AsyncRAT Abuses ScreenConnect to Steal Credentials, Crypto
Attackers turned a widely trusted remote management tool into a direct conduit for theft and surveillance, exploiting ConnectWise ScreenConnect to deliver AsyncRAT and harvest credentials and cryptocurrency artifacts. What started as a routine administrative capability — remote sessions, scripting, file transfer — became the pivot for a stealthy, fileless intrusion that leaves minimal forensic evidence and maximizes attacker control.
How the campaign worked
Researchers reporting on the campaign detailed an infection chain that began with an attacker establishing a legitimate ScreenConnect session. From that foothold, the adversary executed layered VBScript payloads that ran in memory rather than dropping on disk. Those scripts then fetched and launched AsyncRAT, a modular .NET remote access trojan known for keylogging, credential theft, command execution, and data exfiltration.
Several tactical choices made the operation effective and hard to detect:
– Initial access via legitimate tooling: By using ConnectWise ScreenConnect, attackers gained interactive, authenticated access that can bypass many endpoint protections tuned for detecting typical downloader binaries and suspicious network behavior.
– Fleshless, script-based loader: The use of in-memory VBScript chains reduced on-disk indicators and hindered signature-based detection, complicating traditional forensic analysis.
– Targeted data theft: AsyncRAT’s functions allowed attackers to harvest stored credentials, monitor user sessions, and search for cryptocurrency-related files and wallet data — a direct path to financial gain.
Why ConnectWise ScreenConnect is attractive to attackers
RMM platforms like ConnectWise ScreenConnect (also marketed as ConnectWise Control) are designed to provide administrators with broad control over endpoints: remote shell access, privileged scripting, file transfers, and live session interaction. Those capabilities are essential for efficient IT operations but also create high-value targets for misuse. A stolen or misused RMM credential effectively hands attackers the same administrative powers as legitimate operators, often without tripping the alarms that look for external exploit chains or suspicious installer binaries.
AsyncRAT itself is a prevalent commodity RAT, available on underground markets and adopted by both financially motivated criminals and threat actors pursuing espionage. Combined with an RMM-enabled access path, its modular capabilities become far more potent: credential harvests are immediate, exfiltration is streamlined, and the attacker can operate hands-on-keyboard with minimal friction.
Operational and defensive implications
For defenders, this campaign highlights several uncomfortable realities:
– Traditional endpoint defenses can be less effective when attackers operate through sanctioned tools and execute scripts entirely in memory.
– Organizations that rely on managed service providers extend their risk surface to include third-party access controls, vendor credential hygiene, and remote session practices.
– Detection needs to evolve beyond binary signatures to include richer telemetry, session logging, and behavior-focused heuristics.
Practical steps security teams should prioritize
– Harden RMM access: Enforce strong multi-factor authentication (preferably hardware-backed or phishing-resistant MFA), limit the number of accounts with remote admin privileges, and adopt just-in-time access models so elevated sessions exist only when needed.
– Monitor ConnectWise ScreenConnect sessions and scripts: Capture and retain remote session logs, keystrokes where lawful and appropriate, and script execution telemetry. Correlate these artifacts with EDR, network logs, and SIEMs to spot anomalous patterns.
– Adopt least-privilege and segmentation: Limit the scope of administrative access. Segment networks so a compromised admin session cannot easily reach critical infrastructure such as authentication servers, key management systems, or cryptocurrency custody solutions.
– Simulate RMM abuse in tabletop and red-team exercises: Test incident response playbooks against scenarios that involve fileless execution and in-memory loaders to identify detection gaps and response delays.
– Vendor and supply chain controls: Require MSPs and third parties to demonstrate strong credential hygiene, session recording, and timely incident reporting. Consider contractual minimums around logging and access controls.
Policy and vendor responsibilities
This incident also raises policy questions about baseline security standards for remote access tools. Regulators and industry bodies may increasingly demand minimum telemetry, audit capabilities, and secure-by-default configurations for RMM software to reduce supply chain risk. RMM vendors can respond by improving session auditing, adding stronger native scripting controls, and baking in post-compromise detection heuristics that surface suspicious in-memory activity.
Attackers’ calculus and scaling limitations
From the attacker perspective, abusing RMM platforms offers a high-reward, low-noise option compared with mass phishing or exploit campaigns. It reduces the attack chain complexity and accelerates monetization. However, dependence on stolen credentials or social-engineered access can limit scalability and increase operational risk; attackers must maintain stealth to avoid detection and remediation once spotted.
Conclusion
The misuse of ConnectWise ScreenConnect to deploy AsyncRAT is a concrete example of how legitimate administration tooling can be repurposed into a powerful instrument of cybercrime. Organizations must treat RMM access as a privileged attack vector: harden controls, increase telemetry and session monitoring, enforce least-privilege, and routinely test defenses against fileless and in-memory techniques. As defenders close one door, adversaries will keep innovating — often by turning trusted tools against their owners — so proactive controls and resilient response playbooks are essential to reduce this asymmetric threat.




