SILENTCONNECT is a newly discovered multi-stage malware loader that has been silently targeting Windows machines since at least March 2025.
It uses VBScript, in-memory PowerShell execution, and PEB masquerading to install the ConnectWise ScreenConnect remote monitoring and management tool on victim systems.
Once deployed, ScreenConnect gives the attacker full hands-on keyboard control over the compromised machine, posing a serious threat to corporate environments worldwide.
The infection begins when a target receives a phishing email with a link appearing to lead to a legitimate invitation or proposal. Clicking it redirects the victim to a Cloudflare Turnstile CAPTCHA page asking them to verify they are human.
Once the checkbox is clicked, a VBScript file named E-INVITE.vbs automatically downloads to the machine.
Threat actors have used convincing filenames such as Proposal-03-2026.vbs to make lures appear credible and lower the victim’s guard before execution.
Cloudflare CAPTCHA page (Source – Elastic)
Elastic Security Labs researchers identified the campaign in early March 2026 after a living-off-the-land style infection generated multiple behavioral alerts in a short period.
The initial VBScript download triggered a Suspicious Windows Script Downloaded from the Internet detection rule, giving analysts a pivot point to trace the infection using file origin URL fields.
The VBScript was hosted on Cloudflare’s r2.dev storage while the C# payload was fetched from Google Drive — two trusted platforms that most network defenses are unlikely to block.
SILENTCONNECT blends into normal Windows activity to stay under the radar. The VBScript uses a children’s story as a decoy while hiding real instructions inside Replace and Chr functions.
When decoded, it fires a PowerShell command that uses the built-in curl.exe to download a C# source file, compiles it at runtime through Add-Type, and runs it entirely in memory.
Since no malicious executable is written to disk, most endpoint security tools struggle to detect this behavior in real time.
Obfuscated VBScript using Chr() and Replace() functions (Source – Elastic)
The threat actor’s infrastructure also reveals a consistent pattern. A phishing email on VirusTotal with the subject YOU ARE INVITED was traced to dan@checkfirst[.]net[.]au, impersonating a project proposal from a fake company.
The attacker reused the same URI path — download_invitee.php — across multiple compromised websites, which proved to be an OPSEC mistake, allowing researchers to map out the full campaign infrastructure through targeted VirusTotal searches.
PEB Masquerading and Defense Evasion
Once the .NET loader runs, SILENTCONNECT moves quickly to disappear from security tool view. After sleeping for 15 seconds, it allocates executable memory through NtAllocateVirtualMemory and copies a small shellcode stub into that region.
Copying shellcode into memory via NtAllocateVirtualMemory (Source – Elastic)
This shellcode retrieves the address of the Process Environment Block, a Windows structure that tracks all modules loaded in a running process, letting the malware operate at a low system level while bypassing commonly monitored API calls.
With the PEB address in hand, SILENTCONNECT performs PEB masquerading by locating its own module list entry and overwriting both the BaseDLLName and FullDllName fields to display winhlp32.exe and c:\windows\winhlp32.exe.
PEB masquerading feature (Source – Elastic)
Since many EDR solutions rely on PEB data as a trusted reference when identifying suspicious processes, this name swap disguises the loader as a harmless Windows help utility, making it nearly invisible to automated detection.
Before installing ScreenConnect, the loader executes a UAC bypass through the CMSTPLUA COM interface, stores its parameters in reverse order as obfuscation, and silently adds a Microsoft Defender exclusion for exe files.
SILENTCONNECT adding Microsoft Defender exception (Source – Elastic)
It then downloads the ScreenConnect MSI from bumptobabeco[.]top via curl.exe, installs it through msiexec.exe, and sets it up as a Windows service beaconing to the attacker’s server over TCP port 8041.
Organizations should routinely audit their environments for unauthorized RMM deployments and monitor outbound traffic to unknown ScreenConnect server addresses.
Security teams should flag PowerShell commands combining Add-Type with remote downloads, alert on VBScript files fetched from the internet, and watch for unexpected Defender exclusion changes.
Tracking NtAllocateVirtualMemory calls from .NET processes can also help catch this threat before it reaches full compromise.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post SILENTCONNECT Uses VBScript, PowerShell and PEB Masquerading to Deploy ScreenConnect appeared first on Cyber Security News.
