Since March 2025, attackers have increasingly abused trojanized ConnectWise ScreenConnect ClickOnce installers to gain initial access to mainly U.S.-based organizations and rapidly deploy multiple RATs, including AsyncRAT, a custom PowerShell RAT, and later PureHVNC. The campaigns use evasive installers that fetch components at runtime, reuse preconfigured Windows Server 2022 VMs, and distribute malicious installers via social engineering with filenames impersonating official documents. #ScreenConnect #AsyncRAT #PureHVNC
Keypoints
- Since March 2025 there has been a surge in attacks leveraging trojanized ClickOnce ScreenConnect installers that fetch configuration at runtime, reducing static-detection efficacy.
- Initial access typically comes from a ClickOnce installer (e.g., agreement_support-pdf.Client.exe) that connects to attacker-controlled ScreenConnect servers such as morco.rovider[.]net.
- Attackers abuse ScreenConnect's automation features to quickly deploy multiple RATs: AsyncRAT, a custom PowerShell-based RAT, and later PureHVNC, sometimes concurrently on the same host.
- The custom PowerShell RAT performs reconnaissance, exfiltration via Microsoft.XMLHTTP, implements obfuscation and encoded payloads, and maintains persistence via startup VBS scripts.
- Two weeks after compromise attackers updated the AsyncRAT infection chain to use encoded .NET assemblies (logs.ldr/logs.ldk) loaded via an Obfuscator.dll and scheduled-task persistence.
- WMI and process hollowing were used to deploy PureHVNC, with the final payload connecting to 169.156.208.185:8020.
- Infrastructure shows reuse of domains (morco.rovider[.]net, gaza.rovider[.]net, lightc.rovider[.]net) and preconfigured Windows Server 2022 VMs (e.g., WIN-BUNS25TD77J), indicating rapid redeployment and possible infrastructure sharing.
MITRE Techniques
- [T1566] Phishing – Attackers distributed malicious ScreenConnect installers via social engineering and likely email phishing, using filenames impersonating official documents (“agreement_support-pdf.Client.exe”, “Social_Security_Statement_Documents_386267.exe”).
- [T1588.002] Obtain Capabilities: Tool – Attackers used a cracked/modified ScreenConnect server installer to build client installers pointing at attacker-controlled servers (“cracked version of the server installer that allowed them to change the server address”). No victim-facing application is exploited here, so T1190 does not apply.
- [T1219] Remote Access Software – Abuse of ScreenConnect's remote-control and automation features to run commands and deploy additional payloads on compromised hosts (“ScreenConnect automation features … rapidly deploy two remote access trojans”); the session itself is enough to ‘…grant the attacker extensive control over the compromised machine.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – Multiple stages and RATs were delivered and executed via PowerShell scripts (Skype.ps1, NvContainerRecovery.ps1, the homemade PowerShell RAT, loader one-liners), including a loader that ‘…loads pe.txt and 1.txt as .NET assemblies in memory.’
- [T1620] Reflective Code Loading – Payloads are loaded directly into memory rather than written as executables: the loader ‘…loads pe.txt and 1.txt as .NET assemblies in memory,’ and the updated AsyncRAT chain decodes logs.ldr/logs.ldk through Obfuscator.dll before loading them.
- [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence via scheduled tasks (e.g., “Skype Updater”): ‘…a scheduled task is created to run Microsoft.vbs … creating a persistence mechanism.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Scripts dropped in the user's Startup folder (Microsoft.vbs, FirefoxUpdate.js) re-launch the RAT at logon.
- [T1055.012] Process Injection: Process Hollowing – PureHVNC deployment used a .NET DLL implementing process hollowing to inject an assembly into RegAsm.exe, which then loaded the final payload: ‘…load a .NET DLL implementing process hollowing … inject another .NET assembly into a spawned instance of RegAsm.exe.’ RegAsm.exe is a Microsoft-signed .NET Framework tool, so the hollowed process carries a legitimate image name and signature.
- [T1041] Exfiltration Over C2 Channel – The custom PowerShell RAT beacons system reconnaissance and exfiltrates via Microsoft.XMLHTTP to the C2: ‘This is all then beaconed to the attacker’s C2, using Microsoft.XMLHTTP.’
- [T1027] Obfuscated Files or Information – Attackers used layered obfuscation (long nonsensical identifiers, charcode arrays, base64 .NET assemblies, encoded .NET assemblies logs.ldk/logs.ldr) to evade detection: ‘…key payloads … are stored as charcode arrays and only decoded at runtime, and the AMSI bypass is stored as a base64-encoded .NET assembly.’
- [T1562.001] Impair Defenses: Disable or Modify Tools – The PowerShell chain carries an AMSI bypass (delivered as a base64-encoded .NET assembly) so that the decoded stages are not scanned when they run.
- [T1036] Masquerading – Malicious executables were named to resemble official documents to trick users into running them: ‘…executables were typically named to appear as legitimate documents … Social_Security_Statement_Documents_386267.exe’; the ClickOnce client installer used the same trick (agreement_support-pdf.Client.exe).
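A hunting pass over the chain described in the keypoints and technique list above, as an added example that is not part of the original report. Constructed Sysmon-style events (not real telemetry) are run through one behavioural rule per stage: a document-lure ClickOnce client, an interpreter spawned by the ScreenConnect client service, a script dropped in the Startup folder, a scheduled task that runs a script from a user-writable path, and RegAsm.exe launched by an unexpected parent or making an outbound connection. The event field names, the ScreenConnect service image name used as a parent, the lure-word list and the RegAsm parent allowlist are assumptions to tune against local telemetry.

```python
"""Behavioural hunting rules for the ScreenConnect -> AsyncRAT/PureHVNC chain.

Added example for this digest, not code from the original report.
SAMPLE_EVENTS are constructed Sysmon-style records; the field names,
the ScreenConnect service image name used as a parent, the lure-word
list and the RegAsm parent allowlist are assumptions to tune locally.
"""
import ntpath
import re

LURE_WORDS = re.compile(r"pdf|doc|statement|agreement|invoice|contract|notice", re.I)
SCRIPT_EXT = (".vbs", ".js", ".ps1", ".bat", ".hta", ".wsf")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
# Assumption: operator "run command" automation executes under the client service.
RMM_PARENTS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: parents from which RegAsm.exe is expected (developer/installer context).
REGASM_OK_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe", "setup.exe"}

SAMPLE_EVENTS = [  # constructed, modelled on the chain the report describes
    {"type": "ProcessCreate", "image": r"C:\Users\bob\Downloads\agreement_support-pdf.Client.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "cmdline": r"powershell.exe -nop -w hidden -ep bypass -f C:\Users\bob\AppData\Roaming\Skype.ps1"},
    {"type": "FileCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.vbs"},
    {"type": "TaskCreate", "task_name": "Skype Updater",
     "task_action": r"wscript.exe C:\Users\bob\AppData\Roaming\Microsoft.vbs"},
    {"type": "ProcessCreate", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "NetworkConnect", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest_ip": "169.156.208.185", "dest_port": 8020},
    # Benign control: a developer registering an assembly from Visual Studio.
    {"type": "ProcessCreate", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]


def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path or "").lower()


def check(ev):
    """Return [(rule_id, message)] for one event."""
    hits, t = [], ev.get("type")
    img, parent = base(ev.get("image")), base(ev.get("parent"))
    if t == "ProcessCreate":
        # R1: ScreenConnect ClickOnce client whose name pretends to be a document.
        if img.endswith(".client.exe") and LURE_WORDS.search(img[:-len(".client.exe")]):
            hits.append(("R1", f"document-lure ScreenConnect ClickOnce client: {img}"))
        # R2: script interpreter launched through the RMM client service.
        if parent in RMM_PARENTS and img in INTERPRETERS:
            hits.append(("R2", f"{img} spawned by RMM service {parent}"))
        # R5: RegAsm.exe is the hollowing target; a user-land parent is abnormal.
        if img == "regasm.exe" and parent not in REGASM_OK_PARENTS:
            hits.append(("R5", f"RegAsm.exe launched by unexpected parent {parent}"))
    elif t == "FileCreate":
        tgt = (ev.get("target") or "").lower()
        # R3: script written into the per-user Startup folder.
        if "\\start menu\\programs\\startup\\" in tgt and tgt.endswith(SCRIPT_EXT):
            hits.append(("R3", f"script dropped in Startup folder: {base(tgt)}"))
    elif t == "TaskCreate":
        act = (ev.get("task_action") or "").lower()
        # R4: scheduled task whose action is a script in a user-writable location.
        if any(p in act for p in USER_WRITABLE) and any(e in act for e in SCRIPT_EXT):
            hits.append(("R4", f"task '{ev.get('task_name')}' runs a script from a user-writable path"))
    elif t == "NetworkConnect" and img == "regasm.exe":
        # R6: RegAsm registers assemblies; it has no reason to talk to the network.
        hits.append(("R6", f"RegAsm.exe outbound to {ev.get('dest_ip')}:{ev.get('dest_port')}"))
    return hits


def hunt(events):
    return [h for ev in events for h in check(ev)]


def triggered_rules(events):
    return {rule for rule, _ in hunt(events)}


if __name__ == "__main__":
    for rule, msg in hunt(SAMPLE_EVENTS):
        print(rule, msg)
```

The rules key on behaviour rather than on the report's hashes and domains, so they survive the installer renames and infrastructure rotation noted above; the benign devenv.exe-launched RegAsm.exe in the sample is there to show why R5 needs a parent allowlist rather than flagging every RegAsm.exe start.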
Indicators of Compromise
- [IP Addresses] C2 and hosting – 169.156.208.185 (PureHVNC C2, port 8020), 185.196.9.158 (AsyncRAT C2), 185.196.8.100 (additional infrastructure).
- [Domains] Malicious ScreenConnect servers and infrastructure – morco.rovider[.]net (installer parameter), gaza.rovider[.]net, lightc.rovider[.]net; hosted on stealthrdp[.]com.
- [Mutexes] AsyncRAT mutex strings – AsyncMutex_al026, AsyncMutex_alosh20215 (used by different AsyncRAT instances/configurations).
- [Filenames] Malicious installer and script names – agreement_support-pdf.Client.exe (ClickOnce installer), BypaasaUpdate.bat, Skype.ps1, Microsoft.vbs, FirefoxUpdate.js, NvContainerRecovery.ps1.
- [File hashes] Sample hashes for key items – agreement_support-pdf.Client.exe MD5: 34ED21AC2399CC08BD051A283FD59FC8; Skype.ps1 SHA256: BB182B8545B8C825811C6D09C738C230FE54BC96ADF1F10A3683B7E5294B5289. The logs.ldr (A4BF71F9…) and PureHVNC RAT (068504CB…) hashes are truncated here and are not usable for matching; see the article for the full list.
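Normalising and matching the indicators above, as an added example that is not part of the original report. Domains are refanged from the `[.]` form, hashes are lower-cased and checked for a full MD5/SHA-1/SHA-256 length (so the truncated prefixes above are rejected rather than silently matched), DNS observations match on the listed host or any subdomain of it, and mutex names stay case-sensitive. The observation records are constructed, not real telemetry, and the `kind`/`value` field layout is an assumption.

```python
"""IoC normalisation and matching for the report's indicators.

Added example, not code from the original report. SAMPLE_OBSERVATIONS are
constructed, not real telemetry. The truncated hashes in the report
(A4BF71F9..., 068504CB...) are deliberately left out: a prefix is not a
usable hash indicator, and normalize() rejects such values.
"""
import ipaddress
import re

# Indicators exactly as the report lists them (domains defanged with [.]).
REPORT_IOCS = {
    "ip":     ["169.156.208.185", "185.196.9.158", "185.196.8.100"],
    "domain": ["morco.rovider[.]net", "gaza.rovider[.]net", "lightc.rovider[.]net"],
    "hash":   ["34ED21AC2399CC08BD051A283FD59FC8",
               "BB182B8545B8C825811C6D09C738C230FE54BC96ADF1F10A3683B7E5294B5289"],
    "mutex":  ["AsyncMutex_al026", "AsyncMutex_alosh20215"],
}

HEX = re.compile(r"^[0-9a-f]+$")
DOMAIN = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$")


def refang(value):
    """Turn a defanged indicator back into its literal form."""
    return (value.strip().replace("[.]", ".").replace("(.)", ".")
            .replace("[:]", ":").replace("hxxp", "http"))


def normalize(kind, value):
    """Canonicalise one indicator; reject values whose shape does not match
    the declared kind (catches truncation and copy/paste damage in IoC lists)."""
    v = refang(value)
    if kind == "ip":
        return str(ipaddress.ip_address(v))            # raises ValueError on junk
    if kind == "domain":
        v = v.lower().rstrip(".")
        if not DOMAIN.match(v):
            raise ValueError(f"not a domain: {value!r}")
        return v
    if kind == "hash":
        v = v.lower()
        if not HEX.match(v) or len(v) not in (32, 40, 64):  # md5 / sha1 / sha256
            raise ValueError(f"not a full hash: {value!r}")
        return v
    if kind == "mutex":
        return v                                        # mutex names are case-sensitive
    raise ValueError(f"unknown indicator kind {kind!r}")


def build_index(raw=REPORT_IOCS):
    return {kind: {normalize(kind, v) for v in values} for kind, values in raw.items()}


def domain_hit(observed, iocs):
    """Exact match or a subdomain of a listed host; returns the matching IoC."""
    o = observed.lower().rstrip(".")
    return next((d for d in iocs if o == d or o.endswith("." + d)), None)


def match(observations, index=None):
    """Return (observation, kind, ioc) for every observation that hits."""
    index = index or build_index()
    hits = []
    for obs in observations:
        kind, value = obs["kind"], obs["value"]
        if kind == "domain":
            ioc = domain_hit(value, index["domain"])
        elif kind == "hash":
            ioc = value.lower() if value.lower() in index["hash"] else None
        elif kind in ("ip", "mutex"):
            ioc = value if value in index[kind] else None
        else:
            ioc = None
        if ioc:
            hits.append((obs, kind, ioc))
    return hits


# Constructed observations: DNS lookups, an EDR file hash, a firewall flow, mutexes.
SAMPLE_OBSERVATIONS = [
    {"kind": "domain", "value": "morco.rovider.net", "src": "dns"},
    {"kind": "domain", "value": "relay.lightc.rovider.net", "src": "dns"},   # subdomain hit
    {"kind": "domain", "value": "rovider.net.example.org", "src": "dns"},    # must not hit
    {"kind": "hash", "value": "bb182b8545b8c825811c6d09c738c230fe54bc96adf1f10a3683b7e5294b5289", "src": "edr"},
    {"kind": "ip", "value": "169.156.208.185", "port": 8020, "src": "fw"},
    {"kind": "mutex", "value": "AsyncMutex_al026", "src": "edr"},
    {"kind": "mutex", "value": "asyncmutex_al026", "src": "edr"},           # wrong case, must not hit
]

if __name__ == "__main__":
    for obs, kind, ioc in match(SAMPLE_OBSERVATIONS):
        print(f"{obs['src']}: {kind} {obs['value']} -> {ioc}")
```

Given the infrastructure reuse across rovider[.]net subdomains noted in the keypoints, an analyst may choose to add the apex as a watch suffix; that is a local judgement call rather than something the report lists, so it is not in `REPORT_IOCS`.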