ConnectUnwise: How Threat Actors Abuse the ConnectWise Installer as a Builder for Signed Malware

In March 2025, we noticed and started tracking an unusually high number of ConnectWise-based malware samples. ConnectWise is a remote desktop application usually used by tech support to provide remote assistance. This new malware campaign weaponized trust in an unexpected way: by delivering validly signed ConnectWise ScreenConnect installers repurposed as remote access malware. These binaries were distributed via phishing emails, cloud platforms or AI-related websites. The samples passed traditional signature-based AV checks and appeared benign, all while handing attackers control of the victim’s desktop, either with no visible warnings such as tray icons or prompts, or behind fake Windows update messages and application icons.

A technique known as Authenticode stuffing made this campaign possible. Custom ConnectWise configuration data, such as command-and-control server addresses, user messages, background images or UI suppression flags, is embedded into the installer’s certificate table, a section not covered by Authenticode’s hash. This allows threat actors to build their own remote access malware while retaining ConnectWise’s valid Authenticode signature.

Our analysis compared different variations of ConnectWise samples and revealed that the only differences between the binaries were within the certificate data. Using tools such as PortexAnalyzer and Authenticode Lint, we extracted this data, reverse engineered its structure and wrote a config extractor. To detect abused ConnectWise installers, we created YARA rules that search for suspicious configuration strings (such as those controlling UI elements).
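The two paragraphs above describe where stuffed configuration lives (after the PKCS#7 blob inside the certificate table, outside the Authenticode hash) and how detection keys on the strings found there. The following added example, written for this abstract and not code from the talk or from ConnectWise, parses a certificate table entry, measures the DER-encoded SignedData to find unsigned trailing bytes, and scans them for marker strings. All byte values, the config keys and the marker list are constructed placeholders.

```python
import struct

# WIN_CERTIFICATE header of a PE security-directory entry: dwLength, wRevision, wCertificateType
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def der_sequence_length(buf):
    """Encoded size (tag + length bytes + value) of the DER SEQUENCE at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("expected DER SEQUENCE (PKCS#7 SignedData)")
    first = buf[1]
    if first < 0x80:                 # short form: one length byte
        return 2 + first
    n = first & 0x7F                 # long form: n big-endian length bytes follow
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def analyze_cert_table(table):
    """Walk the certificate table and report bytes that follow the signed DER blob."""
    findings, off = [], 0
    while off + WIN_CERT_HEADER.size <= len(table):
        dw_length, _rev, cert_type = WIN_CERT_HEADER.unpack_from(table, off)
        if dw_length < WIN_CERT_HEADER.size or off + dw_length > len(table):
            raise ValueError("malformed WIN_CERTIFICATE entry")
        cert = table[off + WIN_CERT_HEADER.size:off + dw_length]
        sig_len = der_sequence_length(cert) if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA else len(cert)
        trailing = cert[sig_len:]
        # Up to 7 zero bytes of alignment padding are normal; anything else is unsigned
        # data that the Authenticode hash never covers, i.e. a stuffing candidate.
        padding_only = len(trailing) < 8 and trailing == b"\x00" * len(trailing)
        findings.append({"signature_len": sig_len, "trailing": trailing, "stuffed": not padding_only})
        off += (dw_length + 7) & ~7  # entries are 8-byte aligned
    return findings

def find_markers(data, markers):
    """Return the config strings (the YARA-style markers) found in the trailing data."""
    return [m for m in markers if m in data]

def build_table(cert_bytes):
    """Wrap bytes in one WIN_CERTIFICATE entry, padded to 8 bytes (constructed test data)."""
    hdr = WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(cert_bytes), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    body = hdr + cert_bytes
    return body + b"\x00" * (-len(body) % 8)

# Constructed stand-ins, not real signature or ConnectWise bytes: a 35-byte DER SEQUENCE
# plus a placeholder config blob whose keys are invented for this example.
FAKE_SIGNED_DATA = b"\x30\x81\x20" + b"\xAA" * 32
FAKE_CONFIG = b"server=c2.example.invalid&hide_ui=1&message=Windows%20Update"
MARKERS = [b"hide_ui=", b"server="]
CLEAN_TABLE = build_table(FAKE_SIGNED_DATA + b"\x00" * 5)     # padding counted in dwLength
STUFFED_TABLE = build_table(FAKE_SIGNED_DATA + FAKE_CONFIG)
```

On a real binary, the table to pass in is the blob at the PE security directory (data directory entry 4); the assumption that the DER SEQUENCE length reflects the signed region is what makes stuffed bytes visible without verifying the signature itself.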

While the Certificate Authority has revoked the abused certificate as of June 2025, numerous variations of the malware remain in circulation using similar techniques. In this talk, we will present how we managed to detect this unusual form of malware, with the hope of shifting the balance of power between cyber threats and defense.

Lance Jansen Caoile Go – GData AV Lab Inc

Lance Go is a cybersecurity professional with 3 years of experience in the field. He mainly focuses on malware research and is always on the lookout for new and interesting threats. Throughout his career, he has sought out opportunities to learn from more experienced professionals to continuously refine and improve his own workflow. He is currently pursuing a Master’s Degree in Computer Science at the University of the Philippines Diliman, where his thesis focuses on image-based malware analysis. Outside of academics and work, Lance enjoys a variety of hobbies including freediving, flying drones, playing badminton, and building automations. His friendly and inquisitive nature allows him to meet people from diverse backgrounds and learn skills across a wide range of fields.

Karsten Hahn – GData Cyberdefense AG

Karsten Hahn has a Master’s Degree in Computer Science from HTWK Leipzig. His master’s thesis on static Portable Executable analysis won the FBTI Award in 2015, which is endowed with 1000 Euro. He has worked for GDATA CyberDefense AG since 2015. He started as a Malware Analyst and moved to a Lead Engineer position in 2022, where he was responsible for protection engineering of GDATA’s new MEDR product. He became Principal Malware Researcher in 2024 and is now responsible for threat research, blog article writing and internal trainings.