A sophisticated credential-harvesting campaign has been targeting ScreenConnect cloud administrators for years and may be opening the door to ransomware attacks, researchers at Mimecast said in a blog post released Monday.
The campaign uses compromised Amazon Simple Email Service accounts to spear-phish senior IT administrators who have elevated privileges in ScreenConnect environments. The hackers are targeting super-administrator credentials, which provide extensive control of companies’ remote-access infrastructure, according to Mimecast researchers.
“ScreenConnect is a great way for the ransomware group to not only obtain credentials from someone with the correct level of access but understand the organizational assets and then push through malicious content when they are ready,” Mimecast researchers told Cybersecurity Dive.
The phishing pages use adversary-in-the-middle techniques and an open-source tool called EvilGinx, which the researchers said allow the hackers to bypass authentication and maintain persistence.
The campaign, which began in 2022, has connections to ransomware activity by affiliates of the Qilin group. Attackers can use the super-administrator credentials to install ScreenConnect instances they control on multiple computers at the same time, which helps them move laterally across a network and increases their ability to distribute ransomware, Mimecast researchers said.
Sophos researchers in April warned about an attack against a managed service provider that used what appeared to be an authentication alert for the ScreenConnect remote monitoring and management tool. That incident allowed Qilin ransomware affiliates to access administrator credentials and launch downstream attacks.
“They crafted a phishing email that appeared to be a legitimate ScreenConnect alert, but it was malicious,” Anthony Bradshaw, MDR incident response manager at Sophos, told Cybersecurity Dive.
Qilin “exfiltrated and encrypted multiple systems,” Bradshaw said, leaving ransom notes for these victims. Sophos has tracked the threat activity under the name STAC4365.
Qilin is a sophisticated ransomware-as-a-service actor linked to multiple high-profile attacks, including one against media giant Lee Enterprises. The group also claimed credit for the attack against Inotiv earlier this month.