PULSE NAME
Threat Actors abuse signed ConnectWise application as malware builder
WHITE PetrP.73 2025-06-29 Modified: 2025-06-29
Since March 2025, there has been a notable rise in malware infections utilizing validly signed ConnectWise software, indicative of bad signing practices exploited by threat actors. This trend is linked to a resurgence of abuse surrounding two vulnerabilities identified in February 2024, specifically CVE-2024-1708 and CVE-2024-1709. The current wave of malicious activities is attributable to a new strain of malware, termed "EvilConwi", which leverages these valid signatures to distribute fraudulent applications. Victims often report infections originating from phishing emails that lead to fake pages masquerading as legitimate applications. For instance, one prevalent scenario involved a user clicking on a OneDrive link that redirected them to a Canva page hiding a malicious ConnectWise installer within a download. Reports indicate that users experience symptoms such as their mouse moving erratically and fake Windows Update prompts during active remote connections, signaling a compromise.
Indicators of Compromise (74)
TYPE INDICATOR DESCRIPTION CREATED
CVE CVE-2024-1708 2025-06-29
CVE CVE-2024-1709 2025-06-29
YARA afcc512b3cf2426adeb5ef53cf9a6ed53001478a Settings from app.config that hide the connection of the client. These settings are potentially unwanted 2025-06-29
domain bookinginvoiceview.top 2025-06-29
domain fatura-255441144227d55224qo02gx6ql.com 2025-06-29
domain header.data 2025-06-29
domain pefile.directory 2025-06-29