New Campaign Uses Screensavers for RMM-Based Persistence
ID: 67cb0e8f-4a97-5b67-8b37-3d0822657011
STIX ID: report--67cb0e8f-4a97-5b67-8b37-3d0822657011
Feed Name: ReliaQuest Blog
ReliaQuest details a spearphishing campaign in which business-themed lures lead targets to download .scr screensaver executables from consumer cloud hosts. Executing the .scr silently installs legitimate RMM agents (artifacts observed under C:\ProgramData\JWrapper-Remote Access) that give attackers persistent, encrypted remote access, enabling discovery, data exfiltration, lateral movement, and potential ransomware. The report emphasizes treating .scr files as executables, enforcing approved-RMM allowlists, and restricting consumer file-hosting and downloads.
