How fake party invitations are being used to install remote access tools
โYouโre invited!โย
It soundsย friendly,ย familiarย and quiteย harmless.ย But in aย scamย we recentlyย spotted, thatย simpleย phrase is beingย usedย to trick victims into installing a full remote access tool on theirย Windowsย computersโgiving attackers complete control of the system.ย
What appears to be aย casual party or event invitationย leads toย the silent installation ofย ScreenConnect, a legitimate remoteย supportย toolย quietly installedย in the background and abused byย attackers.ย
Hereโs how theย scamย works, whyย itโsย effective, andย how to protect yourself.ย
Theย email: Aย partyย invitationย
Victims receive an email framed as a personal invitationโoften written to look like it came from a friend or acquaintance. The message is deliberately informal and social, lowering suspicion and encouraging quick action.ย
In the screenshot below, the email arrived from a friend whose email account had been hacked, but it could just as easily come from a sender you donโt know.
So far,ย weโveย only seenย thisย campaignย targetingย peopleย in theย UK,ย butย thereโs nothingย stoppingย it from expandingย elsewhere.ย
Clicking the link in the email leadsย to a polishedย invitationย page hosted on an attacker-controlled domain.ย

Theย invite: Theย landing pageย thatย leads to an installerย
The landing page leans heavily into theย partyย theme,ย but instead of showing event details, the pageย nudgesย the user toward opening a file. None of them look dangerous on their own, but together theyย keep the user focused on theย โinvitationโย file:ย
- A boldย โYouโre Invited!โย headlineย
- The suggestion that aย friend had sent the invitationย
- Aย messageย sayingย the invitation is best viewed on aย Windows laptop or desktop
- A countdownย suggestingย yourย invitation is already โdownloadingโย
- A message implying urgency and social proof (โI opened mine and it was so easy!โ)ย
Within seconds, the browser is redirected to downloadย RSVPPartyInvitationCard.msiย
The page even triggers the download automatically to keep the victim moving forward without stopping to think.ย
This MSI fileย isnโtย an invitation.ย Itโsย an installer.ย

Theย guest: What the MSIย actuallyย doesย
When theย user opens theย MSI file, it launchesย msiexec.exeย andย silentlyย installsย ScreenConnectย Client, a legitimate remote access tool often used by IT support teams.ย ย
Thereโsย noย invitation, RSVP form, or calendar entry.ย
What happens instead:ย
- ScreenConnectย binaries areย installedย underย
C:\Program Files (x86)\ScreenConnectย Client\ย - Aย persistent Windows serviceย is createdย (for example,ย ScreenConnectย Clientย 18d1648b87bb3023)ย
- ScreenConnectย installsย multiple .NET-based componentsย
- There is no clear user-facingย indicationย that a remote access tool is being installedย
From the victimโs perspective,ย very littleย seems to happen. But at this point, the attackerย can now remotely accessย theirย computer.ย
Theย after-party: Remoteย accessย isย establishedย
Once installed, the ScreenConnect client initiates encrypted outbound connections to ScreenConnectโs relay servers, including a uniquely assigned instance domain.
That connectionย givesย the attacker theย same level of access as a remote ITย technician, including theย ability to:ย
- Seeย the victimโs screen in real time
- Controlย theย mouse and keyboardย
- Upload or downloadย filesย
- Keepย accessย even after the computer is restartedย
Becauseย ScreenConnectย is legitimate softwareย commonlyย usedย for remote support,ย its presenceย isnโtย always obvious. On a personal computer, the first signs are often behavioral, such as unexplained cursor movement, windows opening on their own, or a ScreenConnect process the user doesnโt remember installing.ย
Whyย thisย scamย worksย
This campaign is effective because it targetsย normal, predictable human behavior. From a behavioral security standpoint, it exploitsย our naturalย curiosityย andย appears to beย a lowย risk.ย
Most peopleย donโtย think of invitations as dangerous. Opening one feels passive,ย like glancing at a flyer or checking a message, not installing software.ย
Even security-aware users are trained to watch out for warnings and pressure. A friendly โyouโre invitedโ messageย doesnโtย trigger those alarms.ย
By the time something feels off, the software is already installed.ย
Signs your computer may be affectedย
Watch for:ย
- A download or executed file namedย
RSVPPartyInvitationCard.msiย - Anย unexpected installation ofย ScreenConnectย Clientย
- Aย Windows serviceย namedย ScreenConnectย Clientย with random charactersย ย
- Your computer makes outbound HTTPS connections toย ScreenConnectย relay domainsย
- Your system resolvesย the invitation-hosting domain used in this campaign,ย xnyr[.]digitalย
How to stay safeย ย
This campaign is a reminder that modern attacks oftenย donโtย break inโtheyโreย invited in.ย Remote access tools give attackers deep control over a system. Acting quickly can limitย the damage.ย ย
For individualsย
If you receive an email like this:ย
- Be suspicious of invitations that ask you to download or open softwareย
- Never run MSI files from unsolicited emailsย
- Verify invitations through another channel before opening anythingย
If you already clicked or ran the file:ย ย
- Disconnect from the internetย immediatelyย
- Check forย ScreenConnectย and uninstall it if presentย
- Run a full security scanย
- Change important passwords from a clean, unaffected deviceย
Forย organisationsย (especially in the UK)ย
- Alert onย unauthorizedย ScreenConnectย installations
- Restrict MSI execution whereย feasibleย
- Treat โremote support toolsโ as high-risk software
- Educate users:ย invitationsย donโtย come as installersย
This scam works by installing a legitimate remote access tool without clear user intent. Thatโs exactly the gap Malwarebytes is designed to catch.
Malwarebytes now detects newly installed remote access tools and alerts you when one appears on your system. Youโre then given a choice: confirm that the tool is expected and trusted, or remove it if it isnโt.
We donโt just report on threatsโwe remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byย downloading Malwarebytes today.


















