{
  "name": "ScreenConnect Attack: SmartScreen Bypass and RMM Abuse",
  "slug": "screenconnect-attack-smartscreen-bypass-and-rmm-abuse",
  "description": "An attack campaign targeting organizations in the US, Canada, UK, and Northern Ireland exploits ConnectWise ScreenConnect vulnerabilities. The attack chain begins with a spoofed email containing a malicious .cmd attachment, which executes silently, escalates privileges, disables Windows SmartScreen, and removes the Mark-of-the-Web. It then installs a legitimate Remote Monitoring and Management tool, ScreenConnect, which is abused as a Remote Access Trojan for persistent command-and-control access. The campaign focuses on sectors with high-value data, including government, healthcare, and logistics. The attackers use various techniques to evade detection, including UAC bypass, registry modification, and silent MSI installation. The ScreenConnect client used has a revoked certificate, highlighting the importance of blocking vulnerable software versions and enforcing strict RMM allowlists.",
  "published": "2026-02-12T09:39:02+00:00",
  "created_at": "2026-02-12T09:39:02+00:00",
  "modified_at": "2026-02-12T20:53:47+00:00",
  "created_at_opencti": "2026-02-12T09:39:02+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-12",
    "phishing",
    "privilege-escalation",
    "remote access trojan",
    "rmm abuse",
    "screenconnect",
    "smartscreen bypass",
    "social engineering",
    "uac bypass"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "b8100e5ab07983cbf82d721cf719576ca3f60e352628dcaabd42d428011fdedf"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United Kingdom of Great Britain and Northern Ireland"
      },
      {
        "id": "",
        "name": "Canada"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Transport"
      },
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "dof-connect.top"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/698dadc62e15016f807eaccc",
    "https://www.forcepoint.com/blog/x-labs/screenconnect-attack"
  ]
}