A rise in cyber-attacks exploiting remote monitoring and management (RMM) tools for initial access via phishing has been observed by cybersecurity researchers.
According to the new findings from the DarkAtlas research project, advanced persistent threat (APT) groups are abusing popular RMM platforms, including AnyDesk, ConnectWise ScreenConnect and Atera, to gain unauthorized control of systems.
While AnyDesk has become easier to detect, leading many attackers to move away from it, ScreenConnect has recently gained traction among adversaries.
Developed by ConnectWise, ScreenConnect is designed to let IT administrators deploy tasks, manage devices and provide remote support across multiple operating systems, including Windows, macOS, Linux, iOS and Android.
The researchers found that threat actors are exploiting ScreenConnect’s legitimate features, such as unattended access, VPN functionality, REST API integration and file transfer, to establish persistence and move laterally within compromised networks.
How Attackers Abuse ScreenConnect
During installation, the ScreenConnect client runs mainly in memory, leaving few traces on disk and evading basic antivirus scans.
The research noted that attackers use the platform’s management console to generate custom URLs or invite links – tools originally meant to simplify remote access. These links are often repurposed for phishing, luring victims into unknowingly installing malicious ScreenConnect clients.
Once deployed, the client binary, commonly named ScreenConnect.WindowsClient.exe, registers as a Windows service, providing persistent remote connectivity.
Investigators also found that configuration files such as user.config and system.config store hostnames, IP mappings and encrypted keys, which can be used to trace connections to suspicious domains.
Implications For Defenders
The DarkAtlas research identified key event logs generated by ScreenConnect during operation, including Security Event ID 4573 and Application Log events 100 and 101.
These provide valuable indicators for digital forensics and incident response teams. Interestingly, chat data between operators and victims is not stored on disk but in memory, making memory acquisition essential during investigations.
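The following Python triage helper is an added example, not code from the DarkAtlas report or from ConnectWise, showing how the artefacts named above (the ScreenConnect.WindowsClient.exe service registration, the Security 4573 and Application 100/101 events, and the hostnames held in user.config/system.config) can be pulled together in one hunting pass. The "Log|EventID|Message" record layout, the config XML schema, the relay allowlist and all sample data are constructed for the demonstration; System event 7045 (Windows "a service was installed") is a standard event that the article does not mention but is where the service registration shows up.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, Optional

# Artefacts named in the article.
CLIENT_BINARY = "ScreenConnect.WindowsClient.exe"
ARTICLE_EVENT_IDS = {
    ("Security", 4573): "Security event 4573 cited by the DarkAtlas research",
    ("Application", 100): "Application event 100 (ScreenConnect client activity)",
    ("Application", 101): "Application event 101 (ScreenConnect client activity)",
}
# Not from the article: System event 7045 is the standard Windows
# "a service was installed" record, where the client's service
# registration described in the article would appear.
SERVICE_INSTALL_EVENT = ("System", 7045)


@dataclass(frozen=True)
class Finding:
    log: str
    event_id: int
    reason: str
    message: str


def parse_event(line: str) -> Optional[tuple]:
    """Parse a constructed 'Log|EventID|Message' record; None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3 or not parts[1].strip().isdigit():
        return None
    return parts[0].strip(), int(parts[1]), parts[2].strip()


def scan_events(lines: Iterable[str]) -> list:
    """Flag the event IDs from the article plus service installs of the client binary."""
    findings = []
    for line in lines:
        rec = parse_event(line)
        if rec is None:
            continue  # malformed or truncated record: skip rather than crash the hunt
        log, eid, msg = rec
        key = (log, eid)
        if key in ARTICLE_EVENT_IDS:
            findings.append(Finding(log, eid, ARTICLE_EVENT_IDS[key], msg))
        elif key == SERVICE_INSTALL_EVENT and CLIENT_BINARY.lower() in msg.lower():
            findings.append(Finding(log, eid, f"service registration of {CLIENT_BINARY}", msg))
    return findings


# IPv4 address or dotted hostname; sufficient for config triage.
HOST_RE = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|(?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def extract_hosts(config_xml: str) -> set:
    """Collect hostnames and IPs from the <value> elements of a .NET-style config."""
    root = ET.fromstring(config_xml)
    hosts = set()
    for value in root.iter("value"):
        if value.text:
            hosts.update(h.lower() for h in HOST_RE.findall(value.text))
    return hosts


def unapproved_hosts(hosts: Iterable[str], allowlist: Iterable[str]) -> set:
    """Hosts in the config that are not the organisation's known relay endpoints."""
    approved = {a.lower() for a in allowlist}
    return {h.lower() for h in hosts if h.lower() not in approved}


# Constructed sample records (not real telemetry) in "Log|EventID|Message" form.
SAMPLE_EVENTS = [
    "System|7045|A service was installed. Service Name: ScreenConnect Client (c0ffee) "
    "Image Path: C:\\Program Files (x86)\\ScreenConnect Client (c0ffee)\\ScreenConnect.WindowsClient.exe",
    "Application|100|ScreenConnect client connected to rmm-relay.corp.example",
    "Security|4573|Session activity attributed to ScreenConnect client",
    "Application|101|ScreenConnect client session ended",
    "Application|1000|Faulting application name: notepad.exe",
    "not a well-formed record",
]

# Constructed user.config-style fragment; the real ScreenConnect schema may differ.
SAMPLE_CONFIG = """<configuration>
  <userSettings>
    <ScreenConnect.ClientSettings>
      <setting name="RelayAddress"><value>rmm-relay.corp.example:8041</value></setting>
      <setting name="LastRelayIp"><value>203.0.113.45</value></setting>
      <setting name="EncryptedKey"><value>constructedBase64Placeholder==</value></setting>
    </ScreenConnect.ClientSettings>
  </userSettings>
</configuration>"""

KNOWN_RELAYS = ["rmm-relay.corp.example"]  # assumed corporate relay allowlist

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.log} {f.event_id}] {f.reason}: {f.message[:60]}")
    hosts = extract_hosts(SAMPLE_CONFIG)
    print("hosts in config:", sorted(hosts))
    print("not on relay allowlist:", sorted(unapproved_hosts(hosts, KNOWN_RELAYS)))
```

Run against exported event records and the client config files, the script surfaces the service registration, the three event IDs the research names, and any relay host or IP the config points at that is not on the organisation's allowlist, which is the starting point for pivoting to the suspicious domains the article describes. Because chat content lives only in memory, nothing here substitutes for a memory capture of the host.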
The report concludes that the strengths of ScreenConnect as a legitimate RMM platform – its flexibility and broad system access – are also what makes it so appealing to attackers.
To counter these threats, defenders should closely monitor:
As the DarkAtlas research emphasized, understanding and detecting these subtle signs of ScreenConnect misuse is vital for effective digital forensics and incident response (DFIR) and threat hunting.