Federal Employees Hit by Phishing Campaign Abusing ScreenConnect and AnyDesk
CISA, the NSA, and MS-ISAC warned that a financially motivated phishing campaign targeted U.S. federal civilian executive branch personnel by abusing legitimate remote monitoring and management tools, notably ScreenConnect and AnyDesk. Help desk-themed phishing emails and typosquatted domains impersonating brands including Norton, Geek Squad, Amazon, Microsoft, McAfee, and PayPal lured victims into downloading portable RMM executables that often required no installation or administrator privileges, giving attackers remote access to victim systems.
The attackers used that access to run refund scams, manipulating victims’ online bank account views and convincing them to send money back to the fraudsters. The agencies said the same foothold could also support persistence, command and control, lateral movement, or resale of access to other criminal or state-linked actors, and urged defenders to review indicators of compromise, audit RMM usage, monitor execution of portable binaries, restrict remote access pathways, block common RMM ports, and strengthen phishing defenses and user awareness. ConnectWise said legitimate software can be misused by threat actors and that it pursues takedowns of malicious sites when notified.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
ConnectWise says it is assisting and pursuing takedowns
Following the advisory, ConnectWise stated that its ScreenConnect software can be misused by threat actors, that it submits takedown requests for malicious sites and domains when alerted, and that it was engaging impacted federal agencies for more information.
CISA, NSA, and MS-ISAC publish joint advisory on RMM abuse
On January 26, 2023, CISA, NSA, and MS-ISAC issued a joint cybersecurity advisory warning that cybercriminals were abusing legitimate RMM software in a widespread campaign against federal networks. The advisory detailed the use of portable executables, refund scam tactics, indicators of compromise, and mitigation guidance for defenders.
CISA identifies the campaign through retrospective EINSTEIN analysis
CISA identified the malicious campaign in October 2022 through retrospective analysis of EINSTEIN data. The activity was linked to phishing emails, typosquatting infrastructure, and brand impersonation themes involving companies including Norton, Geek Squad, Amazon, Microsoft, McAfee, and PayPal.
Phishing campaign abusing RMM tools begins targeting federal personnel
A financially motivated phishing campaign targeting U.S. federal civilian executive branch personnel was active by at least June 2022. The actors used help desk-themed lures to trick victims into downloading legitimate remote monitoring and management tools such as ScreenConnect and AnyDesk.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Protecting Against Malicious Use of Remote Monitoring and Management Software | CISA
cisa.gov
Open sourceCISA: Federal Employees Targeted in Malicious Cyber Threat Campaign Using RMM Software | TechTarget
techtarget.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Weaponize Legitimate RMM Tools for Remote Access and Credential Theft
Threat researchers reported multiple phishing-driven intrusions in which attackers impersonate trusted brands and agencies to trick victims into installing legitimate remote monitoring and management (RMM) software for persistent access. In **Operation DoppelBrand**, financially motivated actor **GS7** spoofed Fortune 500 financial and technology brands (including **Wells Fargo** and **USAA**) using more than **150** lookalike domains to harvest credentials and exfiltrate data via attacker-controlled **Telegram bots**; researchers also identified nearly **200** additional domains with short registration terms, automated SSL, wildcard DNS, and brand-specific subdomains supporting the campaign. Separately, Forcepoint X-Labs described a wave of emails impersonating the **U.S. Social Security Administration** that delivers an attached `.cmd` script to weaken Windows defenses and enable silent installation of **ConnectWise ScreenConnect**. The script checks/elevates privileges, disables **Windows SmartScreen** via registry changes, removes **Mark-of-the-Web**, and uses **Alternate Data Streams (ADS)** for stealth before installing an MSI and configuring ScreenConnect (via `System.config`) to beacon to an attacker-controlled server (reported as `dof-connecttop` on port `8041`). Both activity sets highlight a recurring tradecraft pattern: **brand impersonation + scripted defense evasion + abuse of legitimate RMM tooling** (e.g., *LogMeIn Resolve*, *ScreenConnect*) to gain remote control and facilitate follow-on theft or persistence.
Mar 21, 2026
Phishing Campaigns Delivering Malware via Disguised, Signed Installers and Malicious Attachments
Security researchers reported active phishing activity targeting enterprise users by impersonating routine workplace workflows (e.g., meeting invites, invoices, and document notifications) to trick recipients into running malware. One campaign used executables masquerading as *Microsoft Teams*, *Zoom*, and *Adobe Acrobat Reader* installers (e.g., `msteams.exe`, `zoomworkspace.clientsetup.exe`, `adobereader.exe`, `invite.exe`) that appeared trustworthy because they were **digitally signed** with an Extended Validation (EV) certificate issued to **TrustConnect Software PTY LTD**. Microsoft Defender telemetry attributed the activity to an unknown threat actor and assessed the approach as a deliberate, multi-wave effort designed to bypass user suspicion and basic security controls. After execution, the signed malware deployed **remote monitoring and management (RMM)** tooling—reported examples include **ScreenConnect**, **Tactical RMM**, and **Mesh Agent**—to establish persistent remote access and enable follow-on actions across affected environments. Separately, reporting also highlighted phishing lures distributing **malicious ISO attachments** embedded in job application/resumé-themed emails, reinforcing that attackers continue to rely on socially engineered business processes (recruiting and HR workflows in particular) to deliver initial payloads and gain a foothold.
Mar 21, 2026
Social-engineering campaigns abusing legitimate remote access tools (ScreenConnect and RustDesk)
Two separate social-engineering campaigns are abusing legitimate remote access software to obtain interactive control of victim systems. One phishing operation uses **fake party invitation** emails—often appearing to come from **compromised email accounts**—to lure recipients to a spoofed invitation webpage that pressures them to download and run an `RSVPPartyInvitationCard.msi` installer. Malwarebytes researchers reported the activity primarily targeting the **UK**, with the MSI using `msiexec.exe` to silently install the **ScreenConnect** remote support client, enabling attackers to access files, credentials, and other sensitive data. A different, automated campaign is targeting **RustDesk** users by bombarding exposed RustDesk IDs with unsolicited connection requests labeled **“Go Client”** from many IPs/IDs. The activity is described as **not exploiting a RustDesk vulnerability**; instead it relies on users mistakenly clicking **Accept**, after which the botnet can run scripted actions to deploy additional malware and establish persistence. Recommended mitigations include refusing unexpected connection prompts and configuring RustDesk to require a **password** (and strong credentials) for session acceptance, reducing the risk of one-click authorization leading to takeover.
Apr 25, 2026