In-Memory Loader Drops ScreenConnect
In February 2026, an attack chain was discovered that used a fraudulent Adobe Acrobat Reader download page to trick victims into installing ConnectWise's ScreenConnect, a legitimate remote access tool abused for malicious purposes. The attack employs layered evasion techniques, including heavy obfuscation, .NET reflection for in-memory payload execution, and dynamic code construction. A VBScript loader initiates the chain by downloading and executing obfuscated PowerShell commands that compile C# code entirely in memory. The loader manipulates the Process Environment Block to masquerade as a legitimate Windows process and abuses auto-elevated COM objects to bypass User Account Control without prompting the user. This multi-layered approach evades signature-based defenses and hinders forensic analysis while ultimately deploying ScreenConnect for unauthorized remote access.
Pulse ID: 69d8b1848ae30fd4dab9095d
Pulse Link: https://otx.alienvault.com/pulse/69d8b1848ae30fd4dab9095d
Pulse Author: AlienVault
Created: 2026-04-10 08:15:00
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Adobe #ConnectWise #CyberSecurity #InfoSec #NET #OTX #OpenThreatExchange #PowerShell #ScreenConnect #VBS #Windows #bot #AlienVault
