{
	"id": "6d63ae7d-adb4-4e26-8fac-fff0798d4032",
	"created_at": "2026-04-06T00:13:21.804182Z",
	"updated_at": "2026-04-10T13:12:36.586211Z",
	"deleted_at": null,
	"sha1_hash": "087e139a24c46628fd7160e65a097ef99c47ad19",
	"title": "Threat Actors abuse signed ConnectWise application as malware builder",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 746550,
	"plain_text": "Threat Actors abuse signed ConnectWise application as malware\r\nbuilder\r\nBy G DATA Security Center\r\nPublished: 2025-07-23 · Archived: 2026-04-05 15:02:27 UTC\r\n06/23/2025\r\nReading time: 8 min (2040 words)\r\nSince March 2025 there has been a noticeable increase in infections and fake applications using validly signed\r\nConnectWise samples. We reveal how bad signing practices allow threat actors to abuse this legitimate software to\r\nbuild and distribute their own signed malware and what security vendors can do to detect them.\r\nAnalysis by Lance Go and Karsten Hahn\r\nConnectWise abuse 2024-2025\r\nThis isn’t the first time that ConnectWise has been used by threat actors. Back in February 2024, we saw a spike in\r\nransomware activity tied to two ConnectWise vulnerabilities: CVE-2024-1708 and CVE-2024-1709. \r\nAround March 2025, a new wave of ConnectWise abuse started showing up, now being tracked under the name\r\n“EvilConwi”. \r\nWhen people suspect an infection, they often turn to the Internet for help. “UNITE against malware” forums (such\r\nas BleepingComputer.com) provide disinfection assistance in such cases. Several threads on BleepingComputer’s\r\nforums (link1, link2) show unwanted ConnectWise clients as the culprit of the infection, usually with phishing\r\nemails as the starting point. The existence of several posts like these indicates a failure of security programs to\r\nprevent the threat. Even in May 2025 most antivirus products did not detect maliciously used ConnectWise\r\nsamples as malware.\r\nIn one BleepingComputer case the origin of infection is a phishing email with a OneDrive link that promises to\r\nshow a large document. The link redirects to a Canva page with a “View PDF” button which downloads and runs a\r\nConnectWise installer. The user describes “fake Windows Update screens” and their mouse “moving on its own\r\nrandomly\". 
Aside from those indicators, there were no other visible signs for the active remote connection\r\n(sample[1]). \r\nReddit users have also reported similar incidents, for example in one case, a maliciously crafted ConnectWise\r\nsample[2] originated from a website offering an AI-based image converter. According to the original poster, the site\r\nhad been advertised on Facebook. \r\nhttps://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware\r\nPage 1 of 9\n\nSample comparison\r\nTo figure out detection opportunities and settings location, we analyze the difference between two ConnectWise\r\nsamples.   \r\nThe images below show PortexAnalyzer reports for two ConnectWise samples[6][7] which we compare with Meld.\r\nAside from the certificate table in the overlay, the section contents have the same hashes. We confirmed with a\r\nbinary diffing tool that the only substantial differences reside in the certificate table.  \r\nThus, any customization that we could use to distinguish ConnectWise installers from each other must reside in the\r\ncertificate table. At this point we suspect Authenticode stuffing. \r\nAuthenticode stuffing\r\nAuthenticode stuffing is deliberate misuse of the certificate structure that allows modifications to an executable\r\nwithout invalidating its signature. Developers use this technique to avoid re-signing their applications for minor\r\nchanges. It’s a relatively common practice, applications like Dropbox use it. Some installers[3], for example, track\r\ninstallation statistics by saving user agents, referrers, campaign IDs or similar data from the browser’s cookies in\r\nthe certificate shortly before the file is downloaded. In such cases, the Authenticode stuffing is harmless because it\r\ndoes not influence the sample’s behavior. \r\nThere are various ways to abuse authenticode signing. To figure out which method ConnectWise uses, we run an\r\nauthenticode linter on both samples. 
\r\nFigure 3: output of AuthenticodeLint tool\r\nThe linter output shows that the “No Unknown Unsigned Attributes” check fails for both samples. That means\r\nConnectWise has unauthenticated attributes which should not be there. \r\nThe following image shows the structure of a signed Portable Executable file, and where the unauthenticated\r\nattributes reside in the certificate table. The original image is from Microsoft’s official Windows Authenticode PE\r\nSignature Format document. \r\nFigure 4: Windows Authenticode PE signature format\r\nTo verify the certificate of a Portable Executable file, Windows compares the authentihash in the certificate with\r\nthe actual hash of the file. If these hashes are different, the verification fails, and the file is not validly signed\r\nanymore.  \r\nWindows calculates the authentihash on the file’s contents except for the grayed-out areas on the left side of the\r\nimage. That means the checksum in the Optional Header, the certificate table entry in the Optional Header, and the\r\ncertificate table itself are omitted for the authentihash calculation. This includes unauthenticated attributes. They\r\nwon’t impact the validity of the certificate. \r\nThe right side of the image shows the certificate table structure. Unauthenticated attributes usually save timestamps\r\nbut can also save arbitrary data. \r\nBecause we assume that ConnectWise uses unauthenticated attributes for Authenticode stuffing, we create a\r\nPython script to extract unauthenticated attributes from PE files. \r\nConnectWise configuration abuse\r\nWe built a configuration dumper that extracts settings and embedded files from the certificate. 
While we do not\r\nshare the script for legal reasons, most of the meaningful data that is useful for threat detection is saved in XML\r\nformat and directly visible in dumped attributes (using the Python script above) or a strings listing of the sample. \r\nHere is an example output of the configuration dumper for a malicious sample[4]: \r\nThe first interesting indicator is the connection URL and the port which are part of the launch parameters as well as\r\nthe silent installation flag which is set to false here. But there is more: embedded additional resources and\r\nconfiguration files. \r\nOne of the extracted additional files for this sample is a .NET resource named Client.Override.en-US.resources. In\r\nthis sample[4] it modifies the ApplicationTitle so that ConnectWise fakes a Windows update and instructs the user\r\nnot to turn off the system, probably to ensure that the remote connection remains active for some time.\r\nFigure 5: fake Windows update messages in a config file\r\nAnother resource named Client.Override.resources contains Google Chrome icon PNG files which override the\r\nApplicationIcon property. Similar samples like [5] use the same file to override the property\r\nBlankMonitorBackgroundImage with a fake Windows update screen JPEG. Both images are shown below.\r\nThere are also two configuration files named system.config and app.config. These are XML files with more\r\nsettings. The system.config usually includes another ClientLaunchParametersConstraint value—on top of the one\r\nalready extracted using the config extractor—which holds the connection URL, port, and other parameters. \r\nThe app.config XML is also interesting for threat evaluation. 
The following image shows the contents of an\r\napp.config file that is typical for malicious ConnectWise samples:\r\nFigure 6: app.config with remote connection indicators set to false\r\nThis app.config disables several indicators which would alert a user that ConnectWise is present like a tray icon or\r\na black wallpaper during an active connection. \r\nTo summarize, the settings in the certificate table of ConnectWise substantially influence the behavior of\r\nConnectWise installers and clients. Among others the certificate saves: \r\nSilent installation option \r\nLaunch parameters which include connection URL and Port \r\nApplication icons \r\nMessages and window titles shown to the user \r\nImages used by the software, such as background images \r\nIndicators that show the presence of an active connection  \r\nBy modifying these settings, threat actors create their own remote access malware that pretends to be a different\r\nsoftware like an AI-to-image converter by Google Chrome. They commonly add fake Windows update images and\r\nmessages too, so that the user does not turn off the system while threat actors remotely connect to them.\r\nThreat prevention recommendations\r\nWe recommend fellow defenders disallowing any ConnectWise samples that have several of the following\r\napp.config settings set to false (using regex syntax): \r\n(Support|Access)?HideWallpaperOnConnect \r\n(Support|Access)?ShowBalloonOnHide \r\n(Support|Access)?ShowBalloonOnConnect \r\n(Support|Access)?ShowSystemTrayIcon \r\n(Support|Access)?ShowCloseDialogOnExit \r\nA Yara rule may look as follows: \r\nWe also recommend detecting fake application titles, fake icons and fake background images that are embedded in\r\n.NET resources within the certificate. 
\r\nGDATA products detect maliciously abused ConnectWise samples as Win32.Backdoor.EvilConwi.* and samples\r\nwith questionable settings as Win32.Riskware.SilentConwi.* \r\nVendor practices and end-user risk\r\nAlthough authenticode stuffing is common practice, ConnectWise’s decision to influence critical behavior and its\r\nuser interface with unauthenticated attributes is clearly dangerous. It entices threat actors to build their own remote\r\naccess malware with custom icons, background images and text, that is signed by a trusted company. \r\nGiven how widely (ab-)used ConnectWise’s ScreenConnect is, it is a good idea to keep an eye out for these\r\nsamples. Until ConnectWise changes their authenticode stuffing practices, the possibility of signed malware being\r\ncreated and distributed remains a threat.    \r\nOn June 12, we contacted ConnectWise prior to the release of this article to make them aware of the issues\r\ndescribed above and give them the opportunity to issue a statement. We noticed on Tuesday, June 17, 2025\r\nthat the signature used to sign the samples was revoked. 
We have not received a statement by the time this\r\narticle was released.\r\nSamples referenced in this article\r\n[1] ConnectWise from BleepingComputer \r\n7287a53167db901c5b1221137b5a1727390579dffd7098b59e6636596b37bc27 \r\n[2] ConnectWise from Reddit  \r\n7180238578817d3d62fd01fe4e52d532c8b3d2c25509b5d23cdabeb3a37318fc \r\n[3] Setup file with tracking data in certificate \r\na6fb2a4be91f6178d8ba0ca345727d1cb7995c3e4a659a68bef306c9eff4b18e \r\n[4] ConnectWise sample with fake Windows update messages and Chrome icons in config \r\ncb8a1a1e90c29461b0503e2c5deac7b673617477128ee3baea4d8134676c8af4 \r\n[5] ConnectWise sample with fake Windows update screen in config \r\n28f46446d711208aa7686cdaea60d3a31e2b37b08db7cfb0ce350fcd357a0236 \r\n[6] ConnectWise sample used for comparison \r\n6d9442ae6ba5a9f34a47e234b6047f61d8ac129e269199793ebb0bed1ad7e3ba \r\n[7] ConnectWise sample used for comparison \r\n277ef6c0dcaf0e76291fbde0199dda1ca521c03e77dc56c54f5b9af8508e6029 \r\nSample hashes sorted by infection vectors\r\nBased on collected samples and their naming schemes, we observed certain patterns as possible infection vectors.\r\nFake installers \r\n540c9ae519ed2e7738f6d5b88b29fb7a86ebfce67914691ce17be62a9b228e0a,  ZoomInstallerFull.exe \r\n55a228f22f68b8a22967cc5b8b2fcbea66fcaf77bebedfb1f89cd134a0268653, zoom_meetingconnect.exe \r\nC0c48de11bc4b70fb546b9a76b6126a355c0a0f4b45ed6b6564d8f3146c9f0af, ZoomInstaller-x64.exe \r\n67b909bbcce486baba59d66e3b4ec4c74dd64782051a41198085a5b3450d00c9, OneDriveSetup.exe \r\nb1c36552556a69ec4264d54be929e458c985b83bbc42fe09714c6dce825ac9a7, MicrosoftExcel.ClientSetup.exe \r\nD37e804938cf0a11c111832b509fbecf8a0f3e9373133be108d471d45db75de8, Adobe-Update-ClientSetup.wSZQ5iHP.exe.part \r\nb61aed288b4527b15907955c7521ff63cc0171087ac0f7fea6c7019a09c96c04, Adobe.ClientSetup_v7.-2.7.exe \r\n6bce39b7d7552dbacbb4bdf06b76b4fed3fbb9fe4042b81be12fbdff92b8d95c, 
SSA Viewer.exe \r\nFake video or movie clients \r\n6aa1b9f976624f7965219f1a243de2bebb5a540c7abd4d7a6d9278461d9edc11, Creation_Made_By_CanvaAI.mp4\r\nCanva.com \r\n8fc8727b6ddb28f76e46a0113400c541fb15581d2210814018b061bb250cc0e6, FULL_MOVIE_DOWNLOAD.exe \r\n5da9a0d0830c641ffda6be3be7733de469418abedc6fac0cfcd76ba49f8ade2e, P0RN-vidz.Client.exe \r\n72fe38ad67a26cfd89d1bfc744d33f80277e8eb564b5b92fdac46a9a24d845f3, P0RN-vid.Client.exe \r\n5ccc9ef3e8f7113469f4a46c3aca3939fd53b3561a9fd8ffacd531aa520c5921, FULL_MOVIE_WATCH_NOW.exe \r\n23ff4f91db852b07c7366a3c3b8be0bade2befccbfea7e183daadb5e31d325c0, Schau mir jetzt nackt vor der Webcam zu.exe \r\nFake documents \r\n41037935246da6f43615d93912bc62811c795ea4082a2bfdbf3eda53a012666e, Social_Security_Statement_873164.exe \r\n98e3f74b733d4d44bec7b1bf29f7b0e83299350143ff1e05f0459571cb49c238, Statement.pdf.Client.exe \r\nd6844a6050d5f6c20a3fe12df28e53a2e46559e6c5017576022372e35ab44ff5, SSA-statement-osu5ma6.PDF`.exe \r\n573f1eefac3079790a9ab40bdd3530ce34b1d2d1c6fa6703a5a8d81cb190a458, BarryStatementPDF.exe \r\nF55c6160ed57a97c4f0e1c6aa6e3f8f01a966e96a99a29e609ec60e63be11889, FATURA-255441144227D55224QO02GX6QL.com \r\n4e5cfd915f44dc263f29e1eaef82b3e2e903ba92b10f88c0eaf89fe5eab82ff5, ANFRAGE FÜR VORSCHLAG.exe \r\nE7f9b9c9205162ddee72a7b7ff86b6524e19c7e8b51f64fdbffc8015c7e8934c, Important Document.exe \r\nSource: https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware"
	],
	"report_names": [
		"38218-connectwise-abuse-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434401,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/087e139a24c46628fd7160e65a097ef99c47ad19.pdf",
		"text": "https://archive.orkl.eu/087e139a24c46628fd7160e65a097ef99c47ad19.txt",
		"img": "https://archive.orkl.eu/087e139a24c46628fd7160e65a097ef99c47ad19.jpg"
	}
}