Rogue ScreenConnect: Common Social Engineering Tactics Seen in 2025
Jan. 2, 2026, 11:01 a.m.
Description
In 2025, there was a significant increase in rogue ScreenConnect installations, part of a broader trend of threat actors abusing remote monitoring and management tools (RMMs). These tools were used to gain access, blend in, move laterally, and maintain persistence in target systems. Attackers employed various social engineering tactics to trick employees into downloading malicious RMMs. Common lures included fake Social Security statements, invitations, and financial documents. The Huntress Security Operations Center identified recurring patterns in lures, domains, and file hashes associated with these attacks. Some campaigns showed signs of targeting specific industries, such as accounting firms. The article provides detailed examples of attack patterns, top malicious domains, and file hashes observed throughout the year.
Date
- Created: Dec. 31, 2025, 6:03 p.m.
- Published: Dec. 31, 2025, 6:03 p.m.
- Modified: Jan. 2, 2026, 11:01 a.m.
Indicators
Additional Information
- Accounting
- Finance
- Retail
- Insurance
- Real Estate