Since March 2025, threat actors have dramatically escalated their abuse of ConnectWise ScreenConnect, deploying trojanized installers and stripped-down ClickOnce runners to turn a trusted remote administration tool into a stealthy initial-access vector for multiple remote access trojans. Multiple independent threat intelligence reports confirm that these campaigns are dropping AsyncRAT, PureHVNC, and bespoke PowerShell RATs on compromised Windows endpoints across U.S. organizations, often establishing persistent, low-noise footholds that evade signature-based defenses.
Security researchers from Proofpoint, Sophos, eSentire, and Acronis have all documented a surge in phishing attacks that weaponize legitimate ScreenConnect binaries. The attackers exploit the very trust that IT teams and managed service providers place in RMM platforms, using social engineering to trick recipients into executing malicious clients that connect to attacker-controlled servers. Once the remote control channel is established, the adversaries use ScreenConnect's automation capabilities to move laterally and deploy additional malware.
Phishing Lures and Trojanized Installers
The initial attack vector relies on highly targeted phishing emails disguised as government, financial, or legal correspondence. Common filenames reference “Social Security,” invoice numbers, or contractual agreements. These lures deliver an executable—often named Client.exe—or a link that launches a ClickOnce deployment or a lightweight runner rather than a conventional full installer.
The stripped-down installer is key to the campaign's success. By fetching configuration data from attacker-controlled servers at runtime, the payload minimizes static indicators and lets threat actors rotate command-and-control infrastructure without re-signing binaries, which frustrates static analysis and traditional antivirus scans. The campaigns also abuse Authenticode stuffing: attackers place their own configuration data in the PE certificate table, a region the Authenticode hash deliberately excludes, so the original ConnectWise signature still verifies. Signed binaries therefore cannot be assumed safe. A valid signature is merely a starting point for investigation, not a guarantee of legitimacy.
Once executed, the runner silently registers the endpoint with the attacker’s ScreenConnect server, giving the threat actor full remote access through a legitimate RMM channel. Because ScreenConnect is widely used by IT help desks, the initial connection often blends into normal network traffic, making detection difficult without robust behavioral monitoring.
Technical Deep-Dive: ClickOnce and Authenticode Stuffing
The choice of ClickOnce and lightweight runners represents a deliberate evasion technique. ClickOnce applications, originally designed to simplify enterprise software deployment, can be launched with minimal user interaction and often bypass application whitelisting controls if those are not configured for them: the application is started by the trusted ClickOnce service host dfsvc.exe and runs from the per-user cache under %LOCALAPPDATA%\Apps\2.0, so path-based rules that only cover Program Files never see it. Attackers have been seen hosting the ClickOnce manifests on compromised websites or cloud storage platforms, adding an extra layer of indirection that complicates takedown efforts.
Authenticode stuffing builds on this by abusing how Windows code signing works. Because the certificate table is excluded from the signed hash, attackers can append their own server configuration to a legitimate ScreenConnect binary and the signature still verifies as ConnectWise's. Tools and endpoint detection platforms that stop at signature validity will label the binary safe even though it phones home to an attacker. Security teams must pivot to runtime behavior analysis and inspect the configuration itself, in particular the server endpoints the ScreenConnect client connects to on execution.
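As an added example (not code from the article or from ConnectWise), the following PowerShell function walks a PE file to its certificate table and reports any bytes that sit inside that table but outside the DER-encoded PKCS#7 SignedData structure. Authenticode's hash excludes the whole certificate table, so those bytes never affect signature validity, which is exactly why a stuffed installer still reports Valid. Where ScreenConnect places its client settings within the table is not stated on this page; the check assumes the generic case of data appended after the SignedData blob, and will report zero trailing bytes if a signer instead tucks data into an unsigned attribute inside the blob.

```powershell
# Added example, not from the original article or from ConnectWise.
# Reports data inside a PE certificate table that the PKCS#7 SignedData structure
# does not account for. Assumption: stuffed configuration follows the DER blob.
function Get-AuthenticodeTrailingData {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # DOS header: e_lfanew at 0x3C points at the "PE\0\0" signature (0x00004550 little-endian)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { throw "Not a PE file: $Path" }

    # Optional header follows the 4-byte signature and 20-byte COFF header. Data directories
    # begin at +96 (PE32, magic 0x10B) or +112 (PE32+, magic 0x20B); the certificate table is
    # entry 4, and unlike other directories its address is a raw file offset.
    $opt   = $peOffset + 4 + 20
    $magic = [BitConverter]::ToUInt16($bytes, $opt)
    $dirBase = switch ($magic) {
        0x10B   { 96 }
        0x20B   { 112 }
        default { throw "Unknown optional header magic 0x$($magic.ToString('X4'))" }
    }
    $entry    = $opt + $dirBase + (4 * 8)
    $certOff  = [int][BitConverter]::ToUInt32($bytes, $entry)
    $certSize = [int][BitConverter]::ToUInt32($bytes, $entry + 4)
    if ($certSize -eq 0) {
        return [pscustomobject]@{ Path = $Path; Signed = $false; TrailingBytes = 0; Suspicious = $false }
    }

    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[...]
    $dwLength  = [int][BitConverter]::ToUInt32($bytes, $certOff)
    $blobStart = $certOff + 8
    $blobLen   = $dwLength - 8

    # bCertificate is a DER SEQUENCE (tag 0x30); decode its length to learn how many bytes
    # the PKCS#7 structure actually claims.
    if ($bytes[$blobStart] -ne 0x30) { throw "Certificate blob does not start with a DER SEQUENCE" }
    $lenByte = [int]$bytes[$blobStart + 1]
    if ($lenByte -lt 0x80) {
        $hdrLen = 2; $contentLen = $lenByte
    } else {
        $n = $lenByte -band 0x7F
        $contentLen = 0
        for ($i = 0; $i -lt $n; $i++) {
            $contentLen = ($contentLen -shl 8) -bor [int]$bytes[$blobStart + 2 + $i]
        }
        $hdrLen = 2 + $n
    }
    $derLen = $hdrLen + $contentLen

    # Bytes after the DER structure but within dwLength are unsigned. Up to 7 zero bytes of
    # 8-byte alignment padding is normal; anything more, or any non-zero byte, is stuffed data.
    $trailing = @()
    if ($blobLen -gt $derLen) {
        $trailing = $bytes[($blobStart + $derLen)..($blobStart + $blobLen - 1)]
    }
    $nonZero = @($trailing | Where-Object { $_ -ne 0 }).Count
    $preview = -join ($trailing | ForEach-Object { if ($_ -ge 0x20 -and $_ -le 0x7E) { [char]$_ } else { '.' } })

    [pscustomobject]@{
        Path            = $Path
        Signed          = $true
        SignatureStatus = (Get-AuthenticodeSignature -FilePath $Path).Status
        Pkcs7Bytes      = $derLen
        TrailingBytes   = $trailing.Count
        NonZeroTrailing = $nonZero
        Suspicious      = ($nonZero -gt 0 -or $trailing.Count -gt 7)
        Preview         = $preview.Substring(0, [Math]::Min(120, $preview.Length))
    }
}

# Usage: SignatureStatus = Valid together with a non-zero NonZeroTrailing count is the
# "signed, yet carrying unsigned configuration" case described above.
# Get-AuthenticodeTrailingData -Path 'C:\Users\victim\Downloads\Client.exe' | Format-List
```

The Preview field is deliberately a crude printable-ASCII dump: it is enough to spot a relay hostname or URL in the appended data without committing to a particular configuration format. Run the function over every ScreenConnect client found on a host and compare the hostnames in the preview against your approved RMM infrastructure.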
Multi-Stage Payloads: AsyncRAT and PureHVNC
After the ScreenConnect foothold is established, attackers waste no time in deploying a layered infection chain. Forensic analysis reveals a consistent pattern:
- The attacker pushes a staged PowerShell script through the ScreenConnect automation feature.
- This script executes an AMSI bypass to disarm the Antimalware Scan Interface that Windows uses to hand script content to the installed antivirus engine, then decodes and injects payloads directly into memory, avoiding disk writes.
- Scheduled tasks are created to re-establish persistence, with some campaigns configuring frequent reloads to ensure the backdoors survive reboots and partial cleanups.
- Additional loaders—batch scripts, VBS files, or obfuscated .NET assemblies—prepare the ground for the final remote access trojans.
At least two distinct RAT families are deployed for redundancy. AsyncRAT, a commodity trojan, delivers keylogging, file exfiltration, and process injection through loaders that target trusted Windows processes like RegAsm.exe or AppLaunch.exe. This process hollowing technique further obscures the malware’s presence, as the network connections and suspicious activity appear to originate from legitimate Microsoft binaries.
In parallel, attackers are increasingly dropping PureHVNC, a .NET-based hidden-VNC-style RAT that enables interactive remote desktop control over an invisible desktop session. PureHVNC is heavily obfuscated, often employing AES encryption and reflective code loading to defeat on-disk signatures. Sysmon telemetry paired with detection rules in a SIEM such as Wazuh has become invaluable for hunting these implants.
Some campaigns also introduce custom PowerShell RATs that enumerate installed antivirus products, collect system architecture details, and exfiltrate data via Microsoft.XMLHTTP POST requests. Because these tools are bespoke, signatures written for known families will not match them; only behavioral analytics and network traffic analysis can reliably spot them.
Infrastructure and Tradecraft
The operational tempo of these campaigns is sustained by agile infrastructure. Attackers rely on cheap VPS providers and bulletproof hosting services, often spinning up pre-configured Windows Server 2022 templates to act as malicious ScreenConnect servers. Forensic telemetry has revealed recurring VM hostnames and template labels, indicating that the same virtual images are recycled across multiple IP addresses to speed up redeployment.
This infrastructure churn gives defenders a narrow window to block or sinkhole C2 domains. The use of legitimate ScreenConnect control panels as a management plane further complicates attribution and takedown efforts. Unlike custom malware C2 panels, ScreenConnect itself is not inherently malicious, making it difficult to flag at the network perimeter without deep packet inspection and behavioral correlation.
Detection and Mitigation Strategies
Security teams must act decisively to detect and contain these threats. The following detection opportunities have proven effective in recent incident response engagements:
- Monitor for unexpected ScreenConnect installations. Any endpoint that suddenly hosts a ConnectWise client outside of a planned deployment should trigger an immediate investigation.
- Audit ScreenConnect automation logs. A surge in automated script executions or the creation of new admin accounts is a strong indicator of compromise.
- Hunt for encoded PowerShell and AMSI bypass patterns. Look for Base64-encoded `-EncodedCommand` usage on non-developer workstations, and flag any use of `Add-Type` or reflection to load .NET assemblies into memory.
- Detect process hollowing and injection. Specifically, watch for known legitimate processes (`RegAsm.exe`, `AppLaunch.exe`, `notepad.exe`) making outbound network connections after a hollowing event.
- Scrutinize signed ScreenConnect binaries that fetch remote configs. Validate that the configuration URLs correspond to your organization's approved RMM infrastructure.
- Block unsigned ClickOnce and installer executions for non-administrators. Restrict execution of ClickOnce manifests from untrusted zones and enforce AppLocker or Windows Defender Application Control.
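The encoded-PowerShell and injection hunts in the list above, as an added PowerShell example that is not from the article: it reads Sysmon events 1 (process creation), 3 (network connection) and 8 (CreateRemoteThread), decodes `-EncodedCommand` payloads and searches them for AMSI-tampering and reflective-loading strings, then pairs each remote-thread event against one of the trusted host binaries with any outbound connection that process makes afterwards. The AMSI string list is an assumption drawn from widely published bypasses, not from the article; the host-process list is the article's own.

```powershell
# Added example, not code from the original article. Requires Sysmon with events 1, 3 and 8
# enabled and a shell that can read the Sysmon log (Administrators or Event Log Readers).
$LogName      = 'Microsoft-Windows-Sysmon/Operational'
$HostTargets  = @('RegAsm.exe', 'AppLaunch.exe', 'notepad.exe')   # the article's hollowing hosts
# Assumption: strings taken from widely published AMSI bypasses, not from the article.
$AmsiPatterns = @('AmsiUtils', 'amsiInitFailed', 'AmsiScanBuffer', 'amsiContext', 'AmsiOpenSession')

# Flatten a Sysmon event's <EventData> into a hashtable keyed by field name.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

# -EncodedCommand payloads are base64 of UTF-16LE text; -e, -ec, -en and -enc are common spellings.
function Get-DecodedEncodedCommand {
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) } catch { return $null }
    }
    return $null
}

$since  = (Get-Date).AddDays(-7)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1, 3, 8; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-SysmonEvent $_ })

# 1. Encoded PowerShell whose decoded body touches AMSI internals or loads assemblies reflectively.
$encoded = foreach ($e in ($events | Where-Object { $_.Id -eq 1 -and $_.Image -match '(?i)(powershell(_ise)?|pwsh)\.exe$' })) {
    $script = Get-DecodedEncodedCommand $e.CommandLine
    if (-not $script) { continue }
    $hits       = @($AmsiPatterns | Where-Object { $script -match [regex]::Escape($_) })
    $reflective = $script -match '(?i)Add-Type|\[(System\.)?Reflection\.Assembly\]::Load'
    if ($hits.Count -gt 0 -or $reflective) {
        [pscustomobject]@{
            Time = $e.TimeCreated; User = $e.User; Parent = $e.ParentImage
            AmsiStrings = ($hits -join ','); Reflective = $reflective
            Snippet = $script.Substring(0, [Math]::Min(160, $script.Length))
        }
    }
}

# 2. A trusted host binary that received a remote thread (ID 8) and later connected out (ID 3).
$injected = foreach ($t in ($events | Where-Object { $_.Id -eq 8 -and (Split-Path $_.TargetImage -Leaf) -in $HostTargets })) {
    $conns = $events | Where-Object {
        $_.Id -eq 3 -and $_.ProcessGuid -eq $t.TargetProcessGuid -and
        $_.Initiated -eq 'true' -and $_.TimeCreated -ge $t.TimeCreated
    }
    foreach ($c in $conns) {
        [pscustomobject]@{
            Time = $c.TimeCreated; Injector = $t.SourceImage; Host = $t.TargetImage
            Destination = "$($c.DestinationIp):$($c.DestinationPort)"
        }
    }
}

$encoded  | Format-Table -AutoSize
$injected | Format-Table -AutoSize
```

Two design notes. The correlation keys on Sysmon's ProcessGuid rather than the PID, because PIDs are reused and a hollowed host that dies and is relaunched would otherwise produce false pairings. The AMSI patterns are matched against the decoded script, not the raw command line, since the whole point of `-EncodedCommand` is that the interesting strings are not visible until you decode.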
Containment steps should prioritize isolating infected endpoints, collecting volatile memory for forensic analysis, and rotating all credentials that may have been exposed through the ScreenConnect session. Since the attacks often spread laterally via the same RMM tool, a thorough review of managed endpoints and scheduled tasks across the estate is essential.
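The "unexpected ScreenConnect installation" and "validate the configuration URLs" items above, together with the estate-wide review this paragraph asks for, come down to one question per host: which ScreenConnect clients are installed and where do they call home? The PowerShell below is an added example, not code from the article or from ConnectWise. It assumes, from the way installed clients are commonly seen registered, that the client runs as a service named "ScreenConnect Client (<id>)" whose ImagePath ends in a query string carrying the relay host (`h=`), port (`p=`) and session id (`s=`); the approved-host list and the sample services are constructed placeholders.

```powershell
# Added example, not from the original article or from ConnectWise.
# Assumption (observed format, not stated in the article): the client service's ImagePath looks like
#   "<path>\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=<relay host>&p=<port>&s=<session>&k=<key>"
# $ApprovedRelayHosts is a placeholder to replace with your own RMM hostnames.
$ApprovedRelayHosts = @('support.example.com', 'rmm-relay.example.com')

function Get-ScreenConnectRelay {
    param([Parameter(Mandatory)][string]$ServiceName, [Parameter(Mandatory)][string]$PathName)
    # Everything from the '?' onward is the client's launch configuration; parse it like a query string.
    $query = ''
    if ($PathName -match '\?([^"]+)') { $query = $Matches[1] }
    $cfg = @{}
    foreach ($pair in ($query -split '&')) {
        $k, $v = $pair -split '=', 2
        if ($k) { $cfg[$k] = [uri]::UnescapeDataString([string]$v) }
    }
    $binary = $PathName
    if ($PathName -match '^"?([^"]+\.exe)') { $binary = $Matches[1] }
    [pscustomobject]@{
        Service   = $ServiceName
        Binary    = $binary
        RelayHost = $cfg['h']
        RelayPort = $cfg['p']
        Session   = $cfg['s']
        Approved  = [bool]($cfg['h'] -and ($ApprovedRelayHosts -contains $cfg['h']))
    }
}

# Live inventory: every service that is, or runs, a ScreenConnect client.
function Get-ScreenConnectInventory {
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like 'ScreenConnect Client*' -or $_.PathName -match 'ScreenConnect\.ClientService\.exe' } |
        ForEach-Object { Get-ScreenConnectRelay -ServiceName $_.Name -PathName $_.PathName }
}

# Constructed sample (not a real compromise): the second entry reports to a host outside the allow-list.
$sample = @(
    @{ Name = 'ScreenConnect Client (1a2b3c4d5e6f7a8b)'
       PathName = '"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7a8b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.example.com&p=443&s=00000000-0000-0000-0000-000000000001&k=BgIAAACkAABSU0ExAAgAAAEAAQ"' }
    @{ Name = 'ScreenConnect Client (9f8e7d6c5b4a3921)'
       PathName = '"C:\Program Files (x86)\ScreenConnect Client (9f8e7d6c5b4a3921)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=203.0.113.45&p=8041&s=00000000-0000-0000-0000-000000000002&k=BgIAAACkAABSU0ExAAgAAAEAAQ"' }
)
$sample | ForEach-Object { Get-ScreenConnectRelay -ServiceName $_.Name -PathName $_.PathName } | Format-Table -AutoSize

# On a real host, the line you actually want during an incident:
# Get-ScreenConnectInventory | Where-Object { -not $_.Approved }
```

Run the inventory function across the estate through your own RMM or configuration-management channel and treat every row with Approved = False as an endpoint to isolate: that relay host is where the attacker's ScreenConnect server lives, and it belongs in your block and sinkhole list as well.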
The Bigger Picture: RMM Abuse and Zero Trust
The ScreenConnect campaigns are not isolated incidents; they represent a strategic shift toward weaponizing legitimate administrative tooling to bypass traditional defenses. The commoditization of RMM abuse kits on cybercrime forums has lowered the barrier to entry, enabling less sophisticated actors to launch effective attacks. Moreover, MSPs themselves have become prime targets—compromising a single MSP administrator account can provide bulk access to dozens of downstream customers, as seen in high-profile ransomware incidents over the past two years.
Defenders must adopt a zero-trust approach to remote access tooling. The era when a valid digital signature equated to safety is over. Behavioral detection, application allowlisting, and network segmentation are now mandatory countermeasures. Organizations should also pressure their MSPs to implement multi-factor authentication, session recording, and strict least-privilege policies for all RMM access.
Practical Checklist for Windows Administrators
Based on the TTPs observed, Windows shops and MSPs can immediately take these steps:
- Inventory and harden RMM deployments. Identify all ScreenConnect instances (cloud and on-premises), enforce MFA, and remove unused admin roles.
- Lock down ClickOnce execution. Use Group Policy to disable ClickOnce trust prompts or restrict it to signed applications from trusted publishers only.
- Deploy Sysmon and configure alerts. Monitor for process injection events (Event ID 8, CreateRemoteThread, and Event ID 10, ProcessAccess), suspicious `RegAsm.exe` behavior, and frequent scheduled task creation.
- Enable Windows Defender Attack Surface Reduction rules. Activate rules that block office applications from creating child processes, prevent credential theft, and restrict executable content from email clients.
- Segment MSP/admin access. Require all RMM sessions to originate from dedicated jump hosts with privileged access workstations (PAWs) configured.
- Establish an incident playbook for RMM compromise. Define forensic procedures for in-memory implants, plan for rapid host isolation, and pre-authorize credential rotation for all potentially exposed accounts.
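For the "lock down ClickOnce execution" item, the following PowerShell is an added example, not code from the article. It audits and sets the ClickOnce trust-prompt policy per security zone. The registry location and the three permitted values (Enabled, AuthenticodeRequired, Disabled) are Microsoft's documented TrustManager settings; the weak-versus-hardened per-zone choices are an assumption to adapt to your estate, and the same values can be pushed fleet-wide through a GPO registry preference.

```powershell
# Added example, not code from the original article. Registry path and permitted values come
# from Microsoft's documented ClickOnce TrustManager settings; the per-zone policy below is an
# assumption to adapt. Writing the key requires an elevated shell.
$PromptingLevelKey = 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel'

# Weak posture (roughly the .NET default): a user can click through a trust prompt for an
# Internet-sourced ClickOnce application, which is all a phishing lure needs.
$WeakPolicy = @{
    MyComputer = 'Enabled'; LocalIntranet = 'Enabled'; TrustedSites = 'Enabled'
    Internet = 'Enabled'; UntrustedSites = 'Disabled'
}

# Hardened posture: no prompt for the Internet and untrusted zones (an application that is not
# already trusted simply does not run) and a trusted-publisher signature required everywhere else.
$HardenedPolicy = @{
    MyComputer = 'AuthenticodeRequired'; LocalIntranet = 'AuthenticodeRequired'; TrustedSites = 'AuthenticodeRequired'
    Internet = 'Disabled'; UntrustedSites = 'Disabled'
}

function Get-ClickOncePromptPolicy {
    $current = @{}
    foreach ($zone in $HardenedPolicy.Keys) {
        $current[$zone] = (Get-ItemProperty -Path $PromptingLevelKey -Name $zone -ErrorAction SilentlyContinue).$zone
    }
    $current
}

function Test-ClickOncePromptPolicy {
    param([hashtable]$Current = (Get-ClickOncePromptPolicy), [hashtable]$Desired = $HardenedPolicy)
    foreach ($zone in $Desired.Keys) {
        $value = $Current[$zone]
        if (-not $value) { $value = '<not set, .NET default applies>' }
        [pscustomobject]@{
            Zone = $zone; Current = $value; Desired = $Desired[$zone]
            Compliant = ($value -eq $Desired[$zone])
        }
    }
}

function Set-ClickOncePromptPolicy {
    param([hashtable]$Policy = $HardenedPolicy)
    if (-not (Test-Path $PromptingLevelKey)) { New-Item -Path $PromptingLevelKey -Force | Out-Null }
    foreach ($zone in $Policy.Keys) {
        Set-ItemProperty -Path $PromptingLevelKey -Name $zone -Value $Policy[$zone] -Type String
    }
}

# Audit against the weak posture first (shows what non-compliance looks like), then this host.
Test-ClickOncePromptPolicy -Current $WeakPolicy | Format-Table -AutoSize
Test-ClickOncePromptPolicy | Format-Table -AutoSize
# Set-ClickOncePromptPolicy      # enforce the hardened values (elevated shell)
```

Pair this with the AppLocker or WDAC policy the earlier list recommends: the prompting level controls whether ClickOnce will install and launch an application at all, while the allowlist decides whether the resulting files in %LOCALAPPDATA%\Apps\2.0 are permitted to execute, and a determined attacker needs both gates open.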
Conclusion
The sustained abuse of ConnectWise ScreenConnect underscores the evolving threat landscape where trusted tools become double-edged swords. With trojanized installers, ClickOnce runners, Authenticode stuffing, and layered RAT deployments, these campaigns achieve deep persistence while evading conventional defenses. Multi-source vendor intelligence confirms that AsyncRAT, PureHVNC, and custom PowerShell trojans are being delivered through this vector across multiple verticals.
For Windows enthusiasts and IT professionals alike, the message is clear: zero-trust principles must extend to remote management tools. Proactive hunting, behavioral detection, and strict control over RMM usage are no longer optional. The ability to distinguish between legitimate IT support and a stealthy intruder now depends on telemetry that looks beyond signatures—into the very behavior of the tools we depend on daily.