Hackers Persist in Using ConnectWise ScreenConnect Tool to Distribute Malware
Hackers continue to exploit the ConnectWise ScreenConnect remote management and monitoring (RMM) tool to deploy malicious payloads, with a focus on financial organizations.
An independent researcher first reported a potential critical vulnerability in ScreenConnect versions 23.9.7 and prior through the ConnectWise Trust Center’s vulnerability disclosure program.
Malicious Campaigns Targeting Financial Organizations
This flaw has since been leveraged by threat actors, notably in May 2025, as observed by CyberProof Analysts and Threat Hunters.
They identified a wave of attacks utilizing signed malicious droppers, likely tied to the CHAINVERB backdoor associated with the UNC5952 threat group.
These attacks predominantly use phishing emails with invoice themes to trick users into downloading harmful executables.

The use of domains under cheap top-level domains (TLDs) such as .top, and of hostnames under anondns.net, for command-and-control (C2) infrastructure further amplifies the reach of these eCrime campaigns, signaling a persistent and evolving threat landscape.
Technical Breakdown of the CHAINVERB Backdoor
Delving deeper into the technical intricacies, the CHAINVERB downloader represents a sophisticated tool in the arsenal of cybercriminals.
It abuses the digital signature of Windows executables, hiding C2 URLs inside the embedded certificates, which the loader then reads to download and execute the next-stage payload.
Once installed, often through deceptive filenames mimicking legitimate software like Adobe Reader or Zoom Installer, CHAINVERB deploys the ConnectWise ScreenConnect tool to establish remote desktop sessions with attacker-controlled servers.
This access facilitates internal host reconnaissance and screenshot capture, posing significant risks of data theft and further network compromise.
Specific instances include phishing emails from senders like “russ@oshlaw.com” delivering malicious PDFs with URLs leading to downloads of executables like “Download.exe,” signed fraudulently under “ConnectWise, LLC.”
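As an added illustration of the detection angle (this is not code from the CyberProof report or from ConnectWise): a Python script that locates the Authenticode security directory of a PE file and lists URL-like strings found inside the signature blob, so a binary whose certificate chain carries a URL outside the expected CA hosts can be triaged. The PE fixture, the CA host example-ca.test and the allowlist are constructed assumptions; legitimate certificates also carry CRL and OCSP URLs, so the allowlist must come from your own baseline.

```python
import re
import struct
from urllib.parse import urlparse

# Plain-ASCII URL pattern; CHAINVERB-style loaders stash the C2 URL inside the
# certificate chain, so we scan the signature blob itself rather than the code.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")

def authenticode_blob(pe: bytes) -> bytes:
    """Return the PKCS#7 payload of the PE security directory, or b'' if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    dirs = opt + (96 if magic == 0x10B else 112)  # start of the data directory array
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4 = SECURITY; a file offset, not an RVA
    if off == 0 or size == 0:
        return b""
    length = struct.unpack_from("<I", pe, off)[0]  # WIN_CERTIFICATE.dwLength
    return pe[off + 8 : off + length]              # skip dwLength, wRevision, wCertificateType

def urls_in_blob(blob: bytes) -> list[str]:
    """Collect URL-looking strings from the blob, both ASCII and UTF-16LE at either alignment."""
    wide = b"\0".join(blob[i:].decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")
                      for i in (0, 1))
    return sorted({m.group().decode() for m in URL_RE.finditer(blob + b"\0" + wide)})

def unexpected_urls(urls: list[str], expected_hosts: set[str]) -> list[str]:
    """Drop URLs whose host is (or is under) a CA host from the organisation's own baseline."""
    def known(host: str) -> bool:
        return any(host == h or host.endswith("." + h) for h in expected_hosts)
    return [u for u in urls if not known(urlparse(u).hostname or "")]

def build_fake_pe(cert_payload: bytes) -> bytes:
    """Constructed PE32+ fixture: headers plus a security directory, no real code or signature."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)  # SizeOfOptionalHeader = 240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    wincert = struct.pack("<IHH", 8 + len(cert_payload), 0x0200, 0x0002) + cert_payload
    struct.pack_into("<II", opt, 112 + 4 * 8, len(dos) + len(coff) + len(opt), len(wincert))
    return dos + coff + bytes(opt) + wincert

if __name__ == "__main__":
    # Constructed blob: a normal-looking CRL URL next to a URL planted as UTF-16 in an odd field.
    sample = build_fake_pe(b"CRL: http://crl.example-ca.test/root.crl "
                           + "https://web.mryhelp.top/stage2".encode("utf-16-le"))
    print(unexpected_urls(urls_in_blob(authenticode_blob(sample)), {"example-ca.test"}))
```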

Telemetry data also revealed C2 communications to domains such as kasin22.anondns.net and yertoje.uzhelp.top, alongside malicious webpages impersonating customer support portals to distribute droppers named Support.Client (1).exe.
ConnectWise acknowledged a potential breach by a nation-state threat group on May 28, 2025, currently under investigation by Mandiant, though direct links to these specific observations remain under review.
According to the report, organizations are urged to adopt robust threat hunting practices and to upgrade to patched versions (23.9.8 or later) following the specified upgrade paths, alongside implementing CISA-recommended defenses against phishing and unauthorized RMM software use.
The table below provides a snapshot of key IOCs associated with the campaign, aiding defenders in identifying and blocking malicious activity tied to these attacks.
Continued vigilance and updates from ongoing investigations will be critical to curbing this threat.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| Domain | polarof.koyhelp.top |
| Domain | www.v4shelp.top |
| Domain | helpw8.top |
| Domain | yertoje.uzhelp.top |
| Domain | web.bcqhelp.top |
| Domain | web.mryhelp.top |
| Hash (MD5) | a01a80d8c1f665eda5a81391a1ed0024 |
| Hash (MD5) | 180f9294e3e2418a460dee6d9e40291a |
| Email Sender | russ@oshlaw.com |
| C2 Domain | kasin22.anondns.net |