ScreenConnect Abused by Threat Actors to Gain Unauthorized Remote Access to Your Computer


Remote monitoring and management (RMM) tools have long served as indispensable assets for IT administrators, providing seamless remote control, unattended access, and scripted automation across enterprise endpoints.

In recent months, security researchers have observed a surge in adversaries repurposing ScreenConnect—a ConnectWise RMM solution—as a clandestine backdoor for initial intrusion and ongoing control.

Emerging from widespread phishing campaigns that prey on compromised credentials, these attacks leverage ScreenConnect’s flexible installer and invite-link mechanisms to slip past traditional defenses with minimal on-disk footprint.

The campaign typically begins with spear-phishing emails masquerading as legitimate IT alerts, enticing recipients to download a bespoke ScreenConnect installer or click an invite link.

Malicious email with malicious link (Source – Dark Atlas)

Once executed, the MSI package deploys entirely in memory, sidestepping signature-based antivirus detection and dropping only a transient service binary.

The implanted agent then registers as a Windows service, granting attackers unfettered access to file systems, process execution, and the host’s network stack.


Within hours, threat actors have been observed pivoting laterally, escalating privileges, and exfiltrating sensitive data under the guise of routine maintenance.

Dark Atlas analysts identified that the adversaries customize builder configurations on-the-fly, embedding unique hostnames and encrypted launch keys directly into the client’s system.config file to evade network-based indicators of compromise.

These dynamically generated parameters are mapped in an XML section of ScreenConnect.ApplicationSettings, where malicious domains resolve to attacker-controlled infrastructure.

This tactic not only obfuscates command-and-control channels but also ensures each deployment appears as a distinct operational instance to defenders.

Infection Mechanism and Installer Artifacts

The ScreenConnect installer exploits built-in RMM features to minimize detection while maintaining persistence.

Attackers generate a custom builder from the management console, choosing an MSI or EXE packager depending on the target environment.

When launched, the installer writes a WindowsClient executable and associated DLLs into a benign-looking directory—such as C:\ProgramData\ScreenConnectClient—before invoking the service with an obfuscated command line.

A typical execution snippet appears as:

Start-Process -FilePath "msiexec.exe" -ArgumentList "/i ScreenConnect.ClientSetup.msi /qn /norestart" -WindowStyle Hidden

Upon installation, the agent creates a system.config XML that stores the value attacker.example.com-203.0.113.45-1631789321000, binding the client to its command server.

Persistence is achieved through the registered Windows service named ScreenConnect ClientService, which relaunches the binary on reboot.
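The two installer artifacts above, the silent msiexec launch and the relay value written into system.config, are the points a responder can check without waiting for a memory capture. The following triage helpers are an added example, not Dark Atlas or ConnectWise code. They assume process-creation events arrive as Sysmon-style key="value" lines and that the client's system.config uses the .NET applicationSettings layout with the relay triple under a setting element; the setting name RelayEndpoint, the sanctioned host rmm.corp-it.example and all sample events are constructed placeholders. The logic is general: any msiexec silent install of a ScreenConnect package launched from a script host is flagged, and every host-ip-timestamp triple in the settings section is decoded and compared against the organisation's allowlist.

```python
"""Triage helpers for ScreenConnect-as-backdoor investigations (added example).

Assumptions (not from the article): process-creation events are Sysmon-style
key="value" lines, and system.config uses the .NET applicationSettings layout.
All sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Hostnames of the organisation's sanctioned ScreenConnect instance(s).
# Constructed placeholder; replace with the real allowlist.
SANCTIONED_RELAY_HOSTS = {"rmm.corp-it.example"}

# Constructed Sysmon-style process-creation events (not from the article).
SAMPLE_PROCESS_EVENTS = [
    'Image="C:\\Windows\\System32\\msiexec.exe" CommandLine="msiexec.exe /i ScreenConnect.ClientSetup.msi /qn /norestart" ParentImage="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"',
    'Image="C:\\Windows\\System32\\msiexec.exe" CommandLine="msiexec.exe /i VendorPatch.msi /qn" ParentImage="C:\\Program Files\\SCCM\\ccmexec.exe"',
    'Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe report.txt" ParentImage="C:\\Windows\\explorer.exe"',
]

# msiexec switches that suppress all UI, i.e. the user never sees the install.
SILENT_SWITCHES = {"/qn", "/quiet"}
# Script interpreters that a phishing lure typically hands off to.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")


def parse_event(line):
    """Turn a Sysmon-style key="value" line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def is_silent_screenconnect_install(event):
    """True when msiexec installs a ScreenConnect package silently or from a script host."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not image.endswith("msiexec.exe") or "screenconnect" not in cmd:
        return False
    silent = bool(set(cmd.split()) & SILENT_SWITCHES)
    scripted = parent.endswith(SCRIPT_HOSTS)
    return silent or scripted


# Constructed system.config; the setting name "RelayEndpoint" is an assumption.
SAMPLE_SYSTEM_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <ScreenConnect.ApplicationSettings>
    <setting name="RelayEndpoint" serializeAs="String">
      <value>attacker.example.com-203.0.113.45-1631789321000</value>
    </setting>
  </ScreenConnect.ApplicationSettings>
</configuration>
"""

# host-ip-epochms triple as seen in the article's system.config value.
ENDPOINT_RE = re.compile(
    r"^(?P<host>.+)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-(?P<ts>\d{12,13})$"
)


def parse_endpoint(value):
    """Split a 'host-ip-epochms' relay triple into fields, or return None."""
    m = ENDPOINT_RE.match(value.strip())
    if not m:
        return None
    built = datetime.fromtimestamp(int(m["ts"]) // 1000, tz=timezone.utc)
    return {"host": m["host"], "ip": m["ip"], "built_at": built.isoformat()}


def extract_relay_endpoints(config_xml):
    """Walk ScreenConnect.ApplicationSettings and return every parsable endpoint."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    section = root.find("ScreenConnect.ApplicationSettings")
    found = []
    if section is None:
        return found
    for setting in section.iter("setting"):
        parsed = parse_endpoint(setting.findtext("value") or "")
        if parsed:
            parsed["setting"] = setting.get("name")
            found.append(parsed)
    return found


def triage_config(config_xml, sanctioned=SANCTIONED_RELAY_HOSTS):
    """Return relay endpoints whose host is not a sanctioned instance."""
    return [e for e in extract_relay_endpoints(config_xml) if e["host"] not in sanctioned]


if __name__ == "__main__":
    for line in SAMPLE_PROCESS_EVENTS:
        ev = parse_event(line)
        if is_silent_screenconnect_install(ev):
            print("[!] silent ScreenConnect install:", ev["CommandLine"])
    for ep in triage_config(SAMPLE_SYSTEM_CONFIG):
        print("[!] unsanctioned relay:", ep)
```

The build timestamp decoded from the triple is useful on its own: a client built minutes before the phishing email arrived, pointing at a host outside the allowlist, is a strong indicator that the installer was generated per target rather than by the IT team.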

AnyDesk Chat Files (Source – Dark Atlas)

Memory-only artifacts, such as live chat transcripts and session logs, reside solely in process heaps, necessitating volatile memory capture for forensic recovery.

By combining in-memory execution, custom-config builders, and encrypted launch keys, threat actors transform a legitimate RMM solution into a stealthy remote access Trojan, complicating detection and incident response for security operations teams.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.