SOC Prime Bias: Medium

05 Jan 2026 14:56 UTC

Rogue ScreenConnect: Common Social Engineering Tactics We Saw in 2025

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Threat actors are delivering malicious ScreenConnect (remote monitoring and management) clients through social‑engineering lures such as fake Social Security statements, invitation letters and invoice documents. The lures are distributed via phishing emails and malicious web pages, leading victims to download renamed ScreenConnect executables. Once installed, the rogue RMM provides the attacker with persistent remote access to the compromised host.

Investigation

Huntress observed dozens of incidents between January and September 2025 where renamed ScreenConnect binaries were executed on endpoints in multiple industries. The SOC collected associated domain names, IP addresses and file hashes, noting repeated use of dynamic DNS services and specific lure naming patterns. Detailed log analysis showed the malicious client contacting attacker‑controlled domains for command‑and‑control.

Mitigation

Organizations should strengthen security awareness training to spot fake statements, invoices and invitation files. Continuous monitoring of remote access tools, restricting execution of unsigned RMM binaries and auditing network connections to known malicious domains are recommended. Keep RMM software patched and whitelist only authorized instances.

Response

Upon detection of a renamed ScreenConnect executable, isolate the endpoint, collect the binary and associated network traffic, and block the C2 domain at the firewall. Perform a forensic analysis to identify persistence mechanisms and lateral movement, then remediate compromised accounts and reset credentials.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An attacker crafts a phishing email with an attachment named Social_Security_Statement_redacted.exe that actually contains a legitimate ScreenConnect installer (or any payload). The victim, believing it to be a personal finance document, double‑clicks the file. The OS launches the executable, producing a process‑creation event where the Image field ends with the malicious filename. This exact pattern matches the Sigma rule and should raise an alert.

  • Regression Test Script:

    # --------------------------------------------------------------
    # Simulation script – triggers the "Rogue ScreenConnect" rule
    # --------------------------------------------------------------
    
    # 1. Prepare a benign payload (e.g., calc.exe) and rename it
    $src = "$env:SystemRoot\System32\calc.exe"
    $dst = "$env:Temp\Social_Security_Statement_redacted.exe"
    
    Copy-Item -Path $src -Destination $dst -Force
    
    # 2. Optionally set hidden attribute to mimic evasion (T1564.004)
    attrib +h $dst
    
    # 3. Execute the renamed payload (simulating user click)
    Start-Process -FilePath $dst
    
    # 4. Wait briefly to ensure logging
    Start-Sleep -Seconds 5
    
    # 5. Output confirmation
    Write-Host "Executed $dst – should generate detection telemetry."
  • Cleanup Commands:

    # Remove the malicious‑looking executable and clear attribute
    $file = "$env:Temp\Social_Security_Statement_redacted.exe"
    if (Test-Path $file) {
        attrib -h $file
        Remove-Item -Path $file -Force
        Write-Host "Cleanup complete: $file removed."
    } else {
        Write-Host "File not found; nothing to clean."
    }
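The narrative above says the detection keys on a process-creation event whose Image ends with the lure filename. The following Python is an added example, not SOC Prime's rule, the Sigma rule text, or Huntress's tooling: it evaluates that logic over a few constructed Sysmon-style process-creation records and goes one step beyond the text by also flagging a ScreenConnect client that was renamed to something innocuous. The lure name patterns (social security, invitation, invoice) come from the report; the assumption that a ScreenConnect client carries an OriginalFileName starting with "ScreenConnect." is mine, as are all sample paths and record IDs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Lure naming patterns described in the report: fake Social Security
# statements, invitation letters and invoice documents shipped as .exe files.
LURE_PATTERNS = [
    re.compile(r"social[_\- ]?security", re.IGNORECASE),
    re.compile(r"invitation", re.IGNORECASE),
    re.compile(r"invoice", re.IGNORECASE),
]

# ASSUMPTION (not stated on the page): the ScreenConnect client keeps an
# OriginalFileName beginning with "ScreenConnect." in its PE version resource.
# Renaming the file on disk changes Image but not OriginalFileName, so a
# mismatch between the two is a useful secondary signal.
SCREENCONNECT_PREFIX = "screenconnect."


@dataclass
class Finding:
    record_id: int
    reason: str
    image: str


def basename(path: str) -> str:
    # Exported logs may carry either separator; take the last component.
    return re.split(r"[\\/]", path)[-1]


def is_lure_name(name: str) -> bool:
    # Executable whose name imitates a personal/financial document.
    return name.lower().endswith(".exe") and any(p.search(name) for p in LURE_PATTERNS)


def is_renamed_screenconnect(image_name: str, original_name: str) -> bool:
    orig = original_name.lower()
    return orig.startswith(SCREENCONNECT_PREFIX) and image_name.lower() != orig


def evaluate(events: List[Dict[str, str]]) -> List[Finding]:
    # Only Sysmon Event ID 1 (process creation) is in scope for this rule.
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        image = ev.get("Image", "")
        name = basename(image)
        rid = int(ev["RecordId"])
        if is_lure_name(name):
            findings.append(Finding(rid, "lure filename", image))
        if is_renamed_screenconnect(name, ev.get("OriginalFileName", "")):
            findings.append(Finding(rid, "renamed ScreenConnect client", image))
    return findings


# Constructed sample records (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"RecordId": "1", "EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    {"RecordId": "2", "EventID": "1",
     "Image": r"C:\Users\alice\Downloads\Social_Security_Statement_redacted.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe"},
    {"RecordId": "3", "EventID": "1",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (example)\ScreenConnect.ClientService.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe"},
    {"RecordId": "4", "EventID": "1",
     "Image": r"C:\Users\bob\AppData\Local\Temp\Invoice_2025-09.exe",
     "OriginalFileName": ""},
    {"RecordId": "5", "EventID": "3",  # network event, not process creation
     "Image": r"C:\Users\bob\AppData\Local\Temp\Invoice_2025-09.exe",
     "OriginalFileName": ""},
    {"RecordId": "6", "EventID": "1",
     "Image": r"C:\Users\carol\AppData\Roaming\update.exe",
     "OriginalFileName": "ScreenConnect.WindowsClient.exe"},
]


def run_demo() -> List[Finding]:
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"record {f.record_id}: {f.reason}: {f.image}")
```

Record 3 shows why the secondary check compares the on-disk name with OriginalFileName rather than alerting on every ScreenConnect process: a legitimately installed client under its own name produces no finding, while the same binary renamed to update.exe (record 6) does. Tune the lure patterns to your environment; the names here are only the ones the report calls out.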

End of Report