Saturday February 21, 2026

Advisory ID: NCC-CSIRT-2026-006

Summary: 

Security researchers have identified an active spearphishing campaign in which threat actors are using Windows screensaver (.scr) files as delivery mechanisms to install legitimate Remote Monitoring & Management (RMM) tools for covert remote access and persistent control. The campaign begins with business-themed phishing (e.g., invoice or project summaries) that directs users to download and execute a .scr file from cloud storage. Because .scr screensavers are portable executable (PE) binaries that can run arbitrary code but are often overlooked by defenders, this vector allows attackers to bypass traditional detection controls and deploy RMM software to maintain access.

Once executed, the malicious screensaver silently installs the RMM agent, which establishes an encrypted remote connection to attacker-controlled infrastructure, enabling interactive remote sessions. Follow-on actions may include credential theft, lateral movement, data exfiltration, and staging for ransomware or other high-impact malware.

Damage/Probability: High/High

Product(s): 

  • Microsoft Windows operating systems and endpoints
  • Remote Monitoring & Management (RMM) tools and agents (e.g., JWrapper-based SimpleHelp or similar)
  • Cloud storage hosting services used to deliver malicious files

Version(s): 

Not version-specific; affects any Windows installation where users are tricked into executing Windows screensaver files (.scr) without appropriate controls or restrictions.

Platform(s): 

  • Enterprise and corporate Windows workstations
  • Laptops
  • Servers with user-interactive endpoints capable of executing screensaver files

Description: 

Windows screensaver files (.scr) are portable executables capable of running arbitrary code, yet are often perceived by users as harmless. In the observed campaign, attackers embed remote monitoring and management (RMM) installers within .scr files hosted on trusted cloud platforms and distribute them via phishing emails using business-themed lures (e.g., “InvoiceDetails.scr”), increasing the likelihood of execution.

When run, the .scr file installs an RMM agent, establishes persistence in system directories, and initiates outbound connections to attacker-controlled servers for remote access. Because RMM tools are commonly used for legitimate administration, their activity blends into normal network behavior, making detection difficult; researchers note this technique is highly adaptable across cloud providers, lures, and RMM variants, limiting the effectiveness of signature-based defenses alone.

Threat Types: 

  • Spearphishing & social engineering: phishing emails with links to .scr files disguised as benign documents.
  • Abuse of executable screensaver files: .scr files executing arbitrary code to install RMM software.
  • RMM tool deployment for access & persistence: use of legitimate remote administration software as covert remote access tools.
  • Living-off-the-land & defense evasion: use of trusted tools and filetypes to lower detection and raise stealth.

Impacts: 

  • Attackers gain persistent remote access and control over compromised hosts.
  • Remote access allows capture of sensitive user credentials and intellectual property.
  • With RMM agents in place, threat actors can propagate to adjacent systems and escalate privileges.
  • The foothold may be used to position ransomware, RATs, or other destructive payloads.
  • Because scouting and execution leverage legitimate infrastructure and filetypes, traditional signature-based tools may fail to alert.

Solutions:  

NCC-CSIRT recommends the following mitigation steps:

  • Block .scr execution via AppLocker/WDAC.
  • Quarantine endpoints with unauthorized RMM tools.
  • Filter and inspect suspicious cloud-hosted email links.
  • Scan and hunt for rogue RMM services and processes.
  • Train users on .scr and uncommon-extension phishing.
  • Enforce least-privilege to prevent unauthorized installs.
  • Detect living-off-the-land abuse with behavior analytics.
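The following PowerShell hunt script is an added example supporting the "scan and hunt for rogue RMM services and processes" and ".scr" recommendations above; it is not part of the NCC-CSIRT advisory. It assumes it is run with administrative rights on the endpoint, that the indicator list (seeded with the SimpleHelp/JWrapper names mentioned in the advisory) is replaced with the RMM products your organisation authorises or wants to find, and that the Downloads and temp folders are plausible drop locations.

```powershell
# Added hunt script (not from the advisory). Assumptions: run elevated on the
# endpoint; $RmmIndicators is illustrative and must be tuned per environment.
$RmmIndicators = @('SimpleHelp', 'JWrapper')                 # names cited in the advisory
$ScrRoots      = @("$env:USERPROFILE\Downloads", "$env:TEMP") # assumed drop locations

function Find-SuspiciousRmm {
    # Services whose name, display name or binary path mention an RMM indicator.
    $svc = Get-CimInstance Win32_Service | Where-Object {
        $s = $_
        $RmmIndicators | Where-Object { "$($s.Name) $($s.DisplayName) $($s.PathName)" -match $_ }
    } | Select-Object @{n='Type';e={'Service'}}, Name, @{n='Path';e={$_.PathName}}, State

    # Running processes that match, annotated with their established outbound
    # TCP peers so an unexpected remote endpoint stands out during triage.
    $proc = Get-Process | Where-Object {
        $p = $_
        $RmmIndicators | Where-Object { "$($p.ProcessName) $($p.Path)" -match $_ }
    } | ForEach-Object {
        $peers = Get-NetTCPConnection -OwningProcess $_.Id -State Established -ErrorAction SilentlyContinue |
                 ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
        [pscustomobject]@{ Type = 'Process'; Name = $_.ProcessName; Path = $_.Path; State = ($peers -join ',') }
    }
    @($svc) + @($proc)
}

function Find-RecentScr {
    param([int]$Days = 14)
    # Recently written .scr files in user-reachable locations, with their
    # Authenticode status: an unsigned screensaver in Downloads warrants a look.
    Get-ChildItem -Path $ScrRoots -Filter *.scr -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, Length, LastWriteTime,
            @{n='Signature';e={(Get-AuthenticodeSignature $_.FullName).Status}}
}

Find-SuspiciousRmm | Format-Table -AutoSize
Find-RecentScr     | Format-Table -AutoSize
```

Hits are leads, not verdicts: compare each service or process against the approved RMM inventory and the AppLocker/WDAC policy before quarantining the host.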

References: