BreakglassIntelligence
Back to reports
highPhishing

The ScreenConnect Epidemic: Inside a Live Spanish-Language Invoice Campaign With a Panel Still Serving Payloads

Legitimately signed ConnectWise installers, a VBS dropper with reversed ASCII obfuscation, and an attacker panel we caught mid-operation

PublishedMarch 12, 2026
Threat Actors:ProfileAssessmentTimelines Continue to Exploit ScreenConnect (RMM tool abuse trend)
phishingamadeyratsocial-engineeringc2rmm-abuseppi

ScreenConnect abuse has hit epidemic levels. In the past week alone, MalwareBazaar received 25+ ConnectWise-tagged samples from multiple unrelated threat actors. We caught one of them mid-operation.

The attacker's panel at 80.76.49[.]161:8040 was still live and serving malicious installers when we found it. ScreenConnect v25.8.3.9466, running on a Virtuo Networks France VPS provisioned just seven days before the campaign launched. The server's RDP certificate — created March 4 — leaked the hostname WIN-GD8GO4H15UD. An older hostname, WIN-6MUH29N9UJB, showed up in historical Shodan MSRPC data. That's two machines this operator has burned through.

The Lure: "Factura" Means Invoice

Six samples tie to this cluster, spanning three social engineering themes:

  • Factura.rar/Factura.msi — Spanish-language invoice lure targeting Latin American businesses
  • Statement_05574_2026-3.exe — English financial statement for US/UK targets
  • Scan_Document_xlsx.vbs — Generic document lure, the most interesting sample in the set

The dual-language targeting from identical infrastructure is notable. This isn't a regionally focused crew — they're casting wide.

The VBS Dropper: Reversed ASCII Obfuscation

The VBS dropper (cd3152f3) uses a technique worth documenting. The entire payload is stored as a reversed array of ASCII character codes. The function name ChrW is reconstructed from the array ["W","r","h","C"] evaluated in reverse. The script iterates the array backward to rebuild itself, then executes via ExecuteGlobal.

Once decoded, the behavior is straightforward:

  1. Checks for admin privileges — if not elevated, re-launches with ShellExecute "runas" for UAC elevation
  2. Downloads hxxp://80.76.49[.]161:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest via PowerShell Net.WebClient
  3. Silent install: msiexec /i "%TEMP%\installer556.msi" /qn
  4. Waits 5 seconds, deletes the MSI — basic anti-forensics

The Trust Problem: Legitimately Signed Binaries

Here's what makes ScreenConnect abuse particularly insidious: the EXE and MSI installers carry valid ConnectWise, LLC code signing certificates issued by DigiCert. The attacker didn't modify the binaries — they configured relay server parameters at install generation time on the ScreenConnect panel, then exported standard installers. The code signing remains intact.

Certificate serial 01:DD:DB:C6:E9:16:3D:40:7D:98:0A:3E:AF:79:85:28, valid through February 2027. Every signature check passes. Every allowlist that trusts ConnectWise will wave this through.

The only distinguishing feature is the relay server configuration embedded inside: 80.76.49[.]161:8041 for the self-hosted instance, plus three ConnectWise Cloud relays (instance-jsdbls, instance-wj25xo, instance-rith2x).

Four Relay Servers, One Actor

All samples are configured with e=Access&y=Guest — persistent unattended access, not temporary support sessions. ScreenConnect installs as an auto-starting Windows service.

Relay ServerTypeSample
80.76.49[.]161:8041Self-hostedFactura.msi
instance-jsdbls-relay.screenconnect[.]com:443CloudScreenConnect.ClientSetup.msi
instance-wj25xo-relay.screenconnect[.]com:443CloudScreenConnect.ClientSetup.exe
instance-rith2x-relay.screenconnect[.]com:443CloudStatement_05574_2026-3.exe

The attacker is hedging — if the self-hosted relay gets blocked, three cloud instances provide fallback through ConnectWise's own infrastructure. Blocking the raw IP doesn't neutralize the campaign.

The Bigger Picture: An RMM Abuse Epidemic

This is one campaign in a wave. Our MalwareBazaar pivot uncovered at least five unrelated actors abusing ScreenConnect in the same week:

  • A Portuguese "ORCAMENTO" (budget) lure targeting Brazil
  • Amadey botnet dropping ScreenConnect installers
  • An AdobeReader VBS dropper using a compromised WordPress site
  • Multiple "ZoomWorkspace" fake installers
  • Additional SSA financial statement lures that may be related to our cluster

Legitimate RMM tools are becoming the initial access vector of choice. The binaries are trusted, the infrastructure is cloud-hosted, and the only reliable detection point is the relay server URL embedded in the installer.

IOCs

Primary Infrastructure:

  • 80.76.49[.]161 — ScreenConnect panel (:8040) and relay (:8041)
  • instance-jsdbls-relay.screenconnect[.]com
  • instance-wj25xo-relay.screenconnect[.]com
  • instance-rith2x-relay.screenconnect[.]com

Sample Hashes (SHA256):

  • f6cc0e58544b195ff09bdfdcd74a83b754682670d1bd4d264704c31ede0c208b — Factura.rar
  • 180b959eaecaa6c410af4f4445befcde5947a537ec396196fda014258625e2dd — Factura.msi
  • ff93759e80f3c471fa164b1d228d6f40d6632546d3fbe96e9bfe75ba591d92db — Statement_05574_2026-3.exe
  • cd3152f3d8ff824027549d4ef43a2cb9b42bb004e139a7911fdf79844be75e95 — Scan_Document_xlsx.vbs

OPSEC Leaks:

  • WIN-GD8GO4H15UD — Current RDP hostname
  • WIN-6MUH29N9UJB — Historical hostname
  • ScreenConnect instance scheme: sc-018f2826ff618efb

Detection Guidance

Network-level detection is the most reliable approach:

  1. Monitor for ScreenConnect relay connections to non-corporate instances — alert on any instance-*-relay.screenconnect.com connections that don't match your organization's known instances
  2. Block 80.76.49[.]161 at the firewall
  3. Hunt for msiexec /qn silent installs of ScreenConnect MSIs, especially when spawned by wscript.exe or powershell.exe
  4. Audit installed ScreenConnect services — check the relay server URL in the service configuration against your authorized instances
  5. VBS dropper detection: Look for ExecuteGlobal combined with ChrW array reconstruction patterns in email attachments
Share