This malware campaign employs a VBScript loader that downloads and executes obfuscated PowerShell commands, which compile and run C# code entirely in memory using .NET reflection. The loader manipulates the Process Environment Block (PEB) to masquerade as legitimate Windows processes and abuses auto-elevated COM objects to bypass UAC silently. The attack chain begins with a fraudulent Adobe Acrobat Reader download page designed to deceive users into installing ScreenConnect, a legitimate remote access tool exploited for malicious purposes. The use of in-memory execution and dynamic code construction allows the malware to evade signature-based defenses and hinder forensic investigations. The final payload is ScreenConnect, deployed without user consent to enable unauthorized remote access.

The attack results in unauthorized installation and execution of ScreenConnect, a legitimate remote access tool, which can be exploited by attackers to gain persistent remote access to compromised systems. The sophisticated evasion techniques reduce the likelihood of detection by traditional signature-based security solutions and complicate forensic analysis, increasing the risk of prolonged undetected compromise. There are no known exploits in the wild reported for this specific attack chain as of the published date.

No official patch or vendor advisory is available for this threat. Patch status is not yet confirmed — check vendor advisories for updates. Mitigation should focus on user education to avoid downloading software from fraudulent websites and monitoring for the presence of ScreenConnect installations that were not authorized. Security teams should consider deploying behavioral detection tools capable of identifying in-memory execution, UAC bypass attempts, and process masquerading. Blocking known malicious URLs and hashes associated with this campaign can also reduce risk.