Fake party invitations that covertly install remote access software on Windows computers are part of a recent phishing campaign. Threat actors can take total control of victim systems by using social engineering to deliver ScreenConnect, a genuine remote support tool.
A friend's seemingly innocuous invitation turns into a significant security breach that allows hackers unrestricted access to private files, login credentials, and sensitive information. The campaign starts with emails that appear to be invitations to informal parties from reliable contacts. Because they frequently originate from hacked email accounts, these messages seem real and recognizable. Recipients are encouraged to click without hesitation because of the casual tone and social context, which reduce suspicion.
[Figure: Invitation to a malicious party (Source: Malwarebytes)]

Although there are no technical obstacles preventing its spread to other areas, Malwarebytes researchers discovered that this campaign primarily targets users in the United Kingdom. Upon clicking the email's link, victims are taken to a meticulously designed webpage that imitates an actual invitation to an event. "You're Invited!" is the bold headline that appears on the page, along with messages indicating that the invitation was sent by a friend and that it should be viewed on a Windows device. While social proof statements like "I opened mine and it was so easy!" encourage users to execute the file, a countdown timer creates urgency by showing that the invitation is already downloading. A file called RSVPPartyInvitationCard.msi is automatically downloaded by the browser in a matter of seconds.
The downloaded MSI file is not an invitation but an installer: it launches Windows Installer (msiexec.exe), which silently installs ScreenConnect Client on the victim's computer. It is difficult for victims to understand what is happening because the installation takes place without obvious user-facing notifications, according to Malwarebytes analysts.

[Figure: MSI download is prompted by a malicious landing page (Source: Malwarebytes)]
The installation creates a persistent Windows service with random characters in its name, like ScreenConnect Client 18d1648b87bb3023, and installs ScreenConnect binaries under C:\Program Files (x86)\ScreenConnect Client.

How the Remote Access Tool Gains Control

Once installed, ScreenConnect uses a specially designated instance domain to establish encrypted HTTPS connections to ScreenConnect relay servers.
Attackers can view the victim's screen in real time, control the mouse and keyboard, upload or download files, and keep access even after the system restarts thanks to this connection, which gives them the same capabilities as a remote IT technician. Traditional security tools might not identify ScreenConnect as malicious because it is a legitimate program that is frequently used for remote support. Behavioral abnormalities like inexplicable cursor movements, windows opening without user input, or strange background processes that victims do not recall installing are frequently the first indications of compromise.
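Because the tool itself is legitimate, detection has to rest on how it arrived. The following added example (not code from Malwarebytes or from this article) correlates an msiexec.exe run of a user-downloaded MSI with the ScreenConnect service install described above. The event records, their field names, the `approved_suffixes` allow-list and the 10-minute window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Service name and install path as reported in the article; the optional
# parentheses around the hex suffix are an assumption.
SERVICE_RE = re.compile(r"^ScreenConnect Client \(?([0-9a-f]{16})\)?$", re.I)
INSTALL_DIR = r"c:\program files (x86)\screenconnect client"
# Assumption: an MSI run from a user's Downloads or Temp folder is suspect.
USER_MSI_RE = re.compile(r'\\(downloads|temp)\\[^"]*\.msi', re.I)

def find_suspect_installs(events, approved_suffixes=(), window_minutes=10):
    """Flag ScreenConnect service installs; severity is high when one follows
    msiexec running a user-downloaded MSI on the same host within the window."""
    window = timedelta(minutes=window_minutes)
    approved = {s.lower() for s in approved_suffixes}
    msi_runs, findings = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "process":
            if (ev["image"].lower().endswith("\\msiexec.exe")
                    and USER_MSI_RE.search(ev["command_line"])):
                msi_runs.append(ev)
        elif ev["type"] == "service_install":
            m = SERVICE_RE.match(ev["service_name"])
            in_dir = ev["image_path"].lower().strip('"').startswith(INSTALL_DIR)
            if not (m and in_dir) or m.group(1).lower() in approved:
                continue  # not ScreenConnect, or a deployment IT has approved
            trigger = next((r for r in reversed(msi_runs)
                            if r["host"] == ev["host"]
                            and ev["time"] - r["time"] <= window), None)
            findings.append({"host": ev["host"], "service": ev["service_name"],
                             "severity": "high" if trigger else "medium",
                             "msi": trigger["command_line"] if trigger else None})
    return findings

T0 = datetime(2026, 1, 15, 9, 30)  # constructed timestamp
SAMPLE_EVENTS = [  # constructed records, simplified to the fields used above
    {"type": "process", "host": "PC-01", "time": T0,
     "image": r"C:\Windows\System32\msiexec.exe", "command_line":
     r'msiexec.exe /i "C:\Users\amy\Downloads\RSVPPartyInvitationCard.msi"'},
    {"type": "service_install", "host": "PC-01", "time": T0 + timedelta(seconds=40),
     "service_name": "ScreenConnect Client 18d1648b87bb3023", "image_path":
     r'"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"'},
    {"type": "service_install", "host": "PC-02", "time": T0,
     "service_name": "ScreenConnect Client 0123456789abcdef", "image_path":
     r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
]

if __name__ == "__main__":
    for finding in find_suspect_installs(SAMPLE_EVENTS):
        print(finding)
```

In an environment that uses ScreenConnect for real support work, passing the organisation's own service suffixes as `approved_suffixes` leaves only unexpected installs in the results.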