CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

ScreenConnect Abused for Network Intrusions by APT Groups

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

Advanced persistent threat (APT) groups and cybercriminals continue to exploit the remote monitoring and management (RMM) tool ScreenConnect for unauthorized system access, leveraging its legitimate features for persistence and lateral movement. A major malvertising campaign active since January 2026 has specifically targeted U.S. tax filers via Google Ads, delivering rogue ScreenConnect installers that deploy a custom EDR-killing driver (HwAudKiller) using a signed Huawei vulnerable driver (HWAuidoOs2Ec.sys) to blind security tools. The attack chain uses commercial cloaking services (Adspect, JustCloakIt) to evade detection and quickly stacks multiple RMM tools (ScreenConnect, FleetDeck Agent) for redundancy. Observed post-compromise activity includes credential dumping via LSASS access and lateral movement with tools like NetExec, aligning with pre-ransomware or initial access broker behavior. Defenders should prioritize monitoring for rogue ScreenConnect installers delivered via malvertising, kernel-mode driver loads from vulnerable Huawei audio drivers, rapid stacking of multiple RMM tools, and use of EDR killers alongside LSASS memory dumps and lateral movement artifacts.

Timeline

  1. 13.10.2025 18:45 2 articles · 5mo ago

    APT Groups Exploit ScreenConnect for Network Intrusions

    APT groups have been observed exploiting the RMM tool ScreenConnect to gain unauthorized access to systems, leveraging its legitimate features such as unattended access and file transfer to establish persistence and move laterally. The ScreenConnect client runs mainly in memory, evading basic antivirus scans, and attackers use custom URLs and invite links for phishing. Key event logs and configuration files have been identified to aid in detecting and investigating these intrusions. A large-scale malvertising campaign active since January 2026 has abused Google Ads to serve rogue ScreenConnect installers targeting U.S.-based individuals searching for tax-related documents. The campaign delivers a BYOVD EDR killer (HwAudKiller) using a signed Huawei audio driver (HWAuidoOs2Ec.sys) that terminates security processes in kernel mode, bypassing user-mode protections. The attack chain employs commercial cloaking services (Adspect, JustCloakIt) and rapidly deploys multiple RMM tools (ScreenConnect, FleetDeck Agent) for redundancy. Post-compromise activity includes credential dumping via LSASS access, lateral movement with NetExec, and alignment with pre-ransomware or initial access broker behavior. Russian-language artifacts in the actor's infrastructure suggest a Russian-speaking developer.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer

A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, which distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering tactics to trick users into installing malicious prerequisites. The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, providing an additional layer of security for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting the open-source ecosystem's vulnerabilities. The campaign coincides with a report from OpenSourceMalware, highlighting the same threat. The intersection of AI agent capabilities and persistent memory amplifies the risks, enabling stateful, delayed-execution attacks. New findings reveal almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool can lead users to install information-stealing malware. These addons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use sophisticated social engineering to convince users to execute malicious commands which then steals crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords. Additionally, fake OpenClaw installers hosted on GitHub and promoted by Bing AI instructed users to run commands that deployed information stealers and proxy malware. Threat actors set up malicious GitHub repositories posing as OpenClaw installers, which were recommended by Bing in its AI-powered search results. The malicious repositories contained shell scripts paired with Mach-O executables identified as Atomic Stealer malware for macOS users. For Windows users, the threat actor delivered OpenClaw_x64.exe, which deployed multiple malicious executables, including Rust-based malware loaders and Vidar stealer. Another Windows executable delivered was the GhostSocks backconnect proxy malware, designed to convert users' machines into proxy nodes.

Open in new tab

Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace

A malicious GitHub campaign, tracked as **"TroyDen's Lure Factory"**, is distributing over **300 Trojanized packages**, including a fake **OpenClaw Docker deployer**, to deliver a LuaJIT-based data-stealing Trojan. The campaign targets developers, gamers, and the general public with lures ranging from AI tools to game cheats, exploiting automated analysis gaps by splitting the payload into two components—a renamed Lua runtime and an encrypted script—that evade detection when analyzed separately. Once executed, the Trojan captures screenshots, performs geolocation, and exfiltrates credentials to a Frankfurt-based C2 server, with a **29,000-year sleep delay** to defeat sandboxes. GitHub was notified on **March 20, 2026**, but at least two lure repositories remain active. This follows a pattern of **supply-chain and social engineering attacks** leveraging OpenClaw’s popularity, including prior incidents like the **Cline npm compromise** (February 2026), **malicious ClawHub skills** pushing info-stealers, and **exposed OpenClaw instances** (40,000+ vulnerable deployments globally). Chinese authorities have restricted OpenClaw usage in state-run enterprises due to its **privileged system access and prompt injection risks**, while threat actors continue to distribute **fake installers** (e.g., Atomic Stealer, Vidar, GhostSocks proxy malware). Users are urged to **verify repository authenticity, isolate AI tools, and audit environments** for unexpected OpenClaw installations.

Open in new tab

AsyncRAT Delivered via ConnectWise ScreenConnect to Steal Credentials and Cryptocurrency

A new campaign leverages ConnectWise ScreenConnect to deliver AsyncRAT, a remote access trojan (RAT). The attackers use ScreenConnect to gain remote access, then execute a layered VBScript and PowerShell loader to drop AsyncRAT. The malware steals sensitive data, including keystrokes, browser credentials, and cryptocurrency wallet information. The infection chain starts with phishing emails containing trojanized ScreenConnect installers. The attackers use a fake 'Skype Updater' scheduled task to maintain persistence. The malware exfiltrates collected data to a command-and-control (C2) server. The campaign highlights the challenges posed by fileless malware, which operates in memory and is difficult to detect.

Open in new tab

Brokewell Android malware campaign targets cryptocurrency users via fake TradingView ads

A malware campaign is using fake TradingView ads on Meta’s advertising platforms to distribute the Brokewell Android malware. The campaign, active since at least July 22, targets cryptocurrency users and seeks to steal sensitive data, gain remote control of devices, and bypass two-factor authentication. The malware is delivered via a malicious APK file hosted on a fake TradingView site. The Brokewell malware features a broad set of capabilities, including data theft, remote monitoring, and control of compromised devices. It can steal cryptocurrency wallets, bank account details, and Google Authenticator codes. The malware also records screens and keystrokes, activates the camera and microphone, and tracks device locations. It can intercept SMS messages, including banking and 2FA codes, and execute remote commands via Tor or Websockets. The campaign is part of a larger operation that previously targeted Windows users with Facebook ads impersonating well-known brands.

Open in new tab

Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign

APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since June 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration, persistent espionage access, and includes anti-debugging and anti-sandbox checks. The malware also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server via a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, becoming more evasive and sophisticated. The campaign uses dedicated staging servers for malware distribution, transitioning from cloud storage platforms. The malware includes multiple persistence methods and supports commands for file browsing, collection, and remote execution. The campaign is part of a broader trend of targeted activity by South and East Asian threat actors, reflecting a trend toward purpose-built malware and infrastructure. Indian government entities have been targeted in two campaigns codenamed Gopher Strike and Sheet Attack. Gopher Strike leveraged phishing emails to deliver PDF documents with a blurred image and a fake Adobe Acrobat Reader DC update dialog. The campaign uses server-side checks to prevent automated URL analysis tools from fetching the ISO file, ensuring delivery only to intended targets in India. The malicious payload is a Golang-based downloader called GOGITTER, which creates a VBScript file to fetch commands from C2 servers. GOGITTER sets up persistence using a scheduled task to run the VBScript file every 50 minutes. GOGITTER downloads a ZIP file from a private GitHub repository and executes a lightweight Golang-based backdoor called GITSHELLPAD. GITSHELLPAD polls the C2 server every 15 seconds for commands and supports six different commands including cd, run, upload, and download. The results of command execution are stored in a file called "result.txt" and uploaded to the GitHub account. The threat actor also downloads RAR archives containing utilities to gather system information and drop GOSHELL, a bespoke Golang-based loader. GOSHELL's size was artificially inflated to approximately 1 gigabyte to evade detection by antivirus software. GOSHELL only executes on specific hostnames by comparing the victim's hostname against a hard-coded list. APT36 and SideCopy are launching cross-platform RAT campaigns against Indian entities using malware families like Geta RAT, Ares RAT, and DeskRAT. The campaigns use phishing emails with malicious attachments or download links to deliver the malware, which provides persistent remote access, system reconnaissance, data collection, and command execution. Geta RAT supports various commands including system information collection, process enumeration, credential gathering, and file operations. Ares RAT is a Python-based RAT that can run commands issued by the threat actor. DeskRAT is delivered via a rogue PowerPoint Add-In file with embedded macros. The campaigns target Indian defense, government, and strategic sectors, demonstrating a well-resourced, espionage-focused threat actor deliberately targeting these sectors through defense-themed lures, impersonated official documents, and regionally trusted infrastructure.

Open in new tab