Threat Actors Exploit ScreenConnect Installers for Initial Access
gbhackers
There has been a marked escalation in the abuse of ConnectWise ScreenConnect installers since March 2025, with U.S.-based businesses bearing the brunt of these incursions.
Adversaries are now deploying lightweight ClickOnce runner installers—devoid of embedded configurations—to evade static detection, fetching malicious components at runtime.
Post-installation, attackers automate the rapid deployment of two distinct remote access trojans (RATs): the publicly available AsyncRAT and a bespoke PowerShell-based RAT.
Within weeks, the campaign evolves further, leveraging batch and VBS loaders to deliver encoded .NET assemblies.
Distribution relies heavily on phishing lures masquerading as financial or official documents, while the reuse of preconfigured Windows Server 2022 VMs accelerates infrastructure rotation.
Defenders should rigorously monitor RMM tool usage and scrutinize all ScreenConnect deployments.
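The guidance above translates into a concrete triage pass over process-creation telemetry. The script below is an added illustration, not code from the article or from Acronis or ConnectWise: it reads Sysmon-style JSON-lines events (a schema constructed for this example, with `host`, `image`, `parent_image` and `cmdline` fields) and flags the patterns the campaign description calls out: a ScreenConnect client launched by the .NET ClickOnce runner `dfsvc.exe`, a client running from a user-writable path rather than its normal install directory, a client on a host where no RMM tool is sanctioned, and a ScreenConnect client spawning `cmd.exe`, `wscript.exe`, `cscript.exe` or PowerShell (the batch/VBS loader and PowerShell RAT stages). The process names are real; the allow-list, host names and sample events are constructed.

```python
"""Triage Sysmon-style process-creation events for risky ScreenConnect activity.

Added example, not from the article or from Acronis/ConnectWise. The log schema
(JSON lines with host/image/parent_image/cmdline) and the events are constructed;
ScreenConnect.*.exe and dfsvc.exe (the .NET ClickOnce launcher) are real names.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Hosts where the RMM client is expected (constructed allow-list for the example).
APPROVED_RMM_HOSTS = {"it-jump01"}
# Script hosts that a remote-access client has no business spawning directly.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Path fragments that indicate a user-writable location rather than Program Files.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    image: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_screenconnect(path: str) -> bool:
    return basename(path).startswith("screenconnect")


def evaluate(event: dict) -> list[Finding]:
    """Apply the four detection rules to one process-creation event."""
    image, parent, host = event["image"], event["parent_image"], event["host"]
    hits = []
    if is_screenconnect(image):
        if basename(parent) == "dfsvc.exe":
            hits.append("clickonce_launch")        # runner installer, config fetched at runtime
        if any(m in image.lower() for m in USER_WRITABLE_MARKERS):
            hits.append("user_writable_install")   # not the normal Program Files install dir
        if host not in APPROVED_RMM_HOSTS:
            hits.append("unapproved_host")         # RMM client where none is sanctioned
    if is_screenconnect(parent) and basename(image) in SCRIPT_HOSTS:
        hits.append("script_host_child")           # batch/VBS loader or PowerShell RAT stage
    return [Finding(r, host, image, parent) for r in hits]


def triage(log_text: str) -> list[Finding]:
    """Parse JSON-lines telemetry and return every rule hit."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event") == "ProcessCreate":
            findings.extend(evaluate(ev))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Map each host to the sorted set of rules it triggered."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h: sorted(r) for h, r in by_host.items()}


# Constructed sample events: one sanctioned install, one ClickOnce-launched client
# that then spawns loaders, and one client on a host with no approved RMM.
_EVENTS = [
    {"event": "ProcessCreate", "host": "it-jump01",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": ""},
    {"event": "ProcessCreate", "host": "fin-ws07",
     "image": r"C:\Users\jdoe\AppData\Local\Apps\2.0\XYZ\ScreenConnect.WindowsClient.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe", "cmdline": ""},
    {"event": "ProcessCreate", "host": "fin-ws07",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Apps\2.0\XYZ\ScreenConnect.WindowsClient.exe",
     "cmdline": r'cmd.exe /c "%TEMP%\invoice_loader.bat"'},
    {"event": "ProcessCreate", "host": "fin-ws07",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Apps\2.0\XYZ\ScreenConnect.WindowsClient.exe",
     "cmdline": r'wscript.exe "%TEMP%\statement.vbs"'},
    {"event": "ProcessCreate", "host": "it-jump01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    {"event": "ProcessCreate", "host": "hr-ws02",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (def456)\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": ""},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _EVENTS)

if __name__ == "__main__":
    for host, rules in summarize(triage(SAMPLE_LOG)).items():
        print(host, rules)
```

Run as-is it reports `fin-ws07` with all four rules and `hr-ws02` with only `unapproved_host`, while the sanctioned client on `it-jump01` stays silent. The allow-list rule is deliberately the broadest one: a legitimately signed installer on a host that never had RMM approved is exactly the case the article's "scrutinize all ScreenConnect deployments" advice targets, and it catches installs that the ClickOnce and path heuristics would miss.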
Over recent months, Acronis TRU (Threat Research Unit) has documented and tracked multiple coordinated campaigns exploiting trojanized ConnectWise ScreenConnect installers to infiltrate corporate networks.
The attack is likely ...