SILENTCONNECT is a multi-stage loader that leverages VBScript, in-memory PowerShell execution, and PEB masquerading to silently deploy the ScreenConnect RMM tool.
www.elastic.co
Elastic Security Labs details SILENTCONNECT, a new loader that silently installs ScreenConnect via a multi-stage chain using Cloudflare/Google Drive hosting, LOLBins and NT native APIs to evade defenses and provide remote access.
Elastic Security Labs is observing malicious campaigns delivering a multi-stage infection involving a previously undocumented loader. The infection begins when users are diverted to a Cloudflare Turnstile CAPTCHA page under the guise of a digital invitation. After the link is clicked, a VBScript file is downloaded to the machine. Upon execution, the script retrieves C# source code, which is then compiled and executed in memory using PowerShell. The final payload observed in these campaigns is ScreenConnect, a remote monitoring and management (RMM) tool used to control victim machines.
This campaign highlights a common theme: attackers abusing living-off-the-land binaries (LOLBins) to facilitate execution, as well as using trusted hosting providers such as Google Drive and Cloudflare. While the loader is small and straightforward, it appears to be quite effective and has remained under the radar since March 2025.
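As an added example, not code from Elastic's report or its detection rules, the following Python flags the chain described above (a script host launching PowerShell that compiles C# source in memory) in a constructed set of process-creation events; the event schema, paths and command lines are assumptions chosen to illustrate the pattern.

```python
import ntpath
from collections import defaultdict

# Constructed sample process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\invitation.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c Add-Type -TypeDefinition $src"},
    # Windows PowerShell's Add-Type compiles through csc.exe, so a csc.exe child is a second signal.
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig /fullpaths @tmp.cmdline"},
    # Benign PowerShell with no script-host ancestor and no compilation: must not be flagged.
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
COMPILE_MARKERS = ("add-type", "csharpcodeprovider")


def _name(event):
    # ntpath handles Windows paths regardless of the host OS the detector runs on.
    return ntpath.basename(event["image"]).lower()


def find_script_compile_chains(events):
    """Return PIDs of powershell.exe processes that descend from a script host
    and compile code (Add-Type in the command line or a csc.exe child)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        if _name(e) != "powershell.exe":
            continue
        # Walk up the ancestry looking for wscript/cscript; guard against pid cycles.
        anc, seen, from_script_host = by_pid.get(e["ppid"]), set(), False
        while anc and anc["pid"] not in seen:
            seen.add(anc["pid"])
            if _name(anc) in SCRIPT_HOSTS:
                from_script_host = True
                break
            anc = by_pid.get(anc["ppid"])
        compiles = any(m in e["cmdline"].lower() for m in COMPILE_MARKERS) or \
            any(_name(c) == "csc.exe" for c in children[e["pid"]])
        if from_script_host and compiles:
            hits.append(e["pid"])
    return hits
```

Run over real telemetry, the same logic would be fed by Sysmon event ID 1 or an EDR's process-creation stream rather than the constructed list.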