Threat actors are leveraging the ConnectWise ScreenConnect installer to craft signed remote access malware by manipulating hidden settings embedded within the software’s Authenticode signature.
ConnectWise ScreenConnect, widely used by IT administrators and managed service providers (MSPs) for remote monitoring and device management, enables extensive customization during installer creation. These configurations—such as specifying the remote server connection details, modifying dialog text, and applying custom logos—are embedded in the Authenticode signature of the executable.
This tactic, referred to as authenticode stuffing, lets attackers inject configuration data into the certificate table without invalidating the digital signature, making malicious files appear legitimate.
ScreenConnect Exploited for Phishing Campaigns
Cybersecurity researchers at G DATA discovered tampered ConnectWise binaries whose hashes matched genuine versions in every file section except the certificate table. “The only difference was a modified certificate table containing new malicious configuration information while still allowing the file to remain signed,” G DATA explained.
Initial evidence of these attacks surfaced on the BleepingComputer forums, where victims shared reports of infections following phishing lures. Similar incidents were also discussed on Reddit. The phishing campaigns often used deceptive PDFs or intermediary Canva pages that linked to malicious executables hosted on Cloudflare’s R2 servers.
One such file, titled “Request for Proposal.exe,” was identified by BleepingComputer as a trojanized ScreenConnect client configured to connect to attacker-controlled infrastructure at 86.38.225[.]6:8041 (relay.rachael-and-aidan.co[.]uk).
G DATA developed a tool to extract and inspect these malicious configurations. Investigators found that the threat actors rebranded the installer with titles like “Windows Update” and swapped the background image with a counterfeit Windows Update graphic, effectively transforming legitimate remote support software into stealthy malware.
After being contacted by G DATA, ConnectWise revoked the certificate associated with the compromised installers. G DATA now classifies these threats as Win32.Backdoor.EvilConwi.* and Win32.Riskware.SilentConwi.*. “G DATA says they never received a reply from ConnectWise about this campaign and their report.”
In a parallel campaign, attackers have also distributed altered SonicWall NetExtender VPN clients designed to steal login credentials and domain information. According to SonicWall’s advisory, the malicious variants transmit captured data to attacker-controlled servers. The company strongly urges users to download software exclusively from official sources to avoid compromise.
