Threat Actors abuse signed ConnectWise application as malware builder

SUMMARY :

Since March 2025, there has been an increase in infections using validly signed ConnectWise samples. Threat actors are exploiting ConnectWise's authenticode stuffing practices to create and distribute their own signed malware. The malicious samples use modified settings in the certificate table to influence critical behavior and user interface elements, such as connection URLs, ports, icons, and messages. This allows attackers to disguise their remote access tools as legitimate software or fake Windows updates. The article provides recommendations for threat detection and prevention, including specific app.config settings to look out for and a YARA rule for detection.

OPENCTI LABELS :

fake updates,remote access,cve-2024-1708,cve-2024-1709,connectwise,certificate abuse,signed malware,authenticode stuffing,evilconwi,unauthenticated attributes


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Threat Actors abuse signed ConnectWise application as malware builder