How fake party invitations are being used to install remote access tools
βYouβre invited!βΒ
It soundsΒ friendly,Β familiarΒ and quiteΒ harmless.Β But in aΒ scamΒ we recentlyΒ spotted, thatΒ simpleΒ phrase is beingΒ usedΒ to trick victims into installing a full remote access tool on theirΒ WindowsΒ computersβgiving attackers complete control of the system.Β
What appears to be aΒ casual party or event invitationΒ leads toΒ the silent installation ofΒ ScreenConnect, a legitimate remoteΒ supportΒ toolΒ quietly installedΒ in the background and abused byΒ attackers.Β
Hereβs how theΒ scamΒ works, whyΒ itβsΒ effective, andΒ how to protect yourself.Β
TheΒ email: AΒ partyΒ invitationΒ
Victims receive an email framed as a personal invitationβoften written to look like it came from a friend or acquaintance. The message is deliberately informal and social, lowering suspicion and encouraging quick action.Β
In the screenshot below, the email arrived from a friend whose email account had been hacked, but it could just as easily come from a sender you donβt know.
So far,Β weβveΒ only seenΒ thisΒ campaignΒ targetingΒ peopleΒ in theΒ UK,Β butΒ thereβs nothingΒ stoppingΒ it from expandingΒ elsewhere.Β
Clicking the link in the email leadsΒ to a polishedΒ invitationΒ page hosted on an attacker-controlled domain.Β

TheΒ invite: TheΒ landing pageΒ thatΒ leads to an installerΒ
The landing page leans heavily into theΒ partyΒ theme,Β but instead of showing event details, the pageΒ nudgesΒ the user toward opening a file. None of them look dangerous on their own, but together theyΒ keep the user focused on theΒ βinvitationβΒ file:Β
- A boldΒ βYouβre Invited!βΒ headlineΒ
- The suggestion that aΒ friend had sent the invitationΒ
- AΒ messageΒ sayingΒ the invitation is best viewed on aΒ Windows laptop or desktop
- A countdownΒ suggestingΒ yourΒ invitation is already βdownloadingβΒ
- A message implying urgency and social proof (βI opened mine and it was so easy!β)Β
Within seconds, the browser is redirected to downloadΒ RSVPPartyInvitationCard.msiΒ
The page even triggers the download automatically to keep the victim moving forward without stopping to think.Β
This MSI fileΒ isnβtΒ an invitation.Β ItβsΒ an installer.Β

TheΒ guest: What the MSIΒ actuallyΒ doesΒ
When theΒ user opens theΒ MSI file, it launchesΒ msiexec.exeΒ andΒ silentlyΒ installsΒ ScreenConnectΒ Client, a legitimate remote access tool often used by IT support teams.Β Β
ThereβsΒ noΒ invitation, RSVP form, or calendar entry.Β
What happens instead:Β
- ScreenConnectΒ binaries areΒ installedΒ underΒ
C:\Program Files (x86)\ScreenConnectΒ Client\Β - AΒ persistent Windows serviceΒ is createdΒ (for example,Β ScreenConnectΒ ClientΒ 18d1648b87bb3023)Β
- ScreenConnectΒ installsΒ multiple .NET-based componentsΒ
- There is no clear user-facingΒ indicationΒ that a remote access tool is being installedΒ
From the victimβs perspective,Β very littleΒ seems to happen. But at this point, the attackerΒ can now remotely accessΒ theirΒ computer.Β
TheΒ after-party: RemoteΒ accessΒ isΒ establishedΒ
Once installed, the ScreenConnect client initiates encrypted outbound connections to ScreenConnectβs relay servers, including a uniquely assigned instance domain.
That connectionΒ givesΒ the attacker theΒ same level of access as a remote ITΒ technician, including theΒ ability to:Β
- SeeΒ the victimβs screen in real time
- ControlΒ theΒ mouse and keyboardΒ
- Upload or downloadΒ filesΒ
- KeepΒ accessΒ even after the computer is restartedΒ
BecauseΒ ScreenConnectΒ is legitimate softwareΒ commonlyΒ usedΒ for remote support,Β its presenceΒ isnβtΒ always obvious. On a personal computer, the first signs are often behavioral, such as unexplained cursor movement, windows opening on their own, or a ScreenConnect process the user doesnβt remember installing.Β
WhyΒ thisΒ scamΒ worksΒ
This campaign is effective because it targetsΒ normal, predictable human behavior. From a behavioral security standpoint, it exploitsΒ our naturalΒ curiosityΒ andΒ appears to beΒ a lowΒ risk.Β
Most peopleΒ donβtΒ think of invitations as dangerous. Opening one feels passive,Β like glancing at a flyer or checking a message, not installing software.Β
Even security-aware users are trained to watch out for warnings and pressure. A friendly βyouβre invitedβ messageΒ doesnβtΒ trigger those alarms.Β
By the time something feels off, the software is already installed.Β
Signs your computer may be affectedΒ
Watch for:Β
- A download or executed file namedΒ
RSVPPartyInvitationCard.msiΒ - AnΒ unexpected installation ofΒ ScreenConnectΒ ClientΒ
- AΒ Windows serviceΒ namedΒ ScreenConnectΒ ClientΒ with random charactersΒ Β
- Your computer makes outbound HTTPS connections toΒ ScreenConnectΒ relay domainsΒ
- Your system resolvesΒ the invitation-hosting domain used in this campaign,Β xnyr[.]digitalΒ
How to stay safeΒ Β
This campaign is a reminder that modern attacks oftenΒ donβtΒ break inβtheyβreΒ invited in.Β Remote access tools give attackers deep control over a system. Acting quickly can limitΒ the damage.Β Β
For individualsΒ
If you receive an email like this:Β
- Be suspicious of invitations that ask you to download or open softwareΒ
- Never run MSI files from unsolicited emailsΒ
- Verify invitations through another channel before opening anythingΒ
If you already clicked or ran the file:Β Β
- Disconnect from the internetΒ immediatelyΒ
- Check forΒ ScreenConnectΒ and uninstall it if presentΒ
- Run a full security scanΒ
- Change important passwords from a clean, unaffected deviceΒ
ForΒ organisationsΒ (especially in the UK)Β
- Alert onΒ unauthorizedΒ ScreenConnectΒ installations
- Restrict MSI execution whereΒ feasibleΒ
- Treat βremote support toolsβ as high-risk software
- Educate users:Β invitationsΒ donβtΒ come as installersΒ
This scam works by installing a legitimate remote access tool without clear user intent. Thatβs exactly the gap Malwarebytes is designed to catch.
Malwarebytes now detects newly installed remote access tools and alerts you when one appears on your system. Youβre then given a choice: confirm that the tool is expected and trusted, or remove it if it isnβt.
We donβt just report on threatsβwe remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byΒ downloading Malwarebytes today.


