216.73.217.86

From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect

· Published 19/03/2026 11:00 · Modified 19/03/2026 13:53

Export JSON

Essential information

Published
19/03/2026 11:00
Modified
19/03/2026 13:53
Tags
2026-03-19 evasion loader peb masquerading phishing rmm screenconnect silentconnect uac bypass
Related entities
10 observables, 8 techniques (mitre), 2 malware, 4 others

Description

A newly discovered called is being used in active campaigns to silently install , a remote monitoring and management tool, on victim machines. The infection chain begins with users being redirected to a Cloudflare Turnstile CAPTCHA page disguised as a digital invitation. Upon clicking, a VBScript file is downloaded, which retrieves and executes C# source code in memory using PowerShell. employs various techniques, including and . The campaigns leverage trusted hosting providers like Google Drive and Cloudflare, and abuse living-off-the-land binaries. The has been active since March 2025 and poses a significant threat due to its stealthy nature and effectiveness.

External references