim machines. No specific infection vector or concrete IOC values are provided in the source material.
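As an added example (not from this page, ConnectWise, or Mallory), the following Python triages constructed Sysmon-style process-creation events for the pattern described above: the client itself is only unexpected on hosts where IT does not use it, while a PowerShell or cmd child of the client is flagged everywhere. The ScreenConnect client executable names and the host list are assumptions, not values stated on the page.

```python
from dataclasses import dataclass

# Client process names assumed for ConnectWise (ScreenConnect); they are not
# stated on this page, so verify them against your own installs.
CONNECTWISE_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

@dataclass(frozen=True)
class ProcEvent:
    """One Sysmon-style process-creation record (constructed for the demo)."""
    host: str
    image: str         # path of the new process
    parent_image: str  # path of the process that spawned it

def basename(path: str) -> str:
    """Lower-cased file name, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(events, approved_hosts):
    """Return (host, reason) findings. approved_hosts are machines where IT
    legitimately runs ConnectWise: the client is expected there (T1219), but a
    shell it spawns is still flagged (T1059.001), since that is how an operator
    runs commands through the tool."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if img in CONNECTWISE_IMAGES and ev.host not in approved_hosts:
            findings.append((ev.host, "ConnectWise client on non-approved host (T1219)"))
        if parent in CONNECTWISE_IMAGES and img in SHELLS:
            findings.append((ev.host, f"{img} spawned by ConnectWise client (T1059.001)"))
    return findings

# Constructed sample telemetry: host names and paths are invented, not real IOCs.
CW_SVC = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"
CW_UI = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("IT-ADMIN01", CW_SVC, r"C:\Windows\System32\services.exe"),  # expected
    ProcEvent("IT-ADMIN01", PS, r"C:\Windows\explorer.exe"),               # benign
    ProcEvent("FIN-WS07", CW_SVC, r"C:\Windows\System32\services.exe"),    # T1219
    ProcEvent("FIN-WS07", PS, CW_SVC),                                      # T1059.001
    ProcEvent("IT-ADMIN01", r"C:\Windows\System32\cmd.exe", CW_UI),         # T1059.001
]
APPROVED_HOSTS = {"IT-ADMIN01"}

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS, APPROVED_HOSTS):
        print(f"{host}: {reason}")
```

The allowlist is what keeps this usable where the tool is sanctioned; without it every IT workstation would alert on the service start alone.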


MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1588.002 Tool (evidence: 3)

The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.

Initial Access

1 technique
T1078.004 Cloud Accounts (evidence: 1)

Credential phishing serves as the initial-access vector, with a "technical interview" social-engineering pretext during which the operator drives an MFA-fatigue / SSPR-rotation sequence to seize Microsoft Entra ID accounts.

Execution

2 techniques
T1059.001 PowerShell (evidence: 3)

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

T1569.002 Service Execution (evidence: 1)

From an ATT&CK mapping table: Execution / System Services: Service Execution (T1569.002): RMM agents install as system services.

Persistence

1 technique
T1078.004 Cloud Accounts (evidence: 1; same evidence as under Initial Access)

Privilege Escalation

1 technique
T1078.004 Cloud Accounts (evidence: 1; same evidence as under Initial Access)

Stealth

2 techniques
T1036.005 Match Legitimate Resource Name or Location (evidence: 1)

From an ATT&CK mapping table: Defense Evasion / Masquerading: Match Legitimate Name or Location (T1036.005): RMM binaries are legitimate vendor software.

T1078.004 Cloud Accounts (evidence: 1; same evidence as under Initial Access)

Discovery

1 technique
T1082 System Information Discovery (evidence: 1)

Atera capabilities: remote desktop access, provided through Splashtop (default) or other supported RMM software; execute commands through PowerShell or command prompt terminal; gather system information.

Lateral Movement

1 technique
T1021 Remote Services (evidence: 3)

The content references repeated use of remote administration and remote execution tools such as PsExec, AnyDesk, Atera, ConnectWise, RemoteUtilities, SimpleHelp, PcShare, VNC, and commodity remote access tools.

Collection

2 techniques
T1113 Screen Capture (evidence: 2)

"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"

T1125 Video Capture (evidence: 2)

Agent Tesla can access the victim’s webcam and record video. AsyncRAT can record screen content on targeted systems. Bandook has modules that are capable of capturing video from a victim's webcam. ... ZxShell has a command to perform video device spying.

Command and Control

3 techniques
T1090.003 Multi-hop Proxy (evidence: 1)

From an ATT&CK mapping table: Command and Control / Proxy: Multi-hop Proxy (T1090.003): ConnectWise cloud relays proxy through OVH backend servers.

T1105 Ingress Tool Transfer (evidence: 1)

RMM tools often enable file sharing between compromised machines and those of attackers, as well as the execution of arbitrary commands. These features empower attackers to easily drop and execute additional tools or malware, or exfiltrate data.

T1219 Remote Access Tools (evidence: 8)

MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.
