Screensaver phishing installs remote access tools covertly
ReliaQuest has identified a spearphishing campaign that uses Windows screensaver files to install a legitimate remote monitoring and management (RMM) tool, giving attackers interactive control of compromised machines.
ReliaQuest observed the activity across multiple customers. The campaign uses business-themed lures and a file type that many users, and some security controls, do not treat as executable.
How it works
The attack starts with a targeted email containing a link to a cloud storage service. The link directs the recipient to a download page hosted outside the victim's organisation.
The downloaded payload is a Windows ".scr" file. Attackers disguise it as a routine business document with filenames such as "InvoiceDetails.scr" or "ProjectSummary.scr". In Windows, .scr files are ordinary executables (PE files carrying a different extension) that run on double-click, even though they are commonly associated with screensavers.
The campaign stood out because ReliaQuest had not previously seen business-themed lures used to persuade users to download a .scr file that then deploys an RMM tool. It described the approach as effective because the file format and surrounding context can appear routine.
In the cases reviewed, a single click on the downloaded .scr file triggered installation of an RMM agent with little or no visible indication to the user. Installation artefacts appeared under C:\ProgramData\JWrapper-Remote Access\, which ReliaQuest treated as a sign of unauthorised deployment.
Once installed, the tool provided persistent access that could survive reboots and user logoffs. It also offered a remote-control interface that can blend into environments where remote support tools are common.
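The point above that .scr is an executable in disguise is the one a download-folder check can act on. The following is an added example, not code from the ReliaQuest report or this article: it writes a few constructed sample files (a stub PE carrying the campaign's lure name, the same stub behind a document extension, a genuine-looking PDF header, and a double-extension name) into a temporary folder and classifies each by extension and by content. The extension list, file names and the stub PE bytes are assumptions for the demo.

```python
"""Flag downloaded files that are Windows executables regardless of what their name says."""
import os
import struct
import tempfile

# Extensions Windows runs directly on double-click. .scr is the one this campaign used.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl"}

# Smallest byte string that satisfies is_pe(): a DOS header whose e_lfanew field
# (offset 0x3C) points at a "PE\0\0" signature. Constructed for the demo; not a program.
STUB_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"

# Constructed samples: filename -> content.
SAMPLES = {
    "InvoiceDetails.scr": STUB_PE,   # lure name from the campaign, executable content
    "ProjectSummary.pdf": STUB_PE,   # executable content behind a document extension
    "Q3-report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",  # genuine-looking PDF header
    "Invoice.pdf.scr": STUB_PE,      # double extension; Explorer hides the last one by default
}


def is_pe(path):
    """True if the file has an MZ DOS header and a valid PE signature at e_lfanew."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        f.seek(e_lfanew)
        return f.read(4) == b"PE\x00\x00"


def classify(path):
    """Return the reasons a downloaded file deserves scrutiny (empty list means none found)."""
    root, ext = os.path.splitext(os.path.basename(path))
    ext = ext.lower()
    findings = []
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable-extension")
    if is_pe(path) and ext not in EXECUTABLE_EXTENSIONS:
        # The content check is what survives a rename: a PE behind a document
        # extension passes controls that key only on the extension.
        findings.append("pe-content-non-executable-extension")
    if os.path.splitext(root)[1]:
        findings.append("double-extension")
    return findings


def scan_directory(directory):
    """Classify every regular file in a folder (for instance a user's Downloads)."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = classify(path)
    return results


def demo():
    """Write the constructed samples to a temporary folder and scan it."""
    directory = tempfile.mkdtemp(prefix="scr-demo-")
    for name, content in SAMPLES.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(content)
    return scan_directory(directory)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:22} {', '.join(findings) or 'clean'}")
```

Run it as a script to see the four verdicts. The extension rule catches the campaign as reported; the content rule catches the obvious next move, a PE handed out under a document extension and renamed later, which an extension-only mail or proxy filter would pass.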
Trusted services
The campaign relies on third-party services to reduce dependence on attacker-owned infrastructure. This can slow takedown efforts and complicate containment when defenders must work with external platforms.
ReliaQuest said the delivery chain sought to evade reputation-based controls by hiding behind trusted services, making early activity appear to be normal business processes and IT administration.
In the examples investigated, compromised hosts initiated outbound connections, including attempts to reach external servers unrelated to sanctioned RMM use. ReliaQuest treated this as a sign of unauthorised remote-access activity.
In observed incidents, attackers used GoFile for file hosting and SimpleHelp as a remote access tool. However, ReliaQuest noted that the technique is not tied to any specific tool; other cloud storage services and remote access products can be used in the same playbook.
Attribution remains unconfirmed. ReliaQuest described the method as repeatable and easy to adapt, noting that attackers can rotate both the hosting provider and the RMM tooling without disrupting the overall chain.
Ransomware risk
Legitimate RMM tools are widely used by IT teams and managed service providers. They often support unattended access, elevated privileges, and encrypted communications, characteristics that can be valuable to attackers when the tools are installed outside governance.
ReliaQuest said the activity can blend into normal IT operations and avoid "classic malware" signals, giving attackers time to pursue follow-on actions, including credential theft, data exfiltration, and ransomware deployment.
ReliaQuest said the campaign fits a broader pattern of threat actors using overlooked executable formats for initial code execution and then relying on remote access for continued control. It cited prior examples, including a case reported by the US Cybersecurity and Infrastructure Security Agency involving DragonForce, in which attackers leveraged remote access as part of a ransomware chain.
ReliaQuest also reported other campaigns that used screensaver files as droppers for remote access tools, including incidents in which .scr files were disguised as financial documents.
Defensive focus
The campaign highlights gaps in controls over executable file types, access to consumer file-hosting services, and the installation and use of remote support tools. ReliaQuest recommended treating .scr files as untrusted executables and blocking their execution from user-writable locations such as Downloads, Desktop, and temporary folders (AppLocker or Windows Defender Application Control path rules can enforce this).
It also recommended tighter governance of RMM tools through allowlists, plus alerting on first-time or unexpected agent-installation signals. Defenders should watch for new services, scheduled tasks, and new directories under ProgramData that appear after a user executes a downloaded file.
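The installation signals listed here, together with the unsanctioned outbound connections described under "Trusted services", can be tied back to the initial .scr launch by following the process tree. The following is an added example, not part of the ReliaQuest report or this article: it correlates constructed Sysmon-style records (EID 1 process create, EID 11 file create, EID 3 network connect) and a System-log 7045 service install, in the order the chain described above would produce them. Host names, PIDs, the sanctioned-RMM allowlist and the 10-minute window are assumptions for the demo.

```python
"""Correlate endpoint events around a .scr launched from a user-writable folder."""
from datetime import datetime, timedelta

USER_WRITABLE = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\")
PROGRAMDATA = "c:\\programdata\\"
# Assumption: the one RMM agent IT has sanctioned and the only host it may reach.
SANCTIONED_RMM_IMAGES = {"c:\\program files\\corprmm\\agent.exe"}
SANCTIONED_RMM_HOSTS = {"rmm.corp.example"}


def T(minute, second=0):
    """Timestamp helper for the constructed records."""
    return datetime(2025, 1, 15, 9, minute, second)


AGENT = r"C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access.exe"
LURE = r"C:\Users\alice\Downloads\InvoiceDetails.scr"

EVENTS = [  # constructed records, already in time order
    {"ts": T(0, 0), "eid": 1, "pid": 4120, "ppid": 3000, "image": LURE},
    {"ts": T(0, 5), "eid": 11, "pid": 4120, "target": AGENT},
    {"ts": T(0, 6), "eid": 1, "pid": 4130, "ppid": 4120, "image": AGENT},
    {"ts": T(0, 9), "eid": 7045, "service": "Remote Access", "image": AGENT},
    {"ts": T(1, 0), "eid": 3, "pid": 4130, "image": AGENT, "dest": "203.0.113.45", "dport": 443},
    {"ts": T(2, 0), "eid": 3, "pid": 2200, "image": r"C:\Program Files\CorpRMM\agent.exe",
     "dest": "rmm.corp.example", "dport": 443},
    {"ts": T(5, 0), "eid": 1, "pid": 5000, "ppid": 3000, "image": r"C:\Windows\System32\notepad.exe"},
]


def correlate(events, window=timedelta(minutes=10)):
    """Return (rule, pid, detail) tuples, in event order, for the suspicious chain."""
    alerts = []
    roots = []    # timestamps of .scr launches from user-writable paths
    tree = set()  # PIDs of those launches and everything they spawned

    def recent(ts):
        return any(timedelta(0) <= ts - t0 <= window for t0 in roots)

    for ev in sorted(events, key=lambda e: e["ts"]):
        image = ev.get("image", "").lower()
        eid = ev["eid"]
        if eid == 1:
            if image.endswith(".scr") and any(d in image for d in USER_WRITABLE):
                roots.append(ev["ts"])
                tree.add(ev["pid"])
                alerts.append(("scr-exec-from-user-writable", ev["pid"], ev["image"]))
            elif ev["ppid"] in tree:
                tree.add(ev["pid"])  # follow the process tree, e.g. the dropped agent
        elif eid == 11 and ev["pid"] in tree and ev["target"].lower().startswith(PROGRAMDATA):
            alerts.append(("programdata-write-after-scr", ev["pid"], ev["target"]))
        elif eid == 7045 and image.startswith(PROGRAMDATA) and recent(ev["ts"]):
            alerts.append(("service-install-after-scr", None, ev["service"]))
        elif eid == 3:
            unsanctioned = (image not in SANCTIONED_RMM_IMAGES
                            or ev["dest"] not in SANCTIONED_RMM_HOSTS)
            # Egress from the .scr's process tree, or from a ProgramData-resident
            # agent that is not the sanctioned one talking to the sanctioned host.
            if ev["pid"] in tree or (image.startswith(PROGRAMDATA) and unsanctioned):
                alerts.append(("unsanctioned-remote-access-egress", ev["pid"],
                               f"{ev['dest']}:{ev['dport']}"))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in correlate(EVENTS):
        print(f"{rule:36} pid={pid} {detail}")
```

On the sample the corporate agent reaching its own server produces nothing, while the lure's process tree yields four alerts: the .scr launch, the write under ProgramData, the service install, and the agent's first outbound connection to a host outside the allowlist. The 7045 rule keys on the time window because a service install carries no parent PID; the others key on the process tree, which is the more reliable link when the agent survives reboots and later events have no nearby .scr launch.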
ReliaQuest also suggested reducing exposure to consumer file hosting by blocking non-business services at the DNS or proxy layer, and applying stricter download policies for executable content and archives that may contain executable payloads.
In a statement included in the report, ReliaQuest summarised the shift in attacker tradecraft toward trusted tooling and delivery paths:
"We've observed this campaign across multiple ReliaQuest customers. It stands out because, unlike typical attacks, this marks the first time we've identified a campaign using business-themed lures to persuade users to download a .scr file, an often-overlooked executable, that then deploys an RMM tool for durable access and follow-on actions with unusual effectiveness."
ReliaQuest said attackers are likely to continue exploiting file formats that slip past simplistic allow/deny logic and to keep using legitimate remote-access tools where governance and monitoring are weak.