ScreenConnect Abuse Surges in Rogue Access Campaigns
ScreenConcerned: When Your IT Tool Becomes Their Backdoor
Summary
ScreenConnect is rapidly becoming the remote access tool of choice for threat actors. What the Blackpoint SOC once observed as a landscape dominated by NetSupport for persistence and backdoor access has shifted. ScreenConnect now leads in malicious usage across multiple campaigns.
So, why the pivot to ScreenConnect? In this blog, we’ll break down the key factors behind its rise in popularity, the industry sectors being targeted, recent campaigns observed by our SOC, and most importantly, how to identify, respond to, and prevent these intrusions. To date, we’ve observed ~167 confirmed ScreenConnect-related incidents just this past year, and that number continues to grow as adoption increases in both legitimate and malicious contexts.
Why
ScreenConnect is a legitimate Remote Monitoring and Management (RMM) tool commonly used by Managed Service Providers (MSPs) due to its ease of deployment and minimal configuration requirements. It provides full remote control over endpoints, making it an invaluable tool for IT support, but a dangerous weapon in the wrong hands.
When left unmonitored, ScreenConnect offers threat actors a stealthy, persistent foothold. It supports full remote access, payload deployment, lateral movement, encrypted communications, and background execution, all without triggering obvious alarms.
Because it’s frequently found in enterprise environments, its presence often flies under the radar. This makes it an ideal tool for adversaries utilizing “living off the land” techniques, blending in with legitimate infrastructure. Its low cost and accessibility further reduce the barrier to entry.
The threat has escalated with CVE-2025-3935, a high-severity vulnerability in versions 25.2.3 and earlier. This ViewState injection flaw in ASP.NET Web Forms could allow Remote Code Execution (RCE), adding another layer of risk to unpatched deployments.
In short, ScreenConnect’s blend of legitimacy, stealth, affordability, and exploitation potential has helped cement its place as a go-to utility for attackers. It is increasingly critical for organizations to ensure they are running patched versions and closely monitor unauthorized use across the environment.
Recent Campaigns
Recently, the Blackpoint SOC has observed a rise in social engineering campaigns abusing ScreenConnect to gain unauthorized access to victim environments. These attacks rely on convincing lures and minimal malware, instead installing ScreenConnect under the radar using clever delivery techniques. Once active, the threat actor gains persistent, hands-on access to the compromised host.
One variant of this campaign involves fake Zoom meeting invitations delivered via phishing emails. The lure tricks the user into believing their Zoom client requires an update to join the meeting. Upon clicking the link, the user is served a malicious ScreenConnect binary and unknowingly installs the remote access tool. While EDR or AV may generate alerts, the installation often succeeds if application controls or endpoint policies are not properly enforced. Once running, the rogue ScreenConnect instance reaches out to a command and control (C2) server, giving the attacker full remote control.

A second variation involves spoofed Social Security Administration (SSA) documents delivered as malicious attachments. When the user opens the document, it leverages DotNet ClickOnce to install ScreenConnect as a trusted Windows application, bypassing typical user prompts and appearing benign to many security solutions. This method avoids using suspicious macros or scripts, instead abusing a native Windows deployment mechanism to deliver the payload.

In both cases, Blackpoint’s Managed Application Control (MAC), when configured in blocking mode, serves as a critical control to prevent execution of unauthorized ScreenConnect instances. As threat actors increasingly turn to legitimate software for malicious purposes, layered defenses and strict application controls are essential to stop abuse before it results in data loss or lateral movement.
Incidents
Kill Chain:

Tech Scam:

In this incident, a remote support scammer tricks the user into downloading a harmful program disguised as a support tool (“support.client.exe”). While browsing in Chrome, the user is told (often by phone, email, or chat) to visit a website and download a file. This file uses a built-in Windows feature called ClickOnce to quietly install a remote access tool (ScreenConnect) in an unusual location on the computer (c:\users\*username*\appdata\local\apps\2.0\..). Once installed, the threat actor gets full control of the machine through a hidden ScreenConnect session.
Financial fraud attacks that deliver payloads (XWorm):
In this incident, the chain started with a “statement” executable that installed a rogue ScreenConnect session. ScreenConnect was then abused to execute a batch script, which spawned a command prompt that ran Base64-encoded malicious PowerShell (see Picture 1 for the encoded and decoded PS1 script). Call-outs to a German C2 server were observed, and XWorm was dropped.

The encoded PowerShell then calls a batch script, which concatenates several files to piece together the final payload. The end result is XWorm being deployed, along with C2 connections to Moldova.

Picture 1:


Enumeration:

In this incident, a malicious ScreenConnect session was dropped onto the compromised endpoint. It spawned a command prompt to run a script associated with a specific ScreenConnect session (or deployment). The script enumerates domain trusts, attempts to locate the domain controller for the domain, and lists all members of the Domain Admins group in the current AD domain. Looking at the value after “Guest&h=” in the first ScreenConnect.ClientService.exe command line, the host associated with this session is 91.200.14[.]29, connecting on port 8041.
IOCs
Threat actors frequently leverage cheap and easily obtainable Top-Level Domains (TLDs) to host Command and Control (C2) infrastructure for rogue ScreenConnect installations. These TLDs are often chosen for their low cost, minimal registration requirements, and reputation for weak abuse enforcement, allowing malicious infrastructure to remain active longer without takedown. Here are some of the most commonly observed TLDs in these campaigns:
- .top
- .xyz
- .org
- .info
- .live
- .us
- .win
- .cc
- .es
- .ru
- .stream
- .buzz
- .cloud
- .de
- .help
- .link
- .pro
- .site
- .cyou
- .icu
- .is
- .online
Sectors
Industries that routinely handle sensitive information are prime targets for rogue ScreenConnect delivery via email campaigns. The Blackpoint SOC has observed consistent targeting across the following sectors:
- Law firms
- Financial services
- Construction companies
- Automotive dealerships
- Healthcare providers
- Real estate agencies
Threat Hunting
Following the surge in rogue ScreenConnect deployments, the Blackpoint SOC initiated proactive threat hunts across our partner environments to identify and contain any unauthorized remote access activity. This hunt focused on detecting ScreenConnect processes initiated with specific command-line parameters, particularly the “h=” argument, which defines the remote host the client should connect to. By parsing command-line telemetry at scale, we were able to surface a high volume of ScreenConnect sessions and filter for suspicious behavior.
Through this methodology, we identified over 75 rogue ScreenConnect instances attempting to connect to low-reputation or anomalous top-level domains (TLDs), often tied to recently registered infrastructure with no legitimate business ties. Many of these domains appeared to be single-use or part of throwaway campaigns, designed to quickly establish access and evade detection. Using these findings, we were able to directly reach out to affected partners and provide guidance for response and remediation, while simultaneously building new internal detections to flag potentially rogue ScreenConnect instances moving forward.
This threat hunting initiative highlights how adversaries increasingly rely on living-off-the-land techniques and legitimate tools to avoid traditional defenses. It also reinforces the importance of deep process inspection, behavioral hunting, and domain reputation analysis in detecting modern threats that often slip past conventional AV and EDR tools.
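As an added example (not Blackpoint's own tooling), here is a small Python triage script that implements the command-line hunt described above together with the install-path audit from the prevention list: it pulls the h= and p= values out of ScreenConnect.ClientService.exe command lines, compares the relay host against an approved-host allowlist and the TLD watchlist from the IOCs section, and flags clients running from a user profile path. The "?e=Access&y=Guest&h=...&p=..." argument layout, the approved host name, and the telemetry lines are assumptions constructed for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs
# TLDs listed in the IOCs section above, used as a watchlist (a signal, not a verdict).
WATCHLIST_TLDS = {"top", "xyz", "org", "info", "live", "us", "win", "cc", "es", "ru", "stream",
                  "buzz", "cloud", "de", "help", "link", "pro", "site", "cyou", "icu", "is", "online"}
# Relay hosts of the MSP's own ScreenConnect instances (constructed value for this example).
APPROVED_HOSTS = {"support.example-msp.com"}
# Assumed argument layout: one quoted "?e=Access&y=Guest&h=<host>&p=<port>&..." string.
QUERY_RE = re.compile(r'"(\?[^"]*)"')
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\", re.IGNORECASE)  # e.g. ClickOnce AppData installs

def parse_cmdline(cmdline):
    """Return (exe_path, host, port) for a ScreenConnect.ClientService.exe line, else None."""
    m = QUERY_RE.search(cmdline)
    if not m or "screenconnect.clientservice.exe" not in cmdline.lower():
        return None
    params = parse_qs(m.group(1).lstrip("?"))
    host = params.get("h", [""])[0].lower()
    port = int(params.get("p", ["0"])[0] or 0)
    return cmdline.split('"')[1], host, port  # exe path is the first quoted token

def triage(cmdline):
    """Classify one line as 'approved', 'suspicious', 'review' or 'not-screenconnect'."""
    parsed = parse_cmdline(cmdline)
    if parsed is None:
        return "not-screenconnect", []
    exe_path, host, port = parsed
    if host in APPROVED_HOSTS:
        return "approved", []
    reasons = []
    try:
        ip_address(host)  # bare-IP relay, as in the Enumeration incident above
        reasons.append(f"direct-to-IP relay {host}:{port}")
    except ValueError:
        tld = host.rsplit(".", 1)[-1]
        if tld in WATCHLIST_TLDS:
            reasons.append(f"relay {host} uses watchlisted TLD .{tld}")
    if USER_PROFILE_RE.search(exe_path):
        reasons.append(f"client runs from user profile path: {exe_path}")
    return ("suspicious" if reasons else "review"), reasons

# Constructed telemetry lines (not real captures); GUID and key values are placeholders.
SAMPLES = [
    r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.example-msp.com&p=443&s=PLACEHOLDER&k=PLACEHOLDER"',
    r'"C:\Users\jdoe\AppData\Local\Apps\2.0\ABCD\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=zoom-update-check.top&p=8041&s=PLACEHOLDER&k=PLACEHOLDER"',
    r'"C:\Users\jdoe\AppData\Local\Apps\2.0\ABCD\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=91.200.14.29&p=8041&s=PLACEHOLDER&k=PLACEHOLDER"',
]
for line in SAMPLES:
    print(*triage(line), sep=" | ")
```

Instances that hit neither list land in "review"; in practice the allowlist should be fed from the instance IDs and relay hosts the MSP has pre-approved, so that only unknown relays reach an analyst.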

How To Prevent
Blackpoint’s Managed Application Control (MAC) is a highly effective defense against unauthorized ScreenConnect activity. When configured in Blocking mode, MAC can automatically prevent the execution of unapproved ScreenConnect binaries and generate real-time alerts for the SOC.
In MSP-managed environments, administrators can pre-approve known good ScreenConnect instance IDs through the portal. Any execution tied to an unapproved ID will then be blocked by default. If MAC is not deployed, it becomes critical to manually verify the instance IDs and associated domains (see reference image A) to confirm alignment with legitimate infrastructure.
Additional best practices include:
- Monitoring network traffic and firewall logs for outbound connections to unfamiliar IP addresses, particularly around the time of suspected compromise.
- Auditing install paths. Legitimate installations typically reside in system-level directories. If ScreenConnect is found in user-level paths like Downloads, AppData, or alongside suspicious script files (e.g., .ps1 droppers), treat it as a potential indicator of compromise.
- Hardening detection rules within AV/EDR solutions to flag ScreenConnect installs, especially if unsigned or launched from non-standard locations.
- Prioritizing user education. Train end users to be skeptical of unexpected emails, especially those prompting downloads or triggering background activity without clear intent.
By combining automated controls, vigilant monitoring, and user awareness, organizations can significantly reduce the risk of ScreenConnect being abused as a remote access foothold.
Date published: July 14, 2025
Author: Blackpoint Cyber