In-Memory Loader Drops ScreenConnect
In February 2026, an attack chain was discovered that used a fraudulent Adobe Acrobat Reader download page to trick victims into installing ConnectWise's ScreenConnect, a legitimate remote access tool abused for malicious purposes. The attack employs layered evasion techniques: heavy obfuscation, .NET reflection for in-memory payload execution, and dynamic code construction. A VBScript loader initiates the chain by downloading and executing obfuscated PowerShell commands that compile C# code entirely in memory. The loader manipulates the Process Environment Block (PEB) to masquerade as a legitimate Windows process and abuses auto-elevated COM objects to bypass User Account Control (UAC) without prompting the user. This multi-layered approach evades signature-based defenses and hinders forensic analysis while ultimately deploying ScreenConnect for unauthorized remote access.
AI Analysis
Technical Summary
This campaign employs a VBScript loader that downloads and executes obfuscated PowerShell commands, which in turn compile and run C# code entirely in memory using .NET reflection. The loader manipulates the Process Environment Block (PEB) to masquerade as a legitimate Windows process and abuses auto-elevated COM objects to bypass UAC silently. The chain begins with a fraudulent Adobe Acrobat Reader download page designed to deceive users into installing ScreenConnect, a legitimate remote access tool abused for malicious purposes. In-memory execution and dynamic code construction let the loader evade signature-based defenses and hinder forensic investigation. The final payload is ScreenConnect, deployed without user consent to enable unauthorized remote access.
Potential Impact
The attack results in the unauthorized installation and execution of ScreenConnect, a legitimate remote access tool that attackers can use to gain persistent remote access to compromised systems. The evasion techniques reduce the likelihood of detection by traditional signature-based security solutions and complicate forensic analysis, increasing the risk of a prolonged, undetected compromise. There are no known exploits in the wild reported for this specific attack chain as of the published date.
Mitigation Recommendations
No official patch or vendor advisory is available for this threat. Patch status is not yet confirmed; check vendor advisories for updates. Mitigation should focus on user education to avoid downloading software from fraudulent websites and on monitoring for ScreenConnect installations that were not authorized. Security teams should consider deploying behavioral detection tools capable of identifying in-memory execution, UAC bypass attempts, and process masquerading. Blocking the known malicious URLs and hashes associated with this campaign can also reduce risk.
Indicators of Compromise
- hash: 07720d8220abc066b6fdb2c187ae58f5
- hash: 07f95ff34fb330875d80afadca3f0d5b
- hash: 3d389886e95f00fade1eea67a6c370d1
- hash: 3effadb977eddd4c48c7850c8dc03b13
- hash: a7e5dbec37c8f431d175dfd9352db59f
- hash: c02448e016b2568173de3eedadd80149
- hash: c36910c4c8d23ec93f6ae7d7a2496ce5
- hash: e4b594a18fc2a6ee164a76bdea980bc0
- url: http://eshareflies.im/ad/
- url: http://x0.at/qOfN.msi
- url: https://x0.at/qOfN.msi
- domain: eshareflies.im
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.zscaler.com/blogs/security-research/memory-loader-drops-screenconnect
- Adversary: not specified
- Pulse Id: 69d8b1848ae30fd4dab9095d
- Threat Score: not specified
Threat ID: 69d8ceff1cc7ad14daa9150b
Added to database: 4/10/2026, 10:20:47 AM
Last enriched: 4/10/2026, 10:35:44 AM
Last updated: 5/26/2026, 7:54:57 AM
Views: 236