#connectwise — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #connectwise, aggregated by home.social.
-
OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION
A sophisticated multi-stage intrusion campaign was identified leveraging a weaponized PowerShell payload disguised as a JPEG image file (sysupdate.jpeg) to deploy a trojanized ConnectWise ScreenConnect instance for covert remote access. The attack likely originates through social engineering techniques including phishing emails or malicious attachments. Upon execution, the malware establishes a staging environment, retrieves additional payloads from attacker-controlled infrastructure, and dynamically compiles a custom launcher using Microsoft's legitimate .NET compiler (csc.exe) to evade detection. The intrusion abuses ComputerDefaults.exe and a malicious ms-settings registry hijack to perform a fileless UAC bypass and obtain elevated privileges. Once elevated, the malware deploys a persistent service masquerading as OneDriveServers and launches a modified ScreenConnect framework capable of credential interception, remote command execution, surveillance operations, SYSTEM-level execution, encrypted command...
Pulse ID: 6a008382641183db3b20fef5
Pulse Link: https://otx.alienvault.com/pulse/6a008382641183db3b20fef5
Pulse Author: AlienVault
Created: 2026-05-10 13:09:22
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#ConnectWise #CyberSecurity #EDR #Email #InfoSec #Malware #Microsoft #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RCE #RemoteCommandExecution #ScreenConnect #SocialEngineering #Trojan #Troll #bot #AlienVault
-
#CISA warning: attacks on #ConnectWise #ScreenConnect and #WindowsShell | Security https://www.heise.de/news/CISA-Warnung-Angriffe-auf-ConnectWise-ScreenConnect-und-Windows-Shell-11276026.html #exploit #Patchday
-
CVE Alert: CVE-2024-1708 - ConnectWise - ScreenConnect - https://www.redpacketsecurity.com/cve-alert-cve-2024-1708-connectwise-screenconnect/
#OSINT #ThreatIntel #CyberSecurity #cve-2024-1708 #connectwise #screenconnect
-
March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day
In March 2026, 31 high-impact vulnerabilities were identified requiring prioritization for remediation, with 29 receiving Very Critical Risk Scores. Affected vendors included Cisco, Microsoft, Google, ConnectWise, and others, with Microsoft and Apple accounting for approximately 32% of vulnerabilities. Notably, the Interlock Ransomware Group exploited CVE-2026-20131, a zero-day deserialization vulnerability in Cisco Secure Firewall Management Center, as early as January 2026 to compromise enterprise networks. The group deployed custom remote access trojans and facilitated ransomware operations through crafted HTTP requests executing arbitrary Java code as root. Additional campaigns involved the DarkSword iOS exploit kit delivering GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads, and the Coruna exploit kit deploying PlasmaLoader malware. Nine vulnerabilities enabled remote code execution across multiple platforms. One vulnerability dated back nine years, emphasizing continued exploitation of legacy unpatched
Pulse ID: 69de0077cbff2dc8d99b17ff
Pulse Link: https://otx.alienvault.com/pulse/69de0077cbff2dc8d99b17ff
Pulse Author: AlienVault
Created: 2026-04-14 08:53:11
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cisco #ConnectWise #CyberSecurity #Google #HTTP #InfoSec #Java #Malware #Microsoft #OTX #OpenThreatExchange #RAT #RansomWare #RemoteAccessTrojan #RemoteCodeExecution #Trojan #Vulnerability #Word #ZeroDay #bot #iOS #AlienVault
-
#ConnectWise #ScreenConnect closes a critical access vulnerability | Security https://www.heise.de/news/ConnectWise-ScreenConnect-schliesst-kritische-Zugriffsluecke-11217173.html #Patchday
-
Remote maintenance tool #ScreenConnect: critical vulnerability enables malicious code execution | Security https://www.heise.de/news/Fernwartung-ScreenConnect-Kritische-Luecke-ermoeglicht-Schadcodeausfuehrung-11112865.html #ConnectWise #Patchday
-
ConnectWise Patches Critical Flaw in Automate RMM Tool https://www.securityweek.com/connectwise-patches-critical-flaw-in-automate-rmm-tool/ #Vulnerabilities #vulnerability #ConnectWise #Patch #MitM
-
Imagine a trusted IT tool letting hackers intercept crucial data and swap out updates like tampered packages. What does this mean for the safety of your systems? Dive into the story behind ConnectWise Automate’s vulnerabilities and the rising threat in RMM security.
#connectwise
#rmmsecurity
#supplychainattack
#cybersecurity2025
#aitmattacks
-
Hackers Abuse ConnectWise to Hide Malware https://www.securityweek.com/hackers-abuse-connectwise-to-hide-malware/ #Malware&Threats #ConnectWise #malware
-
ConnectWise to Rotate ScreenConnect Code Signing Certificates Due to Security Risks
#ConnectWise
https://thehackernews.com/2025/06/connectwise-to-rotate-screenconnect.html
-
ConnectWise to Rotate Code-Signing Certificates – Source: www.darkreading.com https://ciso2ciso.com/connectwise-to-rotate-code-signing-certificates-source-www-darkreading-com/ #rssfeedpostgeneratorecho #DarkReadingSecurity #CyberSecurityNews #ConnectWise #DARKReading
-
Connectwise is rotating code signing certificates. What happened? https://www.helpnetsecurity.com/2025/06/11/connectwise-is-rotating-code-signing-certificates-what-happened/ #securityupdate #certificates #ConnectWise #CyberProof #Don'tmiss #Hotstuff #News #LUMU
-
ConnectWise is rotating code signing certificates. What happened?
-
What a wonderful thing to find out while on vacation that my phone is blowing up because a news article about #ConnectWise published yesterday (https://www.bleepingcomputer.com/news/security/connectwise-rotating-code-signing-certificates-over-security-concerns/) referenced something I posted here in April (https://infosec.exchange/@threatresearch/114315246724920453). (Thanks, Bill ❤️ & @BleepingComputer)
-
#ConnectWise is changing server certificates on June 10, 2025, client updates required, although some updates still not ready.
-
Does anyone use #ConnectWise products? They are switching certificates on 10.6.2025, so update (although not all of the products are current yet).
-
Attacks under way: #Connectwise, #CraftCMS and #Asus routers targeted | Security https://www.heise.de/news/Warnung-vor-Angriffen-auf-Connectwise-Craft-CMS-und-Asus-Router-10424978.html #Patchday
-
IT incident at #Connectwise: state-backed cybercriminals broke in | Security https://www.heise.de/news/IT-Vorfall-bei-Connectwise-Staatliche-Cyberkriminelle-eingebrochen-10425193.html #CyberCrime
-
Attackers breached ConnectWise, compromised customer ScreenConnect instances https://www.helpnetsecurity.com/2025/06/02/attackers-breached-connectwise-compromised-customer-screenconnect-instances/ #government-backedattacks #cyberespionage #remoteaccess #ConnectWise #techsupport #Don'tmiss #Hotstuff #News #MSP
-
ConnectWise Breached, ScreenConnect Customers Targeted – Source: www.darkreading.com https://ciso2ciso.com/connectwise-breached-screenconnect-customers-targeted-source-www-darkreading-com/ #rssfeedpostgeneratorecho #DarkReadingSecurity #CyberSecurityNews #ConnectWise #DARKReading
-
ConnectWise customers get mysterious warning about ‘sophisticated’ nation-state hack – Source: go.theregister.com https://ciso2ciso.com/connectwise-customers-get-mysterious-warning-about-sophisticated-nation-state-hack-source-go-theregister-com/ #rssfeedpostgeneratorecho #TheRegisterSecurity #CyberSecurityNews #ConnectWise #TheRegister
-
ConnectWise suffered a cyberattack carried out by a sophisticated nation state actor – Source: securityaffairs.com https://ciso2ciso.com/connectwise-suffered-a-cyberattack-carried-out-by-a-sophisticated-nation-state-actor-source-securityaffairs-com/ #ConnectWiseScreenConnect #rssfeedpostgeneratorecho #informationsecuritynews #ITInformationSecurity #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #SecurityAffairs #SecurityAffairs #BreakingNews #SecurityNews #ConnectWise #hackingnews
-
ConnectWise says nation-state attack targeted multiple ScreenConnect customers
#ConnectWise #CVE_2024_1709
https://therecord.media/connectwise-nation-state-attack-targeted-some-customers
-
ConnectWise Hit by Cyberattack; Nation-State Actor Suspected in Targeted Breach – Source:thehackernews.com https://ciso2ciso.com/connectwise-hit-by-cyberattack-nation-state-actor-suspected-in-targeted-breach-sourcethehackernews-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #TheHackerNews #ConnectWise
-
ConnectWise Confirms Hack, “Very Small Number” of Customers Affected – Source: www.infosecurity-magazine.com https://ciso2ciso.com/connectwise-confirms-hack-very-small-number-of-customers-affected-source-www-infosecurity-magazine-com/ #rssfeedpostgeneratorecho #InfoSecurityMagazine #InfosecurityMagazine #CyberSecurityNews #ConnectWise
-
ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/ #Cybersecurity #ScreenConnect #ConnectWise #FleetDeck #Security #Malware #TROJAN #RAT
-
Last week I posted a thread about a #spam campaign delivering a #ConnectWise client as its payload. As of this morning, the threat actors have changed the payload (https://www.virustotal.com/gui/file/30e1d059262b851a2b432ec856aeba5bb639ba764aa85643703163d62000a2f4) and it appears to try to connect to the address "relay.noscreener[.]info" which resolves to 104.194.145.66.
Embedded in the installer .msi file is a file called system.config, which contains this domain name and a base64-encoded string.
The fake Social Security website is still being hosted on a compromised site that belongs to a temp agency based on the east coast of the US.
Previous thread:
-
However, because this attack has been going on for two weeks, some endpoint protection tools (well, about a third of them) are catching on that this particular file is bad, and should feel bad.
https://www.virustotal.com/gui/file/13d71b884a0625f3aa3805fb779d95513d0485671ab8c090a0c790ceda071e63
The most important lesson here is that attackers always come up with new ways to evade detection. Using a commercially available, normally legitimate remote access tool with a valid cryptographic signature lets the attacker bypass some kinds of endpoint detection.
Remember to check the From: address in emails, and the destination of any links they point to. You can do this by hovering your mouse over the link without clicking, and waiting a second. If it says it's from the SSA, but it isn't pointing to SSA.gov, then it's a lie.
If you find content like this useful, please follow me here, or on LinkedIn: https://www.linkedin.com/in/andrew-brandt-9603682/
9/fin
-
When clicked, the button delivers malware, but it's an unexpected payload: A client installer for the commercial remote-access tool ConnectWise.
Every time I clicked the download link, it gave me the same file with six different random digits appended to the filename. Note that it is not, as the website implies, a PDF document, but a Windows executable file, with a .exe extension.
8/
-
This is where I tell you: don't do this! I am a trained professional. I click all the bad links so you don't have to. I am going to show you what happens next.
A button appears on this page, labeled "Access Your Statement." The site serving up this payload delivers a file named "Social Security Statement Documents [six digit random number].exe"
7/
-
Finally the target lands on a page on the InMotion site that closely resembles the look-and-feel of the content in the email message.
The page tells the visitor, in part "Download your statement as a PDF file" and "For security reasons, we recommend accessing your statement through your secure device."
Spoiler alert: It was not a PDF file.
(Edit: A reader informs me that this appears to be the hosting space used by the temp agency website, and that for whatever reason, the URL appears differently here.)
6/
-
The target's browser then lands on another website, hosted by a large hosting service, InMotion Hosting. As with the temp agency website, the attackers have set up multiple URLs on this site, where the first URL performs a 302 redirect to go to the second URL, for no apparent reason other than to create the URL equivalent of a Rube Goldberg contraption.
5/
-
It sometimes pays to run domains that serve purely as spam honeypots. Case in point: A spammer has been delivering a ConnectWise commercial remote access client application as a payload in a scam that uses the purported arrival of a US Social Security statement as its hook.
A 🧵 ...
#ConnectWise #malware #spam #malspam #attacksurface #SocialSecurity #SocialSecurityAdministration #SSA #usgov
-
Attackers deploying red teaming tool for EDR evasion https://www.helpnetsecurity.com/2024/10/15/edr-evasion-edrsilencer/ #endpointsecurity #threatdetection #BinaryDefense #ConnectWise #SentinelOne #TrendMicro #Don'tmiss #Hotstuff #ExtraHop #Intel471 #Sophos #News
-
Find out which cybersecurity threats organizations fear the most https://www.helpnetsecurity.com/2024/06/19/cybersecurity-threats-statistics-2024/ #cybersecurity #VeeamSoftware #PingIdentity #ConnectWise #CheckPoint #Proofpoint #Don'tmiss #cyberrisk #Hotstuff #CyberArk #Mimecast #Entrust #Trellix #Code42 #McAfee #report #survey #Jumio #News
-
ConnectWise has disclosed two serious #vulnerabilities in their ScreenConnect (formerly Control) remote access product. The first vulnerability allows attackers to bypass authentication to execute arbitrary commands with full privileges. The second issue is a path-traversal vulnerability that allows attackers to access restricted resources.
Learn more about the vulnerability: https://www.runzero.com/blog/finding-connectwise-screenconnect/
Use runZero to find #connectwise ScreenConnect on your network: https://www.runzero.com/try/signup/