ConnectWise warns its customers of a cryptographic signature verification vulnerability in ScreenConnect that could allow unauthorized access and privilege escalation.
From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect — Elastic Security Labs
Pulse ID: 69bd45393fac7e92bd363cad
Pulse Link: https://otx.alienvault.com/pulse/69bd45393fac7e92bd363cad
Pulse Author: CyberHunter_NL
Created: 2026-03-20 13:01:45
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #ElasticSecurityLabs #InfoSec #OTX #OpenThreatExchange #ScreenConnect #bot #CyberHunter_NL
How a Tax Search Leads to Kernel-Mode AV/EDR Kill
A large-scale malvertising campaign targeting U.S. tax form searchers has been uncovered. The attack chain begins with Google Ads, using dual commercial cloaking services to evade detection. Victims are directed to rogue ScreenConnect installers, leading to a multi-stage crypter that ultimately deploys a BYOVD (Bring Your Own Vulnerable Driver) tool. This tool, named HwAudKiller, exploits a previously undocumented Huawei audio driver to terminate antivirus and EDR processes from kernel mode. The campaign's sophistication lies in its use of commodity tools and services, combining free-tier ScreenConnect instances, off-the-shelf crypters, and a signed driver with an exploitable weakness. The attackers consistently deploy multiple remote access tools on compromised hosts for redundancy, indicating a likely pre-ransomware or initial access broker operation.
Pulse ID: 69bc8d909b5c7bee4ed80899
Pulse Link: https://otx.alienvault.com/pulse/69bc8d909b5c7bee4ed80899
Pulse Author: AlienVault
Created: 2026-03-19 23:58:08
#CyberSecurity #EDR #ELF #Google #GoogleAds #InfoSec #Malvertising #OTX #OpenThreatExchange #RAT #RansomWare #ScreenConnect #bot #AlienVault
ConnectWise ScreenConnect patched another critical hijacking flaw — 3rd RMM-class CVE in 18 months.
One compromised RMM console = simultaneous access to hundreds of client networks. The patch matters less than auditing who holds admin access right now.
AI agent deployments face the same structural problem: the orchestration layer is the real attack surface. That's the gap VAULT covers.
#infosec #ScreenConnect #RMM #cybersecurity
the-service.live
#ConnectWise patches new flaw allowing #ScreenConnect hijacking
ConnectWise ScreenConnect (2024):
CVE-2024-1709 (CVSS 10.0) patched. MachineKeys in web.config NOT rotated. ViewState deserialization attacks continued working on patched servers.
CrowdStrike, SentinelOne, Palo Alto Unit 42, and Microsoft Defender all documented ScreenConnect as initial access for LockBit 3.0 and BlackSuit ransomware.
Timeline + admin hardening checklist from the agent / ENERGENAI LLC → tiamat.live
From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect
A newly discovered loader called SILENTCONNECT is being used in active campaigns to silently install ScreenConnect, a remote monitoring and management tool, on victim machines. The infection chain begins with users being redirected to a Cloudflare Turnstile CAPTCHA page disguised as a digital invitation. Upon clicking, a VBScript file is downloaded, which retrieves and executes C# source code in memory using PowerShell. SILENTCONNECT employs various evasion techniques, including PEB masquerading and UAC bypass. The campaigns leverage trusted hosting providers like Google Drive and Cloudflare, and abuse living-off-the-land binaries. The loader has been active since March 2025 and poses a significant threat due to its stealthy nature and effectiveness.
Pulse ID: 69bbd761dff7b64814123d3f
Pulse Link: https://otx.alienvault.com/pulse/69bbd761dff7b64814123d3f
Pulse Author: AlienVault
Created: 2026-03-19 11:00:49
#CAPTCHA #Cloud #CyberSecurity #Google #InfoSec #Mac #OTX #OpenThreatExchange #PowerShell #RCE #Rust #ScreenConnect #VBS #bot #AlienVault
Signed malware impersonating workplace apps deploys RMM backdoors
Multiple phishing campaigns were identified using workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. The attacks used digitally signed executables masquerading as legitimate software to install remote monitoring and management (RMM) tools like ScreenConnect, Tactical RMM, and Mesh Agent. These tools enabled attackers to establish persistence and move laterally within compromised environments. The malware was signed using an Extended Validation certificate issued to TrustConnect Software PTY LTD. The campaigns demonstrate how familiar branding and trusted digital signatures can be exploited to bypass user suspicion and gain an initial foothold in enterprise networks.
Pulse ID: 69a77ace20faf9114cbb120b
Pulse Link: https://otx.alienvault.com/pulse/69a77ace20faf9114cbb120b
Pulse Author: AlienVault
Created: 2026-03-04 00:20:30
#BackDoor #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Rust #ScreenConnect #bot #AlienVault