ScreenConnect Attack: SmartScreen Bypass and RMM Abuse

Severity: Medium
Published: Thu Feb 12 2026 (02/12/2026, 10:39:02 UTC)
Source: AlienVault OTX General

Description

An attack campaign targeting organizations in the US, Canada, UK, and Northern Ireland abuses ConnectWise ScreenConnect, a legitimate Remote Monitoring and Management (RMM) tool, as a Remote Access Trojan. The attack chain begins with a spoofed email carrying a malicious .cmd attachment. When the recipient opens it, the script runs without a visible window, escalates privileges, disables Windows SmartScreen, and removes the Mark-of-the-Web so that no download warning is shown. It then silently installs the ScreenConnect client, which gives the attackers persistent command-and-control access. The campaign focuses on sectors with high-value data, including government, healthcare, and logistics. Evasion techniques include a UAC bypass, registry modification, and silent MSI installation. The ScreenConnect client used is signed with a certificate that has since been revoked, which points to an outdated build and underlines the importance of blocking old client versions and enforcing strict RMM allowlists.

AI-Powered Analysis

Last updated: 02/12/2026, 22:19:31 UTC

Technical Analysis

The ScreenConnect attack campaign uses a multi-stage chain against organizations in the US, Canada, the UK and Northern Ireland. It starts with a spoofed phishing email carrying a malicious .cmd script as an attachment. When the recipient opens it, the script runs with no visible window, escalates privileges on the host, disables Windows SmartScreen (the reputation check that warns on or blocks untrusted downloaded executables) and removes the Mark-of-the-Web attribute so that no warning prompt appears. The attackers then install ConnectWise ScreenConnect, a legitimate Remote Monitoring and Management (RMM) tool, and use it as a Remote Access Trojan (RAT) to keep persistent command-and-control (C2) access.

The ScreenConnect client deployed is signed with a certificate that has since been revoked, which indicates the attackers are reusing an older build rather than a current release. Revocation on its own does not stop it: Windows does not refuse to run a binary merely because its signing certificate has been revoked, so any block has to come from SmartScreen, application control policy (AppLocker/WDAC) or EDR, and the script turns off the first of those before the installer runs. Further evasion techniques include a User Account Control (UAC) bypass, registry modifications that switch off security features, and silent MSI installation, so the user sees no installer UI and security tooling sees a signed, well-known product being installed. Because RMM software is often allowlisted or trusted in enterprise environments, its abuse is hard to distinguish from legitimate administration.

The campaign focuses on sectors holding sensitive, high-value data such as government, healthcare and logistics, which are attractive targets for espionage or ransomware. The published indicators of compromise are a set of file hashes and one malicious domain (dof-connect.top). No public exploit code is reported for this campaign; it relies on social engineering and local privilege escalation, which is why the practical controls are around email attachments, the integrity of SmartScreen and UAC settings, and governance of RMM tools.
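
As an added example (not code from the Forcepoint report or the OTX pulse), the following PowerShell script hunts a Windows host for the artifacts this analysis describes: the registry values that turn off SmartScreen and UAC, ScreenConnect client services and the relay host in their command line, service binaries matching the hashes listed under Indicators of Compromise, and Windows Installer events for a silent ScreenConnect MSI install. The service layout it assumes (a service named 'ScreenConnect Client (<id>)' with the relay host in an h= parameter of the command line) reflects a standard client install and should be confirmed against your own deployment; the approved relay host rmm.example.com is a placeholder.

```powershell
# Added hunting script; not code from the Forcepoint report or the OTX pulse.
# Checks a Windows host for the artifacts described above: SmartScreen/UAC
# weakened in the registry, a ScreenConnect client service reporting to an
# unexpected relay, service binaries matching the pulse hashes, and Windows
# Installer events for a ScreenConnect MSI. Run elevated (PowerShell 5.1+); no network needed.

# Hashes and domain copied from the OTX pulse on this page (MD5, SHA1 and SHA256 mixed).
$IocHashes = @(
    '1db8b9fa0bdcbfaab807f715c288c19a',
    '0fa008dfd45f39879412275d1a4c178cf7affae2',
    '46fce36f4901d6acf19aaaa9cbd1a14df6d6aa85',
    '48a5034e75b526e1a9371b4e728b02fb81d2c7c1',
    'b46c4e4694783311e2c612ed7f0ca67a88e1e352',
    'fde73710ce063bbf1e377c02a1a8615cf4da1c08',
    'b8100e5ab07983cbf82d721cf719576ca3f60e352628dcaabd42d428011fdedf'
)
$IocDomain = 'dof-connect.top'
# ASSUMPTION (placeholder): relay hosts your own ScreenConnect instances use.
$ApprovedRelayHosts = @('rmm.example.com')

# Registry values a script flips to silence the warnings around a dropped installer.
# Each entry: key path, value name, the value that means 'weakened', and why it matters.
$WeakeningChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'; Name = 'SmartScreenEnabled'; Bad = 'Off'; Why = 'SmartScreen for apps and files is off' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'EnableSmartScreen'; Bad = 0; Why = 'SmartScreen disabled through policy key' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Bad = 0; Why = 'UAC is disabled' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ConsentPromptBehaviorAdmin'; Bad = 0; Why = 'UAC elevates administrators without prompting' }
)

function Invoke-ScreenConnectHunt {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. SmartScreen and UAC state.
    foreach ($c in $WeakeningChecks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $v -and $v -eq $c.Bad) { $findings.Add("$($c.Why) ($($c.Path)\$($c.Name) = $v)") }
    }

    # 2. ScreenConnect client services. A standard install registers 'ScreenConnect Client (<id>)'
    #    with the relay host in an 'h=' parameter of the service command line
    #    (assumed from common installs; confirm against your own deployment).
    $services = Get-CimInstance Win32_Service | Where-Object { $_.Name -like 'ScreenConnect Client*' }
    foreach ($svc in $services) {
        $relay = if ($svc.PathName -match '[?&]h=([^&"\s]+)') { $Matches[1] } else { '<unknown>' }
        if ($relay -ieq $IocDomain) {
            $findings.Add("Service '$($svc.Name)' reports to the IOC domain $relay")
        } elseif ($ApprovedRelayHosts -notcontains $relay) {
            $findings.Add("Service '$($svc.Name)' reports to an unapproved relay: $relay")
        }
        # Hash the service binary with every algorithm the IOC list could contain.
        $exe = if ($svc.PathName -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $null }
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
                $digest = (Get-FileHash -LiteralPath $exe -Algorithm $alg).Hash.ToLowerInvariant()
                if ($IocHashes -contains $digest) { $findings.Add("$exe matches pulse $alg hash $digest") }
            }
        }
    }

    # 3. Silent MSI installs still produce Windows Installer events
    #    (Application log, provider MsiInstaller, IDs 1033 and 11707 = product installed).
    $msiEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = @(1033, 11707) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ScreenConnect' }
    foreach ($e in $msiEvents) {
        $findings.Add("ScreenConnect MSI installed at $($e.TimeCreated): $(($e.Message -split "`r?`n")[0])")
    }

    $findings.ToArray()
}

$hits = @(Invoke-ScreenConnectHunt)
if ($hits.Count -eq 0) { 'No artifacts of this campaign found on this host.' }
else { $hits | ForEach-Object { "[!] $_" } }
```

The relay-host comparison is the part worth keeping even after the hashes go stale: a ScreenConnect service is expected in many environments, but one whose command line names a relay outside the organisation's own instances is the signal, whatever build or hash the attacker ships next.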

Potential Impact

For European organizations, particularly in the government, healthcare and logistics sectors, this threat poses significant risk. Abuse of a legitimate RMM tool such as ScreenConnect gives attackers persistent, stealthy remote access that can lead to data exfiltration, espionage or ransomware deployment. Disabling SmartScreen and bypassing UAC removes two of the built-in Windows controls that would otherwise interrupt the chain, so a single opened attachment is enough to compromise the endpoint, and the silent installation leaves little for the user to notice and presents endpoint security with a signed, well-known product rather than obvious malware.

Given the targeting of the UK and Northern Ireland, European organizations with similar profiles, or that already use ScreenConnect, are at risk. The impact includes loss of confidentiality of sensitive data, disruption of critical services and reputational damage; healthcare and government data are heavily regulated in Europe, so a breach carries regulatory consequences as well. Because the implant is a branded, signed RMM client, attacker sessions are hard to tell apart from genuine support sessions, which complicates incident response and forensic investigation. Overall, the threat could lead to significant operational and financial consequences if not mitigated effectively.

Mitigation Recommendations

1. Enforce strict allowlisting of Remote Monitoring and Management (RMM) tools: permit only verified, current builds of ScreenConnect and similar software, identified by hash or signer rather than by product name, and block every other RMM client.
2. Implement email filtering and phishing detection that blocks spoofed senders and executable attachments, .cmd, .bat and similar script types in particular.
3. Monitor and restrict scripts and MSI installers that run silently or modify system settings; Windows Installer logs every install, including silent ones, so alert on RMM product names in those events.
4. Enforce Windows SmartScreen and UAC through policy (the HKLM policy keys, not the per-user or Explorer values a script can flip) and alert on any change to those keys.
5. Audit the certificates of installed software and block binaries signed with revoked or untrusted certificates. Windows does not refuse to run a binary merely because its signing certificate has been revoked, so enforcement needs application control (AppLocker/WDAC) or an EDR that checks the certificate chain.
6. Deploy endpoint detection and response (EDR) capable of detecting privilege escalation, UAC bypass, registry changes to security settings and unusual RMM tool behaviour.
7. Train users on the phishing and social-engineering lures used to deliver malicious attachments.
8. Log and monitor RMM tool usage and its network connections, including the relay host each client reports to, to detect command-and-control activity.
9. Segment networks to limit lateral movement from compromised endpoints, especially in critical sectors.
10. Work with threat intelligence providers to keep detection signatures and indicators of compromise (IOCs) current, starting with the hashes and domain listed on this page.
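
The following PowerShell script is an added example (not part of the OTX pulse or the Forcepoint report) of how items 4 and 5 above can be implemented on a Windows host: it pins SmartScreen and UAC through their HKLM policy keys and vets an installer's Authenticode signer, including an explicit revocation check of the certificate chain, before the installer is admitted to the RMM allowlist. The policy value names are the documented Windows ones; the installer path C:\Temp\ScreenConnect.ClientSetup.msi is a placeholder, and the revocation check needs outbound access to the signer CA's CRL/OCSP endpoints.

```powershell
# Added hardening and allowlist-check script; not part of the OTX pulse or the
# Forcepoint report. Implements recommendations 4 and 5: pin SmartScreen and UAC
# through HKLM policy keys, and vet an installer's Authenticode signer, including
# revocation, before it is admitted to the RMM allowlist. Run elevated; the
# revocation check needs outbound access to the signer CA's CRL/OCSP endpoints.

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-SmartScreenAndUac {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    # Policy-scoped SmartScreen; 'Block' refuses unrecognised apps instead of only warning.
    Set-PolicyValue $policy 'EnableSmartScreen' 1
    Set-PolicyValue $policy 'ShellSmartScreenLevel' 'Block' 'String'
    # Reset the non-policy value the campaign flips to 'Off' so it agrees with policy.
    Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled' 'Block' 'String'
    # UAC on, administrators prompted for consent on the secure desktop.
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-PolicyValue $uac 'EnableLUA' 1
    Set-PolicyValue $uac 'ConsentPromptBehaviorAdmin' 2
    Set-PolicyValue $uac 'PromptOnSecureDesktop' 1
}

function Test-InstallerSigner {
    # Returns the Authenticode status plus an explicit revocation verdict for the signer chain.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path = $Path; SignatureStatus = $sig.Status.ToString(); Signer = $null
        Revoked = $false; RevocationUnknown = $false; ChainErrors = @()
    }
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        # Windows runs a binary with a revoked signing certificate unless something
        # (SmartScreen, WDAC/AppLocker, EDR) actually checks the chain. Check it here.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $null = $chain.Build($sig.SignerCertificate)
        $Revoked = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        $Unknown = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown
        $Offline = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation
        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        foreach ($s in $chain.ChainStatus) {
            if (($s.Status -band $Revoked) -ne 0) { $result.Revoked = $true }
            if (($s.Status -band ($Unknown -bor $Offline)) -ne 0) { $result.RevocationUnknown = $true }
        }
    }
    [pscustomobject]$result
}

Enable-SmartScreenAndUac

# ASSUMPTION (placeholder): a candidate ScreenConnect client installer to vet before allowlisting.
$candidate = 'C:\Temp\ScreenConnect.ClientSetup.msi'
if (Test-Path -LiteralPath $candidate) {
    $verdict = Test-InstallerSigner -Path $candidate
    if ($verdict.SignatureStatus -ne 'Valid' -or $verdict.Revoked -or $verdict.RevocationUnknown) {
        "REJECT $candidate : status=$($verdict.SignatureStatus) revoked=$($verdict.Revoked) unknown=$($verdict.RevocationUnknown) chain=$($verdict.ChainErrors -join ',')"
    } else {
        "OK to allowlist $candidate (signer: $($verdict.Signer))"
    }
}
```

The chain check is deliberately stricter than Authenticode's own rules: a timestamped signature made before the revocation date can still verify as Valid, and an older ScreenConnect build signed with a since-revoked certificate is exactly the case this campaign relies on, so the script rejects on any Revoked flag and also when revocation status could not be determined, rather than treating "could not check" as a pass.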


Technical Details

Author: AlienVault
TLP: white
References: https://www.forcepoint.com/blog/x-labs/screenconnect-attack
Adversary: none listed
Pulse Id: 698dadc62e15016f807eaccc
Threat Score: none listed

Indicators of Compromise

Hashes (digest type inferred from length):

MD5: 1db8b9fa0bdcbfaab807f715c288c19a
SHA1: 0fa008dfd45f39879412275d1a4c178cf7affae2
SHA1: 46fce36f4901d6acf19aaaa9cbd1a14df6d6aa85
SHA1: 48a5034e75b526e1a9371b4e728b02fb81d2c7c1
SHA1: b46c4e4694783311e2c612ed7f0ca67a88e1e352
SHA1: fde73710ce063bbf1e377c02a1a8615cf4da1c08
SHA256: b8100e5ab07983cbf82d721cf719576ca3f60e352628dcaabd42d428011fdedf

Domain:

dof-connect.top

Threat ID: 698e4e5cc9e1ff5ad82069ed

Added to database: 2/12/2026, 10:04:12 PM

Last enriched: 2/12/2026, 10:19:31 PM

Last updated: 2/20/2026, 10:58:16 PM
