Observed phishing URLs delivering RMM payload
Phishing campaigns have been observed using ScreenConnect-related URLs to deliver remote monitoring and management (RMM) payloads. The phishing emails commonly impersonate DocuSign to lure recipients into clicking malicious links; the campaign relies on social engineering rather than a software exploit to distribute the payload.
AI Analysis
Technical Summary
This threat involves phishing URLs that leverage ScreenConnect infrastructure to deliver RMM payloads to victims. The emails use DocuSign-themed lures to add credibility and entice users to click. The activity is categorized as malware delivery via phishing; the report does not describe exploitation of any vulnerability in ScreenConnect itself, and there is no indication of activity in the wild beyond the phishing campaign.
Potential Impact
Victims who interact with the phishing URLs may have an RMM payload delivered to and executed on their system, allowing the attacker to remotely monitor and control the compromised machine. This can lead to unauthorized access to and control over affected systems. The impact is limited to users who act on the phishing lure.
Mitigation Recommendations
No patch applies: this is a phishing campaign, not a software vulnerability, and the ScreenConnect software itself does not need updating. Defenders should focus on user awareness training to recognize DocuSign-themed phishing, email filtering and URL blocking for the indicators listed below, and monitoring for ScreenConnect client installations or outbound ScreenConnect connections that were not initiated by the organization's own IT or RMM processes.
Indicators of Compromise
- url: https://vy.ijnggpi.com/ftx/
- url: https://web-g63lkz.screenconnect.com/Bin/ScreenConnect.ClientSetup.msi
- hash: a30a9779079dc897a15fed27f27f614fab77a20e953368808ba99ac6c6a3375b
Technical Details
- Author: AlienVault
- TLP: white
- References: https://x.com/patialavii/status/2068919332126835122
- Adversary: null
- Pulse Id: 6a3ae5bf02925732fd075068
- Threat Score: null
Threat ID: 6a3ae7f2eed863c81e8e5f4f
Added to database: 06/23/2026, 20:09:22 UTC
Last enriched: 06/23/2026, 20:24:06 UTC
Last updated: 06/23/2026, 22:23:42 UTC