2026-05-135 minhigh

From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect

Elastic Security Labs identified a new .NET loader dubbed SILENTCONNECT, which is distributed via phishing emails and Cloudflare Turnstile CAPTCHA pages. The loader utilizes living-off-the-land binaries, PEB masquerading, and UAC bypass techniques to silently install remote monitoring and management (RMM) tools like ScreenConnect for persistent access.

Sens:▲ 24hConf:highAnalyzed:2026-03-18reports

Authors: Elastic Security Labs

ActorsSILENTCONNECTConnectWise ScreenConnectSyncro RMM

PEB Masquerading ScreenConnect LOLBins SILENTCONNECT UAC Bypass

Source:Elastic Security Labs

IOCs · 4

domain
bumptobabeco[[.]]topScreenConnect C2 Server
sha256
8bab731ac2f7d015b81c2002f518fff06ea751a34a711907e80e98cf70b557dbSILENTCONNECT loader payload
url
hxxps://drive[.]google[[.]]com/uc?id=1ohZxxT-h7xWVgclB1kvpvwkF0AGWoUtq&export=downloadGoogle Drive URL hosting the C# payload
url
imansport[.]ir/download_invitee.phpPhishing redirect URL

Key Takeaways

SILENTCONNECT is a newly discovered .NET loader actively used in the wild to silently install ConnectWise ScreenConnect.
The infection chain leverages trusted hosting providers like Cloudflare R2 and Google Drive to bypass network controls.
The loader employs advanced evasion techniques including PEB masquerading, direct NT API calls, and UAC bypasses.
Attackers use PowerShell to add Windows Defender exclusions for executable files before downloading the final payload.

Affected Systems

Windows

Attack Chain

The attack begins with a phishing email containing a link that redirects the victim to a Cloudflare Turnstile CAPTCHA page. Upon solving the CAPTCHA, a VBScript is downloaded which uses PowerShell and curl.exe to fetch a C# payload from Google Drive. This C# code, dubbed SILENTCONNECT, is compiled and executed in memory, utilizing PEB masquerading and a UAC bypass to evade detection. Finally, SILENTCONNECT adds a Windows Defender exclusion and silently installs ConnectWise ScreenConnect to establish persistent command and control.

Detection Availability

YARA Rules: Yes
Sigma Rules: No
Snort/Suricata Rules: No
KQL Queries: Yes
Splunk SPL Queries: No
EQL Queries: Yes
Other Detection Logic: No
Platforms: Elastic Security, YARA

Elastic Security provides a YARA rule for detecting the SILENTCONNECT payload in memory or on disk, along with several Elastic detection rules (EQL/KQL) targeting the behavioral chain, such as curl.exe usage and UAC bypasses.

Detection Engineering Assessment

EDR Visibility: Medium — While the initial PowerShell and curl.exe commands are highly visible, the SILENTCONNECT loader uses direct NT API calls and PEB masquerading to hide its execution and module loads from user-land hooks. Network Visibility: Medium — Initial payload delivery uses trusted domains (Google Drive, Cloudflare R2), making network blocking difficult. However, the final ScreenConnect C2 traffic over TCP 8041 to an unrecognized domain is detectable. Detection Difficulty: Moderate — The heavy reliance on LOLBins and trusted infrastructure complicates detection, but the specific command-line arguments for Defender exclusions and silent MSI installations provide solid behavioral detection opportunities.

Required Log Sources

Process Creation (Event ID 4688 / Sysmon Event ID 1)
PowerShell Operational Logs (Event ID 4104)
Network Connections (Sysmon Event ID 3)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for powershell.exe executing curl.exe to download files from Google Drive or Cloudflare R2 into temporary directories like C:\Windows\Temp.	Process Creation	Execution	Low
Monitor for msiexec.exe being spawned by powershell.exe with silent install flags targeting files in temporary directories.	Process Creation	Execution	Low
Detect PowerShell scripts utilizing Add-MpPreference to exclude .exe files from Defender scanning.	PowerShell Operational	Defense Evasion	Low
Identify processes masquerading as winhlp32.exe but executing from unusual paths or exhibiting network connections to unknown domains over port 8041.	Process Creation / Network	Defense Evasion	Low

Control Gaps

Network filtering of trusted cloud providers
User-land API hooking bypass via direct NT API calls

Key Behavioral Indicators

PowerShell compiling C# code in memory via Add-Type
curl.exe downloading MSI files
Reversed strings in command lines (e.g., :wen!rotartsinimdA:noitavelE)

False Positive Assessment

Recommendations

Immediate Mitigation

Block the identified C2 domains and IP addresses at the firewall/proxy.
Search endpoint telemetry for the provided file hashes and command-line fragments.
Audit installed applications for unauthorized instances of ConnectWise ScreenConnect or Syncro RMM.

Infrastructure Hardening

Restrict the execution of LOLBins like curl.exe and msiexec.exe where not required for business operations.
Implement application control to block unauthorized RMM tools.

User Protection

Ensure Microsoft Defender Tamper Protection is enabled to prevent unauthorized exclusions.
Deploy EDR solutions configured to monitor for suspicious PowerShell execution and in-memory .NET assembly loads.

Security Awareness

Train users to recognize phishing emails and unexpected CAPTCHA prompts, especially those leading to file downloads.
Educate employees on the risks of executing scripts disguised as documents or invitations.

MITRE ATT&CK Mapping

T1059.001 - Command and Scripting Interpreter: PowerShell
T1562.001 - Impair Defenses: Disable or Modify Tools
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1219 - Remote Access Software
T1105 - Ingress Tool Transfer
T1027 - Obfuscated Files or Information

Additional IOCs

Domains:
- instance-lh1907-relay[.]screenconnect[[.]]com - ScreenConnect C2 Server
- solpru[[.]]com - Compromised domain hosting fake DocuSign portal
- imansport[[.]]ir - Attacker-controlled infrastructure for initial redirect
Urls:
- hxxps://bumptobabeco[[.]]top/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest - URL hosting the malicious ScreenConnect MSI installer
- solpru[.]com/process/docusign[.]html - Fake DocuSign portal URL
File Hashes:
- 281226ca0203537fa422b17102047dac314bc0c466ec71b2e6350d75f968f2a3 (SHA256) - E-INVITE.vbs
- adc1cf894cd35a7d7176ac5dab005bea55516bc9998d0c96223b6c0004723c37 (SHA256) - 2025Trans.vbs
- 81956d08c8efd2f0e29fd3962bcf9559c73b1591081f14a6297e226958c30d03 (SHA256) - FileR.txt (C# source code)
- c3d4361939d3f6cf2fe798fef68d4713141c48dce7dd29d3838a5d0c66aa29c7 (SHA256) - ScreenConnect.ClientSetup.msi
- 349e78de0fe66d1616890e835ede0d18580abe8830c549973d7df8a2a7ffdcec (SHA256) - ViewDocs.exe (Syncro Installer)
File Paths:
- C:\Windows\Temp\FileR.txt - Path where the downloaded C# source code is saved
- C:\Temp\ScreenConnect.ClientSetup.msi - Path where the ScreenConnect MSI is downloaded
- c:\windows\winhlp32.exe - Masqueraded PEB FullDllName used by SILENTCONNECT
Command Lines:
- Purpose: Download and compile C# payload in memory | Tools: powershell.exe, curl.exe | Stage: Execution
- Purpose: Add Windows Defender exclusion for .exe files | Tools: powershell.exe | Stage: Defense Evasion | -ExclusionExtension $s -Force;
- Purpose: Download and silently install ScreenConnect MSI | Tools: curl.exe, msiexec.exe | Stage: Payload Delivery | Start-Process msiexec.exe '/i C:\Temp\ScreenConnect.ClientSetup.msi'