
Syncro MSP agent deploying ScreenConnect for remote access

Malware Activity
Happening score
H score 14
1 unique source, 1 article

Summary


The Syncro payload installs ScreenConnect through a hidden remote-management agent, giving operators remote access to infected endpoints and a path to follow-on payloads. It is delivered through phishing emails and is designed to stay less visible by hiding its tray icon and minimizing configuration. The resulting access can be used to steal data, reach password vaults, and disable security tools on the target device.

Related Happenings

CloudZ RAT Pheno Microsoft Phone Link credential-theft activity

Malware Activity
First: 05.05.2026 13:03 Last: 05.05.2026 13:03 Sources 1

About this happening: The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...

VENOMOUS#HELPER phishing campaign using RMM tools

Campaign
First: 04.05.2026 21:06 Last: 04.05.2026 21:06 Sources 1

About this happening: An active **VENOMOUS#HELPER** phishing campaign is using legitimate **RMM software** to establish **persistent remote access** to compromised hosts, putting **over 80 organization...

Latest development: 05.05.2026 17:00

Securonix found the Venomous#Helper phishing campaign using emails impersonating the US Social Security Administration to send victims to gruta[.]com.mx, which served an SSA-branded harvesting page before redirecting to payload delivery from a separate compromised cPanel account. The campaign pairs a self-hosted SimpleHelp 5.0.1 instance with a ConnectWise ScreenConnect relay, and the downloaded JWrapper-packaged binary was signed by SimpleHelp Ltd with a valid Thawte certificate. In a one-hour observation, Securonix recorded 986 background process-creation events and WMIC execution through a renamed wmic.exe.bak copy to evade EDR rules.

Google Ads tax-search ScreenConnect malvertising campaign

Campaign
First: 24.03.2026 19:05 Last: 24.03.2026 19:05 Sources 1

About this happening: A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...

ConnectWise security patch release for CVE-2026-3564

Security Patch Release
First: 18.03.2026 20:10 Last: 18.03.2026 20:10 Sources 1

About this happening: ConnectWise released **ScreenConnect 26.1** to harden **machine key** handling after disclosing **CVE-2026-3564**, a flaw that can enable **unauthorized access** and **privilege e...

ScreenConnect cryptographic signature verification vulnerability (CVE-2026-3564)

Vulnerability
First: 18.03.2026 20:10 Last: 18.03.2026 20:10 Sources 1

About this happening: ConnectWise disclosed **CVE-2026-3564**, a **cryptographic signature verification vulnerability** in **ScreenConnect** that can enable **unauthorized access** and **privilege esca...

Timeline

  1. 15.10.2025 22:22 2 articles · 7mo ago

    Phishing campaign delivers Syncro and ScreenConnect via fake LastPass and Bitwarden alerts

    Initial Disclosure

    A phishing campaign that began over the Columbus Day holiday weekend targeted LastPass and Bitwarden users with fake breach emails urging recipients to download a supposedly more secure desktop password-manager app. The malicious binary installed the Syncro MSP platform agent with hidden system-tray behavior and used the Syncro MSP program to deploy ScreenConnect for remote access. Cloudflare blocked the fraudulent landing pages, and LastPass stated that it had not been hacked.
