
Threat Actors abuse signed ConnectWise application as malware builder

Published 24/06/2025 14:31 · Modified 24/06/2025 15:30


Essential information

Published
24/06/2025 14:31
Modified
24/06/2025 15:30
Tags
2025-06-24, CVE-2024-1708, CVE-2024-1709, authenticode stuffing, certificate abuse, connectwise, evilconwi, fake updates, remote access, signed malware, unauthenticated attributes
Related entities
2 vulnerabilities (cve), 30 observables, 1 intrusion sets (apt), 4 techniques (mitre), 1 malware

Description

Since March 2025, there has been an increase in infections using validly signed samples. Threat actors are exploiting ConnectWise's practices to create and distribute their own malware. The malicious samples carry modified settings in the certificate table that control critical behaviour and user-interface elements, such as connection URLs, ports, icons, and messages. This lets attackers disguise their tools as legitimate software or as fake Windows updates. The article provides recommendations for threat detection and prevention, including specific app.config settings to look out for and a YARA rule for detection.
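The summary above says the settings that steer a stuffed sample live in the PE certificate table, where Authenticode does not cover them. The following triage script is an added example, not code from the report, from ConnectWise or from the cited YARA rule: it walks the PE Security data directory, iterates the WIN_CERTIFICATE entries, and looks for a query-string-style settings blob, then reports the remote endpoint and any display text a reviewer should check. The `?e=...&h=...&p=...&t=...` layout and key names, the host and port values, and the minimal PE fixture it builds for itself are all assumptions constructed for the example; on a real sample you would pass the file bytes straight to `triage()`.

```python
import re
import struct
from urllib.parse import parse_qs

# Constructed settings blob (hypothetical key names and values), shaped like
# the query-string style configuration assumed to sit in the certificate table.
STUFFED_SETTINGS = b"?e=Access&y=Guest&h=relay.example.net&p=8041&t=Windows%20Update"


def build_pe_with_cert_table(payload: bytes) -> bytes:
    """Build a minimal PE32+ image whose Security data directory (index 4)
    points at one WIN_CERTIFICATE entry wrapping payload.  Test fixture only:
    no sections, no code, and not a real Authenticode signature."""
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    headers_len = pe_off + 4 + len(coff) + len(opt)           # 392, 8-aligned
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
    cert += b"\0" * (-len(cert) % 8)                          # entries are 8-byte aligned
    struct.pack_into("<II", opt, 112 + 4 * 8, headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


def extract_certificate_table(pe: bytes) -> bytes:
    """Return the raw Security directory (the Authenticode certificate table).
    Its VirtualAddress field is a file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)                # data directory start
    num_dirs = struct.unpack_from("<I", pe, dd - 4)[0]
    if num_dirs < 5:
        return b""
    off, size = struct.unpack_from("<II", pe, dd + 4 * 8)
    if off == 0 or size == 0 or off + size > len(pe):
        return b""
    return pe[off:off + size]


def iter_win_certificates(table: bytes):
    """Yield (revision, cert_type, data) for each WIN_CERTIFICATE entry."""
    pos = 0
    while pos + 8 <= len(table):
        length, rev, ctype = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            break
        yield rev, ctype, table[pos + 8:pos + length]
        pos += (length + 7) & ~7


SETTINGS_RE = re.compile(rb"\?e=[^\x00]{1,1024}")


def find_embedded_settings(pe: bytes) -> dict:
    """Scan every certificate entry for a settings string and return its parsed
    key/value pairs (empty dict if none is present)."""
    for _rev, _ctype, data in iter_win_certificates(extract_certificate_table(pe)):
        m = SETTINGS_RE.search(data)
        if m:
            qs = m.group(0)[1:].decode("ascii", "replace")
            return {k: v[0] for k, v in parse_qs(qs).items()}
    return {}


def triage(pe: bytes) -> list:
    """Return review findings: the configured remote endpoint and any UI text
    that could make the client pose as something else (e.g. a Windows update)."""
    s = find_embedded_settings(pe)
    findings = []
    if "h" in s:
        findings.append(f"connects to {s['h']}:{s.get('p', '?')}")
    if "t" in s:
        findings.append(f"window title set to {s['t']!r}")
    return findings


if __name__ == "__main__":
    sample = build_pe_with_cert_table(STUFFED_SETTINGS)
    for line in triage(sample):
        print(line)
```

Because the certificate table is excluded from the Authenticode hash, a signature verifier reports these samples as valid; the check above complements, rather than replaces, signature verification, and the `h`/`p`/`t` values it surfaces are the ones to compare against your organisation's known ConnectWise instance.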

External references