
ScreenConnect Abused for Network Intrusions by APT Groups

1 unique source, 1 article

Summary


Advanced persistent threat (APT) groups are exploiting the remote monitoring and management (RMM) tool ScreenConnect to gain unauthorized access to systems. This abuse leverages ScreenConnect's legitimate features, such as unattended access and file transfer, to establish persistence and move laterally within compromised networks. The ScreenConnect client runs primarily in memory, evading basic antivirus scans, and attackers use custom URLs and invite links for phishing. The DarkAtlas research project has identified key event logs and configuration files that can aid in detecting and investigating these intrusions. Defenders are advised to monitor custom URLs, in-memory installer behavior, persistent client binaries, and related configuration files and event IDs.

Timeline

  1. 13.10.2025 18:45 1 article · 1d ago

    APT Groups Exploit ScreenConnect for Network Intrusions

    APT groups have been observed exploiting the RMM tool ScreenConnect to gain unauthorized access to systems. The abuse of ScreenConnect's legitimate features, such as unattended access and file transfer, allows attackers to establish persistence and move laterally within compromised networks. The ScreenConnect client runs mainly in memory, evading basic antivirus scans, and attackers use custom URLs and invite links for phishing. Key event logs and configuration files have been identified to aid in detecting and investigating these intrusions.


Information Snippets

  • APT groups are exploiting ScreenConnect, an RMM tool developed by ConnectWise, for unauthorized system access.

    First reported: 13.10.2025 18:45
    1 source, 1 article
  • ScreenConnect features such as unattended access, VPN functionality, REST API integration, and file transfer are being abused by attackers.

    First reported: 13.10.2025 18:45
    1 source, 1 article
  • The ScreenConnect client runs mainly in memory, evading basic antivirus scans.

    First reported: 13.10.2025 18:45
    1 source, 1 article
  • Attackers use custom URLs and invite links for phishing, luring victims into installing malicious ScreenConnect clients.

    First reported: 13.10.2025 18:45
    1 source, 1 article
  • Key event logs, including Security Event ID 4573 and Application Log events 100 and 101, provide indicators for digital forensics and incident response.

    First reported: 13.10.2025 18:45
    1 source, 1 article
  • Configuration files such as user.config and system.config store hostnames, IP mappings, and encrypted keys, which can be used to trace suspicious connections.

    First reported: 13.10.2025 18:45
    1 source, 1 article