{
  "name": "In-Memory Loader Drops ScreenConnect",
  "slug": "in-memory-loader-drops-screenconnect",
  "description": "In February 2026, an attack chain was discovered that used a fraudulent Adobe Acrobat Reader download page to trick victims into installing ConnectWise ScreenConnect, a legitimate remote access tool abused here for unauthorized access. The chain relies on heavy obfuscation, .NET reflection for in-memory payload execution, and dynamic code construction. A VBScript loader starts the chain by downloading and executing obfuscated PowerShell that compiles C# code entirely in memory, so no payload binary is written to disk for signature scanning. The loader tampers with its own Process Environment Block to masquerade as a legitimate Windows process (this spoofs what user-mode process inspection reports, such as the apparent image path and command line; kernel-side telemetry still records the true image) and abuses auto-elevated COM objects to bypass User Account Control without a prompt, which only yields elevation for accounts that are already local administrators. The layered approach is designed to evade signature-based defenses and hinder forensic analysis while ultimately deploying ScreenConnect for unauthorized remote access; detection should therefore focus on behavior (script-host-spawned PowerShell, in-memory .NET compilation, and ScreenConnect installs not sanctioned by IT) rather than file hashes.",
  "published": "2026-04-10T08:15:00.129000+00:00",
  "created_at": "2026-04-10T10:07:47.028000+00:00",
  "modified_at": "2026-04-10T08:07:47+00:00",
  "created_at_opencti": "2026-04-10T10:07:47.028000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "com abuse",
    "in-memory execution",
    "peb manipulation",
    "powershell staging",
    "remote access tool",
    "screenconnect",
    "uac bypass",
    "vbscript loader"
  ],
  "tags": [
    "2026-04-10",
    "com abuse",
    "in-memory execution",
    "peb manipulation",
    "powershell staging",
    "remote access tool",
    "screenconnect",
    "uac bypass",
    "vbscript loader"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "26190e90-ffd0-4842-8944-d28d1a215076",
        "name": "http://x0.at/qOfN.msi"
      },
      {
        "id": "73c3a1cd-011b-4d3f-bb47-7b822f910fb6",
        "name": "http://eshareflies.im/ad/"
      },
      {
        "id": "ee4462ee-8959-4728-b321-7d9d80118cce",
        "name": "eshareflies.im"
      },
      {
        "id": "519c63da-c11d-4eae-a898-e3f413f03dcc",
        "name": "https://x0.at/qOfN.msi"
      }
    ],
    "attack_patterns": [
      {
        "id": "6bbf9c38-fb41-4198-b363-2d402b3e43a3",
        "name": "T1134.002"
      },
      {
        "id": "840f859f-575f-487e-8083-6ffd01a13a84",
        "name": "T1218.007"
      },
      {
        "id": "d048ac4b-dd28-4c66-b62b-fe25cefef481",
        "name": "T1548.002"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "0192fd78-09e3-4fe4-a9d3-38a7137e15fa",
        "name": "T1055.002"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "14ea0786-b57c-4a30-8e4e-46944d17eb18",
        "name": "T1036.004"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      }
    ],
    "malware": [
      {
        "id": "b9a94179-fee8-4a2e-bcfb-ce9c0dd34433",
        "name": "ScreenConnect",
        "slug": "screenconnect"
      }
    ],
    "observables": [
      {
        "id": "e7ca3d2f-ea64-4514-91d6-44b63a9f62ed",
        "name": "eshareflies.im"
      },
      {
        "id": "d219dbe2-8146-4d55-8402-924578c2f3d6",
        "name": "https://x0.at/qOfN.msi"
      },
      {
        "id": "2c19448f-49da-47aa-a1f4-805160bbb4cd",
        "name": "http://eshareflies.im/ad/"
      },
      {
        "id": "2815a46d-cc36-4ef1-a02f-361eaddfa20f",
        "name": "http://x0.at/qOfN.msi"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "eshareflies.im"
      }
    ]
  },
  "external_refs": [
    {
      "id": "1d4f75c5-d4ed-497a-85e4-4147a320daf5",
      "standard_id": "external-reference--95edd511-1b9b-56cf-8f63-5f3c8188ea23",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.zscaler.com/blogs/security-research/memory-loader-drops-screenconnect",
      "hash": null,
      "external_id": null,
      "created": "2026-04-10T10:07:46.966Z",
      "modified": "2026-04-10T10:07:46.966Z",
      "createdById": null
    },
    {
      "id": "e9ef55f2-d3d9-4987-acbe-22a9a0d7ca25",
      "standard_id": "external-reference--ef94eb74-ace6-5b94-a350-e8e7dcfd61b8",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69d8b1848ae30fd4dab9095d",
      "hash": null,
      "external_id": "69d8b1848ae30fd4dab9095d",
      "created": "2026-04-10T10:07:46.936Z",
      "modified": "2026-04-10T10:07:46.936Z",
      "createdById": null
    }
  ]
}