Cybersecurity analysts observed a significant uptick in attacks leveraging ConnectWise ScreenConnect, a widely used remote monitoring and management (RMM) tool, to deliver sophisticated malware in global phishing campaigns.
This wave of malicious activity has primarily targeted financial organizations, relying on deceptive emails built around invoice themes to distribute malware-laden executables.
The underlying threat campaign is associated with the CHAINVERB backdoor, a downloader strongly linked to the financially motivated UNC5952 threat group.
Technical Modus Operandi
Attackers are exploiting vulnerabilities in ConnectWise ScreenConnect (versions 23.9.7 and prior), as initially reported by an independent security researcher.

The latest campaigns involve malicious droppers signed with valid ConnectWise digital certificates, a tactic that enables the executables to bypass many security controls by appearing as legitimate software.
The CHAINVERB downloader cleverly embeds its command-and-control (C2) URLs within digital certificates, providing an added layer of stealth.
Once executed, the malware drops the ConnectWise Control tool, enabling remote access to infected systems.
Threat actors are observed using socially engineered emails, often impersonating trusted business entities and leveraging document-related themes (e.g., invoices, Adobe Reader, Zoom installers) to entice victims into downloading the malicious payloads.
According to a CyberProof report, these emails frequently contain URLs pointing to compromised websites or legitimate hosting platforms.
Once downloaded, the malware initiates clandestine remote desktop sessions to attacker-controlled infrastructure, allowing for internal reconnaissance and exfiltration activities, such as screenshot capture and lateral movement.
Key attacks in this campaign have used domains under the “.top” TLD and dynamic-DNS hosts (for example under anondns.net) for C2 communications and malware delivery.
For example, analysts detected phishing emails from senders such as “[email protected],” delivering a digitally signed “Download.exe” linked to the domain visionary-clafoutis-308e89[.]netlify[.]app.

The CHAINVERB binary was observed connecting to C2 domains such as kasin22.anondns.net and yertoje.uzhelp.top.
Ongoing Investigation
On May 28, 2025, ConnectWise issued a security advisory acknowledging a potential breach by a nation-state threat group, with ongoing investigations led by Mandiant.
While it remains unclear whether all recent attacks are connected to this incident, the observable trend highlights a persistent risk associated with RMM tool abuse in the wild.
Cyber defenders are strongly encouraged to upgrade to ScreenConnect version 23.9.8 or later, following prescribed upgrade paths to mitigate the risk from the known vulnerabilities.
Further, organizations should rigorously audit usage of RMM software across their environments, implement controls for signed software execution, and train users to recognize phishing attempts.
Additional mitigations include blocking unauthorized remote access, monitoring network logs, and restricting RMM use to secure channels such as VPNs or VDIs.
The continued abuse of ConnectWise ScreenConnect serves as a critical reminder for organizations to prioritize secure remote access tool deployment, robust user awareness, and proactive threat hunting for early detection of evolving threats.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| Domain | kasin22.anondns.net | C2 server |
| Domain | yertoje.uzhelp.top | C2 server |
| Domain | www.helpw8.top | Malicious phishing page |
| IP Address | 176.123.10.175 | C2 server |
| Email Sender | [email protected] | Phishing email address |
| File Hash (MD5) | a01a80d8c1f665eda5a81391a1ed0024 | Malicious executable |
| File Hash (SHA-1) | b1568b6001450646e2526f6836ca77cb8b3fc7e0 | Malicious executable |
| File Hash (SHA-256) | d6d75807c23ebfb34eceaa10037f2a911dd50128135cb968811c50b0f1d69eea | Malicious executable |
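As an added example (not part of the article or of any vendor tooling), the following Python script shows how the indicators above and the campaign's domain pattern can be turned into the "monitor network logs" mitigation: it sweeps DNS, proxy and EDR log lines for exact IOC matches and flags ".top" and dynamic-DNS hosts as lower-confidence hits for analyst review. The log lines are constructed for illustration; the log formats are assumptions.

```python
import re

# Indicators taken from the article's IOC table.
IOC_DOMAINS = {"kasin22.anondns.net", "yertoje.uzhelp.top", "www.helpw8.top"}
IOC_IPS = {"176.123.10.175"}
IOC_HASHES = {
    "a01a80d8c1f665eda5a81391a1ed0024",
    "b1568b6001450646e2526f6836ca77cb8b3fc7e0",
    "d6d75807c23ebfb34eceaa10037f2a911dd50128135cb968811c50b0f1d69eea",
}
# Weaker heuristics from the campaign description: ".top" domains and
# dynamic-DNS hosts were used for C2 and delivery. These are "low"
# confidence hits meant for triage, not automatic blocking.
SUSPICIOUS_SUFFIXES = (".top", ".anondns.net")

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)

# Constructed sample log lines (assumed formats), not data from the article.
SAMPLE_LOGS = [
    "2025-06-02T09:14:03Z dns query src=10.20.30.41 qname=kasin22.anondns.net type=A",
    "2025-06-02T09:14:05Z proxy src=10.20.30.41 dst=176.123.10.175:443 host=yertoje.uzhelp.top",
    "2025-06-02T09:15:10Z edr file_create path=C:\\Users\\jdoe\\Downloads\\Download.exe "
    "sha256=d6d75807c23ebfb34eceaa10037f2a911dd50128135cb968811c50b0f1d69eea",
    "2025-06-02T09:16:00Z dns query src=10.20.30.41 qname=updates.example.com type=A",
    "2025-06-02T09:17:22Z dns query src=10.20.30.52 qname=cdn.somevendor.top type=A",
]


def scan_line(line):
    """Return (confidence, kind, value) findings for one log line."""
    findings = []
    for host in HOST_RE.findall(line):
        host = host.lower()
        if host in IOC_DOMAINS:
            findings.append(("high", "domain", host))
        elif host.endswith(SUSPICIOUS_SUFFIXES):
            findings.append(("low", "domain", host))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            findings.append(("high", "ip", ip))
    for digest in HASH_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            findings.append(("high", "hash", digest.lower()))
    return findings


def scan_logs(lines):
    """Map 1-based line numbers to findings, keeping only lines with hits."""
    return {n: f for n, f in ((n, scan_line(l)) for n, l in enumerate(lines, 1)) if f}
```

Run against `SAMPLE_LOGS`, lines 1 to 3 produce high-confidence hits on the published domains, IP and SHA-256, line 5 produces a low-confidence ".top" hit, and line 4 is clean.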