ConnectWise RAT Abuse Surge: Exploiting Trust For Cyber Intrusions

ConnectWise ScreenConnect has become the most abused legitimate RAT: it appeared in 56% of active threat reports involving legitimate RATs in 2024, and attack volumes in 2025 are already comparable. Attackers trick users with fake communications – such as emails claiming to be from the US Social Security Administration or notifications about shared files – into installing these RATs. Other tools, including Atera, FleetDeck, and smaller RATs (e.g., GoTo RAT, Gooxion RAT), are also being weaponized.

Severity Level: High

Campaigns And RAT Abuse Patterns

  1. ConnectWise ScreenConnect: 56% of all active threat reports involving legitimate RATs in 2024.
    • Tactics:
      • Exploits 14-day free trial (drops to free tier with 3-agent limit post-expiry).
      • C2 hosted via ConnectWise cloud or attacker-controlled infrastructure (port 8041).
      • Malware payload is usually .exe, disguised as PDF viewer or document.
    • Notable Campaigns:
      • Social Security Administration Spoof: Phishing emails with benefit-themed lures.
      • Files[.]fm Spoof: Shared file-themed emails delivering links to ConnectWise RAT installer or phishing pages.
  2. Atera + Splashtop Integration: Legitimately used for remote monitoring and management (RMM) by IT teams.
    • Threat Vector:
      • 30-day free trial exploited for unrestricted access.
      • Atera used to deploy Splashtop for covert access.
    • Campaigns:
      • Brazilian Legal Notice Spoof: Portuguese-language emails impersonating labour courts.
      • Later samples included invoice-themed lures.
  3. FleetDeck: Rarely used legitimately due to outdated software (last update: April 2022). Shared C2 infrastructure means blocking FleetDeck’s C2 endpoint disrupts all traffic.
    • Campaigns:
      • Finance-themed Emails in French and German, urging users to install a tool to open fake invoice PDFs (posing as “Adobe FleetDeck”).
  4. Other Tools Observed:
    • GoTo RAT: Formerly LogMeIn Resolve; used in English-language order invoice scams.
    • Gooxion RAT: Chinese-language finance campaigns.
    • PDQ Connect: Portuguese-themed finance lures.
    • Teramind: Spoofed Italian cybersecurity agency (Agenzia per la Cybersicurezza Nazionale).

Recommendations:

  1. Conduct regular security audits and baseline reviews of legitimate RAT usage.
  2. Implement strict access control policies – limit RAT usage to verified personnel and enforce MFA.
  3. Block or quarantine suspicious emails containing fake legal notices, shared file notifications, or benefit statement lures.
  4. Educate staff to recognize phishing attempts, especially those masquerading as legitimate entities.
  5. Block the IOCs on respective controls:
    https://www.virustotal.com/gui/collection/945804e38a9912211c3df0f4363847e92b6573fd7a4fb60bb9876a2555396a9a/iocs.
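The tactics above give a defender two concrete signals (outbound TCP/8041 to a ScreenConnect relay, and an executable named to look like a PDF or document) and recommendation 1 calls for a baseline of approved RAT usage. The following is an added example, not code from the advisory or its sources, that runs those checks over constructed sample telemetry; the event format, host names and the approved-host set are assumptions.

```python
import re

# Constructed sample telemetry (not from the advisory): one event per line, key=value pairs.
SAMPLE_EVENTS = [
    "host=ws-101 type=netflow dst=relay.example.invalid dport=8041 proto=tcp",
    "host=ws-101 type=process image=C:\\Users\\a\\Downloads\\Benefit_Statement.pdf.exe parent=outlook.exe",
    "host=ws-202 type=netflow dst=rmm.corp.example dport=8041 proto=tcp",
    "host=ws-202 type=process image=C:\\ProgramData\\RMM\\agent.exe parent=services.exe",
    "host=ws-303 type=process image=C:\\Temp\\Invoice_2025.docx.scr parent=explorer.exe",
]

# Assumed baseline of hosts on which remote-access tooling is approved (recommendation 1).
APPROVED_RAT_HOSTS = {"ws-202"}

# ScreenConnect relay port named in the advisory.
SCREENCONNECT_RELAY_PORT = 8041

# A document-looking name followed by an executable extension, e.g. invoice.pdf.exe.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|msi)$", re.IGNORECASE)


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict (values contain no spaces in this constructed format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def assess(lines, approved_hosts):
    """Return (host, severity, reasons) findings, sorted by host.

    Unapproved hosts talking to tcp/8041 and hosts running a document-disguised
    executable are flagged; a host that trips both rules is escalated to 'high'.
    """
    findings = {}
    for ev in map(parse_event, lines):
        host = ev.get("host")
        if (ev.get("type") == "netflow"
                and ev.get("dport") == str(SCREENCONNECT_RELAY_PORT)
                and host not in approved_hosts):
            findings.setdefault(host, []).append("tcp/8041 to ScreenConnect relay from unapproved host")
        if ev.get("type") == "process" and DOUBLE_EXT.search(ev.get("image", "")):
            findings.setdefault(host, []).append("executable disguised as a document")
    return [(host, "high" if len(reasons) > 1 else "medium", "; ".join(reasons))
            for host, reasons in sorted(findings.items())]


if __name__ == "__main__":
    for host, severity, reasons in assess(SAMPLE_EVENTS, APPROVED_RAT_HOSTS):
        print(f"{host} [{severity}]: {reasons}")
```

The approved host ws-202 generates no finding even though it uses port 8041, which is the point of keeping a reviewed baseline rather than blocking the port outright.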

MITRE ATT&CK

Tactic | Technique | ID | Details
Reconnaissance | Acquire Infrastructure: Domains | T1583.001 | Threat actors registered custom domains for phishing (e.g., verify.uniupdate[.]net).
Resource Development | Obtain Capabilities: Tool | T1588.002 | Actors obtained legitimate RATs (e.g., ConnectWise, Atera).
Initial Access | Phishing: Spearphishing Link | T1566.002 | Phishing emails with malicious download links (SSA, legal, or invoice-themed).
Execution | User Execution: Malicious File | T1204.002 | Victims execute spoofed installers disguised as PDFs or viewers.
Execution | Native API | T1106 | Legitimate RATs execute using system APIs.
Persistence | External Remote Services | T1133 | RATs establish persistent remote access through tools like Splashtop and ScreenConnect.
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | RATs use HTTPS for C2 (e.g., via ports like 8041).
Command and Control | Ingress Tool Transfer | T1105 | Download and execution of RATs and follow-on payloads.
Exfiltration | Exfiltration Over C2 Channel | T1041 | RATs enable data exfiltration directly over HTTPS or via their own secure tunnels.

Source:

  • https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/
  • https://cofense.com/blog/new-weapon-of-choice-how-threat-actors-hijack-legitimate-remote-access-tools

Ampcus Cyber