You know those “You’re invited!” emails that seem totally harmless? Turns out, cybercriminals are using them to sneak remote access trojans (RATs) onto Windows machines.
This phishing trick gets people to download an MSI file that quietly installs ScreenConnect, a real remote support tool, handing attackers total control. We’ve seen it hitting UK users first, but it could spread anywhere.
It all starts with a phishing email posing as a casual party invite. Crooks fake the sender to look like a hacked friend or random contact, throwing in friendly chit-chat like “You’re invited!” to spark your curiosity.
They nudge you to click a link for details, which bounces you to a fake page on something like xnyr[.]digital.
Phishing Email Mechanics
These emails slip in through SMTP with spoofed “From” headers, often hijacking real accounts to seem legit. Subjects like “Party Invite from [Friend’s Name]” make you drop your guard.
The body amps up the FOMO with lines like “RSVP soon!” and a sneaky link labeled “View Invitation.”
One click, and boom, HTTP 302 redirect to the bad guy’s landing page.
It’s dressed up with HTML and CSS to scream party vibes: big “You’re Invited!” text, fake notes reading “[Friend] sent this,” tips for using your Windows laptop, and a JavaScript countdown faking a download.
Stuff like “I opened mine super easy!” pushes you to act fast.
JavaScript kicks off the grab for RSVPPartyInvitationCard.msi automatically with <a download> or window.location.assign().
That 5MB file looks like a fun invite, but nope, it’s a sneaky Windows Installer package.
MSI Execution and ScreenConnect Deployment
When you double-click that MSI, it launches msiexec.exe, Windows’ own installer, and if you click OK on the UAC pop-up, it unpacks everything on the down-low, no big notices.
Here’s what it really does:
- Directory Creation: Sets up shop in C:\Program Files (x86)\ScreenConnect Client\[random-ID]\, like ScreenConnect Client 18d1648b87bb3023. That hex jumble keeps it hidden.
- Binary Deployment: Drops key files such as ScreenConnect.ClientService.exe (the main service), JoinScreenConnect.exe (which starts sessions), and DLLs (ScreenConnect.Client.dll, etc.). Everything’s .NET (v4.0+).
- Service Registration: Makes a sticky Windows service using sc create or registry tweaks in HKLM\SYSTEM\CurrentControlSet\Services\. Name: ScreenConnect Client [random-ID]. Auto-starts as SYSTEM for max power.
- Registry Persistence: Slips into HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for boot survival. Sets C2 in HKLM\SOFTWARE\ScreenConnectClient\[ID]\RelayServer (think attacker domains like abc123.screenconnect.com).
- Network Initialization: Right away, it phones home to relay servers over HTTPS/TCP 443. Switches to WebSockets for two-way chat. First ping sends JSON like {"sessionId":"[UUID]","relay":"[domain]"}.
No alerts, no icons, nothing on your desktop. Done in under 30 seconds, you might not even notice.
Post-Exploitation: Full Remote Access
Once ScreenConnect is in, the attacker gets the keys to your PC, like a sneaky IT guy, but way worse. Their server catches tunnels from your machine.
What they can do:
- Screen Capture and Control: Watch your screen live at 30+ FPS, hijack mouse/keyboard with Windows hooks like SetWindowsHookEx.
- File Operations: Poke around C:\Users, steal files, drop new ones; it feels like SMB, but remote.
- Process Injection: Fire up PowerShell.exe for sneaky LotL moves.
- Persistence Across Reboots: Service restarts everything; client re-links on boot.
- Evasion Tactics: Traffic looks normal (tons of legit ScreenConnect out there). TLS 1.3 encryption, rotating domains.
Spots to check if you’re hit (IoCs):
| IoC Type | Details |
|---|---|
| File | RSVPPartyInvitationCard.msi; C:\Program Files (x86)\ScreenConnect Client\*.exe |
| Service | ScreenConnect Client [hex-string] (e.g., 18d1648b87bb3023) |
| Registry | HKLM\SOFTWARE\ScreenConnectClient; Run keys with ScreenConnect paths |
| Network | HTTPS to *.screenconnect.com subdomains; xnyr[.]digital resolutions |
| Process | ScreenConnect.ClientService.exe; high CPU on dotnet.exe children |
| Mutex | Global\ScreenConnect_[ID] (prevents multiple installs) |
Why the Attack Succeeds Technically and Psychologically
It works because MSIs get a free pass on UAC, and ScreenConnect is legit, with no AV flags.
Psychologically? Invites feel safe, like peeking at a flyer. Auto-downloads kill hesitation; no barriers.
UK-heavy so far (IP-targeted emails), but easy to tweak for anywhere. Popped up early 2026; variants likely coming.
Detection Techniques
Host-Based:
- Services: sc query | findstr ScreenConnect.
- Processes: tasklist /svc | findstr ScreenConnect.
- Scans: Sigma for MSI drops; YARA for .NET bits like “RelayServer”.
- EDR: Spot msiexec spawning odd services.
Network-Based:
- DNS: Block xnyr[.]digital or wild *.screenconnect.com.
- TLS: Flag SNI to relays.
- Zeek/Suricata: Catch WebSocket after MSI.
Behavioral Analytics:
- UEBA: New services phoning home without being asked.
- Sandbox: Run MSI in Cuckoo; watch services pop.
Mitigation Strategies
For End Users:
- Skip random MSI/EXEs, double-check by calling.
- Block auto-downloads: Set DownloadRestrictions=3 in Chrome.
- If hit: Safe Mode, sc delete [service], msiexec /x {GUID}. Run sfc /scannow.
- Hunt with Autoruns.
For Organizations:
- AppLocker/WDAC: No unsigned MSIs; limit msiexec kids.
- Endpoint Controls: ASR blocks Win32k; no rogue services.
- Email: Enforce DMARC; filter “invitation.msi”.
- Training: Fake phishing drills on invites.
- Hunts: Try this PowerShell:

```powershell
Get-WmiObject Win32_Service | Where-Object { $_.Name -like "*ScreenConnect*" } | Select-Object Name, PathName, State
```
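A fuller triage script, added here as an example and not taken from the original post, that walks the IoC table above: services (including stopped ones, which sc query skips), processes, the install folder, the RelayServer value and Run-key persistence. The CSV report path and the HKCU Run-key check are assumptions beyond what the page lists.

```powershell
# Added example (not from the original post): read-only triage of the ScreenConnect
# footprints in the IoC table. Service/path/registry names are from the page; the
# report path and the HKCU Run-key check are assumptions.
$OutFile  = "$env:TEMP\screenconnect-triage.csv"
$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Services: sc query only lists running services, so use CIM to catch stopped ones too.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like '*ScreenConnect*' -or $_.PathName -like '*ScreenConnect Client*' } |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) [$($_.State)/$($_.StartMode)] -> $($_.PathName)" }

# 2. Processes running out of the client install folder (ScreenConnect.ClientService.exe etc.).
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -like '*ScreenConnect Client*' } |
    ForEach-Object { Add-Finding 'Process' "$($_.ProcessId) $($_.ExecutablePath)" }

# 3. Install directory, including the random hex-ID subfolder named on the page.
$Base = "${env:ProgramFiles(x86)}\ScreenConnect Client"
if (Test-Path $Base) {
    Get-ChildItem $Base -Recurse -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'File' $_.FullName }
}

# 4. Registry: the RelayServer value (where the client phones home) and Run-key persistence.
Get-ChildItem 'HKLM:\SOFTWARE\ScreenConnectClient' -ErrorAction SilentlyContinue | ForEach-Object {
    $relay = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).RelayServer
    Add-Finding 'Registry' "$($_.PSChildName) RelayServer=$relay"
}
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { "$($_.Value)" -like '*ScreenConnect*' } |
        ForEach-Object { Add-Finding 'RunKey' "$run\$($_.Name) = $($_.Value)" }
}

# 5. Report: print to console and save a CSV for the IR ticket.
if ($Findings.Count -eq 0) {
    Write-Host 'No ScreenConnect artifacts found on this host.'
} else {
    $Findings | Export-Csv -Path $OutFile -NoTypeInformation
    $Findings | Format-Table -AutoSize
    Write-Host "$($Findings.Count) finding(s) written to $OutFile"
}
```

Run it from an elevated PowerShell so the HKLM and Program Files reads succeed; a hit on RelayServer pointing at a domain your IT team does not own is the strongest single indicator in the set.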
RATs like ScreenConnect, AnyDesk, TeamViewer? They’re 40%+ of detections now (MITRE stats). Crooks love ’em for stealth. Stay ahead, watch for copycats.
Site: cybersecuritypath.com