ConnectWise ScreenConnect phishing campaign deploying AsyncRAT
Campaign
Summary
A phishing campaign is delivering trojanized ConnectWise ScreenConnect installers to gain remote access to victim hosts and deploy AsyncRAT, exposing keystrokes, browser credentials, system fingerprints and cryptocurrency wallet data. The operation uses layered VBScript and PowerShell loaders, plus hands-on-keyboard remote sessions over the ScreenConnect client, to unpack a fileless payload in memory. It maintains persistence with a scheduled task posing as a "Skype Updater" and exfiltrates stolen data to an attacker-controlled C2 server. Because the tradecraft blends legitimate RMM tooling with in-memory execution, the activity is easy to mistake for sanctioned remote support, which makes detection and cleanup harder.
Related Happenings
CloudZ RAT Pheno Microsoft Phone Link credential-theft activity
Malware Activity
First: 05.05.2026 13:03
Last: 05.05.2026 13:03
Sources 1
About this happening:
The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
ConnectWise security patch release for CVE-2026-3564
Security Patch Release
First: 18.03.2026 20:10
Last: 18.03.2026 20:10
Sources 1
About this happening:
ConnectWise released **ScreenConnect 26.1** to harden **machine key** handling after disclosing **CVE-2026-3564**, a flaw that can enable **unauthorized access** and **privilege e...
APT phishing campaign abusing ScreenConnect, AnyDesk, and Atera
Campaign
First: 13.10.2025 18:45
Last: 13.10.2025 18:45
Sources 1
About this happening:
A wave of **phishing-led RMM abuse** is giving **APT groups** initial access to systems and enabling **persistence** plus **lateral movement** inside compromised networks. The act...
Timeline
- 11.09.2025 09:02
ConnectWise ScreenConnect phishing campaign deploys AsyncRAT
Initial Disclosure
Attackers used trojanized ConnectWise ScreenConnect installers, sent in phishing emails, to gain remote access to the affected organizations and deliver AsyncRAT through layered VBScript and PowerShell loaders. The chain used a fake "Skype Updater" scheduled task for persistence and 3osch20.duckdns[.]org as the C2 endpoint for exfiltrating keystrokes, browser credentials, system fingerprints, and cryptocurrency wallet data.
Sources
- AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto — thehackernews.com — 11.09.2025 09:02
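The summary and the initial disclosure above describe one chain: a ScreenConnect client session spawning a VBScript loader, which launches an evasive PowerShell stage, a scheduled task named "Skype Updater" for persistence, and a dynamic-DNS C2 domain. The following triage script turns that chain into detection logic run over host telemetry. It is an added example, not code from the original page, the reporting researchers, or ConnectWise. The event layout, PIDs, file paths and the ScreenConnect client image names (ScreenConnect.WindowsClient.exe, ScreenConnect.ClientService.exe) are assumptions; the only page-derived indicators are the "Skype Updater" task name, the script-host-to-PowerShell loader chain and the C2 domain 3osch20.duckdns[.]org. The sample events are constructed, not real logs.

```python
"""Host-telemetry triage for the trojanized-ScreenConnect -> VBScript -> PowerShell -> AsyncRAT chain.
Added example, not code from the original page or the reporting researchers. Event layout, PIDs,
paths and the ScreenConnect client image names are assumptions; only the "Skype Updater" task
name, the script-host/PowerShell loader chain and the C2 domain come from the disclosure."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

RMM_CLIENTS = {"screenconnect.windowsclient.exe", "screenconnect.clientservice.exe"}  # assumed names
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
C2_DOMAINS = {"3osch20.duckdns.org"}  # disclosed C2, written defanged on the page
DYNDNS_SUFFIXES = (".duckdns.org",)   # free dynamic DNS alone is only a weak signal
# Loader-stage tells: encoded command, hidden window, Invoke-Expression, fetch/decode of a next stage.
EVASIVE_PS = re.compile(r"(?i)(?:-e(?:nc(?:odedcommand)?)?\b|-w(?:indowstyle)?\s+hidden\b"
                        r"|\bIEX\b|Invoke-Expression|DownloadString|FromBase64String)")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    evidence: str


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def lineage(procs: dict, pid: int) -> list:
    """Image names from pid up through recorded parents. When the records run out, append the
    last record's parent_image so the RMM client at the root of the chain still shows."""
    chain, seen, last = [], set(), None
    while pid in procs and pid not in seen:
        seen.add(pid)
        last = procs[pid]
        chain.append(basename(last["image"]))
        pid = last["ppid"]
    if last is not None and pid not in procs:
        chain.append(basename(last["parent_image"]))
    return chain


def triage(events: list) -> list:
    """Apply the chain's detection rules; severity rises when lineage ties a stage to the RMM client."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in procs.values():
        parent, child = basename(e["parent_image"]), basename(e["image"])
        if parent in RMM_CLIENTS and child in SCRIPT_HOSTS:      # RMM client spawning a script host
            findings.append(Finding("rmm_spawns_script_host", "high", f"{parent} -> {child}: {e['cmdline']}"))
        if child in POWERSHELL and EVASIVE_PS.search(e["cmdline"]):  # in-memory loader stage
            chain = lineage(procs, e["pid"])
            sev = "critical" if any(p in RMM_CLIENTS for p in chain) else "medium"
            findings.append(Finding("evasive_powershell", sev, " -> ".join(reversed(chain)) + f": {e['cmdline']}"))
    for e in (x for x in events if x["type"] == "task"):
        if basename(e["action"]) in SCRIPT_HOSTS:                 # persistence via a script-host task
            findings.append(Finding("task_runs_script_host", "high", f"{e['name']}: {e['action']} {e['args']}"))
        elif "skype" in e["name"].lower() and "skype" not in e["action"].lower():
            findings.append(Finding("updater_lookalike_task", "medium", f"{e['name']}: {e['action']}"))
    for e in (x for x in events if x["type"] == "dns"):
        q = e["query"].lower().rstrip(".")
        if q in C2_DOMAINS:
            findings.append(Finding("known_c2_domain", "critical", f"pid {e['pid']} -> {q}"))
        elif q.endswith(DYNDNS_SUFFIXES):
            findings.append(Finding("dynamic_dns_lookup", "low", f"pid {e['pid']} -> {q}"))
    return findings


# Constructed sample telemetry (not real logs), loosely modelled on Sysmon process, task and DNS events.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 3200,
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.WindowsClient.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\update.vbs"},
    {"type": "process", "pid": 4120, "ppid": 4100,
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"type": "task", "name": "Skype Updater", "action": r"C:\Windows\System32\wscript.exe",
     "args": r"//B C:\Users\alice\AppData\Roaming\Skype\updater.vbs"},
    {"type": "dns", "pid": 4120, "query": "3osch20.duckdns.org"},
    # benign noise: an admin script, a real vendor updater task, an ordinary lookup
    {"type": "process", "pid": 5000, "ppid": 900, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"type": "task", "name": "GoogleUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "args": "/ua"},
    {"type": "dns", "pid": 5000, "query": "login.microsoftonline.com"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
```

Run against the constructed sample it raises four findings and none for the benign noise: the ScreenConnect client spawning wscript.exe, the hidden/encoded PowerShell stage escalated to critical because its lineage reaches the RMM client, the "Skype Updater" task whose action is a script host, and the lookup of the disclosed C2 domain. The dynamic-DNS rule is deliberately low severity on its own; a bare duckdns.org lookup from an RMM-heavy help desk is common, so it is the lineage correlation, not the domain suffix, that should drive triage priority.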