Booby-trapped installers deploying ScreenConnect and other RMM tools
Malware Activity
Summary
Attackers are using booby-trapped MSI installers and executables to deploy legitimate RMM tools and gain covert remote access inside targeted networks. The activity matters because the tools can be used for credential harvesting, system reconnaissance, and deeper post-compromise access while looking like normal enterprise software. The current wave delivers ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve.
Related Happenings
SSHStalker IRC-controlled Linux botnet
Malware Activity
First: 11.02.2026 11:56
Last: 11.02.2026 11:56
Sources 1
About this happening:
Researchers disclosed **SSHStalker**, a **Linux botnet** that uses **IRC C2** and automated **SSH scanning** to compromise exposed systems, increasing the risk of persistent contr...
Greenvelope phishing-to-LogMeIn Resolve dual-vector campaign
Campaign
First: 23.01.2026 13:18
Last: 23.01.2026 13:18
Sources 1
About this happening:
A **dual-vector phishing campaign** is using **fake Greenvelope invitations** and **stolen credentials** to establish **persistent remote access** on compromised hosts, turning le...
ScreenConnect and NetSupport abuse for freight cargo hijacking
Malware Activity
First: 03.11.2025 18:46
Last: 03.11.2025 18:46
Sources 1
About this happening:
Malicious deployment of **ScreenConnect**, **NetSupport**, and related **RMM tools** is giving attackers remote control over **freight-broker** and **trucking carrier** systems, e...
Syncro MSP agent deploying ScreenConnect for remote access
Malware Activity
First: 15.10.2025 22:22
Last: 15.10.2025 22:22
Sources 1
About this happening:
The **Syncro** payload installs **ScreenConnect** through a hidden remote-management agent, giving operators **remote access** to infected endpoints and a path to **follow-on payl...
APT phishing campaign abusing ScreenConnect, AnyDesk, and Atera
Campaign
First: 13.10.2025 18:45
Last: 13.10.2025 18:45
Sources 1
About this happening:
A wave of **phishing-led RMM abuse** is giving **APT groups** initial access to systems and enabling **persistence** plus **lateral movement** inside compromised networks. The act...
Timeline
03.11.2025 15:18 · 2 articles
Booby-trapped installers deploy ScreenConnect and other RMM tools in logistics intrusions
Initial Disclosure: Attackers targeting trucking and logistics companies use compromised-email, spear-phishing, and fraudulent freight-listing lures to deliver booby-trapped MSI installers or executables that install legitimate RMM tools such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. In some intrusions, PDQ Connect is used to drop and install ScreenConnect and SimpleHelp, and the resulting access is then used for system and network reconnaissance and credential harvesting with WebBrowserPassView.
Sources:
- Cybercriminals Exploit Remote Monitoring Tools to Infiltrate Logistics and Freight Networks — thehackernews.com — 03.11.2025 15:18
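The behaviours in the timeline entry (an RMM client installed by an MSI, one RMM tool dropping another, several RMM tools on one host, and WebBrowserPassView running afterwards) translate directly into process-creation detections. The script below is an added example written for this page; it is not code from the original page or from the cited report. The event records are constructed, the `ProcEvent` field names are assumptions about whatever EDR or Sysmon export you feed it, and the path substrings used to recognise each tool are assumptions that should be replaced with the binary names actually observed in your environment.

```python
"""Detection sketch for installer-delivered RMM abuse.

Added example; not code from the original page or the cited report.
The event records below are constructed, and the executable-path
substrings used to recognise each RMM tool are assumptions, not
vendor-documented binary names.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Tool names are the ones listed in the page; the substrings are assumptions.
RMM_PATTERNS: Dict[str, Tuple[str, ...]] = {
    "ScreenConnect": ("screenconnect",),
    "SimpleHelp": ("simplehelp",),
    "PDQ Connect": ("pdq-connect", "pdqconnect"),
    "Fleetdeck": ("fleetdeck",),
    "N-able": ("n-able",),
    "LogMeIn Resolve": ("logmein", "gotoresolve"),
}
INSTALLER_PARENTS = {"msiexec.exe"}        # assumption: MSI payloads run under msiexec
CRED_DUMP_TOOLS = ("webbrowserpassview",)  # the harvesting tool named in the page


@dataclass
class ProcEvent:
    """One process-creation record (field names are an assumption)."""
    host: str
    parent_image: str
    image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_rmm(image: str) -> Optional[str]:
    """Map an image path to one of the RMM tools above, or None."""
    low = image.lower()
    for tool, substrings in RMM_PATTERNS.items():
        if any(s in low for s in substrings):
            return tool
    return None


def analyze(events: Iterable[ProcEvent], approved: Set[str]) -> List[Tuple[str, str]]:
    """Return (host, reason) findings for: an RMM tool outside the approved set,
    an RMM client started by an installer, one RMM tool launching another,
    a credential-harvesting tool, and a host running two or more RMM tools."""
    findings: List[Tuple[str, str]] = []
    tools_per_host: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        tool = classify_rmm(e.image)
        parent_tool = classify_rmm(e.parent_image)
        if tool:
            tools_per_host[e.host].add(tool)
            if tool not in approved:
                findings.append((e.host, f"unapproved RMM tool {tool}: {e.image}"))
            if basename(e.parent_image) in INSTALLER_PARENTS:
                findings.append((e.host, f"{tool} started by installer {basename(e.parent_image)}"))
            if parent_tool and parent_tool != tool:
                findings.append((e.host, f"{parent_tool} launched {tool}"))
        if any(c in e.image.lower() for c in CRED_DUMP_TOOLS):
            findings.append((e.host, f"credential-harvesting tool executed: {e.image}"))
    for host, tools in tools_per_host.items():
        if len(tools) >= 2:
            findings.append((host, "multiple RMM tools on one host: " + ", ".join(sorted(tools))))
    return findings


# Constructed sample events modelled on the chain the page describes.
SAMPLE_EVENTS = [
    ProcEvent("WS-01", r"C:\Windows\System32\msiexec.exe",
              r"C:\Program Files (x86)\ScreenConnect Client (x)\ScreenConnect.ClientService.exe"),
    ProcEvent("WS-01", r"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe",
              r"C:\Users\Public\SimpleHelp\Remote Access.exe"),
    ProcEvent("WS-01", r"C:\Windows\explorer.exe", r"C:\Users\Public\WebBrowserPassView.exe"),
    ProcEvent("SRV-02", r"C:\Windows\System32\services.exe", r"C:\Program Files\N-able\Agent\agent.exe"),
    ProcEvent("WS-03", r"C:\Windows\explorer.exe", r"C:\Program Files\Notepad++\notepad++.exe"),
]
APPROVED_RMM = {"N-able"}  # assumption: the organisation's sanctioned RMM tool


def run_sample() -> List[Tuple[str, str]]:
    return analyze(SAMPLE_EVENTS, APPROVED_RMM)


if __name__ == "__main__":
    for host, reason in run_sample():
        print(f"{host}: {reason}")
```

On the sample data every finding lands on WS-01: the sanctioned N-able agent on SRV-02 produces nothing, while the ScreenConnect client spawned by msiexec, SimpleHelp launched from the PDQ Connect agent, the WebBrowserPassView execution, and the presence of two distinct RMM tools on one host each raise a separate line. The approved-set check is the one that carries most of the weight in practice, since an RMM tool that is legitimate software elsewhere is only suspicious where it was never sanctioned.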