Syncro MSP agent deploying ScreenConnect for remote access
Malware Activity
Summary
Hide ▲
Show ▼
The Syncro payload installs ScreenConnect through a hidden remote-management agent, giving operators remote access to infected endpoints and a path to follow-on payloads. It is delivered through phishing emails and is designed to stay less visible by hiding its tray icon and minimizing configuration. The resulting access can be used to steal data, reach password vaults, and disable security tools on the target device.
Related Happenings
ChatGPT widens Lockdown Mode and Active Sessions to reduce prompt-injection exfiltration and session compromise
Security Tool/Service
H score10
First: 08.06.2026 11:32
Last: 08.06.2026 11:32
Sources 1
About this happening:
**ChatGPT** is expanding access to **Lockdown Mode** and **Active Sessions**, tightening protection against **prompt-injection data exfiltration** and **account/session compromise...
ChatGPT widens Lockdown Mode and Active Sessions to reduce prompt-injection exfiltration and session compromise
Security Tool/ServiceAbout this happening: **ChatGPT** is expanding access to **Lockdown Mode** and **Active Sessions**, tightening protection against **prompt-injection data exfiltration** and **account/session compromise...
GPU cryptomining malware using ScreenConnect and SEO poisoning
Malware Activity
H score16
First: 28.05.2026 00:31
Last: 28.05.2026 00:31
Sources 1
About this happening:
A **cryptojacking malware operation** is spreading through **SEO-poisoned download pages** and, in some cases, **AI chatbot recommendations**, putting **high-performance Windows s...
GPU cryptomining malware using ScreenConnect and SEO poisoning
Malware ActivityAbout this happening: A **cryptojacking malware operation** is spreading through **SEO-poisoned download pages** and, in some cases, **AI chatbot recommendations**, putting **high-performance Windows s...
CloudZ RAT Pheno Microsoft Phone Link credential-theft activity
Malware Activity
H score24
First: 05.05.2026 13:03
Last: 05.05.2026 13:03
Sources 1
About this happening:
The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...
CloudZ RAT Pheno Microsoft Phone Link credential-theft activity
Malware ActivityAbout this happening: The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...
VENOMOUS#HELPER phishing campaign using RMM tools
Campaign
H score42
First: 04.05.2026 21:06
Last: 04.05.2026 21:06
Sources 1
About this happening:
An active **VENOMOUS#HELPER** phishing campaign is using legitimate **RMM software** to establish **persistent remote access** to compromised hosts, putting **over 80 organization...
VENOMOUS#HELPER phishing campaign using RMM tools
CampaignAbout this happening: An active **VENOMOUS#HELPER** phishing campaign is using legitimate **RMM software** to establish **persistent remote access** to compromised hosts, putting **over 80 organization...
Latest development: 05.05.2026 17:00
Securonix found the Venomous#Helper phishing campaign using emails impersonating the US Social Security Administration to send victims to gruta[.]com.mx, which served an SSA-branded harvesting page before redirecting to payload delivery from a separate compromised cPanel account. The campaign pairs a self-hosted SimpleHelp 5.0.1 instance with a ConnectWise ScreenConnect relay, and the downloaded JWrapper-packaged binary was signed by SimpleHelp Ltd with a valid Thawte certificate. In a one-hour observation, Securonix recorded 986 background process-creation events and WMIC execution through a renamed wmic.exe.bak copy to evade EDR rules.
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
H score32
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Google Ads tax-search ScreenConnect malvertising campaign
CampaignAbout this happening: A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Timeline
-
15.10.2025 22:22 2 articles · 8mo ago
Phishing campaign delivers Syncro and ScreenConnect via fake LastPass and Bitwarden alerts
Initial DisclosureA phishing campaign targeted LastPass and Bitwarden users with fake breach emails that urged recipients to download a supposedly more secure desktop password-manager app, and the campaign began over the Columbus Day holiday weekend. The malicious binary installed the Syncro MSP platform agent with hidden system-tray behavior and used the Syncro MSP program to deploy ScreenConnect for remote access, while Cloudflare blocked the fraudulent landing pages and LastPass stated that it had not been hacked.
Show sources
- Fake LastPass, Bitwarden breach alerts lead to PC hijacks — www.bleepingcomputer.com — 15.10.2025 22:22
- Fake LastPass, Bitwarden breach alerts lead to PC hijacks — www.bleepingcomputer.com — 15.10.2025 22:22