{"id":11483,"date":"2026-03-20T10:03:41","date_gmt":"2026-03-20T10:03:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/20\/silentconnect-uses-vbscript-powershell-and-peb-masquerading-to-deploy-screenconnect\/"},"modified":"2026-03-20T10:03:41","modified_gmt":"2026-03-20T10:03:41","slug":"silentconnect-uses-vbscript-powershell-and-peb-masquerading-to-deploy-screenconnect","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/20\/silentconnect-uses-vbscript-powershell-and-peb-masquerading-to-deploy-screenconnect\/","title":{"rendered":"SILENTCONNECT Uses VBScript, PowerShell and PEB Masquerading to Deploy ScreenConnect"},"content":{"rendered":"<div>\n<p>SILENTCONNECT is a newly discovered multi-stage malware loader that has been silently targeting Windows machines since at least March 2025.<\/p>\n<p>It uses VBScript, in-memory PowerShell execution, and PEB masquerading to install the ConnectWise ScreenConnect remote monitoring and management tool on victim systems. 
<\/p>\n<p>Once deployed, ScreenConnect gives the attacker full hands-on keyboard control over the compromised machine, posing a serious threat to corporate environments worldwide.<\/p>\n<p>The infection begins when a target receives a phishing email with a link appearing to lead to a legitimate invitation or proposal. 
Clicking it redirects the victim to a <a href=\"https:\/\/cybersecuritynews.com\/sectoprat-as-weaponized-cloudflare\/\" id=\"97378\" target=\"_blank\" rel=\"noreferrer noopener\">Cloudflare Turnstile<\/a> CAPTCHA page asking them to verify they are human.<\/p>\n<p>Once the checkbox is clicked, a VBScript file named E-INVITE.vbs automatically downloads to the machine.<\/p>\n<p>Threat actors have used convincing filenames such as Proposal-03-2026.vbs to make lures appear credible and lower the victim\u2019s guard before execution.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjBsvUIu-w34V8w3ny6rvgcgZBqu67yGj-aFJhesnrDyrCUGMMSonSniLSbCE90-qCxpsw1xRionb2AlBWF3a12AaMDa_yYeVoJQvh336PP-Nb7D0N7ww8IeP7qJsfpqyjHz8ZAWGJmp9IQZg1Rm8RiTCxH9t47Pa71FR2y4YIgze3s5NRDhnBH9GBAMJE\/s16000\/Cloudflare%2520CAPTCHA%2520page%2520%28Source%2520-%2520Elastic%29.webp?ssl=1\" alt=\"Cloudflare CAPTCHA page (Source - Elastic)\"><figcaption class=\"wp-element-caption\">Cloudflare CAPTCHA page (Source \u2013 Elastic)<\/figcaption><\/figure>\n<\/div>\n<p><a href=\"https:\/\/www.elastic.co\/security-labs\/silentconnect-delivers-screenconnect\" id=\"https:\/\/www.elastic.co\/security-labs\/silentconnect-delivers-screenconnect\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Elastic Security Labs researchers identified the campaign<\/a> in early March 2026 after a living-off-the-land style infection generated multiple behavioral alerts in a short period.<\/p>\n<p>The initial VBScript download triggered the \u201cSuspicious <a href=\"https:\/\/cybersecuritynews.com\/windows-rrasman-0-day-vulnerability\/\" id=\"142314\" target=\"_blank\" rel=\"noreferrer noopener\">Windows Script<\/a> Downloaded from the Internet\u201d detection rule, giving analysts a pivot point to trace the infection using file origin URL fields. 
<\/p>\n<p>The VBScript was hosted on Cloudflare\u2019s r2.dev storage while the C# payload was fetched from Google Drive \u2014 two trusted platforms that most network defenses are unlikely to block.<\/p>\n<p>SILENTCONNECT blends into normal Windows activity to stay under the radar. 
The VBScript uses a children\u2019s story as a decoy while hiding real instructions inside Replace and Chr functions. <\/p>\n<p>When decoded, it fires a PowerShell command that uses the built-in curl.exe to download a C# source file, compiles it at runtime through Add-Type, and runs it entirely in memory. <\/p>\n<p>Since no malicious executable is written to disk, most endpoint <a href=\"https:\/\/cybersecuritynews.com\/best-cloud-security-tools\/\" id=\"11635\" target=\"_blank\" rel=\"noreferrer noopener\">security tools<\/a> struggle to detect this behavior in real time.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhJwLGpyOTHKFkecTTJ56bM0UnPqXnthmlrId_cHZ452KauU8GCEAJzPsBCC1Bhyphenhyphen5JK2Atza1W3SM1znGWiaaoQfqy-1wokheVXWOMJLI_V9IpK8_0psAWBz75zomxw-JtrL_8CJasx7SEhogkQ-KxZn9q2XSCDd9fb0FeiI2CihbokFxXoSQWcKAnYB50\/s16000\/Obfuscated%2520VBScript%2520using%2520Chr%28%29%2520and%2520Replace%28%29%2520functions%2520%28Source%2520-%2520Elastic%29.webp?ssl=1\" alt=\"Obfuscated VBScript using Chr() and Replace() functions (Source - Elastic)\"><figcaption class=\"wp-element-caption\">Obfuscated VBScript using Chr() and Replace() functions (Source \u2013 Elastic)<\/figcaption><\/figure>\n<\/div>\n<p>The threat actor\u2019s infrastructure also reveals a consistent pattern. A <a href=\"https:\/\/cybersecuritynews.com\/hr-it-related-phishing-emails-are-top-clicked\/\" id=\"85221\" target=\"_blank\" rel=\"noreferrer noopener\">phishing email<\/a> on VirusTotal with the subject YOU ARE INVITED was traced to dan@checkfirst[.]net[.]au, impersonating a project proposal from a fake company. 
<\/p>\n<p>The attacker reused the same URI path \u2014 download_invitee.php \u2014 across multiple compromised websites, which proved to be an OPSEC mistake, allowing researchers to map out the full campaign infrastructure through targeted VirusTotal searches.<\/p>\n<h2 class=\"wp-block-heading\" 
id=\"peb-masquerading-and-defense-evasion\"><strong>PEB Masquerading and Defense Evasion<\/strong><\/h2>\n<p>Once the .NET loader runs, SILENTCONNECT moves quickly to disappear from the view of security tools. After sleeping for 15 seconds, it allocates executable memory through NtAllocateVirtualMemory and copies a small shellcode stub into that region.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiupu1XUYBiNw91vb4bqUjo5zDRK-Gol0NWeMGWggsSgwkM4Q65Sk7gZDCzg2ti1DLHO9iEKTjuLZnCGmTQx2IFmlzmZS9HyPzQtGkv1nQ7FsfavWqpyUx3kBgDIL_E174sMcF8G0niN8ChLkVJAUIfI91pBjesuajyuhSr2vH5hkDB4sR2_B6nko2_Ry4\/s16000\/Copying%2520shellcode%2520into%2520memory%2520via%2520NtAllocateVirtualMemory%2520%28Source%2520-%2520Elastic%29.webp?ssl=1\" alt=\"Copying shellcode into memory via NtAllocateVirtualMemory (Source - Elastic)\"><figcaption class=\"wp-element-caption\">Copying shellcode into memory via NtAllocateVirtualMemory (Source \u2013 Elastic)<\/figcaption><\/figure>\n<\/div>\n<p>This shellcode retrieves the address of the Process Environment Block (PEB), a per-process Windows structure that, among other things, tracks every module loaded into the running process, letting the malware operate at a low system level while bypassing commonly monitored API calls.<\/p>\n<p>With the PEB address in hand, SILENTCONNECT performs PEB masquerading by locating its own entry in the PEB\u2019s loaded-module list and overwriting both the BaseDllName and FullDllName fields so that they read winhlp32.exe and c:\\windows\\winhlp32.exe. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjvqMMMKJM80NsGLa5Xdi84F3yzelAmBllte_h8G073iGzKvYboEdrtT3YWMMPaZRR5TKmiqIvZDiaDb1RRaga6FHBoCD0rvT-M03Nwa4c-2IDibSxV2AmSZYWXGFlOSpevPrgmpQ4A6wBt1siY_MjbDhhY4Jf-FsJa_CjbZ5b3ky7uNz6-rRHVDk2sWY0\/s16000\/PEB%2520masquerading%2520feature%2520%28Source%2520-%2520Elastic%29.webp?ssl=1\" alt=\"PEB masquerading feature (Source - Elastic)\"><figcaption class=\"wp-element-caption\">PEB masquerading feature (Source \u2013 Elastic)<\/figcaption><\/figure>\n<\/div>\n<p>Since many EDR solutions rely on PEB data as a trusted reference when identifying suspicious processes, this name swap disguises the loader as a harmless Windows help utility, making it nearly invisible to automated detection.<\/p>\n<p>Before installing ScreenConnect, the loader executes a UAC bypass through the CMSTPLUA COM interface, stores its parameters in reverse order as obfuscation, and silently adds a Microsoft Defender exclusion for exe files. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjrNh18KnnRdz1CPvA46doo4kb4RR5xYg6vzMSdytRWEP88z-uQIn3zWEeKSaNRIgF3LCKFGZv1TSto_4StpVJfisXZQ8MSw2jWTo1ht8gDbcEOgLfnC0QKsbXMpVh-00s3UczA75HQgLefOijAb066RrpCmdFTW4ppYtKhGeEC1FofyBReSnOeaa5bux8\/s16000\/SILENTCONNECT%2520adding%2520Microsoft%2520Defender%2520exception%2520%28Source%2520-%2520Elastic%29.webp?ssl=1\" alt=\"SILENTCONNECT adding Microsoft Defender exception (Source - Elastic)\"><figcaption class=\"wp-element-caption\">SILENTCONNECT adding Microsoft Defender exception (Source \u2013 Elastic)<\/figcaption><\/figure>\n<\/div>\n<p>It then downloads the ScreenConnect MSI from bumptobabeco[.]top via curl.exe, installs it through msiexec.exe, and sets it up as a Windows service beaconing to the attacker\u2019s server over TCP port 8041.<\/p>\n<p>Organizations should routinely audit their environments for unauthorized RMM deployments and monitor outbound traffic to unknown ScreenConnect server addresses.<\/p>\n<p>Security teams should flag PowerShell commands combining Add-Type with remote downloads, alert on <a href=\"https:\/\/cybersecuritynews.com\/hackers-leverage-vbscript-files-to-deploy-masslogger\/\" id=\"111631\" target=\"_blank\" rel=\"noreferrer noopener\">VBScript files<\/a> fetched from the internet, and watch for unexpected Defender exclusion changes. 
<\/p>\n<p>Tracking NtAllocateVirtualMemory calls from .NET processes can also help catch this threat before it reaches full compromise.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/silentconnect-uses-vbscript-powershell\/\">SILENTCONNECT Uses VBScript, PowerShell and PEB Masquerading to Deploy ScreenConnect<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/silentconnect-uses-vbscript-powershell\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>SILENTCONNECT Uses VBScript, PowerShell and PEB Masquerading to Deploy ScreenConnect SILENTCONNECT is a newly discovered multi-stage malware loader that has been silently targeting Windows machines since at least March 2025. It uses VBScript, in-memory PowerShell execution, and PEB masquerading to install the ConnectWise ScreenConnect remote monitoring and management tool on victim systems. 
Once deployed, ScreenConnect [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-11483","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11483"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11483"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11483\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}