#screenConnect

For a good time, just strings that malicious msi you found (https:// oanapolis .com.br/Receipt_9334.msi)..if it's #screenconnect c2 info is at the end...you don't even need to extract or run the thing.

Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR
A large-scale malvertising campaign since January 2026 has used Google Ads to lure U.S. tax-searching victims into downloading rogue ConnectWise Control installers that deploy a BYOVD EDR killer called HwAudKiller. The attackers employ stacked cloaking services (Adspect and JustCloakIt) and a legitimately signed Huawei driver (HWAuidoOs2Ec.sys) to blind EDRs, enable LSASS...

A malware campaign since Jan 2026 uses Google Ads with tax search lures to deliver ScreenConnect installers deploying HwAudKiller, a Huawei driver that disables EDRs and enables LSASS credential dumping in the US. #HwAudKiller #ScreenConnect #USA

ScreenConnect™ 26.1 Security Hardening | Security Bulletin
ConnectWise has released a security update for ScreenConnect™ that addresses issues related to how server-level cryptographic material is protected. Read more in this security bulletin.

#ScreenConnect had a flaw where attackers could grab the server crypto keys and fake legit sessions. The fix locks those keys behind proper encryption so the gap is safely closed.

ConnectWise patches new flaw allowing ScreenConnect hijacking
ConnectWise is warning ScreenConnect customers of a cryptographic signature verification vulnerability that could lead to unauthorized access and privilege escalation.

#ConnectWise patches new flaw allowing #ScreenConnect hijacking

www.bleepingcomputer.com/news/security/connectwis...

#cybersecurity


Critical vulnerability in ScreenConnect (CVE-2026-3564) allows attackers to extract machine keys and hijack sessions. Update to version 26.1 immediately! #CyberSecurity #ScreenConnect #UpdateNow Link: thedailytechfeed.com/critical-scr...

ConnectWise patches new flaw allowing ScreenConnect hijacking
ConnectWise has warned that ScreenConnect versions before 26.1 contain a critical cryptographic signature verification vulnerability (CVE-2026-3564) that can expose ASP.NET machine keys and enable unauthorized session authentication and privilege escalation. The vendor patched the issue in ScreenConnect 26.1—cloud instances were auto-upgraded, but on‑premises administrators must update and follow hardening guidance immediately. #ScreenConnect #ConnectWise #CVE-2026-3564 #ASPNetMachineKey

ConnectWise patched a critical flaw (CVE-2026-3564) in ScreenConnect before version 26.1 allowing attackers to extract ASP.NET machine keys, enabling session hijacking and privilege escalation. #ScreenConnect #Cryptography #USA

Malware detonation suggests that the threat actor was likely playing around with ScreenConnect RMM before


It also seems that the threat actor was previously playing around with the legitimate RMM #ScreenConnect (aka ConnectWise) before switching to their own fake RMM 🛠️

What also stands out: the majority of the botnet C2s were hosted at Contabo GmbH 🇩🇪

We track the threat on our platforms as #FakeRMM ⤵️


Rogue #ScreenConnect RMM 🕵️‍♂️

Botnet C2:
📡 no.windowupdateservice .com
📡 relay.windowupdateservice .com
📡 193.26.115.51:8041

Payload delivery URL:
🌐 urlhaus.abuse.ch/url/3782937/

Malware sample 📄:
bazaar.abuse.ch/sample/77dc5...

More ScreenConnect RMM IOCs ⤵️
threatfox.abuse.ch/browse/tag/S...

Hackers Abuse ScreenConnect to Hijack PCs via Fake Social Security Emails
Hackers are using fake SSA emails and hijacked ScreenConnect tools to bypass Windows security to target UK, US, and Canadian organisations.

📢⚠️ Hackers are hijacking PCs using fake Social Security emails that disable Windows protections and install #ScreenConnect as a remote access backdoor.

Read more: hackread.com/hackers-scre...

#CyberSecurity #Malware #Windows #RAT #CyberAttack


Fake ClawdBot extension for VSCode: the malware now controls you remotely

📌 Link to the article: www.redhotcyber.com/post/fal...

#redhotcyber #news #cybersecurity #hacking #malware #vscode #clawdbotagent #accessoRemoto #screenconnect


#screenconnect not connecting? No problem, system.config has you covered:

c2 on this sample is relay.t0up\\.top


Several #malicious #screenconnect msi's at:

https://github\\.com/rindinhgi0


When you distribute your malicious #screenconnect on your c2 🙃

app.any.run/tasks/5e815a05-a047-4010...


Finally saw something when installing those malicious #RMM #screenconnect (at https://mkaos.alwaysdata\\.net/eStatementSsaGov.msi)

app.any.run/tasks/399383f4-5ab6-4f53...

Remote maintenance ScreenConnect: Critical vulnerability enables malicious code execution
In the remote maintenance software Connectwise ScreenConnect, logged-in attackers can inject malicious code. An update is available.

#Fernwartung #ScreenConnect: #KritischeLücke ermöglicht #Schadcodeausführung #ITSecurity #CyberSecurity #Schadcode
heise.de/-11112865


📰 Hackers Use RMM Tools to Breach Cargo Systems and Steal Freight Shipments

👉 Read the full article here: ahmandonk.com/2025/11/04/hackers-cargo...

#cargo #theft #cybersecurity #freight #pdq #connect #proofpoint #rmm #screenconnect #trucking


Cybercriminals are exploiting ScreenConnect RMM to gain unauthorized access. Stay alert and ensure your systems are updated. #CyberSecurity #RMM #ScreenConnect #Phishing #InfoSec Link: thedailytechfeed.com/threat-actor...


#evil #screenconnect (guess it's just my week) at gofile . io

2ca0dc3544cb47fe391f5203ab0325ed4584255914280ca2377d5aa3ae58c5eb

c2 connectwise\\.fun:8041

Threat Actors Market Stealthy New RAT as Alternative to ScreenConnect FUD
Cybersecurity researchers have identified a concerning development in the underground cybercrime marketplace: a sophisticated Remote Access Trojan (RAT).


#cyber #security #Cyber #Security #News #ScreenConnect



Attackers trojanized ConnectWise ScreenConnect installers in exposed open directories to distribute AsyncRAT; observed IOCs include 176.65.139.119 and /Bin/ ClickOnce paths, with dual execution via .NET Assembly.Load or libPK.dll injection. #AsyncRAT #ScreenConnect #RMM https://bit.ly/3Iu93sl


Cybercriminals are exploiting ScreenConnect to deploy AsyncRAT and PowerShell RAT. Stay vigilant and ensure your software is up-to-date. #CyberSecurity #MalwareAlert #ScreenConnect #AsyncRAT Link: thedailytechfeed.com/cybercrimina...


This widely used Remote Monitoring tool is being used to deploy AsyncRAT to steal passwords | TechRadar www.techradar.com/pr...
#cybersecurity #ScreenConnect #AsyncRAT #fileless #malware

Attackers abuse ConnectWise ScreenConnect to drop AsyncRAT
Hackers exploit ConnectWise ScreenConnect to drop AsyncRAT via scripted loaders, stealing data and persisting with a fake Skype updater.

Attackers are exploiting ConnectWise ScreenConnect to drop AsyncRAT malware, giving remote control over infected systems.
#ConnectWise #ScreenConnect #AsyncRAT #Malware #CyberSecurity #RemoteAccessTrojan #Infosec securityaffairs.com/182090/malwa...

New Fileless Malware Attack Uses AsyncRAT for Credential Theft

New investigation reveals attackers used a fileless malware chain via a compromised #ScreenConnect client to deploy AsyncRAT, enabling credential theft, keylogging, and wallet scans.

Read: hackread.com/fileless-mal...

#CyberSecurity #AsyncRAT #Malware #CyberAttack #InfoSec


🚨 ScreenConnect admins under siege

Since 2022, stealthy spear-phishing campaigns target #ScreenConnect super-admins via compromised Amazon SES emails and EvilGinx proxy pages.

Stolen credentials enable lateral movement and #ransomware deployment.

#ransomNews #CredentialHarvest #RMMThreat


Alert: Sophisticated phishing campaign targets ScreenConnect admins to steal credentials. Employs advanced techniques to bypass MFA. Stay vigilant! #CyberSecurity #Phishing #ScreenConnect Link: thedailytechfeed.com/sophisticate...
