Threat Actors Abuse ConnectWise Configuration to Build a Signed Malware

Parkinsond
Dec 6, 2023
A sophisticated malware campaign has emerged that exploits legitimate ConnectWise remote access software to create validly signed malicious applications, representing a significant evolution in cybercriminal tactics.

The campaign primarily spreads through phishing emails containing OneDrive links that redirect victims to deceptive Canva pages with “View PDF” buttons, ultimately downloading malicious ConnectWise installers.

These attacks have been particularly effective because most antivirus products fail to detect the maliciously configured ConnectWise samples as malware, even as late as May 2025.

Victims report experiencing fake Windows update screens and unauthorized mouse movements, indicating active remote connections established by attackers.

The researchers discovered that threat actors are leveraging a technique called “Authenticode stuffing” to embed malicious configurations within the certificate structure of legitimate ConnectWise installers, allowing them to modify application behavior without invalidating the digital signature.

The malware disguises itself as various legitimate applications, including AI-based image converters, Zoom installers, Microsoft Excel setup files, and Adobe updates.

The problem was initiated by the vendor of the ConnectWise application. Although it is a legitimate application, it uses Authenticode stuffing in a dangerous way:

Vendor practices and end-user risk

Although authenticode stuffing is common practice, ConnectWise’s decision to influence critical behavior and its user interface with unauthenticated attributes is clearly dangerous. It entices threat actors to build their own remote access malware with custom icons, background images and text, that is signed by a trusted company.

This is the risk of signed malware samples that you previously warned about.

We talked about “Authenticode stuffing” two years ago on MT, for example:

The malware noted in the OP is rare because most vendors avoid using “Authenticode stuffing” that could affect critical behavior of the application.