Threat Actors Use Windows Screensavers to Deploy RMM Tools
Summary
Threat actors are exploiting Windows screensaver files (.scr) in spear-phishing campaigns to bypass security defenses and deploy remote monitoring and management (RMM) tools, granting them interactive remote control over compromised systems. The attack involves luring users into downloading and executing screensaver files hosted on cloud storage platforms, which then install legitimate RMM tools like JWrapper for persistent access. This technique allows attackers to maintain a foothold within the environment, facilitating data theft, lateral movement, and ransomware deployment. The campaign has been observed across multiple organizations, but the threat actors remain unidentified due to the use of consumer cloud storage and lack of consistent infrastructure.
Timeline
- 04.02.2026 23:06 · 1 article
Threat Actors Exploit Windows Screensavers to Deploy RMM Tools
Threat actors are using Windows screensaver files (.scr) in spear-phishing campaigns to deploy RMM tools like JWrapper, granting them interactive remote control over compromised systems. The attack involves luring users into downloading and executing screensaver files hosted on cloud storage platforms. The campaign has been observed across multiple organizations, but the threat actors remain unidentified due to the use of consumer cloud storage and lack of consistent infrastructure.
- Attackers Use Windows Screensavers to Drop Malware, RMM Tools — www.darkreading.com — 04.02.2026 23:06
Information Snippets
- Threat actors use Windows screensaver files (.scr) in spear-phishing campaigns to deploy RMM tools.
  First reported: 04.02.2026 23:06 (1 source, 1 article)
  - Attackers Use Windows Screensavers to Drop Malware, RMM Tools — www.darkreading.com — 04.02.2026 23:06
- The attack involves luring users into downloading and executing screensaver files hosted on cloud storage platforms.
  First reported: 04.02.2026 23:06 (1 source, 1 article)
  - Attackers Use Windows Screensavers to Drop Malware, RMM Tools — www.darkreading.com — 04.02.2026 23:06
- The deployed RMM tool, JWrapper, allows attackers to maintain persistent, interactive access to compromised systems.
  First reported: 04.02.2026 23:06 (1 source, 1 article)
  - Attackers Use Windows Screensavers to Drop Malware, RMM Tools — www.darkreading.com — 04.02.2026 23:06
- The campaign has been observed across multiple organizations, but the threat actors remain unidentified.
  First reported: 04.02.2026 23:06 (1 source, 1 article)
  - Attackers Use Windows Screensavers to Drop Malware, RMM Tools — www.darkreading.com — 04.02.2026 23:06
- ReliaQuest recommends treating .scr files as executables, maintaining an approved RMM allowlist, and blocking non-business file-hosting services.
  First reported: 04.02.2026 23:06 (1 source, 1 article)
  - Attackers Use Windows Screensavers to Drop Malware, RMM Tools — www.darkreading.com — 04.02.2026 23:06
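The first two recommendations above (treat .scr as executable, keep an approved RMM allowlist) can be expressed as triage logic over process-creation telemetry. This is an added example, not code from ReliaQuest or the source article. The event field names, the path markers used to recognise an RMM tool, the `ApprovedRMM` allowlist entry, and all sample events are assumptions constructed for illustration.

```python
import ntpath

# Directories where Windows ships its own screensavers.
SYSTEM_SCR_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: path substring -> RMM product. Only JWrapper is named on the page;
# "approvedrmm" stands for a hypothetical sanctioned tool.
RMM_PATH_MARKERS = {"jwrapper": "JWrapper", "approvedrmm": "ApprovedRMM"}
APPROVED_RMM = {"ApprovedRMM"}  # hypothetical organisational allowlist


def is_untrusted_scr(path):
    """A .scr is a PE executable; flag any that sits outside the system dirs."""
    p = path.lower()
    return p.endswith(".scr") and ntpath.dirname(p) not in SYSTEM_SCR_DIRS


def triage(event):
    """Return findings for one process-creation event (image / parent_image)."""
    findings = []
    if is_untrusted_scr(event["image"]):
        findings.append("scr-executed-outside-system-dir")
    if is_untrusted_scr(event.get("parent_image", "")):
        findings.append("process-spawned-by-untrusted-scr")
    image = event["image"].lower()
    for marker, product in RMM_PATH_MARKERS.items():
        if marker in image and product not in APPROVED_RMM:
            findings.append(f"unapproved-rmm:{product}")
    return findings


# Constructed sample events (not taken from the campaign).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\scrnsave.scr",
     "parent_image": r"C:\Windows\System32\winlogon.exe"},
    {"image": r"C:\Users\alice\Downloads\Invoice_Details.scr",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\alice\AppData\Roaming\JWrapper-Example\agent.exe",
     "parent_image": r"C:\Users\alice\Downloads\Invoice_Details.scr"},
    {"image": r"C:\Program Files\ApprovedRMM\agent.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", triage(ev) or "ok")
```

In production the same checks would read from EDR or Sysmon process-creation records, and the RMM match would normally rely on signer or hash data rather than path substrings.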
Similar Happenings
China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Southeast Asian Espionage Campaigns
Amaranth-Dragon, a China-linked threat actor, has conducted targeted espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group exploited CVE-2025-8088, a WinRAR vulnerability, to deliver malicious payloads, including the Havoc C2 framework and TGAmaranth RAT. The campaigns were timed to coincide with sensitive political and security events, demonstrating a high degree of stealth and operational discipline. The group's tactics, tools, and procedures (TTPs) show strong links to APT41, suggesting a shared ecosystem or resource pool. The attackers leveraged the vulnerability within days of its disclosure in August 2025 and used the Havoc Framework as the Command and Control (C&C) platform.