A new spear phishing campaign weaponizes a forgotten file type to bypass modern defenses. Attackers are luring victims into downloading Windows screensaver (.scr) files, which silently deploy legitimate Remote Monitoring and Management (RMM) software to establish persistent control over targeted systems.
The campaign utilizes a simple yet effective delivery mechanism designed to evade reputation-based detection.
It begins with a spear phishing email containing a business-themed lure, such as “InvoiceDetails.scr” or “ProjectSummary.scr.”
These files are hosted on public file-sharing platforms like GoFile, allowing the malicious links to bypass standard email security gateways that might flag direct attachments or known malicious domains.
To the average user, a screensaver file appears harmless. However, in the Windows environment, a .scr file is technically a Portable Executable (PE), functionally identical to an .exe file. When the user double-clicks the file in their Downloads folder, the code executes immediately.
Weaponizing Legitimate RMMs
Rather than the custom malware that endpoint detection systems might instantly recognize, this campaign, observed by ReliaQuest, installs a legitimate RMM agent, such as SimpleHelp.
This “Living off the Land” approach is dangerous for two reasons:
- Evasion: Security tools often trust RMM software because it is widely used by IT departments for legitimate support. The installation does not generate the typical “malware” signals.
- Persistence: Once installed, the RMM tool provides attackers with interactive, durable remote access that survives system reboots.
From this foothold, attackers can blend in with normal network traffic while they escalate privileges, steal credentials, exfiltrate sensitive data, or prepare the environment for a ransomware deployment.
Defensive Priorities
This campaign highlights a critical gap in many security postures: the lack of strict governance over executable file types and remote support tools.
To defend against this threat, organizations must shift their perspective on what constitutes a “privileged” application.
Key mitigation strategies include:
- Restrict .SCR Execution: Treat screensaver files with the same scrutiny as .exe or .msi files. Configure Application Control policies (such as AppLocker or Windows Defender Application Control) to block the execution of .scr files from user-writable directories like Downloads, Temp, and Desktop.
- Enforce RMM Allowlists: Maintain a strict allowlist of authorized remote management software. Any RMM tool not on this list should be blocked by default.
- Monitor for Artifacts: Security teams should alert on the creation of unexpected scheduled tasks, services, or folders in ProgramData that correlate with unknown RMM vendors.
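The following is an added example of the two detection checks above expressed as simple triage logic over Sysmon-style process-creation and service-install events; it is not code from ReliaQuest or from the original article. The RMM allowlist, the service names and every file path are constructed placeholders, not paths observed in the campaign.

```python
from pathlib import PureWindowsPath

# Hypothetical organisation allowlist of approved RMM agent binaries (lower-case file names).
RMM_ALLOWLIST = {"approvedrmm_agent.exe"}

# User-writable launch locations the article singles out for .scr blocking.
USER_WRITABLE_DIRS = {"downloads", "temp", "desktop"}

# Constructed sample telemetry in a Sysmon-like shape; not real logs from the campaign.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\jdoe\Downloads\InvoiceDetails.scr",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\Bubbles.scr",
     "parent": r"C:\Windows\System32\winlogon.exe"},
    {"type": "service_install", "name": "RemoteSupportSvc",
     "image_path": r"C:\ProgramData\RemoteSupport\agent.exe"},
    {"type": "service_install", "name": "ApprovedRMM",
     "image_path": r"C:\Program Files\ApprovedRMM\approvedrmm_agent.exe"},
]

def scr_from_user_writable(image: str) -> bool:
    """True when a .scr executes from Downloads, Temp or Desktop (any ancestor directory)."""
    path = PureWindowsPath(image)
    ancestors = {part.lower() for part in path.parts[:-1]}
    return path.suffix.lower() == ".scr" and bool(ancestors & USER_WRITABLE_DIRS)

def unapproved_service_in_programdata(image_path: str) -> bool:
    """True when a new service binary sits under ProgramData and is not an allowlisted RMM agent."""
    path = PureWindowsPath(image_path)
    in_programdata = "programdata" in {part.lower() for part in path.parts}
    return in_programdata and path.name.lower() not in RMM_ALLOWLIST

def triage(events):
    """Return (rule_name, detail) pairs for every event that matches one of the two rules."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create" and scr_from_user_writable(ev["image"]):
            hits.append(("scr_from_user_writable_dir", ev["image"]))
        elif ev["type"] == "service_install" and unapproved_service_in_programdata(ev["image_path"]):
            hits.append(("unapproved_service_in_programdata", f'{ev["name"]} -> {ev["image_path"]}'))
    return hits

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

In production the same two predicates would run against EDR or Sysmon event streams, with the allowlist sourced from the organisation's approved-RMM inventory.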
By tightening controls on overlooked file extensions and monitoring for unauthorized remote access tools, defenders can break this attack chain before attackers can pivot to their final objectives.