Severity: High | Category: Phishing

ScreenConnect RMM Abuse: 25+ Weaponized Installers, Amadey Loader Delivery, and 4 OVH Relay Servers Mapped in One-Week Campaign Surge

Published: March 12, 2026
Threat Actors: attribution assessment below (multiple independent operators; one identified with dedicated phishing infrastructure)
Tags: phishing, amadey, social-engineering, c2, botnet, exploit, spearphishing

TL;DR: Breakglass Intelligence identified a surge of ScreenConnect cloud abuse across at least 25 MSI installers uploaded to MalwareBazaar in a single week (March 3-9, 2026). Five samples were fully analyzed, revealing five independently provisioned attacker-controlled cloud instances routing through four OVH US relay servers. None of the MSIs are trojanized -- they are stock ConnectWise builds carrying a legitimate, currently valid ConnectWise DigiCert code signing certificate, so hash- and signature-based controls do not flag them. Delivery mechanisms include the Amadey malware-as-a-service loader and social engineering lures impersonating the U.S. Social Security Administration and Zoom. A parallel ZoomWorkspace variant links to FranTech/Cloudzy phishing infrastructure with a OneDrive impersonation domain.


Why This Matters

ScreenConnect (ConnectWise Control) is one of the most widely deployed Remote Monitoring and Management (RMM) tools in the world. It is trusted by IT departments, managed service providers, and help desks across every industry. That trust is exactly what makes it devastating when abused.

The campaign documented here does not exploit a vulnerability in ScreenConnect. It exploits ScreenConnect's business model. Threat actors create free trial accounts on ConnectWise's cloud platform, generate custom MSI installers pre-configured to connect back to their attacker-controlled instances, and distribute them to victims. The resulting installer is legitimately built and signed by ConnectWise, LLC. It passes SmartScreen. It passes Authenticode verification. It installs a legitimate Windows service. Every binary in the package is stock ConnectWise software.

The only thing that changes between a legitimate ScreenConnect deployment and a weaponized one is the embedded relay server configuration -- a few hundred bytes buried inside the MSI properties.

The Attack Chain

DELIVERY                  EXECUTION                 PERSISTENCE               C2
+-------------------+     +-------------------+     +-------------------+     +-------------------+
| Amadey Loader     |     | msiexec.exe       |     | Windows Service   |     | ScreenConnect     |
| Social Eng Lure   | --> | (Trusted Binary)  | --> | (Auto-start)      | --> | Cloud Relay       |
| (SSA-Statement,   |     | installs MSI      |     | ScreenConnect     |     | (OVH US LLC)      |
|  ZoomWorkspace)   |     | with valid sig    |     | Client Service    |     | Port 443          |
+-------------------+     +-------------------+     +-------------------+     +-------------------+

Stage 1: Delivery

Three distinct delivery vectors were observed across the analyzed samples:

Amadey Loader -- The sample 4d2494... was tagged dropped-by-Amadey on MalwareBazaar. Amadey is a well-documented malware-as-a-service botnet, primarily operated by Russian-speaking actors, that accepts "tasks" from customers to deploy additional payloads on already-compromised machines. This indicates that at least one operator is buying botnet distribution to push ScreenConnect installers onto pre-infected endpoints. In that path the victim never sees the MSI file at all, so lure-based and filename-based heuristics do not apply; only instance-level detection does.

SSA-Statement.msi -- This lure impersonates the U.S. Social Security Administration. The filename alone ("SSA-Statement") is designed to trigger urgency in American victims expecting government correspondence. The embedded t= parameter contains the name Thomas_Matulesi, suggesting this is a targeted spearphishing operation against a specific individual rather than a mass-distribution campaign.

ZoomWorkspace.msi -- This variant impersonates Zoom videoconferencing software. It links to broader phishing infrastructure hosted on FranTech/Cloudzy at 144[.]172[.]100[.]57, with an associated OneDrive impersonation domain (1drv[.]ms[.]arihk[.]com) indicating a more sophisticated operator with dedicated phishing infrastructure.

Stage 2: Execution via Trusted Binary

All samples execute through msiexec.exe, a built-in Windows system binary. The MSI is signed with a valid ConnectWise code signing certificate (DigiCert, issued February 20, 2026), so there is no SmartScreen warning, no Authenticode failure, and no antivirus alert from the installation itself.

Stage 3: Persistence

ScreenConnect installs as a Windows service with auto-start enabled and failure recovery set to restart. It also:

  • Registers in SafeBoot (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (*)) -- ensuring it runs even in Safe Mode
  • Registers a Windows Authentication Package in the LSA configuration -- loading its DLL into the LSASS process
  • Registers as a Windows Credential Provider (CLSID {6FF59A85-BC37-4CD4-...})
  • Registers a custom URL protocol (sc-XXXXXXXX://) for one-click reconnection

This is enterprise-grade persistence. It survives reboots, Safe Mode, and most remediation attempts that do not specifically target the ScreenConnect service registration.

Stage 4: Command and Control

The installed client connects to a ScreenConnect cloud relay server over port 443 using a proprietary protocol (not standard HTTPS). The relay connection uses RSA-2048 key exchange for encryption. Once connected, the operator has full remote desktop access, file transfer, command execution, and session recording capabilities -- all through ConnectWise's legitimate infrastructure.

Infrastructure Analysis

Five Instances, Four Relay Servers, One Provider

All ScreenConnect cloud relay servers in this campaign resolve to OVH US LLC dedicated servers. Two of the five instances share a single relay server, suggesting either resource consolidation by one operator or coincidental relay assignment by ConnectWise's provisioning system.

Instance ID       Relay Server               Relay IP             Session Tag         First Seen
----------------  -------------------------  -------------------  ------------------  ----------
instance-lssdvv   server-ovh30010009-relay   15[.]204[.]166[.]75  c=flag              2026-03-09
instance-i3onzo   server-ovh30020022-relay   15[.]204[.]48[.]34   (empty)             2026-03-09
instance-q6uelv   server-ovh60020016-relay   15[.]235[.]97[.]45   t=Thomas_Matulesi   2026-03-07
instance-y9neh7   server-ovh60020016-relay   15[.]235[.]97[.]45   (empty)             2026-03-06
instance-ig2xes   server-ovh30020014-relay   15[.]204[.]43[.]247  c=chunnc            2026-03-03

Relay Architecture

ConnectWise ScreenConnect cloud instances use a relay-based architecture that routes all traffic through ConnectWise-managed infrastructure:

Victim Endpoint
    |
    v
instance-XXXXXX-relay.screenconnect.com (CNAME)
    |
    v
server-ovhXXXXXXXX-relay.screenconnect.com (CNAME)
    |
    v
OVH US Dedicated Server (15.204.x.x / 15.235.x.x)
    |
    v
Attacker's ScreenConnect Console

This means the attacker's actual IP address never appears in the victim's network traffic. All connections route through ConnectWise's domain and OVH's IP space. From a network defense perspective, the traffic is indistinguishable from a legitimate ScreenConnect deployment without instance-level allowlisting.

Network Infrastructure

IP                    ASN                  Provider        Purpose                       Status
--------------------  -------------------  --------------  ----------------------------  ------
15[.]204[.]166[.]75   OVH US (OUL-16)      OVH Dedicated   ScreenConnect Relay           LIVE
15[.]204[.]48[.]34    OVH US (OUL-16)      OVH Dedicated   ScreenConnect Relay           LIVE
15[.]235[.]97[.]45    OVH US (OUL-16)      OVH Dedicated   ScreenConnect Relay (shared)  LIVE
15[.]204[.]43[.]247   OVH US (OUL-16)      OVH Dedicated   ScreenConnect Relay           LIVE
144[.]172[.]100[.]57  FranTech (SYNDI-5)   Cloudzy         ZoomWorkspace phishing infra  LIVE

MSI Analysis: Identical Binaries, Different Configs

All five analyzed samples are 10,121,216 bytes (9.65 MB). Their TLSH digests are consistent with a single build of the same ScreenConnect version (v25.9.12.9552) with only the embedded configuration changing. A TLSH digest is T1 + a 1-byte checksum + a 1-byte length value + a 1-byte quartile-ratio field + a 64-hex body; here the length field, quartile ratios and body are identical across all five, and only the leading checksum byte differs, which is exactly what a few hundred bytes of configuration delta inside a 10 MB file should produce:

Sample 1 (lssdvv):  T18CA6232153F9D028E0F35B35EE7AD165AA32BE618E12C15F1354780E39B1E8196B373B
Sample 2 (i3onzo):  T1FCA6232153F9D028E0F35B35EE7AD165AA32BE618E12C15F1354780E39B1E8196B373B
SSA (q6uelv):       T15AA6232153F9D028E0F35B35EE7AD165AA32BE618E12C15F1354780E39B1E8196B373B
Amadey (y9neh7):    T165A6232153F9D028E0F35B35EE7AD165AA32BE618E12C15F1354780E39B1E8196B373B
Chile (ig2xes):     T100A6232153F9D028E0F35B35EE7AD165AA32BE618E12C15F1354780E39B1E8196B373B
                      ^^-- only difference (TLSH checksum byte; config delta)

The configuration is embedded in the SERVICE_CLIENT_LAUNCH_PARAMETERS MSI property. The key parameters:

Parameter  Description                  Example Value
---------  ---------------------------  -------------------------------------------
e          Session Type                 Access
y          Session Role                 Guest
h          Relay Hostname               instance-lssdvv-relay[.]screenconnect[.]com
p          Relay Port                   443
k          RSA-2048 Public Key          Unique per instance
c          Session Group                flag, chunnc, or empty
t          Session Name / Operator Tag  Thomas_Matulesi or empty

Each instance has a unique RSA-2048 keypair (Microsoft PUBLICKEYBLOB format), confirming all five were independently provisioned through ConnectWise's cloud platform.
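The following Python is an added example, not ConnectWise code and not part of the original report. It parses a launch-parameter string of the shape described above (the same e/y/h/p/k/c/t fields), pulls the instance ID out of the h= relay hostname, and decodes k= as a Microsoft PUBLICKEYBLOB (BLOBHEADER + RSAPUBKEY + little-endian modulus), hashing the raw blob so each instance gets a stable key fingerprint. The parameter string and the RSA key in it are constructed here; that k= is the base64 of the raw blob is an assumption of this example. In practice the string comes out of the MSI Property table, for instance with msitools (`msiinfo export sample.msi Property`).

```python
"""Parse a ScreenConnect SERVICE_CLIENT_LAUNCH_PARAMETERS string and decode its k= key blob.

Added example, not ConnectWise code. The sample parameter string and key below are
constructed; only the field names (e/y/h/p/k/c/t) and the PUBLICKEYBLOB layout are taken
from the report and the wincrypt.h definitions.
"""
import base64
import hashlib
import re
import struct
from urllib.parse import quote, unquote

INSTANCE_RE = re.compile(r"^instance-([a-z0-9]+)-relay\.screenconnect\.com$", re.I)

# wincrypt.h constants for an RSA public key blob
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = b"RSA1"


def build_publickeyblob(modulus: int, exponent: int = 65537, bits: int = 2048) -> bytes:
    """Serialise an RSA public key as a PUBLICKEYBLOB (used here only to build the sample)."""
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<4sII", RSA1_MAGIC, bits, exponent)
    return header + rsapubkey + modulus.to_bytes(bits // 8, "little")


def parse_publickeyblob(blob: bytes) -> dict:
    """Decode a PUBLICKEYBLOB; SHA-256 of the raw blob serves as the per-instance fingerprint."""
    btype, _bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PUBLICKEYBLOB or alg != CALG_RSA_KEYX:
        raise ValueError("not an RSA PUBLICKEYBLOB")
    magic, bits, exponent = struct.unpack_from("<4sII", blob, 8)
    if magic != RSA1_MAGIC or len(blob) != 20 + bits // 8:
        raise ValueError("malformed RSAPUBKEY")
    modulus = int.from_bytes(blob[20:], "little")
    return {"bits": bits, "exponent": exponent, "modulus": modulus,
            "fingerprint": hashlib.sha256(blob).hexdigest()}


def parse_launch_parameters(params: str) -> dict:
    """Split '?e=...&y=...&h=...' into fields; a repeated key (e.g. several c=) becomes a list."""
    fields: dict = {}
    for pair in params.lstrip("?").split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        value = unquote(value)
        if key in fields:
            prev = fields[key] if isinstance(fields[key], list) else [fields[key]]
            fields[key] = prev + [value]
        else:
            fields[key] = value
    host = fields.get("h", "")
    m = INSTANCE_RE.match(host)
    result = {
        "session_type": fields.get("e"),
        "session_role": fields.get("y"),
        "relay_host": host,
        "relay_port": int(fields["p"]) if fields.get("p", "").isdigit() else None,
        "instance_id": m.group(1).lower() if m else None,   # None for on-prem/self-hosted servers
        "session_group": fields.get("c"),
        "session_name": fields.get("t"),
        "key": None,
    }
    if fields.get("k"):
        result["key"] = parse_publickeyblob(base64.b64decode(fields["k"]))
    return result


# --- constructed sample: a synthetic 2048-bit modulus and a parameter string in the report's layout ---
SAMPLE_MODULUS = int.from_bytes(hashlib.sha256(b"constructed").digest() * 8, "big") | (1 << 2047) | 1
SAMPLE_BLOB = build_publickeyblob(SAMPLE_MODULUS)
SAMPLE_PARAMS = (
    "?e=Access&y=Guest&h=instance-lssdvv-relay.screenconnect.com&p=443"
    "&k=" + quote(base64.b64encode(SAMPLE_BLOB).decode(), safe="") + "&c=flag&t="
)

if __name__ == "__main__":
    cfg = parse_launch_parameters(SAMPLE_PARAMS)
    print(cfg["instance_id"], cfg["relay_host"], cfg["relay_port"], repr(cfg["session_group"]))
    print("RSA-%d key, fingerprint %s..." % (cfg["key"]["bits"], cfg["key"]["fingerprint"][:16]))
```

The fingerprint is what lets you say "these two MSIs point at the same provisioned instance" even when the filename, session group and t= tag differ; the instance ID alone is enough for allowlisting, but the key fingerprint catches an operator who re-provisions and re-uses a key.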

Code Signing Certificate

Field                 Value
--------------------  -----------------------------------------------------------------
Subject               C=US, ST=Florida, L=Tampa, O=ConnectWise, LLC, CN=ConnectWise, LLC
Issuer                DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Serial                01dddbc6e9163d407d980a3eaf798528
Valid                 2026-02-20 through 2027-02-19
Thumbprint (SHA-256)  e1db8670d34a3d8099b9815c9772b37025a7b5d1845ec5256eb22dad7e196725

This is not a stolen certificate. It is ConnectWise's legitimate, currently valid code signing certificate. The MSIs are generated by ConnectWise's own build system and signed as part of the normal provisioning process. This is what makes RMM abuse fundamentally different from traditional malware -- the binary is not malicious. The account is.

Sample Details

SHA256                                                            Filename                        Instance  Delivery            Origin
----------------------------------------------------------------  ------------------------------  --------  ------------------  ------
824c9bd950fe5116b503f0f9fa9c17e7ba09464ed6e5b4450ab4354d67259607  ScreenConnect.ClientSetup.msi   lssdvv    Unknown             US
96a41ae0f5d9c14fb505c506862a6e7947f5a20dd705f48aaa133ba0513dd3aa  ScreenConnect.ClientSetup3.msi  i3onzo    Unknown             US
411fae02a3fa0960c0142e04a3401803f722b934dbee1130b3203c656ae93ba7  SSA-Statement.msi               q6uelv    Social engineering  US
4d24949840cbe6127c1a949786a10fd526693cb8ae286be0da8fcd776f635387  (unnamed)                       y9neh7    Amadey loader       US
cceee71fd3161c6e939762bfba9de09e96e54d6cb771d02b3f9f3b761576c8ea  ScreenConnect.ClientSetup.msi   ig2xes    Unknown             CL

Additional related samples from the broader campaign:

SHA256                                                            Filename           Notes
----------------------------------------------------------------  -----------------  -------------------------------
90876b3f9084e0679aac234e57dc9d82c4b09121dc3de6852491d84f85ad5f6e  ZoomWorkspace.msi  FranTech/Cloudzy infrastructure
c2a0820c49e988c291f0d7b24105da595546674e3a164b424546df13919ed33a  hw5yt.msi          Random filename variant

Attribution: Multiple Actors, One Technique

This is not a single coordinated campaign. The evidence points to multiple independent threat actors all exploiting the same ScreenConnect cloud abuse technique simultaneously:

  • 5 different RSA keypairs = 5 independently provisioned instances
  • Different delivery mechanisms -- Amadey loader (Russian-speaking cybercrime ecosystem) vs. social engineering lures vs. unknown distribution
  • Different targeting -- US, Chile, Spain
  • Different operator conventions -- session groups flag, chunnc, and Thomas_Matulesi suggest different operational styles
  • 25+ samples in one week on MalwareBazaar alone -- this volume across different filenames, sizes, and certificate versions indicates a widespread technique, not a single actor

The Amadey connection is significant. Amadey is a well-known MaaS botnet primarily operated by Russian-speaking actors, and its use to deliver ScreenConnect indicates that RMM abuse has been productized within that ecosystem: an operator can purchase Amadey distribution tasks to silently deploy ScreenConnect onto pre-infected machines without ever sending a lure.

Operator Indicators

Indicator        Source                                      Assessment
---------------  ------------------------------------------  ------------------------------------------------
Thomas_Matulesi  t= parameter in SSA-Statement.msi           Likely victim/target name, not operator
chunnc           c= session group in Chile sample            Possible operator handle or campaign ID
flag             c= session group in sample 1                Generic test label, suggests development/testing
fbf543           MalwareBazaar tag on Amadey-dropped sample  Possible Amadey campaign ID

The Broader Wave

The five samples analyzed here are a fraction of a much larger surge. In the period March 3-9, 2026, at least 25 ConnectWise-tagged samples were uploaded to MalwareBazaar, including:

  • Multiple MSIs using ScreenConnect v25.9.12.9552 (current certificate)
  • MSIs using an older certificate (serial 0abbca120c79810a182f72f89c04358f, valid 2025-2028)
  • Social engineering filenames: SSA-Statement.msi, ZoomWorkspace.msi, Mr3!26.msi, hw5yt.msi
  • An ATO.zip archive (potentially Australian Tax Office impersonation) containing ScreenConnect
  • A VBS dropper (3804769b61f6f1ab0a26ed25da9e01a0.vbs) tagged with ConnectWise
  • Size variations from 5 MB to 15 MB indicating different ScreenConnect versions

This is not a new technique. Researcher Gi7w0rm reported the instance instance-p3rfvx-relay[.]screenconnect[.]com to ThreatFox as botnet C2 on December 13, 2025 (IOC #1677536). But the current volume -- 25+ samples in a single week -- represents a significant acceleration.

MITRE ATT&CK Mapping

Tactic               Technique                                         ID         Implementation
-------------------  ------------------------------------------------  ---------  -------------------------------------------------------------
Initial Access       Phishing: Spearphishing Attachment                T1566.001  SSA-Statement.msi delivered as social engineering lure
Execution            User Execution: Malicious File                    T1204.002  Victim executes the MSI installer
Execution            System Binary Proxy Execution: Msiexec            T1218.007  msiexec.exe installs the ScreenConnect agent
Persistence          Create or Modify System Process: Windows Service  T1543.003  ScreenConnect Client Service (auto-start, failure recovery)
Persistence          Boot or Logon Autostart Execution                 T1547      SafeBoot registration; LSA Authentication Package (T1547.002)
Defense Evasion      Subvert Trust Controls: Code Signing              T1553.002  Valid ConnectWise DigiCert certificate
Defense Evasion      Masquerading: Match Legitimate Name or Location   T1036.005  Renamed to SSA-Statement.msi, ZoomWorkspace.msi
Command and Control  Remote Access Software                            T1219      ScreenConnect provides full remote desktop + file transfer
Command and Control  Encrypted Channel: Asymmetric Cryptography        T1573.002  RSA-2048 key exchange for relay encryption

Detection Opportunities

The Core Problem

You cannot block ScreenConnect by hash -- every MSI is unique (different config, different hash). You cannot block by signature -- the certificate is legitimate. You cannot block the relay IPs -- they are shared ConnectWise infrastructure serving legitimate customers. You have to detect at the instance level.

Instance Allowlisting

The single most effective defense is maintaining an allowlist of approved ScreenConnect instance IDs. Any ScreenConnect service registration, DNS query, or network connection referencing an instance not on the allowlist should generate an alert.

Monitor for:

  • DNS queries to instance-*-relay.screenconnect.com where * is not an approved instance
  • New service registrations matching ScreenConnect Client (*) whose parenthesized identifier was not recorded from a sanctioned install
  • Registry modifications to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (*)
  • LSA Authentication Package additions referencing ScreenConnect.WindowsAuthenticationPackage.dll
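As an added example (not part of the report, and not a vendor tool), the following Python runs the allowlist logic above over endpoint and DNS telemetry. It reduces each event kind to the identifier the report says to key on: the instance ID parsed from the relay hostname for DNS and network events, the parenthesized identifier for service and SafeBoot registrations, and the DLL name for LSA authentication package changes. The events are constructed, and the approved instance ab12cd and service identifier 0123ABCD are placeholders for values you record from your own sanctioned deployment. The service identifier is allowlisted separately from the instance ID because the report ties the instance ID to the relay hostname, not to the service name.

```python
"""Allowlist-based detection of ScreenConnect deployments from endpoint and DNS telemetry.

Added example, not part of the report. All events below are constructed. APPROVED_INSTANCES
and APPROVED_SERVICE_IDS are placeholders: populate them from a known-good install.
"""
import re
from dataclasses import dataclass
from typing import Optional

RELAY_RE = re.compile(r"\binstance-([a-z0-9]+)-relay\.screenconnect\.com\b", re.I)
SERVICE_RE = re.compile(r"ScreenConnect Client \(([0-9a-f]+)\)", re.I)
SAFEBOOT_MARKER = r"\SafeBoot\Network\ScreenConnect Client".lower()
LSA_DLL = "screenconnect.windowsauthenticationpackage.dll"


@dataclass
class Finding:
    host: str
    kind: str        # dns | service | safeboot | lsa
    value: str
    reason: str


def check_event(ev: dict, approved_instances: set, approved_service_ids: set) -> Optional[Finding]:
    """Return a Finding when the event references a ScreenConnect deployment outside the allowlist."""
    host = ev.get("host", "?")
    if ev["type"] == "dns":
        # DNS query or network connection: the instance ID is in the relay hostname
        m = RELAY_RE.search(ev["query"])
        if m and m.group(1).lower() not in approved_instances:
            return Finding(host, "dns", m.group(1).lower(), "relay instance not on allowlist")
    elif ev["type"] == "service":
        # Service registration: compare the parenthesized identifier with sanctioned installs
        m = SERVICE_RE.search(ev["name"])
        if m and m.group(1).upper() not in approved_service_ids:
            return Finding(host, "service", m.group(1).upper(), "service identifier not on allowlist")
    elif ev["type"] == "registry":
        key = ev["key"].lower()
        if SAFEBOOT_MARKER in key:
            m = SERVICE_RE.search(ev["key"])
            ident = m.group(1).upper() if m else "?"
            if ident not in approved_service_ids:
                return Finding(host, "safeboot", ident, "SafeBoot registration outside allowlist")
        elif key.endswith(r"\control\lsa") and LSA_DLL in ev.get("data", "").lower():
            # Any LSA package change naming the ScreenConnect DLL is worth a ticket
            return Finding(host, "lsa", ev["data"], "ScreenConnect LSA authentication package added")
    return None


def scan(events, approved_instances, approved_service_ids):
    """Run check_event over a batch and keep only the hits."""
    return [f for f in (check_event(e, approved_instances, approved_service_ids) for e in events) if f]


# --- placeholders and constructed telemetry ---
APPROVED_INSTANCES = {"ab12cd"}          # hypothetical sanctioned instance ID
APPROVED_SERVICE_IDS = {"0123ABCD"}      # hypothetical identifier from the sanctioned service name

SAMPLE_EVENTS = [
    {"type": "dns", "host": "WS01", "query": "instance-ab12cd-relay.screenconnect.com"},
    {"type": "dns", "host": "WS02", "query": "instance-lssdvv-relay.screenconnect.com"},
    {"type": "dns", "host": "WS02", "query": "www.example.com"},
    {"type": "service", "host": "WS01", "name": "ScreenConnect Client (0123abcd)"},
    {"type": "service", "host": "WS03", "name": "ScreenConnect Client (deadbeef)"},
    {"type": "registry", "host": "WS03",
     "key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (deadbeef)"},
    {"type": "registry", "host": "WS03",
     "key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "value": "Authentication Packages",
     "data": "msv1_0 ScreenConnect.WindowsAuthenticationPackage.dll"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, APPROVED_INSTANCES, APPROVED_SERVICE_IDS):
        print(f"{f.host}: [{f.kind}] {f.value} ({f.reason})")
```

WS01 produces nothing because both its relay instance and its service identifier are on the allowlist; WS02 is flagged on the DNS query to instance-lssdvv alone, which is the only artifact an Amadey-delivered install leaves before the service appears; WS03 is flagged three times, and the three hits together are the persistence footprint from Stage 3.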

Filename Anomalies

The stock filename is ScreenConnect.ClientSetup.msi. Any ScreenConnect MSI with a non-standard filename -- especially one impersonating a government agency (SSA-Statement), productivity software (ZoomWorkspace), or carrying a random string (hw5yt) -- should be treated as malicious until the instance it points at is confirmed as yours.

Installation Context

Legitimate ScreenConnect deployments are pushed by IT staff or an MSP through approved channels, normally inside a change window. Flag ScreenConnect MSI files that arrive via:

  • Email attachments
  • Browser downloads from non-ConnectWise domains
  • Execution by other processes (especially known loaders like Amadey)
  • Installation outside of change management windows

Hunting Queries

YARA -- Generic ScreenConnect Cloud Abuse Detection

rule ScreenConnect_MSI_Abused_Instance_Generic {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        description = "Detects ScreenConnect MSI installers configured with cloud relay instances"
        tlp = "TLP:CLEAR"
        mitre = "T1219"
    strings:
        // OLE compound file header (MSI)
        $msi_header = { D0 CF 11 E0 A1 B1 1A E1 }
        $sc_relay = "instance-" ascii wide
        $sc_relay2 = "-relay.screenconnect.com" ascii wide
        $sc_param_e = "e=Access" ascii wide
        $sc_param_y = "y=Guest" ascii wide
        $sc_param_h = "h=instance-" ascii wide
        $sc_service = "ScreenConnect.ClientService" ascii wide
    condition:
        // Hunting rule: matches any cloud-hosted ScreenConnect client MSI, sanctioned
        // deployments included. Triage hits against your instance allowlist.
        $msi_header at 0 and
        $sc_relay and $sc_relay2 and $sc_param_h and
        $sc_param_e and $sc_param_y and
        $sc_service and
        filesize > 5MB and filesize < 20MB
}

YARA -- Known Abused Instances (March 2026)

rule ScreenConnect_Abused_Instances_March2026 {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        description = "Detects MSIs configured for known abused ScreenConnect instances"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
    strings:
        $inst1 = "instance-lssdvv-relay.screenconnect.com" ascii wide
        $inst2 = "instance-i3onzo-relay.screenconnect.com" ascii wide
        $inst3 = "instance-q6uelv-relay.screenconnect.com" ascii wide
        $inst4 = "instance-y9neh7-relay.screenconnect.com" ascii wide
        $inst5 = "instance-ig2xes-relay.screenconnect.com" ascii wide
    condition:
        uint32(0) == 0xE011CFD0 and any of ($inst*)
}

Suricata -- ScreenConnect Relay DNS Monitoring

# Alert on DNS queries to known abused ScreenConnect relay instances
alert dns any any -> any any (msg:"BREAKGLASS ScreenConnect Abused Instance lssdvv"; \
  dns.query; content:"instance-lssdvv-relay.screenconnect.com"; nocase; \
  classtype:trojan-activity; sid:2026030901; rev:1;)

alert dns any any -> any any (msg:"BREAKGLASS ScreenConnect Abused Instance i3onzo"; \
  dns.query; content:"instance-i3onzo-relay.screenconnect.com"; nocase; \
  classtype:trojan-activity; sid:2026030902; rev:1;)

alert dns any any -> any any (msg:"BREAKGLASS ScreenConnect Abused Instance q6uelv"; \
  dns.query; content:"instance-q6uelv-relay.screenconnect.com"; nocase; \
  classtype:trojan-activity; sid:2026030903; rev:1;)

alert dns any any -> any any (msg:"BREAKGLASS ScreenConnect Abused Instance y9neh7"; \
  dns.query; content:"instance-y9neh7-relay.screenconnect.com"; nocase; \
  classtype:trojan-activity; sid:2026030904; rev:1;)

alert dns any any -> any any (msg:"BREAKGLASS ScreenConnect Abused Instance ig2xes"; \
  dns.query; content:"instance-ig2xes-relay.screenconnect.com"; nocase; \
  classtype:trojan-activity; sid:2026030905; rev:1;)

# Generic hunting rule -- all ScreenConnect relay DNS queries
alert dns any any -> any any (msg:"BREAKGLASS ScreenConnect Cloud Relay DNS (Hunting)"; \
  dns.query; content:"-relay.screenconnect.com"; nocase; \
  classtype:policy-violation; sid:2026030910; rev:1;)

# Social engineering MSI filenames requested over HTTP (the filename is in the
# request URI, so match the client-to-server direction)
alert http any any -> any any (msg:"BREAKGLASS Suspicious MSI - SSA-Statement Lure"; \
  flow:established,to_server; http.uri; content:"SSA-Statement"; nocase; \
  classtype:trojan-activity; sid:2026030912; rev:1;)

alert http any any -> any any (msg:"BREAKGLASS Suspicious MSI - ZoomWorkspace Lure"; \
  flow:established,to_server; http.uri; content:"ZoomWorkspace"; nocase; \
  classtype:trojan-activity; sid:2026030913; rev:1;)

KQL -- Microsoft Defender / Sentinel

// ScreenConnect SafeBoot registrations whose parenthesized identifier was not
// recorded from a sanctioned install (replace the placeholder with yours)
DeviceRegistryEvents
| where RegistryKey contains @"\SafeBoot\Network\ScreenConnect Client"
| where RegistryKey !contains "APPROVED_SERVICE_ID_HERE"
| project Timestamp, DeviceName, RegistryKey, RegistryValueData

// Relay connections to ScreenConnect cloud instances not on the allowlist
DeviceNetworkEvents
| where RemoteUrl endswith "-relay.screenconnect.com"
| where RemoteUrl !contains "YOUR-APPROVED-INSTANCE"
| summarize count() by RemoteUrl, DeviceName, bin(Timestamp, 1h)

// MSI execution with lure filenames seen in this wave
DeviceProcessEvents
| where FileName =~ "msiexec.exe"
| where ProcessCommandLine has_any ("SSA-Statement", "ZoomWorkspace", "hw5yt", "ATO")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName

Indicators of Compromise

Abused ScreenConnect Relay Domains

instance-lssdvv-relay[.]screenconnect[.]com
instance-i3onzo-relay[.]screenconnect[.]com
instance-q6uelv-relay[.]screenconnect[.]com
instance-y9neh7-relay[.]screenconnect[.]com
instance-ig2xes-relay[.]screenconnect[.]com

Relay Server IPs

15[.]204[.]166[.]75
15[.]204[.]48[.]34
15[.]235[.]97[.]45
15[.]204[.]43[.]247
144[.]172[.]100[.]57  (FranTech/Cloudzy - ZoomWorkspace phishing)
1drv[.]ms[.]arihk[.]com  (OneDrive impersonation domain)

File Hashes (SHA256)

824c9bd950fe5116b503f0f9fa9c17e7ba09464ed6e5b4450ab4354d67259607
96a41ae0f5d9c14fb505c506862a6e7947f5a20dd705f48aaa133ba0513dd3aa
411fae02a3fa0960c0142e04a3401803f722b934dbee1130b3203c656ae93ba7
4d24949840cbe6127c1a949786a10fd526693cb8ae286be0da8fcd776f635387
cceee71fd3161c6e939762bfba9de09e96e54d6cb771d02b3f9f3b761576c8ea
90876b3f9084e0679aac234e57dc9d82c4b09121dc3de6852491d84f85ad5f6e
c2a0820c49e988c291f0d7b24105da595546674e3a164b424546df13919ed33a

Embedded PE Hashes

0377c319fe8d131f0b47ec81a0982ea73bccec9252f2303c1adbea72712cb133  ScreenConnect.InstallerActions.dll
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852  WixCA.dll
cdbf0016c1b152dfc04ece6a1854f2138b48ca94ce2413c0ffe063d270d15ad4  embedded.cab

Code Signing Certificate

Serial:      01dddbc6e9163d407d980a3eaf798528
Thumbprint:  e1db8670d34a3d8099b9815c9772b37025a7b5d1845ec5256eb22dad7e196725
Subject:     ConnectWise, LLC (Tampa, FL)
Issuer:      DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Valid:       2026-02-20 to 2027-02-19

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 5 samples analyzed in depth. 25+ samples identified in the broader wave. All relay servers confirmed live at time of publication. Classification: TLP:CLEAR
