Threat actors are increasingly tampering with legitimate ConnectWise remote access applications to hide malicious code and compromise systems, G Data warns.
Investigating numerous reports of malware infections originating from ConnectWise clients, G Data discovered the use of Authenticode stuffing to trojanize legitimate software and deploy malware while bypassing security checks.
Authenticode code signing is a technique that allows developers to verify file integrity, but ConnectWise’s use of a workaround to avoid re-signing the software when creating personalized installers opens the door to abuse.
Specifically, the workaround relies on storing configuration data in the certificate table, and attackers use the same method to hide malicious code in the table.
Called Authenticode stuffing, this technique has been abused as part of a campaign tracked as EvilConwi to deliver malware using modified ConnectWise clients that would pass integrity and authenticity checks.
Because the malicious configurations and payloads are stuffed in the certificate table, Windows does not include them in the hashes it verifies, so the modified installers do not break the valid digital signature.
Since March 2025, G Data has observed a surge in ConnectWise abuse for malware deployment. Its analysis of one modified app iteration revealed that the hackers used Authenticode stuffing not only to hide their malicious code, but also to completely hide the installation of a ConnectWise client on the system.
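The mechanism described above (data placed after the PKCS#7 signature inside the WIN_CERTIFICATE entry is not covered by the Authenticode hash) is also what a defender can measure. The following added example is not from G Data's report or from ConnectWise; it parses the security data directory of a PE file, compares the DER length of the signed PKCS#7 structure with the declared WIN_CERTIFICATE length, and reports anything beyond normal alignment padding as unauthenticated data. The sample PE it builds is a constructed skeleton (fake PKCS#7 blob, fake stuffed payload), not a real signed binary; the function names are the example's own.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index into the optional header's data directories
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
DER_SEQUENCE = 0x30

# Constructed stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE holding one INTEGER.
FAKE_PKCS7 = b"\x30\x05\x02\x03\x01\x02\x03"
# Constructed stand-in for data appended after the signature (config or payload).
FAKE_STUFFING = b"\x01" + b"CONSTRUCTED-CONFIG-OR-PAYLOAD"


def der_element_length(buf: bytes, pos: int) -> int:
    """Total size (tag + length field + content) of the DER element starting at pos."""
    first = buf[pos + 1]
    if first < 0x80:                       # short form: a single length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    content = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return 2 + n + content


def security_directory(pe: bytes) -> tuple[int, int]:
    """Return (file offset, size) of the certificate table from the PE optional header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (0x60 if magic == 0x10B else 0x70)   # PE32 vs PE32+ data directory offset
    # For the security directory the "RVA" field is actually a raw file offset.
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def find_unauthenticated_data(pe: bytes) -> dict:
    """Compare the WIN_CERTIFICATE length with the DER length of the PKCS#7 blob inside it."""
    off, size = security_directory(pe)
    if size == 0:
        return {"signed": False, "unauthenticated_data": b"", "suspicious": False}
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected certificate type %#x" % cert_type)
    p7_start = off + 8                     # bCertificate follows the 8-byte header
    if pe[p7_start] != DER_SEQUENCE:
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    p7_len = der_element_length(pe, p7_start)
    # Bytes between the end of the signed PKCS#7 structure and the end of the
    # WIN_CERTIFICATE entry lie outside the Authenticode hash. Up to 7 zero bytes
    # are ordinary 8-byte alignment padding; anything else was stuffed in.
    extra = pe[p7_start + p7_len: off + dw_length]
    stuffed = extra.rstrip(b"\0")
    return {
        "signed": True,
        "pkcs7_length": p7_len,
        "unauthenticated_data": stuffed,
        "suspicious": len(stuffed) > 0 or len(extra) > 7,
    }


def build_sample_pe(pkcs7: bytes, stuffed: bytes = b"") -> bytes:
    """Constructed minimal PE32+ skeleton with one WIN_CERTIFICATE entry (not a real signed file)."""
    cert_off = 0x200
    body = pkcs7 + stuffed
    dw_length = (8 + len(body) + 7) & ~7   # entries are rounded up to a multiple of 8
    win_cert = struct.pack("<IHH", dw_length, WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    win_cert += b"\0" * (dw_length - len(win_cert))
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)    # e_lfanew: PE header at 0x80
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, 0x22)   # x64, 240-byte optional header
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<II", opt, 0x70 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, dw_length)
    pe = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return pe + b"\0" * (cert_off - len(pe)) + win_cert


if __name__ == "__main__":
    for label, stuffed in (("clean", b""), ("stuffed", FAKE_STUFFING)):
        result = find_unauthenticated_data(build_sample_pe(FAKE_PKCS7, stuffed))
        print(label, "suspicious =", result["suspicious"], result["unauthenticated_data"])
```

On a real file, run `find_unauthenticated_data(open(path, "rb").read())`; a legitimate ConnectWise installer built with the workaround described above will show its configuration blob here, and a non-empty result on any other vendor's binary is worth a closer look. The example handles a single WIN_CERTIFICATE entry, which is the common case; files carrying several entries would need the loop extended over `size`. Windows itself can reject trailing data in the certificate table when the `EnableCertPaddingCheck` setting introduced with MS13-098 is turned on, but it is off by default.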
The modified software masquerades as an AI-to-image converter and disables various visual indicators that would alert the user that ConnectWise has been installed.
It also fakes a Windows update by displaying an image of an update screen, instructs the user to keep the system online, and shows various deceptive messages and window titles, likely to hide that threat actors are connected to the infected system.
“Although Authenticode stuffing is common practice, ConnectWise’s decision to influence critical behavior and its user interface with unauthenticated attributes is clearly dangerous. It entices threat actors to build their own remote access malware with custom icons, background images and text, that is signed by a trusted company,” G Data notes.
The security firm notified ConnectWise of the observed attacks on June 12 and noticed that the company revoked the signature of the observed samples on June 17. SecurityWeek emailed ConnectWise for a statement on the attacks and will update this article if the company responds.