Updated 4/25/2025
A rapidly escalating campaign is exploiting ConnectWise ScreenConnect (formerly ConnectWise Control), a widely used remote-support tool, by distributing legitimate client software that has been reconfigured to connect to attacker-controlled servers. According to threat-intelligence data from Maltiverse, over 1,300 new Indicators of Compromise (IoCs) mimicking ScreenConnect download paths and binaries have emerged since mid-April 2025. This alert provides a detailed summary of the activity surge, identifies key infrastructure patterns, and offers guidance for detection, hunting, and mitigation to help organizations protect themselves against this evolving threat.
How the Threat Works
The attackers use the following method to exploit ConnectWise ScreenConnect, relying on social engineering to achieve their goals:
- Distribution of ScreenConnect clients for malicious purposes:
  - Tactic: Threat actors take legitimate, digitally signed ConnectWise ScreenConnect client software and reconfigure it to connect to servers they control (e.g., connect-004.controlhub.es). Attackers may also target organizations’ own ScreenConnect servers through common tactics such as phishing, credential harvesting, exploitation of unpatched software flaws, or other known misconfigurations (e.g., 2FA not enabled, access not restricted to the corporate network).
  - Delivery: These clients are distributed through phishing emails, compromised websites, or social-engineering tactics that trick users into downloading and installing them under the guise of legitimate remote-support tools.
  - Impact: Upon execution, the client establishes a connection to the attacker’s infrastructure, granting remote access to the victim’s system. This enables data theft, deployment of additional malware, or lateral movement across the network.
EDR Detection Struggles
The use of legitimate, signed ScreenConnect clients creates significant challenges for EDR systems:
- Trusted Signature: The valid ConnectWise signature (likely issued by a reputable CA like DigiCert) allows the client to bypass signature-based detection, as EDRs generally trust signed binaries from known vendors.
- Normal Behavior: The client’s core functionality (e.g., remote desktop, session establishment) is indistinguishable from legitimate use, reducing the likelihood of behavioral alerts.
- Configuration-Based Attack: The malicious behavior stems from the server connection (connect-004.controlhub.es), not the client’s code, making it difficult for EDR to flag the binary itself. EDR must monitor network connections or server reputations, which requires up-to-date threat intelligence.
Living Off the Land
This attack methodology is a prime example of adversaries “Living off the Land” (LotL), or perhaps more precisely, “Living off Trusted Software/Sites.” Instead of deploying custom malware for command and control, the attackers leverage a legitimate, widely used, and trusted remote administration tool: ScreenConnect (ConnectWise Control). By embedding a malicious configuration into a ScreenConnect client and tricking users into installing it via phishing, they hijack the software’s inherent capabilities for remote access, file transfer, and command execution. This approach offers significant advantages for evasion: the malicious traffic blends seamlessly with legitimate ScreenConnect activity, potentially bypassing classic security tools that whitelist or apply lower scrutiny to known remote access software. This case shows that the network is the principal place to detect this type of attack: the client must connect to the attacker’s server, and at that point the network IoC is what allows the malicious activity to be alerted on.
Understanding these attack vectors—deceptive client distribution and server exploitation—enables organizations to tailor their defenses effectively against this dual-pronged threat.
Key Observations
| # | Indicator / Pattern | Details & Impact |
|---|---|---|
| 1 | Malicious TLD Concentration | The .top TLD dominates with 1,005 IoCs, followed by .com (352) and .de (122), highlighting attackers’ preference for disposable, low-cost domains. |
| 2 | Sub-domain Farming on Single “Parent” Domains | Attackers register a single domain and generate numerous sub-domains to host fake clients. Top offenders include: • innocreed[.]com — 193 sub-domains • controlhub[.]es — 30 • ratoscreenco[.]com — 15 • screensconnectpro[.]com — 12. This “domain-burst” tactic maximizes payload distribution while minimizing costs and evading reputation-based detection. |
| 3 | Heavy Use of ASN AS210558 (1 Services GmbH) | Malicious IPs cluster in AS210558, indicating reliance on a VPS provider with potentially weak abuse oversight. |
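The TLD and parent-domain clustering described in the table can be reproduced from a raw hostname feed with a few lines of aggregation. The following is an added example, not Maltiverse’s or Lumu’s own tooling: the SAMPLE_IOCS list is constructed in the style of the campaign’s defanged indicators rather than taken from the real feed, and the parent-domain rule (last two labels) is an assumption that a production tool would replace with a public-suffix list so that suffixes such as co.uk are handled correctly.

```python
"""Cluster IoC hostnames by TLD and by parent domain to surface
"domain-burst" infrastructure.

Added example, not Maltiverse/Lumu code. SAMPLE_IOCS is a constructed
list in the style of the campaign's defanged indicators, not the real
IoC feed. Parent-domain extraction takes the last two labels, which is
an assumption that breaks for multi-label suffixes such as co.uk; a
public-suffix list is the right tool in production.
"""
from collections import Counter, defaultdict

# Constructed sample indicators (defanged with [.] as in the advisory).
SAMPLE_IOCS = [
    "work[.]innocreed[.]com",
    "help[.]innocreed[.]com",
    "support[.]innocreed[.]com",
    "desk[.]innocreed[.]com",
    "connect-004[.]controlhub[.]es",
    "connect-005[.]controlhub[.]es",
    "remote[.]ratoscreenco[.]com",
    "sc01[.]fake-one-example[.]top",
    "sc02[.]fake-two-example[.]top",
    "sc03[.]fake-three-example[.]top",
]


def refang(host):
    """Turn a defanged indicator back into a plain lowercase hostname."""
    return host.replace("[.]", ".").strip().lower().strip(".")


def tld(host):
    """Return the last label of the hostname."""
    return refang(host).rsplit(".", 1)[-1]


def parent_domain(host):
    """Assumption: the registrable parent is the last two labels."""
    labels = refang(host).split(".")
    return ".".join(labels[-2:])


def summarize(iocs):
    """Return (TLD counter, {parent: number of distinct hostnames})."""
    tld_counts = Counter(tld(h) for h in iocs)
    hosts_by_parent = defaultdict(set)
    for h in iocs:
        hosts_by_parent[parent_domain(h)].add(refang(h))
    parent_counts = {p: len(s) for p, s in hosts_by_parent.items()}
    return tld_counts, parent_counts


def domain_burst_parents(iocs, threshold=3):
    """Parents with at least `threshold` distinct sub-domains. The
    threshold is a tuning choice for this example, not a value from
    the advisory."""
    _, parent_counts = summarize(iocs)
    return sorted(p for p, n in parent_counts.items() if n >= threshold)


if __name__ == "__main__":
    tlds, parents = summarize(SAMPLE_IOCS)
    print("TLD counts:", tlds.most_common())
    print("Sub-domains per parent:",
          sorted(parents.items(), key=lambda kv: -kv[1]))
    print("Domain-burst parents:", domain_burst_parents(SAMPLE_IOCS))
```

Run against a real feed, the parent-domain counts are what drive a wildcard block (`*.innocreed.com`) rather than hundreds of individual hostname entries, and the TLD counter is a cheap signal for tightening policy on a TLD that carries almost no legitimate traffic for your organization.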
Example IoCs
| Type | Example | Notes |
|---|---|---|
| URL | https://work[.]innocreed[.]com/bin//support.client.exe?i=&e=Support&y=Guest&r= | One of 193 malicious sub-domains under innocreed.com. |
| Domain | | Parent domain hosting 15 malicious sub-domains. |
| IP | | Malicious IPv4 that resolves a hostname tied to ScreenConnect abuse. |
| Hash | Support[.]client[.]exe 1d5195c858b1fb7f3b8193705bb9aec4f224d000cdaf546f27cb29eed6ea7865 | SHA256 of a binary with malicious configuration. |
A comprehensive, regularly updated IoC list is available on Maltiverse.
Last year, ConnectWise ScreenConnect 23.9.7 and prior suffered two critical vulnerabilities, CVE-2024-1708 and CVE-2024-1709, related to an authentication bypass via path traversal, which could allow an attacker to execute code remotely or directly affect sensitive data or critical systems. These vulnerabilities were fixed in subsequent releases. Lumu created a tool to check whether your infrastructure is vulnerable to these CVEs.
Detection & Hunting Guidance
- Network & Proxy Logs: Search for URLs ending in support.client.exe or /ScreenConnect.Client.exe, or containing query strings like i=&e=Support&y=Guest.
- DNS Filtering: Block or monitor sub-domains of known malicious parent domains (e.g., *.innocreed.com, *.controlhub.es).
- ASN Watchlists: Add AS210558 to high-risk or alerting lists; scrutinize new connections to unfamiliar IPs within this ASN.
- Endpoint Sweeps: Identify unexpected ScreenConnect binaries or services; cross-check installations against a whitelist of approved tools.
- Email & Web Gateway Rules: Quarantine messages or downloads mentioning “ScreenConnect” unless originating from the official ConnectWise domain.
- Threat-Intel Feeds: Integrate connectwise and screenconnect tags from Maltiverse, URLhaus, ThreatFox, and similar sources to track emerging infrastructure.
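The network-side checks above (client download paths and query strings in proxy logs, sub-domains of the known parent domains in DNS, and destinations inside the watched ASN) can be combined into one hunting pass, which is also the practical form of the point made in the Living Off the Land section that the network, not the signed binary, is where this activity is visible. The following is an added example and not Maltiverse’s or Lumu’s own detection code: the log line format, the sample lines, the IP-to-ASN map (built from documentation prefixes, not the campaign’s real IPs) and the approved-server allowlist `support.corp.example` are all constructed for this example; only the parent domains, the path and query patterns and the ASN number come from the advisory.

```python
"""Hunt proxy and DNS logs for the ScreenConnect-abuse patterns in the
detection guidance.

Added example, not Maltiverse/Lumu code. The log line format, the
sample lines, the IP-to-ASN map and the approved-server allowlist are
all constructed for this example; the malicious parent domains, the
path/query patterns and the ASN come from the advisory.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# From the advisory.
MALICIOUS_PARENTS = {"innocreed.com", "controlhub.es"}
WATCHED_ASNS = {"AS210558"}
CLIENT_SUFFIXES = ("support.client.exe", "/screenconnect.client.exe")

# Assumption: the organisation's own, approved ScreenConnect server.
APPROVED_SC_HOSTS = {"support.corp.example"}

# Constructed IP-to-ASN map standing in for a real ASN database
# (documentation prefixes only, not the campaign's IPs).
IP_TO_ASN = {
    ipaddress.ip_network("203.0.113.0/24"): "AS210558",
    ipaddress.ip_network("198.51.100.0/24"): "AS64496",
}

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_ip> <url>".
SAMPLE_PROXY_LOGS = [
    "2025-04-22T10:01:03Z 10.0.0.5 203.0.113.10 "
    "https://work.innocreed.com/bin//support.client.exe?i=&e=Support&y=Guest&r=",
    "2025-04-22T10:05:44Z 10.0.0.7 198.51.100.20 "
    "https://support.corp.example/Bin/ScreenConnect.Client.exe?e=Access&y=Guest",
    "2025-04-22T10:06:10Z 10.0.0.9 198.51.100.30 https://cdn.example.net/static/app.js",
    "2025-04-22T10:09:51Z 10.0.0.4 203.0.113.55 https://files.example.org/Bin/ScreenConnect.Client.exe",
]

# Constructed DNS query names.
SAMPLE_DNS_QUERIES = ["connect-004.controlhub.es", "mail.example.com", "help.innocreed.com"]


def asn_for(ip):
    """Look up the ASN of an IPv4/IPv6 address in the constructed map."""
    addr = ipaddress.ip_address(ip)
    for net, asn in IP_TO_ASN.items():
        if addr in net:
            return asn
    return None


def under_malicious_parent(host):
    """True if host is one of the parent domains or a sub-domain of one."""
    host = host.lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in MALICIOUS_PARENTS)


def url_findings(url):
    """Return the list of advisory patterns a URL matches (empty if clean
    or if the host is an approved ScreenConnect server)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if host in APPROVED_SC_HOSTS:
        return findings
    if path.endswith(CLIENT_SUFFIXES):
        findings.append("screenconnect_client_download")
    if "i" in query and query.get("e") == ["Support"] and query.get("y") == ["Guest"]:
        findings.append("guest_support_query_string")
    if under_malicious_parent(host):
        findings.append("malicious_parent_domain")
    return findings


def hunt(lines):
    """Combine URL pattern checks with the ASN watchlist over proxy lines."""
    hits = []
    for line in lines:
        ts, src, dst_ip, url = line.split(" ", 3)
        findings = url_findings(url)
        asn = asn_for(dst_ip)
        if asn in WATCHED_ASNS:
            findings.append(f"watched_asn:{asn}")
        if findings:
            hits.append({"ts": ts, "src": src, "dst_ip": dst_ip,
                         "url": url, "findings": findings})
    return hits


def dns_hits(queries):
    """DNS names that fall under a known malicious parent domain."""
    return [q for q in queries if under_malicious_parent(q)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROXY_LOGS):
        print(hit["ts"], hit["src"], "->", hit["dst_ip"], hit["findings"])
    print("DNS hits:", dns_hits(SAMPLE_DNS_QUERIES))
```

Two design points matter in practice. The allowlist short-circuits only the URL checks, so a download from the organisation’s own server still surfaces if its destination IP falls in the watched ASN, which is the case worth a second look. And the parent-domain test anchors on a leading dot, so a lookalike such as notinnocreed.com does not match; lookalikes need their own entries.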
MITRE ATT&CK TTPs Observed in This Campaign
To effectively combat the ConnectWise ScreenConnect misuse campaign, it’s critical to understand the Tactics, Techniques, and Procedures (TTPs) employed by the attackers. Mapped to the MITRE ATT&CK framework, these TTPs highlight the specific methods used in this campaign, offering actionable insights for detection and mitigation. Below is a detailed breakdown of the observed TTPs, with examples from the campaign and tailored recommendations:
| TTP | Description | Example in This Campaign | Detection & Mitigation |
|---|---|---|---|
| T1566 – Phishing | Phishing emails deliver malware or trick users into installing malicious software. | Phishing campaigns distribute misused ScreenConnect clients via links to domains like connect-004.controlhub.es. | – Conduct user awareness training on phishing risks. – Use email gateways to filter malicious links and attachments. – Integrate the Maltiverse Phishing Feed to block phishing domains. |
| T1584 – Compromise Infrastructure | Adversaries may compromise third-party infrastructure that can be used during targeting, including physical or cloud servers, domains, and network devices. | Attackers cracked ScreenConnect Server installations so that misused clients can connect to them on attacker-controlled servers. | – Whitelist approved remote access tools. – Block known malicious IoCs, IPs and domains (e.g., AS210558). – Audit systems for unauthorized ScreenConnect instances. |
| T1036 – Masquerading | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. | The ScreenConnect client configuration is manipulated to connect to the malicious infrastructure. | – Whitelist approved remote access tools. – Block known malicious IoCs, IPs and domains (e.g., AS210558). – Audit systems for unauthorized ScreenConnect instances. |
| T1219 – Remote Access Software | Adversaries leverage legitimate remote access tools for persistence and control. | Misused ScreenConnect clients contain a malicious configuration to connect to cracked ScreenConnect servers hosted on malicious infrastructure. | – Whitelist approved remote access tools. – Block known malicious IoCs, IPs and domains (e.g., AS210558). – Audit systems for unauthorized ScreenConnect instances. |
Mitigation & Response
| Action | Why It Matters |
|---|---|
| Block High-Confidence IoCs (domains, IPs, URLs) in firewalls, proxies, and DNS resolvers. | Disrupts attackers’ connection channels and the delivery pipelines for clients with malicious configurations. |
| Patch ScreenConnect Servers to the latest release (post-CVE-2024-1708/1709). | Prevents exploitation of vulnerabilities in legitimate deployments. |
| Audit Remote-Access Software Usage and enforce MFA for all remote-support sessions. | Reduces the risk of unauthorized access. |
| User Awareness Training: Warn employees about unsolicited “screen-connect” or “remote-support” prompts; instruct them to verify requests via official channels. | Mitigates social-engineering attacks that rely on user interaction. |
Conclusion
This campaign demonstrates a sophisticated abuse of ConnectWise ScreenConnect, with attackers mass-registering parent domains and spinning up hundreds of sub-domains—particularly under .top and .com—to distribute client software misused to connect to attacker-controlled servers. Their reliance on AS210558 and “domain-burst” techniques offers defenders clear opportunities to disrupt the threat. By incorporating the provided IoCs, detection strategies, and mitigation actions into security controls and incident-response playbooks, organizations can effectively counter this growing menace.
About Maltiverse by Lumu
Maltiverse delivers real-time, customized threat intelligence, offering in-depth insights and emerging trend analysis. Since joining forces with Lumu in March 2025, Maltiverse enhances the contextual depth of Lumu’s detections, while still providing invaluable stand-alone threat intelligence. Learn more about how this acquisition empowers your MSP’s security posture.