From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect
ID: f0b742a2-819b-59fe-ae18-bf14a62d3b57
STIX ID: report--f0b742a2-819b-59fe-ae18-bf14a62d3b57
Feed Name: Elastic Security Labs
Elastic Security Labs describes an active campaign delivering a newly observed .NET loader named SILENTCONNECT via phishing lures that use Cloudflare Turnstile and Google Drive hosting. The chain uses minimally obfuscated VBScript to run PowerShell that compiles and executes C# in memory; the loader performs PEB masquerading, NT API usage, UAC bypass and adds a Defender exclusion before silently installing a ScreenConnect RMM client that provides hands-on access to victim machines. The report includes YARA detection rules and multiple SHA-256 hashes, domains, and an IP address as observables.
