Since March 2025, there has been a rise in malware infections using validly signed ConnectWise software abused by threat actors through Authenticode stuffing. Attackers manipulate ConnectWise configurations to disguise remote access malware with fake icons and messages, evading detection by many antivirus products. #EvilConwi #ConnectWise #AuthenticodeStuffing
Key points
- Infections involving ConnectWise signed samples surged from March 2025, linked to misuse of valid ConnectWise installers.
- Threat actors exploit Authenticode stuffing—adding unauthenticated attributes—to alter signed executables without breaking their signature.
- Malicious ConnectWise samples embed configurations that fake Windows update screens and modify icons to conceal remote access activity.
- Common infection vectors include phishing emails with OneDrive or Canva links and fake installers disguised as popular software.
- Most antivirus solutions failed to detect these modified ConnectWise samples as malware as of May 2025.
- Threat detection can leverage suspicious app.config settings that disable user alerts about active remote connections.
- ConnectWise revoked the signing certificate used for these samples after being notified in June 2025, but no official statement has been released.
MITRE Techniques
- [T1137] Transfer Data to Cloud Account – Phishing emails with OneDrive links redirect users to malicious downloads (‘a phishing email with a OneDrive link that promises to show a large document’).
- [T1027] Obfuscated Files or Information – Use of Authenticode stuffing to embed unauthenticated attributes allowing modifications without invalidating signatures (‘Authenticode stuffing is deliberate misuse of the certificate structure that allows modifications to an executable without invalidating its signature’).
- [T1190] Exploit Public-Facing Application – Exploitation of ConnectWise vulnerabilities CVE-2024-1708 and CVE-2024-1709 linked to ransomware activity in early 2024.
- [T1566] Phishing – Use of social engineering emails with links to fake installers and Canva pages to trick users into running malicious software (‘maliciously crafted ConnectWise sample originated from a website offering an AI-based image converter advertised on Facebook’).
- [T1071] Application Layer Protocol – Remote connections using manipulated launch parameters that hide user indicators such as tray icons or wallpapers (‘app.config disables several indicators which would alert a user that ConnectWise is present like a tray icon or a black wallpaper’).
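Because stuffed data lives in the unauthenticated attributes of the PKCS#7 signature (the part not covered by the signed hash, as the T1027 entry above describes), a defender triaging a sample can carve that region out and inspect it for embedded configuration text. The following added Python helper is not code from the G DATA post or from ConnectWise: it walks the standard PKCS#7/CMS DER layout, and its `build_sample` input is a constructed skeleton with a placeholder attribute OID (1.2.3) and no real signature, used only to exercise the parser.

```python
# Added example, not G DATA's or ConnectWise's code: locate the unauthenticated
# attributes of an Authenticode signature, the region Authenticode stuffing abuses.
import struct

def der_tlv(buf, pos):
    """Parse one DER tag/length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield the TLVs directly inside buf[start:end]."""
    while start < end:
        tlv = der_tlv(buf, start)
        yield tlv
        start = tlv[2]

def unauthenticated_attributes(pkcs7):
    """Bytes of SignerInfo.unauthenticatedAttributes ([1]), or b'' if absent."""
    _, vs, ve = der_tlv(pkcs7, 0)                       # ContentInfo SEQUENCE
    _, vs, ve = der_tlv(pkcs7, next(c for c in der_children(pkcs7, vs, ve) if c[0] == 0xA0)[1])  # [0] EXPLICIT -> SignedData
    _, si_s, si_e = list(der_children(pkcs7, vs, ve))[-1]   # signerInfos SET is last
    for _, s, e in der_children(pkcs7, si_s, si_e):     # each SignerInfo
        for tag, a_s, a_e in der_children(pkcs7, s, e):
            if tag == 0xA1:                             # [1] IMPLICIT unauthenticatedAttributes
                return pkcs7[a_s:a_e]
    return b""

def pkcs7_from_pe(data):
    """PKCS#7 blob from the PE security directory (WIN_CERTIFICATE), or b''."""
    opt = struct.unpack_from("<I", data, 0x3C)[0] + 24  # e_lfanew + "PE\0\0" + COFF header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dd = opt + (0x70 if pe32plus else 0x60) + 4 * 8     # IMAGE_DIRECTORY_ENTRY_SECURITY
    off, size = struct.unpack_from("<II", data, dd)
    return data[off + 8:off + size] if off and size > 8 else b""  # skip WIN_CERTIFICATE header

def der(tag, payload):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + payload

def build_sample(stuffed):
    """CONSTRUCTED SignedData skeleton (no real signature, placeholder attr OID 1.2.3)."""
    oid = der(0x06, bytes.fromhex("2A864886F70D010702"))          # id-signedData
    attr = der(0x30, der(0x06, b"\x2A\x03") + der(0x31, der(0x04, stuffed)))
    signer = der(0x30, der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"")
                 + der(0x30, b"") + der(0x04, b"\x00" * 4) + der(0xA1, attr))
    sd = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, oid) + der(0x31, signer))
    return der(0x30, oid + der(0xA0, sd))
```

On a real sample, `unauthenticated_attributes(pkcs7_from_pe(open(path, "rb").read()))` returns the region to inspect; a legitimate countersignature or timestamp is small and binary, so a large block containing readable app.config-style text is the condition worth alerting on.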
Indicators of Compromise
- [File Hashes] Malicious ConnectWise and fake installer samples – e.g. 7287a53167db901c5b1221137b5a1727390579dffd7098b59e6636596b37bc27, 7180238578817d3d62fd01fe4e52d532c8b3d2c25509b5d23cdabeb3a37318fc, and over 30 additional hashes.
- [Domains/URLs] Phishing and malicious download hosting – bookinginvoiceview.top (used in launch parameters), Canva.com (hosting malicious samples).
- [File Names] Fake installers and loaders – ZoomInstallerFull.exe, OneDriveSetup.exe, MicrosoftExcel.ClientSetup.exe, Adobe-Update-ClientSetup.wSZQ5iHP.exe.part.
- [Configuration Files] Embedded in malicious samples – app.config, system.config, Client.Override.en-US.resources (contain fake UI elements and connection settings).
Read more: https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware