In-Memory Loader Drops ScreenConnect
ID: 42b23a9d-c34d-5dc0-b895-0c1c471cc4e6
STIX ID: report--42b23a9d-c34d-5dc0-b895-0c1c471cc4e6
Feed Name: Zscaler Security Research Blog
ThreatLabz describes a multi-stage, fileless ScreenConnect deployment. It begins with an Adobe-themed lure that delivers an obfuscated VBScript loader. The loader launches PowerShell, which fetches a payload containing an embedded .NET assembly and compiles and runs it in memory. That assembly manipulates the PEB to masquerade as a legitimate process, abuses auto-elevated COM objects to escalate privileges silently (a UAC bypass), and then downloads and installs ScreenConnect, leaving the attacker with remote-access capability on compromised hosts.
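The stage chain above is the kind of thing a detection engineer wants to correlate per host rather than alert on one event at a time: a single Add-Type compile or a single ScreenConnect install is common in many environments, but several stages on one host within a short window is not. The following is an added detection example written for this page, not code or indicators from the ThreatLabz report. The log lines are constructed, and the indicator patterns (wscript.exe spawning powershell.exe, Add-Type or a csc.exe child of powershell.exe as the in-memory compile, the `Elevation:Administrator!new:{CLSID}` COM elevation moniker, and the ScreenConnect client installer names) are general knowledge of those Windows mechanisms, chosen here as assumptions about what this chain would leave in Sysmon process-create and PowerShell ScriptBlock (4104) logs. The CLSID in the sample is an all-zero placeholder, not a real auto-elevated class.

```python
"""Per-host stage correlation over constructed Sysmon / PowerShell 4104 log lines.

Added example for this page; the indicator regexes are assumptions, not
indicators published in the ThreatLabz report.
"""
import re
from collections import defaultdict

# Assumed stage indicators, in the order the summary describes the chain.
# Each (name, regex) matches one stage in a Sysmon/1 or PowerShell/4104 message.
STAGES = [
    # VBScript lure executed by wscript.exe or cscript.exe
    ("vbs_lure", re.compile(r"(wscript|cscript)\.exe.*\.vbs\b", re.I)),
    # Script host spawning PowerShell
    ("vbs_spawns_powershell",
     re.compile(r"Image:.*powershell\.exe.*ParentImage:.*(wscript|cscript)\.exe", re.I)),
    # In-memory compile: Add-Type in a script block, or csc.exe as a PowerShell child
    ("in_memory_compile",
     re.compile(r"Add-Type\s|CompileAssemblyFromSource|"
                r"Image:.*\\csc\.exe.*ParentImage:.*powershell\.exe", re.I)),
    # COM elevation moniker used to instantiate an auto-elevated object
    ("com_auto_elevate", re.compile(r"Elevation:Administrator!new:\{[0-9A-Fa-f-]{36}\}")),
    # ScreenConnect client installer / client binary names
    ("screenconnect_install",
     re.compile(r"ScreenConnect\.(ClientSetup|WindowsClient|Client)\.exe", re.I)),
]

# Constructed sample events: (host, event source, message). None are real logs.
SAMPLE_EVENTS = [
    ("WS01", "Sysmon/1", r"Image: C:\Windows\System32\wscript.exe CommandLine: wscript.exe C:\Users\a\Downloads\Adobe_Reader_Update.vbs"),
    ("WS01", "Sysmon/1", r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage: C:\Windows\System32\wscript.exe CommandLine: powershell -w hidden -ep bypass -enc SQBFAFgA"),
    ("WS01", "PowerShell/4104", "Add-Type -TypeDefinition $src; [Loader.Run]::Start()"),
    ("WS01", "Sysmon/1", r"Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Placeholder CLSID; a real chain would name a specific auto-elevated class.
    ("WS01", "PowerShell/4104", 'string moniker = "Elevation:Administrator!new:{00000000-0000-0000-0000-000000000000}";'),
    ("WS01", "Sysmon/1", r"Image: C:\Users\a\AppData\Local\Temp\ScreenConnect.ClientSetup.exe ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Benign-looking activity on a second host: one download, one Add-Type compile.
    ("WS02", "PowerShell/4104", "Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile report.csv"),
    ("WS02", "Sysmon/1", r"Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]


def match_stages(message):
    """Return the set of stage names whose indicator matches this message."""
    return {name for name, rx in STAGES if rx.search(message)}


def scan(events):
    """Collapse events into {host: sorted list of distinct stages observed}."""
    found = defaultdict(set)
    for host, _source, message in events:
        found[host] |= match_stages(message)
    return {host: sorted(stages) for host, stages in found.items()}


def alerts(events, min_stages=3):
    """Hosts where at least min_stages distinct stages of the chain were seen."""
    return [host for host, stages in scan(events).items() if len(stages) >= min_stages]


if __name__ == "__main__":
    for host, stages in scan(SAMPLE_EVENTS).items():
        print(host, stages)
    print("alert:", alerts(SAMPLE_EVENTS))
```

The threshold of three distinct stages is a tuning choice: WS02 trips the in-memory compile indicator alone (developers and admin tooling use Add-Type legitimately) and stays quiet, while WS01 matches all five. In production the same logic would run over a time window per host and the COM elevation moniker would be matched against the specific auto-elevated CLSIDs the report names, which this example deliberately does not guess.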
