
ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware

Source: G Data

Excerpt:
“ConnectWise abuse 2024-2025

This isn’t the first time that ConnectWise has been used by threat actors. Back in February 2024, we saw a spike in ransomware activity tied to two ConnectWise vulnerabilities: CVE-2024-1708 and CVE-2024-1709.

Around March 2025, a new wave of ConnectWise abuse started showing up, now being tracked under the name “EvilConwi”.

When people suspect an infection, they often turn to the Internet for help. “UNITE against malware” forums (such as BleepingComputer.com) provide disinfection assistance in such cases. Several threads on BleepingComputer’s forums show unwanted ConnectWise clients as the culprit of the infection, usually with phishing emails as the starting point. The existence of several posts like these indicates a failure of security programs to prevent the threat. Even in May 2025, most antivirus products did not detect maliciously used ConnectWise samples as malware.

In one BleepingComputer case, the origin of infection is a phishing email with a OneDrive link that promises to show a large document. The link redirects to a Canva page with a “View PDF” button which downloads and runs a ConnectWise installer. The user describes “fake Windows Update screens” and their mouse “moving on its own randomly”. Aside from those indicators, there were no other visible signs for the active remote connection.

Reddit users have also reported similar incidents; for example, in one case, a maliciously crafted ConnectWise sample originated from a website offering an AI-based image converter. According to the original poster, the site had been advertised on Facebook.”

To read the complete article, see: G Data

This post is licensed under CC BY 4.0 by the author.