In-Memory Loader Drops ScreenConnect

    Date: 04/10/2026

    Severity: Medium

    Summary

    A malware campaign used a fake Adobe Acrobat Reader download to trick users into installing the legitimate ScreenConnect remote access tool for malicious purposes. The attack chain relies on heavy obfuscation and fileless techniques, including VBScript loaders, .NET reflection, and in-memory execution, to evade detection. It also abuses COM objects to bypass UAC and manipulates process attributes to blend with legitimate activity, enabling stealthy persistence and remote access while minimizing forensic traces.

    Indicators of Compromise (IOC) List

    Domains/Urls

    eshareflies.im/ad/

    https://x0.at/qOfN.msi

    drive.google.com/uc?id=1TVJir-OlNZrLjm5FyBMk_hDjG9BV1zCy&export=downloadcccccdcjeegrekhllfijllutvbrrcifehuenfirtelit

    drive.google.com/uc?id=1pyyQRpUmH0YtPG-VqvMNzKUo9i8-RZ7L&export=download

    drive.google.com/uc?id=1xuJR29UP5VcY6Nvwc7TDtt7fmcGGqIVc&export=download

    Hash

    E4B594A18FC2A6EE164A76BDEA980BC0

    07720d8220abc066b6fdb2c187ae58f5

    c36910c4c8d23ec93f6ae7d7a2496ce5

    3EFFADB977EDDD4C48C7850C8DC03B13

    07F95FF34FB330875D80AFADCA3F0D5B

    A7E5DBEC37C8F431D175DFD9352DB59F

    C02448E016B2568173DE3EEDADD80149

    3D389886E95F00FADE1EEA67A6C370D1

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://x0.at/qOfN.msi" or url like "https://x0.at/qOfN.msi" or siteurl like "https://x0.at/qOfN.msi" or domainname like "eshareflies.im/ad/" or siteurl like "eshareflies.im/ad/" or domainname like "https://drive.google.com/uc?id=1TVJir-OlNZrLjm5FyBMk_hDjG9BV1zCy&export=downloadcccccdcjeegrekhllfijllutvbrrcifehuenfirtelit" or siteurl like "https://drive.google.com/uc?id=1TVJir-OlNZrLjm5FyBMk_hDjG9BV1zCy&export=downloadcccccdcjeegrekhllfijllutvbrrcifehuenfirtelit" or url like "https://drive.google.com/uc?id=1TVJir-OlNZrLjm5FyBMk_hDjG9BV1zCy&export=downloadcccccdcjeegrekhllfijllutvbrrcifehuenfirtelit" or domainname like "https://drive.google.com/uc?id=1pyyQRpUmH0YtPG-VqvMNzKUo9i8-RZ7L&export=download" or siteurl like "https://drive.google.com/uc?id=1pyyQRpUmH0YtPG-VqvMNzKUo9i8-RZ7L&export=download" or url like "https://drive.google.com/uc?id=1pyyQRpUmH0YtPG-VqvMNzKUo9i8-RZ7L&export=download" or domainname like "https://drive.google.com/uc?id=1xuJR29UP5VcY6Nvwc7TDtt7fmcGGqIVc&export=download" or siteurl like "https://drive.google.com/uc?id=1xuJR29UP5VcY6Nvwc7TDtt7fmcGGqIVc&export=download" or url like "https://drive.google.com/uc?id=1xuJR29UP5VcY6Nvwc7TDtt7fmcGGqIVc&export=download"

    Detection Query 2:

    md5hash IN ("c36910c4c8d23ec93f6ae7d7a2496ce5","A7E5DBEC37C8F431D175DFD9352DB59F","3D389886E95F00FADE1EEA67A6C370D1","07F95FF34FB330875D80AFADCA3F0D5B","07720d8220abc066b6fdb2c187ae58f5","E4B594A18FC2A6EE164A76BDEA980BC0","3EFFADB977EDDD4C48C7850C8DC03B13","C02448E016B2568173DE3EEDADD80149")
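    The two queries above match literal strings: Query 1 compares the domainname field against full URLs (a bare host such as eshareflies.im in a DNS or proxy log would not match), and the IN list in Query 2 mixes upper- and lower-case hashes, which a case-sensitive comparison will miss. The Python below is an added example, not part of this advisory and not Gurucul TDIR code: it takes the IOC list from this page, normalizes scheme, host case and hash case, and runs both detections over constructed log records. The field names follow the queries above; treating drive.google.com as a shared host that is matched only by full URL (never by host alone) is an assumption made here to avoid alerting on every Google Drive download.

```python
"""IOC matcher for the ScreenConnect loader campaign described above.

Added example, not the advisory's or Gurucul's own code. Field names
(url, siteurl, domainname, md5hash) follow the page's detection queries;
the sample records at the bottom are constructed, not real telemetry.
"""
from urllib.parse import urlsplit

# IOCs copied from the list on this page.
IOC_URLS = [
    "eshareflies.im/ad/",
    "https://x0.at/qOfN.msi",
    "drive.google.com/uc?id=1TVJir-OlNZrLjm5FyBMk_hDjG9BV1zCy&export=downloadcccccdcjeegrekhllfijllutvbrrcifehuenfirtelit",
    "drive.google.com/uc?id=1pyyQRpUmH0YtPG-VqvMNzKUo9i8-RZ7L&export=download",
    "drive.google.com/uc?id=1xuJR29UP5VcY6Nvwc7TDtt7fmcGGqIVc&export=download",
]
IOC_MD5 = [
    "E4B594A18FC2A6EE164A76BDEA980BC0", "07720d8220abc066b6fdb2c187ae58f5",
    "c36910c4c8d23ec93f6ae7d7a2496ce5", "3EFFADB977EDDD4C48C7850C8DC03B13",
    "07F95FF34FB330875D80AFADCA3F0D5B", "A7E5DBEC37C8F431D175DFD9352DB59F",
    "C02448E016B2568173DE3EEDADD80149", "3D389886E95F00FADE1EEA67A6C370D1",
]

# Assumption for this example: hosts shared by much legitimate traffic are
# matched only on the full URL, never on the host alone.
SHARED_HOSTS = {"drive.google.com"}


def split_url(value):
    """Return (host, path+query) for a URL or bare host, scheme optional.
    Host is lowercased (DNS is case-insensitive); path/query are kept as-is."""
    text = value.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host, path


def normalize_url(value):
    """Scheme-less, host-lowercased form used for exact URL comparison."""
    host, path = split_url(value)
    return host + path


IOC_URLS_NORM = {normalize_url(u) for u in IOC_URLS}
IOC_HOSTS = {split_url(u)[0] for u in IOC_URLS} - SHARED_HOSTS
IOC_MD5_NORM = {h.strip().lower() for h in IOC_MD5}
URL_FIELDS = ("url", "siteurl", "domainname")


def match_record(record):
    """Return sorted reasons why a log record matches the IOC set ([] if none)."""
    reasons = set()
    md5 = record.get("md5hash")
    if md5 and md5.strip().lower() in IOC_MD5_NORM:
        reasons.add("md5hash")
    for field in URL_FIELDS:
        value = record.get(field)
        if not value:
            continue
        host, _ = split_url(value)
        if not host:
            continue
        if normalize_url(value) in IOC_URLS_NORM:
            reasons.add("url")
        elif host in IOC_HOSTS:
            reasons.add("host")
    return sorted(reasons)


def scan(records):
    """Run match_record over a list of records; return [(index, reasons), ...]."""
    hits = []
    for i, rec in enumerate(records):
        reasons = match_record(rec)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"url": "HTTPS://X0.AT/qOfN.msi"},                      # IOC URL, odd casing
    {"domainname": "eshareflies.im"},                       # bare host only
    {"md5hash": "e4b594a18fc2a6ee164a76bdea980bc0"},        # IOC hash, lower case
    {"url": "https://drive.google.com/uc?id=0000000000000000000000000000000&export=download"},
    {"url": "https://www.example.com/index.html"},          # benign
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {SAMPLE_RECORDS[idx]} -> {', '.join(reasons)}")
```

    Records 0 to 2 alert (exact URL, host, hash); the two Google Drive and example.com records do not. Host-level matching on the drive.google.com IOCs is deliberately excluded because the file id, not the host, is what distinguishes the malicious download.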

    Reference:

    https://www.zscaler.com/blogs/security-research/memory-loader-drops-screenconnect#introduction


    Tags

    Malware, ScreenConnect, Obfuscation
