ConnectUnwise: Threat Actors Abuse ConnectWise as Builder for Signed Malware
Summary:
Since March 2025, a new wave of attacks tracked as "EvilConwi" has abused legitimate, validly signed ConnectWise (ScreenConnect) client builds to distribute malware. This follows an earlier spike in ConnectWise-related ransomware activity tied to CVE-2024-1708 and CVE-2024-1709 in February 2024. The current campaign does not exploit a code-execution vulnerability; it takes advantage of how ConnectWise builds its clients, which store the client's app.config settings inside the executable's Authenticode certificate table. Because the certificate table is excluded from the hash that the signature covers (a technique known as "Authenticode stuffing"), the embedded configuration can be rewritten while the vendor's signature stays valid. Attackers use this to craft seemingly legitimate installers, distributed through phishing emails and malicious websites advertising fake services such as AI image converters, that install a ConnectWise client under the attacker's control. The modified configuration disables user-facing indicators of remote access, such as the tray icon, connection balloons, or wallpaper changes, and often shows a fake Windows Update screen to keep users from interrupting the session. A significant concern is that security products largely failed, even as late as May 2025, to detect these maliciously configured ConnectWise samples, leading to widespread infections reported on public forums such as BleepingComputer[.]com and Reddit.
Security Officer Comments:
The "EvilConwi" campaign represents a concerning evolution in threat actor tactics and highlights a blind spot in current defenses. Rewriting the configuration of a validly signed binary through Authenticode stuffing defeats controls that treat a valid signature from a known vendor as evidence of benign behavior: hash-based antivirus signatures do not fire on what is otherwise an unmodified vendor build, and allowlisting by publisher certificate passes it outright. That these malicious ConnectWise samples largely evaded detection months after their initial appearance is a testament to the effectiveness of the technique.
Threat actors are demonstrating a sophisticated understanding of both social engineering and the software's signing design. Their use of phishing emails, redirect chains (OneDrive to Canva), and seemingly legitimate advertising on platforms such as Facebook to distribute the modified installers indicates a multi-pronged delivery strategy aimed at maximizing victim compromise. The deliberate modification of ConnectWise settings to suppress user-facing indicators and display deceptive screens shows a clear intent to remain stealthy and persistent during remote access operations. Certificate validation alone is no longer a sufficient control when the signed executable's embedded configuration can be rewritten without invalidating the signature; defenders should inspect that configuration directly and invest in end-user education so that users recognize lures like the ones used in this campaign.
Suggested Corrections:
IOCs are available in the G DATA report linked below.
G DATA recommends that fellow defenders disallow any ConnectWise sample in which several of the following app.config settings are set to false (setting names given in regex syntax):
- (Support|Access)?HideWallpaperOnConnect
- (Support|Access)?ShowBalloonOnHide
- (Support|Access)?ShowBalloonOnConnect
- (Support|Access)?ShowSystemTrayIcon
- (Support|Access)?ShowCloseDialogOnExit
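One way to operationalize this recommendation, as an added example that is not code from G DATA or ConnectWise: the script below locates the attribute certificate table through the PE security data directory, extracts .NET-style `<setting name="..."><value>...</value>` pairs from those bytes, and blocks a sample when at least two of the settings listed above are false. Assumptions, marked in the code: the embedded app.config uses the standard .NET applicationSettings layout, a threshold of two is a stand-in for G DATA's "several", and the synthetic PE builder and sample configuration are constructed fixtures for offline testing, not real ConnectWise artifacts.

```python
"""Triage ConnectWise/ScreenConnect client builds by reading the app.config that the
vendor embeds in the Authenticode certificate table (added example, not G DATA's code)."""
import re
import struct
from typing import Dict, List, Tuple

# Settings that G DATA lists as stealth indicators when set to false (regex syntax as given).
INDICATORS = [
    r"(Support|Access)?HideWallpaperOnConnect",
    r"(Support|Access)?ShowBalloonOnHide",
    r"(Support|Access)?ShowBalloonOnConnect",
    r"(Support|Access)?ShowSystemTrayIcon",
    r"(Support|Access)?ShowCloseDialogOnExit",
]
INDICATOR_RE = re.compile(r"^(?:" + "|".join(INDICATORS) + r")$")

# Assumed .NET applicationSettings layout: <setting name="X" ...><value>Y</value></setting>
SETTING_RE = re.compile(rb'<setting\s+name="([A-Za-z0-9_]+)"[^>]*>\s*<value>([^<]*)</value>')


def security_directory(pe: bytes) -> Tuple[int, int]:
    """Return (file offset, size) of the attribute certificate table, data directory #4.
    Unlike the other directories, its first field is a raw file offset rather than an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # data directories start later in PE32+ than PE32
    return struct.unpack_from("<II", pe, dirs + 4 * 8)


def extract_settings(blob: bytes) -> Dict[str, str]:
    """Pull every <setting name=...><value>...</value> pair out of raw bytes."""
    return {m.group(1).decode(): m.group(2).decode().strip()
            for m in SETTING_RE.finditer(blob)}


def stealth_indicators(settings: Dict[str, str]) -> List[str]:
    """Names of G DATA's indicator settings that this configuration sets to false."""
    return sorted(name for name, value in settings.items()
                  if INDICATOR_RE.match(name) and value.lower() == "false")


def triage(pe: bytes, threshold: int = 2) -> Tuple[str, List[str]]:
    """Verdict for one PE image. threshold=2 is an assumed reading of G DATA's "several"."""
    offset, size = security_directory(pe)
    if size == 0:
        return "unsigned", []                      # no certificate table, nothing to stuff
    hits = stealth_indicators(extract_settings(pe[offset:offset + size]))
    return ("block" if len(hits) >= threshold else "allow"), hits


# Constructed sample config (not from a real sample): three indicators false, one true.
SAMPLE_CONFIG = b"""<?xml version="1.0"?><configuration><applicationSettings>
<ScreenConnect.ClientSettings>
 <setting name="ShowSystemTrayIcon" serializeAs="String"><value>False</value></setting>
 <setting name="AccessShowBalloonOnConnect" serializeAs="String"><value>False</value></setting>
 <setting name="SupportHideWallpaperOnConnect" serializeAs="String"><value>False</value></setting>
 <setting name="ShowCloseDialogOnExit" serializeAs="String"><value>True</value></setting>
 <setting name="SessionUri" serializeAs="String"><value>https://example.invalid/</value></setting>
</ScreenConnect.ClientSettings></applicationSettings></configuration>"""


def build_synthetic_pe(config_xml: bytes) -> bytes:
    """Constructed fixture: a minimal PE32+ image whose certificate table carries config_xml.
    Only the fields security_directory() reads are meaningful; it is not a loadable binary."""
    headers_len = 0x200
    wc_len = 8 + len(config_xml)                   # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType
    pe = bytearray(headers_len)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)         # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x84, 0x8664, 1)   # COFF header: AMD64, one section
    opt = 0x84 + 20
    struct.pack_into("<H", pe, opt, 0x20B)         # PE32+ magic
    struct.pack_into("<II", pe, opt + 112 + 4 * 8, headers_len, wc_len)
    pe += struct.pack("<IHH", wc_len, 0x0200, 0x0002) + config_xml   # revision 2.0, PKCS#7
    return bytes(pe)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_synthetic_pe(SAMPLE_CONFIG)
    print(triage(data))
```

Run it against a real file with `python triage.py sample.exe`; without an argument it triages the constructed fixture. The check reads the certificate table rather than trusting the signer because that region is exactly what the Authenticode hash skips, so a valid signature says nothing about the bytes in it. If a future build stores the configuration elsewhere in the file, widen `extract_settings` to scan the whole image instead of only the table.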
Link(s):
https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware