Observed phishing URLs delivering RMM payload

ScreenConnect is used in phishing URLs to deliver an RMM payload. DocuSign has been observed to be the common theme in these phishing emails.

Pulse ID: 6a3ae5bf02925732fd075068
Pulse Link: https://otx.alienvault.com/pulse/6a3ae5bf02925732fd075068
Pulse Author: AlienVault
Created: 2026-06-23 19:59:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #ScreenConnect #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Observed phishing URLs delivering RMM payload

ScreenConnect is used in phishing URLs to deliver an RMM payload. DocuSign has been observed to be the common theme in these phishing emails.

Pulse ID: 6a3ae61c7ae32738d4584382
Pulse Link: https://otx.alienvault.com/pulse/6a3ae61c7ae32738d4584382
Pulse Author: AlienVault
Created: 2026-06-23 20:01:30

#CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #ScreenConnect #bot #AlienVault

From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

Pulse ID: 6a1ff49534caa494728e11ed
Pulse Link: https://otx.alienvault.com/pulse/6a1ff49534caa494728e11ed
Pulse Author: Tr1sa111
Created: 2026-06-03 09:32:05

#CryptoJacking #CyberSecurity #InfoSec #Microsoft #NET #OTX #OpenThreatExchange #ScreenConnect #bot #Tr1sa111

From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11

#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities - https://www.redpacketsecurity.com/from-poisoned-search-results-to-gpu-mining-a-cryptojacking-campaign-abusingscreenconnect-and-microsoft-net-utilities/

#threatintel
#cryptojacking
#GPU-mining
#ScreenConnect abuse
#DLL sideloading
#process hollowing

An unknown threat actor is abusing a remote management tool called #TiFLUX as an initial access vector, targeting a broad range of potential victims by email. The attacks using this Brazil-originated commercial utility began in February, but really ramped up in April and the beginning of this month.

The lures employ a variety of #spam tropes, including bogus event invitations and business invoices/bills.

TiFLUX seems uniquely vulnerable to this kind of abuse. The installer package also installs an old version of UltraVNC as well as a vulnerable #loldriver that can elevate privileges. Weirdest of all, the attackers are also using this RMM to deploy other heavily-abused RMMs, including #Splashtop and #ScreenConnect, to the devices that get hit. Those RMMs are connecting to IP addresses associated with known bulletproof hosts.

This is my first post at the @huntress blog: https://www.huntress.com/blog/tiflux-rmm-install

#malware #RMM #RogueRMM

Threat Actors Weaponize Tiflux RMMs in Malspam Attacks | Huntress

We dug into a recent malspam campaign that involved an installer for a commercially sold remote monitoring and management (RMM) tool called Tiflux.

Huntress

@strikereadylabs.com #screenconnect c2: producttradercop\.com

CISA warning: attacks on ConnectWise ScreenConnect and Windows Shell

The US IT security agency CISA is warning of observed attacks on the Windows Shell and ConnectWise ScreenConnect.

heise online

CISA Flags Actively Exploited ConnectWise, Windows Flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) has flagged two major vulnerabilities, including a critical flaw in ConnectWise ScreenConnect and a Microsoft Windows Shell bug, as actively exploited by hackers. These flaws could allow attackers to execute remote code, access confidential data, and compromise critical systems.

https://osintsights.com/cisa-flags-actively-exploited-connectwise-windows-flaws?utm_source=mastodon&utm_medium=social

#Cve20241708 #Cve202632202 #Windows #Connectwise #Screenconnect