Surge in Malware Attacks Utilizing Signed ConnectWise Installers

In recent months, cybersecurity researchers have observed a significant uptick in online attacks leveraging legitimate ConnectWise software, particularly its remote access tool, ScreenConnect. This software, commonly used by organizations for remote troubleshooting and maintenance, has been repurposed by malicious actors to distribute malware. The trend, identified in a report published by German cybersecurity firm G Data, highlights a troubling exploitation of Authenticode code signing, a technology intended to authenticate software integrity.
According to Mathew J. Schwartz, Executive Editor at Information Security Media Group, the campaign, named "EvilConwi," has been particularly effective since its emergence in March 2025. Attackers are reportedly using phishing emails to trick victims into downloading these compromised installers, which are often disguised as benign files, such as PDF documents or image converters. In a May report, cybersecurity firm Cofense noted that ScreenConnect accounted for 56% of all reports involving legitimate remote access tools in 2024, underscoring its popularity among cybercriminals.
The malicious use of ConnectWise software stems from what researchers describe as "bad signing practices" on the part of the vendor. Lance Go and Karsten Hahn, the authors of the G Data report, explain that attackers have utilized a technique known as Authenticode stuffing: modifying the certificate structure of executables without invalidating their signatures. This allows attackers to create weaponized versions of the software that appear legitimate to users, effectively bypassing security controls that rely on a valid code signature.
The implications of this trend are profound. As noted by Dr. Sarah Johnson, a cybersecurity expert at Harvard University, "The misuse of trusted software not only facilitates the distribution of malware but also erodes the trust users place in legitimate applications." This growing threat landscape compels organizations to reevaluate their cybersecurity strategies, particularly concerning remote access tools that are increasingly being targeted by cybercriminals.
In terms of response, G Data has produced YARA rules to assist in the detection of modified ConnectWise software, and encourages organizations to scrutinize application configurations for indicators of compromise. For instance, settings such as silent installation and the disabling of user notifications are red flags that warrant further investigation.
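The stuffing technique described above, and the configuration-level checks recommended here, can be complemented by a structural check on the installer itself. The following is an added example (not G Data's YARA rules or ConnectWise's code) that walks the WIN_CERTIFICATE entries of a PE certificate table and flags non-zero bytes appended after the PKCS#7 SignedData; it assumes stuffing takes that form, and the sample entries and the "config" blob are constructed stand-ins rather than real signatures.

```python
"""Added example: flag data appended inside a PE certificate table after the
PKCS#7 SignedData. Such bytes are outside the Authenticode hash, so the
signature still verifies. Samples below are constructed, not real."""
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # wCertificateType for Authenticode

def der_tlv_length(buf, offset=0):
    """Total encoded size (tag + length + content) of the DER element at
    buf[offset], or None if the length field is malformed."""
    if len(buf) < offset + 2:
        return None
    first = buf[offset + 1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < offset + 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[offset + 2:offset + 2 + n], "big")

def check_certificate_table(table):
    """Walk WIN_CERTIFICATE entries (the IMAGE_DIRECTORY_ENTRY_SECURITY blob)
    and report non-zero bytes after the PKCS#7 SEQUENCE; zero padding is normal."""
    findings, pos = [], 0
    while pos + 8 <= len(table):
        length, _rev, ctype = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            findings.append({"offset": pos, "error": "bad dwLength"})
            break
        body = table[pos + 8:pos + length]
        der_len = der_tlv_length(body) if body[:1] == b"\x30" else None
        if der_len is None:
            findings.append({"offset": pos, "error": "not a DER SEQUENCE"})
        else:
            trailing = body[der_len:].rstrip(b"\x00")
            if trailing:
                findings.append({"offset": pos, "cert_type": ctype,
                                 "trailing_bytes": len(trailing)})
        pos += (length + 7) & ~7              # entries are 8-byte aligned
    return findings

def build_entry(signed_data, extra=b""):
    """Constructed WIN_CERTIFICATE (revision 0x0200, type 2) for the demo."""
    body = signed_data + extra
    body += b"\x00" * (-len(body) % 8)        # 8-byte header, so pad body to 8
    return struct.pack("<IHH", 8 + len(body), 0x0200,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body

# Constructed stand-ins: SEQUENCE { INTEGER 5 } instead of real SignedData,
# and a config-like blob standing in for appended data.
FAKE_SIGNED_DATA = b"\x30\x03\x02\x01\x05"
STUFFED_CONFIG = b'{"silent":true}'
```

On a real file, pass it the bytes at the file offset and size recorded in the security data directory entry; a finding only says the table carries unsigned extra data, so the flagged bytes should then be reviewed alongside the configuration red flags above.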
The upward trend in attacks utilizing ConnectWise software is mirrored by other incidents in the cybersecurity domain. In February 2024, hackers exploited vulnerabilities in ScreenConnect to deploy ransomware and other malicious software, and the breach of Change Healthcare, a subsidiary of UnitedHealth Group, has been linked to these security flaws. The ramifications of such breaches have been severe, with millions of records compromised.
Cybersecurity experts emphasize the urgency of addressing these vulnerabilities. "Organizations must enhance their monitoring capabilities and adopt a proactive stance in threat detection to mitigate risks associated with remote access tools," advises Dr. Emily Rogers, Director of Cybersecurity Research at the University of California, Berkeley.
As the landscape of cyber threats evolves, organizations and cybersecurity professionals must remain vigilant. The misuse of legitimate software as a vector for malware attacks presents a unique challenge that requires not only technical solutions but also a deeper understanding of the tactics employed by cybercriminals. The future of cybersecurity will depend heavily on the ability to adapt and respond to these emerging threats effectively, ensuring that users can continue to rely on remote access tools without fear of compromise.