ScreenConnect Under Attack: SmartScreen Evasion and RMM Abuse

Mayur Sewani
ConnectWise ScreenConnect is a secure remote access tool used by IT teams to troubleshoot and manage devices remotely.
Attacks against ConnectWise ScreenConnect have increased recently, because attackers are taking advantage of known vulnerabilities in unpatched systems. They use these weaknesses to gain initial access, then they install malware, backdoors or even ransomware. In many cases, ScreenConnect is exploited as a legitimate remote access tool to stay hidden longer. Overall, ScreenConnect has become a more common target as attackers look for easy entry points into networks.
This blog post examines an attack chain observed by X-Labs researchers: a spoofed email delivers a malicious .cmd attachment that executes silently, escalates privileges, disables Windows SmartScreen, removes the Mark-of-the-Web to bypass security warnings and ultimately installs ScreenConnect, a legitimate Remote Monitoring and Management (RMM) tool, which is then abused as a Remote Access Trojan (RAT) to establish persistent command-and-control access.
This campaign targets organizations across the United States, Canada, United Kingdom and Northern Ireland, focusing on sectors with high-value data, including government, healthcare and logistics companies.

Fig. 1 - Attack chain
Email Analysis:
This email impersonates the U.S. Social Security Administration but uses the fake domain SSA[.]COM instead of ssa.gov, contains spelling errors (e.g., "eStatemet"), mismatched recipient fields and a vague subject meant to stoke curiosity.

Fig. 2 - Email sample
Archived .CMD Analysis:
This .cmd script is designed for stealthy malware installation with system-level persistence. It first checks for administrator privileges and, if it lacks them, silently re-launches itself elevated through UAC using PowerShell (Start-Process -Verb RunAs), a common attacker technique for gaining full control without the user's awareness.

Fig. 3 - .cmd script
Once elevated, it disables Windows SmartScreen by modifying a registry key and forcibly restarts Explorer to apply the change, weakening the system's built-in defenses. From there, it downloads an external MSI installer over plain HTTP (no encryption, no integrity checks) from the untrusted URL hxxps://delwayne[.]alwaysdata[.]net/Windowsetup[.]msi, saves it to the temp directory under a misleading name and removes the Mark-of-the-Web by deleting the Zone.Identifier alternate data stream (ADS), which suppresses the Windows security warnings that would otherwise appear. Finally, it performs a fully silent MSI installation (/qn) with no user interaction or visibility.
Overall, this script matches malware loader behaviour, using defence evasion, privilege escalation and covert payload delivery.
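The loader behaviours described above (self-elevation via Start-Process -Verb RunAs, SmartScreen being switched off in the registry, Explorer being restarted, the Zone.Identifier stream being deleted and a silent msiexec /qn install from the temp directory) each leave a distinct mark in process-creation telemetry. The following is an added detection example, not code from the original post or from Forcepoint; the sample events are constructed, and the exact command lines, the SmartScreenEnabled registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer, and the use of taskkill for the Explorer restart are assumptions, since the post does not reproduce the script verbatim.

```python
import re

# Constructed sample process-creation events (illustrative, not captured telemetry).
# Paths, file names and the exact commands are assumed for the example.
SAMPLE_EVENTS = [
    {"pid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\eStatement.cmd"'},
    {"pid": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -Command Start-Process cmd.exe -ArgumentList '/c C:\Users\victim\Downloads\eStatement.cmd' -Verb RunAs"},
    {"pid": 3, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f'},
    {"pid": 4, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im explorer.exe"},
    {"pid": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Remove-Item -Path C:\Users\victim\AppData\Local\Temp\Windowsetup.msi -Stream Zone.Identifier"},
    {"pid": 6, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\victim\AppData\Local\Temp\Windowsetup.msi /qn"},
    # Benign interactive install from Program Files: should not be flagged.
    {"pid": 7, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Program Files\Vendor\update.msi" /qb'},
]

# One command-line pattern per behaviour named in the analysis.
RULES = {
    "uac_self_elevation": re.compile(r"start-process\b.*-verb\s+runas", re.I),
    "smartscreen_disabled": re.compile(r"smartscreenenabled\b.*\boff\b", re.I),
    "motw_removed": re.compile(r"zone\.identifier", re.I),
    "explorer_restart": re.compile(r"taskkill\b.*explorer\.exe", re.I),
}
SILENT_MSI = re.compile(r"msiexec\b.*/qn\b", re.I)
TEMP_PATH = re.compile(r"\\temp\\", re.I)


def tag_event(event):
    """Return the list of loader behaviours a single event exhibits."""
    cmd = event["cmdline"]
    tags = [name for name, rx in RULES.items() if rx.search(cmd)]
    # A silent install is only treated as suspicious when the package sits in a temp dir,
    # which keeps ordinary software deployments out of the alert.
    if SILENT_MSI.search(cmd) and TEMP_PATH.search(cmd):
        tags.append("silent_msi_from_temp")
    return tags


def flagged_events(events):
    """(pid, tags) for every event that matched at least one rule."""
    return [(e["pid"], tag_event(e)) for e in events if tag_event(e)]


def observed_behaviours(events):
    """Set of distinct loader behaviours seen across a host's events."""
    seen = set()
    for e in events:
        seen.update(tag_event(e))
    return seen


def is_loader_chain(events, threshold=3):
    """Alert when several of the behaviours co-occur; any single one can be benign."""
    return len(observed_behaviours(events)) >= threshold


if __name__ == "__main__":
    for pid, tags in flagged_events(SAMPLE_EVENTS):
        print(pid, tags)
    print("loader chain:", is_loader_chain(SAMPLE_EVENTS))
```

The threshold matters: an administrator legitimately elevating a script or restarting Explorer should not page anyone, but SmartScreen tampering, Mark-of-the-Web removal and a silent install from a temp directory landing on the same host within one session is the sequence the post describes.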
MSI Analysis:
PowerShell invokes msiexec to extract and install the ScreenConnect components, including the executable, DLLs and config files.

Fig. 4 - MSI dropped files
After installation it invokes ScreenConnect.ClientService.exe with specific parameters mentioned in System.config.

Fig. 5 - System.config file
This config tells the ScreenConnect client which server to connect to:
- h=dof-connect[.]top → the remote server address
- p=8041 → the network port it should use
- k= → the security key (encryption/authentication key) that proves the client is allowed to connect to that server
- ClientLaunchParametersConstraint → the client may only start if these exact connection details are used
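Because the client's relay host, port and key all live in System.config, a defender can audit every ScreenConnect install on the estate by parsing that file and comparing the h/p values against the organisation's approved RMM relays. The following is an added example, not code from the original post or from ConnectWise: the config fragment is constructed in the .NET applicationSettings layout and the exact element layout, the &-separated parameter string, the allowlist entries and the placeholder key are assumptions; only the host and port values mirror the ones listed above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed System.config fragment (assumed layout); host and port follow the analysis above,
# the key is a placeholder.
SAMPLE_CONFIG = """<configuration>
  <applicationSettings>
    <ScreenConnect.Properties.Settings>
      <setting name="ClientLaunchParameters" serializeAs="String">
        <value>h=dof-connect.top&amp;p=8041&amp;k=PLACEHOLDER_KEY</value>
      </setting>
      <setting name="ClientLaunchParametersConstraint" serializeAs="String">
        <value>h=dof-connect.top&amp;p=8041</value>
      </setting>
    </ScreenConnect.Properties.Settings>
  </applicationSettings>
</configuration>
"""

# Constructed allowlist of the relays the organisation actually operates.
APPROVED_RELAYS = {("rmm.example-corp.internal", 8041)}


def load_settings(xml_text):
    """Map every <setting name=...> to the text of its <value> child."""
    root = ET.fromstring(xml_text)
    return {s.get("name"): (s.findtext("value") or "") for s in root.iter("setting")}


def parse_launch_params(value):
    """Split the h=...&p=...&k=... string into a flat dict (blank values kept)."""
    return {k: v[0] for k, v in parse_qs(value, keep_blank_values=True).items()}


def audit_client_config(xml_text, approved=APPROVED_RELAYS):
    """Return the configured relay and a list of findings for this client install."""
    settings = load_settings(xml_text)
    params = parse_launch_params(settings.get("ClientLaunchParameters", ""))
    constraint = parse_launch_params(settings.get("ClientLaunchParametersConstraint", ""))
    host = params.get("h")
    port = int(params.get("p", 0))
    findings = []
    if (host, port) not in approved:
        findings.append(f"relay {host}:{port} not on RMM allowlist")
    if not params.get("k"):
        findings.append("missing client key")
    # The constraint pins the client to these exact details; a mismatch means the
    # launch parameters were altered after the installer was built.
    for key in ("h", "p"):
        if key in constraint and constraint[key] != params.get(key):
            findings.append(f"constraint/{key} mismatch")
    return {"host": host, "port": port, "findings": findings}


if __name__ == "__main__":
    print(audit_client_config(SAMPLE_CONFIG))
```

Run across a fleet, the same function turns the "enforce strict RMM allowlists" advice into a concrete inventory: any client whose relay is not in the approved set is either an unmanaged install or one dropped by a loader like the one analysed here.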
ScreenConnect Binary Analysis:
ScreenConnect.ClientService.exe is a part of the ScreenConnect tool made by ConnectWise. It runs in the background and allows someone to remotely access or control your computer for support or meetings.
Its .NET client, version 25.2.4.9229, is signed, but with a certificate that its issuer has explicitly revoked.

Fig. 6 - ScreenConnect.ClientService.exe file info
After being executed by the MSI file, it reads values from
Executed Process with parameters:


Fig. 7 - C2 traffic
The client establishes a network session with the remote command-and-control domain dof-connect[.]top, after which the host begins exhibiting Remote Access Trojan (RAT)-style behaviours and data exfiltration activity. It encrypts the data with a session key and uploads it in chunks to the C2 server. This domain is hosted on Iranian network infrastructure belonging to "Aria Shatel Company Ltd".
What This ScreenConnect Attack Means for Defenders
This analysis highlights how attackers can weaponize legitimate but vulnerable or untrusted software versions to bypass enterprise defenses. In this campaign, a signed ScreenConnect client with a certificate that has been explicitly revoked by the vendor is being silently deployed after disabling SmartScreen and stripping the Mark-of-the-Web tag, allowing execution without reputation-based blocking or user prompts.
By abusing an outdated or revoked RMM client as a Remote Access Trojan (RAT), the attacker achieves persistent, unauthorized remote control while evading traditional detection mechanisms. This case reinforces the importance of blocking revoked or vulnerable software versions, enforcing strict RMM allowlists and actively monitoring for security control tampering as part of a modern defense strategy.
Protection Statement:
Forcepoint customers are protected against this threat at the following stages of attack:
- Lure – Malicious .cmd attachments associated with these attacks are identified and blocked.
- Dropper File - The dropper files are added to Forcepoint malicious database and are blocked.
- Call Home - Blocked C2 credentials
IOCs:
Hashes:
- 48A5034E75B526E1A9371B4E728B02FB81D2C7C1 - RAR
- 0FA008DFD45F39879412275D1A4C178CF7AFFAE2 - cmd
- 46FCE36F4901D6ACF19AAAA9CBD1A14DF6D6AA85 - MSI
- B46C4E4694783311E2C612ED7F0CA67A88E1E352 - EXE
- FDE73710CE063BBF1E377C02A1A8615CF4DA1C08 - DLL
URLs:
- hxxps://delwayne[.]alwaysdata[.]net/Windowsetup[.]msi
C2s:
- dof-connect[.]top

Mayur serves as a Senior Security Researcher on the Forcepoint X-Labs Research Team. He focuses on APT malware, information stealers and phishing attacks, and works to stay on top of the latest threats. He is passionate about advancing the field of defensive adversary emulation and research.