Windows .scr phishing campaign delivering JWrapper RMM access
Campaign
Summary
The Windows .scr phishing campaign is using business-themed lures to trick users into running screensaver files that install JWrapper and hand attackers interactive remote control. The activity has been seen across multiple customers, showing it is not a one-off lure. The pattern raises the risk of data theft, lateral movement, and later ransomware deployment.
Related Happenings
BlackSanta EDR killer malware activity targeting HR departments
Malware Activity
First: 11.03.2026 00:57
Last: 11.03.2026 00:57
Sources 1
About this happening:
The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...
Crazy ransomware gang Net Monitor for Employees Professional and SimpleHelp persistence campaign
Campaign
First: 11.02.2026 21:29
Last: 11.02.2026 21:29
Sources 1
About this happening:
**Crazy ransomware gang** is running a **remote-access persistence campaign** that uses legitimate monitoring and support tools to keep footholds inside **corporate networks**, ra...
Reynolds side-loaded-loader and GotoHTTP ransomware campaign
Campaign
First: 10.02.2026 16:36
Last: 10.02.2026 16:36
Sources 1
About this happening:
The **Reynolds** ransomware operation now shows **pre-deployment staging** and **post-deployment access tooling**, increasing the likelihood of persistent compromise on the target...
Qilin, Akira and Sinobi late-2025 ransomware wave
Campaign
First: 29.01.2026 15:01
Last: 29.01.2026 15:01
Sources 1
About this happening:
A **late-2025 ransomware wave** led by **Qilin**, **Akira** and **Sinobi** increased pressure on **organizations** as operators prioritized **fast access and execution** to evade...
Sicarii launches as ransomware-as-a-service on underground forums
Threat Actor Meta
First: 28.01.2026 00:15
Last: 28.01.2026 00:15
Sources 1
About this happening:
**Sicarii** has emerged as a **ransomware-as-a-service** offering advertised on **underground cybercrime forums**, signaling a criminal service launch that can broaden access to t...
Timeline
- 04.02.2026 23:06 · 2 articles · 3mo ago
Windows .scr phishing campaign delivers JWrapper RMM access
Initial Disclosure: Threat actors used business-themed phishing lures to deliver Windows screensaver files (.scr) from consumer cloud storage, tricking targeted users into running them. The files installed the legitimate remote monitoring and management tool JWrapper, which gave the operators interactive remote control over compromised Windows systems and created opportunities for data theft, lateral movement, and ransomware deployment. The activity was observed across multiple customers, and attribution remained unavailable because the abuse of cloud storage and inconsistent outbound infrastructure did not yield a stable source identifier.
Sources
- Attackers Use Windows Screensavers to Drop Malware, RMM Tools — www.darkreading.com — 04.02.2026 23:06