Hackers Are Using a Fake ScreenConnect to Deliver Multiple RATs
In recent months, specialists at Acronis TRU have observed a surge in attacks in which adversaries deploy counterfeit installers of ConnectWise ScreenConnect to gain initial access to the networks of American companies. This strategy reflects a growing criminal trend: the abuse of legitimate remote administration tools, which grant attackers full control of systems under the guise of routine IT support.
Instead of conventional installers, attackers now rely on lightweight ClickOnce packages. Unlike earlier versions, these contain no embedded configuration; instead, they retrieve the necessary components at runtime. This approach significantly complicates static analysis and deprives security tools of their usual indicators.
The intrusion typically begins with an executable disguised as a financial or legal document. Once launched, the ScreenConnect installer connects the victim’s machine to a command-and-control server hosted on a VPS tied to stealthrdp.com and domains such as morco.rovider[.]net. These spoofed server builds can generate clients pre-configured with attacker-controlled addresses, all while preserving an appearance of legitimacy.
Following installation, ScreenConnect triggers a chain of scripts that, within minutes, deliver two distinct remote access trojans. The first is AsyncRAT, a well-known tool used both in penetration testing and in criminal operations.
Its deployment is initiated by a batch file named BypaasaUpdate.bat, which downloads an archive containing AsyncRAT, an AMSI bypass, and persistence mechanisms. Persistence is maintained via a PowerShell script (Skype.ps1) that uses a VBS wrapper and scheduled tasks to reinitialize AsyncRAT every minute. While noisy, this ensures survival in the system even if the process is terminated.
Almost simultaneously, a custom PowerShell RAT is delivered. This second implant gathers system details, enumerates antivirus products via WMI, communicates with the C2 server using Microsoft.XMLHTTP, and can execute additional scripts or binaries. The code employs obfuscation tactics: meaningless function names, payloads stored as character arrays, and AMSI bypasses encoded in Base64. Researchers note this RAT does not appear in public repositories, suggesting it was crafted in-house to evade signature-based detection.
Two weeks later, operators modified the AsyncRAT delivery chain. Now it arrives via a VBS file (MicrosoftUpdate.vbs) that downloads two encrypted .NET assemblies. One, Obfuscator.dll, ensures persistence and loads the second—the core AsyncRAT binary. The updated sample used a different mutex and ports 4501–4503 while continuing to connect to the same C2 server at 185.196.9.158.
Subsequently, researchers discovered deployment of a third tool: PureHVNC RAT. Delivered through a PowerShell script (NvContainerRecovery.ps1) triggered by WMI, it was injected using Process Hollowing into RegAsm.exe. From there, PureHVNC connected to a C2 server at 169.156.208.185:8020, with persistence ensured via VBS-based autoruns.
Further infrastructure analysis revealed multiple domains tied to the fake ScreenConnect installers—gaza.rovider.net, lightc.rovider.net, and others—hosted on the same stealthrdp.com servers. These were used to distribute different malware families, including XWorm and DCRat. To enhance credibility, malicious files were disguised as official documents with names such as Social_Security_Statement_Documents, SSA Document Viewer, or Business Schedule Organizer.
Notably, the same preconfigured Windows Server 2022 virtual machines with RDP enabled and ScreenConnect servers installed were reused across campaigns. Hosts bearing identical names—WIN-BUNS25TD77J and COPY-OF-VM-2022—surfaced under different IP addresses, indicating the attackers relied on prepared images for rapid redeployment.
These campaigns demonstrate that adversaries not only combine multiple RATs within a single environment but also continuously rotate their tooling and infrastructure, complicating detection. The principal conclusion from Acronis experts is clear: organizations must rigorously monitor the use of RMM software, especially ScreenConnect, and scrutinize every instance of deployment to prevent attackers from silently entrenching themselves within corporate networks.
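As an added example (not Acronis' code or the article's), the following Python hunting heuristics run over constructed, simplified telemetry records and flag three signals from the chain described above: a ScreenConnect client pointed at a relay host outside an allowlist, a one-minute scheduled task launching a VBS wrapper, and RegAsm.exe spawned by a scripting host. Assumed here are the record field names, the sanctioned relay `rmm.corp.example`, and that the relay host appears as an `h=` parameter in the client command line.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample records (not real logs); field names are this example's own.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe",
     "image": r"C:\Users\u\AppData\Local\Apps\2.0\ScreenConnect.WindowsClient.exe",
     "cmdline": "ScreenConnect.WindowsClient.exe ?e=Access&y=Guest&h=morco.rovider.net&p=443"},
    {"type": "process", "parent": "services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe",
     "cmdline": "ScreenConnect.WindowsClient.exe ?e=Access&y=Guest&h=rmm.corp.example&p=8041"},
    {"type": "task", "name": r"\Skype", "interval": "PT1M",
     "action": r"wscript.exe C:\Users\u\AppData\Roaming\Skype.vbs"},
    {"type": "task", "name": r"\Microsoft\Windows\Backup", "interval": "P1D",
     "action": r"C:\Windows\System32\wbadmin.exe"},
    {"type": "process", "parent": "powershell.exe", "cmdline": "RegAsm.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
]

APPROVED_RELAYS = {"rmm.corp.example"}  # assumption: the organisation's sanctioned host
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}


def relay_host(cmdline: str) -> Optional[str]:
    """Extract the h= (relay host) value from a ScreenConnect client command line."""
    m = re.search(r"[?&]h=([^&\s\"]+)", cmdline)
    return m.group(1).lower() if m else None


def hunt(events: Iterable[dict]) -> List[str]:
    """Return one finding string per record that matches a heuristic."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image.startswith("screenconnect."):
                host = relay_host(ev["cmdline"])
                if host and host not in APPROVED_RELAYS:
                    findings.append(f"unsanctioned ScreenConnect relay: {host}")
            elif image == "regasm.exe" and ev["parent"].lower() in SCRIPT_HOSTS:
                findings.append(f"RegAsm.exe spawned by {ev['parent']} (possible injection host)")
        elif ev["type"] == "task":
            # One-minute repetition plus a VBS wrapper mirrors the Skype.ps1 persistence above.
            if ev["interval"] == "PT1M" and re.search(r"[wc]script\.exe.*\.vbs", ev["action"], re.I):
                findings.append(f"one-minute scheduled task running a VBS wrapper: {ev['name']}")
    return findings


if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```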