EvilConwi Unmasked: Hackers Weaponize Signed ConnectWise ScreenConnect Installers for Malware Deployment
A cybercriminal group has begun exploiting the popular ConnectWise ScreenConnect software to craft malware bearing a legitimate digital signature, thereby enabling the covert installation of remote access tools on victims’ devices. This alarming tactic was uncovered by researchers at G DATA, who identified a novel method of abusing the digital signing mechanism embedded within the ScreenConnect installer.
ConnectWise ScreenConnect is a remote administration tool widely adopted by IT administrators and service providers for diagnostics and system configuration. However, its flexible configuration options—including the ability to embed server addresses, dialog text, and even branding elements—presented an unexpected attack vector. These parameters are stored within the Authenticode signature, a section of the file used to verify authenticity. The attackers have learned to manipulate this section, substituting their own values while preserving the validity of the signature, thus making the malicious software appear wholly legitimate.
This technique, now dubbed “Authenticode stuffing,” allows attackers to implant malicious configurations into the certificate table without disrupting the signature structure. As a result, standard verification mechanisms fail to flag the altered files as suspicious, treating them as genuine software.
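A practical triage check for the behaviour described above, added here as an example rather than code from G DATA or ConnectWise: the Authenticode blob lives in the PE security directory as a WIN_CERTIFICATE structure, and everything after the end of the DER-encoded PKCS#7 SignedData is not covered by the signed hash. Walking the PE headers to that structure, reading the outer ASN.1 SEQUENCE length and measuring what remains gives a fast indicator of stuffed data. The minimal PE image, the fake PKCS#7 body and the embedded configuration string below are all constructed for the demonstration and are not real ScreenConnect artefacts.

```python
import struct

SECURITY_DIRECTORY_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(pe: bytes) -> tuple[int, int]:
    """Return (file_offset, size) of the security directory of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                                   # COFF header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ layout
    # The security directory is special: its first field is a raw file offset.
    return struct.unpack_from("<II", pe, data_dirs + SECURITY_DIRECTORY_INDEX * 8)


def der_sequence_total_length(buf: bytes) -> int:
    """Size in bytes (tag + length + content) of the outer DER SEQUENCE at buf[0]."""
    if buf[0] != 0x30:
        raise ValueError("expected DER SEQUENCE tag 0x30")
    first = buf[1]
    if first < 0x80:                                  # short-form length
        return 2 + first
    n = first & 0x7F                                  # long form: n length bytes follow
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def analyze(pe: bytes) -> dict:
    """Measure data sitting after the PKCS#7 structure inside the signature blob."""
    offset, size = security_directory(pe)
    if size == 0:
        return {"signed": False, "slack_bytes": 0, "stuffed_bytes": 0, "payload": b""}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected WIN_CERTIFICATE revision/type")
    cert = pe[offset + 8:offset + dw_length]          # bCertificate[] follows the 8-byte header
    der_len = der_sequence_total_length(cert)
    slack = cert[der_len:]
    # Up to 7 zero bytes are ordinary 8-byte alignment padding; anything else is a signal.
    payload = slack.rstrip(b"\x00")
    return {"signed": True, "der_length": der_len, "slack_bytes": len(slack),
            "stuffed_bytes": len(payload), "payload": payload}


# ---- constructed sample data (not a real binary) ----------------------------------
FAKE_PKCS7 = bytes.fromhex("300b06092a864886f70d010702")   # SEQUENCE { OID signedData }
SAMPLE_STUFFING = b"CONSTRUCTED: embedded-config-placeholder"


def build_win_certificate(pkcs7: bytes, stuffed: bytes = b"") -> bytes:
    """Wrap a PKCS#7 body (plus optional stuffed data) in a WIN_CERTIFICATE, 8-byte aligned."""
    body = pkcs7 + stuffed
    body += b"\x00" * ((-(8 + len(body))) % 8)
    return struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


def build_sample_pe(cert_blob: bytes) -> bytes:
    """Minimal PE32+ image (no sections) whose security directory points at cert_blob."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # SizeOfOptionalHeader=240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    cert_offset = e_lfanew + 4 + 20 + 240                           # header ends at 328
    struct.pack_into("<II", opt, 112 + SECURITY_DIRECTORY_INDEX * 8, cert_offset, len(cert_blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_blob


if __name__ == "__main__":
    clean = analyze(build_sample_pe(build_win_certificate(FAKE_PKCS7)))
    stuffed = analyze(build_sample_pe(build_win_certificate(FAKE_PKCS7, SAMPLE_STUFFING)))
    print("clean   :", clean["stuffed_bytes"], "bytes after PKCS#7")
    print("stuffed :", stuffed["stuffed_bytes"], "bytes after PKCS#7 ->", stuffed["payload"])
```

Treat a non-zero `stuffed_bytes` as a triage signal rather than a verdict: the slack space is a documented quirk of Authenticode and has been used by legitimate installers for benign tagging, so the payload content (here, a server address or spoofed dialog text) and the signer are what decide the case. Note that this parser deliberately does not validate the signature; it only measures what the signature does not cover.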
According to G DATA, initial cases surfaced on the BleepingComputer forum, where users reported infections following phishing emails. Similar complaints soon emerged on Reddit. In these campaigns, victims were lured through counterfeit PDF files or spoofed Canva pages that redirected them to malicious installers hosted on Cloudflare R2 servers.
One such file, titled “Request for Proposal.exe,” was in fact a disguised version of ScreenConnect, preconfigured to automatically connect to a threat actor’s server at 86.38.225[.]6:8041. To deepen the deception, attackers modified the appearance of the installer, replacing the standard interface with a fake Windows Update window, complete with the program title spoofed to read “Windows Update.”
To the unsuspecting user, this appeared to be a routine system update, while in reality it facilitated the silent installation of a fully operational remote access tool, granting attackers unfettered control over the compromised device.
G DATA has since developed its own tool to analyze such tampered installers. Its investigation revealed substantial alterations to embedded parameters, confirming the targeted and sophisticated nature of these attacks.
Following G DATA’s report, the digital certificate used in the malicious builds was revoked. The malware has been classified under signatures such as Win32.Backdoor.EvilConwi.* and Win32.Riskware.SilentConwi.*. However, G DATA noted that ConnectWise has yet to issue a formal response to the findings.
In a related campaign, another enterprise-grade tool, SonicWall NetExtender, was also weaponized. Attackers distributed trojanized VPN clients that, once installed, exfiltrated login credentials to a remote server. SonicWall has confirmed the attacks and reiterated the importance of downloading software exclusively from official sources to mitigate such risks.
These incidents underscore an emerging and troubling trend: adversaries are no longer merely crafting counterfeit software—they are artfully modifying legitimate tools to embed malicious capabilities, preserving outward legitimacy and thus complicating detection and defense.