#connectwise

Phishing campaigns used to be obvious if one knew what to look for. Emails from URL’s that didn’t match the product or company they were supposedly representing. Typos, missing or badly copied images, vague or generic messages. But today’s campaigns aren’t so simple.

Cofense has published a detailed analysis of a Zoom scam spoofing the legitimate site – complete with genuine looking links and pre-recorded audio that appears to cut in and out, a notoriously common issue with the site – that instead downloads a data harvesting malware via a hijacked version of ConnectWise ScreenConnect, which is frequently abused by threat actors these days.

The attack begins with an invitation to join a meeting, using a plain text body with no header. This is the only obvious point of suspicion, as it differs from the authentic version. From there, the hyperlink included in the initial invitation mirrors a legitimate Zoom page, with the proper branding and URL, page title in the browser tab, even the ‘preparing your meeting experience’ loading screen. The deception goes deeper at the next stage, where details such as the number of people expected to join, the host’s name and location, duration of the meeting and ID number are all displayed onscreen. This is where the faked audio plays, as the victim attempts to join the fraudulent meeting, and is then told an update is available after a few seconds. This downloads automatically, and once again cleverly mimics the real thing. The only sign that it is not legitimate is the ‘.vbs’ in the download name following the executable command. The Visual Basic Script acts as a downloader for the harvesting malware.

The script downloads the ScreenConnect installer, saves it to the user’s %TEMP% directory, and launches it using Windows Script Host, keeping it in a hidden window so the user is unaware it’s even running. In and of itself, it doesn’t contain anything malicious, but it provides access to the user’s system by the threat actor remotely through ScreenConnect, which is itself a remote monitoring and management program. Once executed, the script can be observed in the running processes (in task manager), with the saved file location as %TEMP%, another subtle sign that an incursion has occurred since authentic software does not typically run from the temp files.

This campaign is effective, as it leverages both user trust in a product and several layers of spoofing of those products. How many look at the task manager while running an application? How many would recognize that initial difference in the Zoom invite, if they don’t use it often? As Cofense puts it, this attack combines malicious activity with expected enterprise administration behavior while enabling credential theft, internal reconnaissance, lateral movement, and the deployment of secondary payloads such as ransomware. All while abusing legitimate software instead of deploying traditional malware, so it has a greater chance of slipping by unseen.

The advice to never click an untrusted link isn’t quite comprehensive anymore, although it’s still good practice. And yes, it is time consuming and exhausting to have to check every link. But it’s only paranoia if they’re aren’t actually out to get you, and phishing is very much out to get you. The key to stopping these attacks is early detection. And early detection often comes from not trusting anything at all.

Since March 2025, cybersecurity researchers—most notably from G DATA—have observed a surge in malware infections originating from ConnectWise clients. These infections are linked to a sophisticated technique called Authenticode stuffing, which allows attackers to trojanize legitimate software and deploy malware while bypassing traditional security checks. ConnectWise is a leading software…

We offer ConnectWise Automate Consulting services? Reach us today for CW Implementations, Monitoring, Scripting and Admin services.

Thank you for considering Kaseya Consulting! 😊 Our team would be happy to discuss your needs. Please reach out to us at your convenience.

👋 Hey MSPs! Are you looking to streamline your MSP business operations? Let us introduce you to our ConnectWise Automate Consulting Service!

Boost your productivity and efficiency with their expert guidance. Let's get connected today!

We'd be happy to help with any of your ConnectWise Automate consulting needs 😊 Let's work together to streamline your business processes and improve your overall efficiency.