โŒ

Normal view

How fake party invitations are being used to install remote access tools

2 February 2026 at 11:18

โ€œYouโ€™re invited!โ€ย 

It soundsย friendly,ย familiarย and quiteย harmless.ย But in aย scamย we recentlyย spotted, thatย simpleย phrase is beingย usedย to trick victims into installing a full remote access tool on theirย Windowsย computersโ€”giving attackers complete control of the system.ย 

What appears to be aย casual party or event invitationย leads toย the silent installation ofย ScreenConnect, a legitimate remoteย supportย toolย quietly installedย in the background and abused byย attackers.ย 

Hereโ€™s how theย scamย works, whyย itโ€™sย effective, andย how to protect yourself.ย 

Theย email: Aย partyย invitationย 

Victims receive an email framed as a personal invitationโ€”often written to look like it came from a friend or acquaintance. The message is deliberately informal and social, lowering suspicion and encouraging quick action.ย 

In the screenshot below, the email arrived from a friend whose email account had been hacked, but it could just as easily come from a sender you donโ€™t know.

So far,ย weโ€™veย only seenย thisย campaignย targetingย peopleย in theย UK,ย butย thereโ€™s nothingย stoppingย it from expandingย elsewhere.ย 

Clicking the link in the email leadsย to a polishedย invitationย page hosted on an attacker-controlled domain.ย 

Party invitation email from a contact

Theย invite: Theย landing pageย thatย leads to an installerย 

The landing page leans heavily into theย partyย theme,ย but instead of showing event details, the pageย nudgesย the user toward opening a file. None of them look dangerous on their own, but together theyย keep the user focused on theย โ€œinvitationโ€ย file:ย 

  • A boldย โ€œYouโ€™re Invited!โ€ย headlineย 
  • The suggestion that aย friend had sent the invitationย 
  • Aย messageย sayingย the invitation is best viewed on aย Windows laptop or desktop
  • A countdownย suggestingย yourย invitation is already โ€œdownloadingโ€ย 
  • A message implying urgency and social proof (โ€œI opened mine and it was so easy!โ€)ย 

Within seconds, the browser is redirected to downloadย RSVPPartyInvitationCard.msiย 

The page even triggers the download automatically to keep the victim moving forward without stopping to think.ย 

This MSI fileย isnโ€™tย an invitation.ย Itโ€™sย an installer.ย 

The landing page

Theย guest: What the MSIย actuallyย doesย 

When theย user opens theย MSI file, it launchesย msiexec.exeย andย silentlyย installsย ScreenConnectย Client, a legitimate remote access tool often used by IT support teams.ย ย 

Thereโ€™sย noย invitation, RSVP form, or calendar entry.ย 

What happens instead:ย 

  • ScreenConnectย binaries areย installedย underย C:\Program Files (x86)\ScreenConnectย Client\ย 
  • Aย persistent Windows serviceย is createdย (for example,ย ScreenConnectย Clientย 18d1648b87bb3023)ย 
  • ScreenConnectย installsย multiple .NET-based componentsย 
  • There is no clear user-facingย indicationย that a remote access tool is being installedย 

From the victimโ€™s perspective,ย very littleย seems to happen. But at this point, the attackerย can now remotely accessย theirย computer.ย 

Theย after-party: Remoteย accessย isย establishedย 

Once installed, the ScreenConnect client initiates encrypted outbound connections to ScreenConnectโ€™s relay servers, including a uniquely assigned instance domain.

That connectionย givesย the attacker theย same level of access as a remote ITย technician, including theย ability to:ย 

  • Seeย the victimโ€™s screen in real time
  • Controlย theย mouse and keyboardย 
  • Upload or downloadย filesย 
  • Keepย accessย even after the computer is restartedย 

Becauseย ScreenConnectย is legitimate softwareย commonlyย usedย for remote support,ย its presenceย isnโ€™tย always obvious. On a personal computer, the first signs are often behavioral, such as unexplained cursor movement, windows opening on their own, or a ScreenConnect process the user doesnโ€™t remember installing.ย 

Whyย thisย scamย worksย 

This campaign is effective because it targetsย normal, predictable human behavior. From a behavioral security standpoint, it exploitsย our naturalย curiosityย andย appears to beย a lowย risk.ย 

Most peopleย donโ€™tย think of invitations as dangerous. Opening one feels passive,ย like glancing at a flyer or checking a message, not installing software.ย 

Even security-aware users are trained to watch out for warnings and pressure. A friendly โ€œyouโ€™re invitedโ€ messageย doesnโ€™tย trigger those alarms.ย 

By the time something feels off, the software is already installed.ย 

Signs your computer may be affectedย 

Watch for:ย 

  • A download or executed file namedย RSVPPartyInvitationCard.msiย 
  • Anย unexpected installation ofย ScreenConnectย Clientย 
  • Aย Windows serviceย namedย ScreenConnectย Clientย with random charactersย ย 
  • Your computer makes outbound HTTPS connections toย ScreenConnectย relay domainsย 
  • Your system resolvesย the invitation-hosting domain used in this campaign,ย xnyr[.]digitalย 

How to stay safeย ย 

This campaign is a reminder that modern attacks oftenย donโ€™tย break inโ€”theyโ€™reย invited in.ย Remote access tools give attackers deep control over a system. Acting quickly can limitย the damage.ย ย 

For individualsย 

If you receive an email like this:ย 

  • Be suspicious of invitations that ask you to download or open softwareย 
  • Never run MSI files from unsolicited emailsย 
  • Verify invitations through another channel before opening anythingย 

If you already clicked or ran the file:ย ย 

  • Disconnect from the internetย immediatelyย 
  • Check forย ScreenConnectย and uninstall it if presentย 
  • Run a full security scanย 
  • Change important passwords from a clean, unaffected deviceย 

Forย organisationsย (especially in the UK)ย 

  • Alert onย unauthorizedย ScreenConnectย installations
  • Restrict MSI execution whereย feasibleย 
  • Treat โ€œremote support toolsโ€ as high-risk software
  • Educate users:ย invitationsย donโ€™tย come as installersย 

This scam works by installing a legitimate remote access tool without clear user intent. Thatโ€™s exactly the gap Malwarebytes is designed to catch.

Malwarebytes now detects newly installed remote access tools and alerts you when one appears on your system. Youโ€™re then given a choice: confirm that the tool is expected and trusted, or remove it if it isnโ€™t.


We donโ€™t just report on threatsโ€”we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byย downloading Malwarebytes today.

How fake party invitations are being used to install remote access tools

2 February 2026 at 11:18

โ€œYouโ€™re invited!โ€ย 

It soundsย friendly,ย familiarย and quiteย harmless.ย But in aย scamย we recentlyย spotted, thatย simpleย phrase is beingย usedย to trick victims into installing a full remote access tool on theirย Windowsย computersโ€”giving attackers complete control of the system.ย 

What appears to be aย casual party or event invitationย leads toย the silent installation ofย ScreenConnect, a legitimate remoteย supportย toolย quietly installedย in the background and abused byย attackers.ย 

Hereโ€™s how theย scamย works, whyย itโ€™sย effective, andย how to protect yourself.ย 

Theย email: Aย partyย invitationย 

Victims receive an email framed as a personal invitationโ€”often written to look like it came from a friend or acquaintance. The message is deliberately informal and social, lowering suspicion and encouraging quick action.ย 

In the screenshot below, the email arrived from a friend whose email account had been hacked, but it could just as easily come from a sender you donโ€™t know.

So far,ย weโ€™veย only seenย thisย campaignย targetingย peopleย in theย UK,ย butย thereโ€™s nothingย stoppingย it from expandingย elsewhere.ย 

Clicking the link in the email leadsย to a polishedย invitationย page hosted on an attacker-controlled domain.ย 

Party invitation email from a contact

Theย invite: Theย landing pageย thatย leads to an installerย 

The landing page leans heavily into theย partyย theme,ย but instead of showing event details, the pageย nudgesย the user toward opening a file. None of them look dangerous on their own, but together theyย keep the user focused on theย โ€œinvitationโ€ย file:ย 

  • A boldย โ€œYouโ€™re Invited!โ€ย headlineย 
  • The suggestion that aย friend had sent the invitationย 
  • Aย messageย sayingย the invitation is best viewed on aย Windows laptop or desktop
  • A countdownย suggestingย yourย invitation is already โ€œdownloadingโ€ย 
  • A message implying urgency and social proof (โ€œI opened mine and it was so easy!โ€)ย 

Within seconds, the browser is redirected to downloadย RSVPPartyInvitationCard.msiย 

The page even triggers the download automatically to keep the victim moving forward without stopping to think.ย 

This MSI fileย isnโ€™tย an invitation.ย Itโ€™sย an installer.ย 

The landing page

Theย guest: What the MSIย actuallyย doesย 

When theย user opens theย MSI file, it launchesย msiexec.exeย andย silentlyย installsย ScreenConnectย Client, a legitimate remote access tool often used by IT support teams.ย ย 

Thereโ€™sย noย invitation, RSVP form, or calendar entry.ย 

What happens instead:ย 

  • ScreenConnectย binaries areย installedย underย C:\Program Files (x86)\ScreenConnectย Client\ย 
  • Aย persistent Windows serviceย is createdย (for example,ย ScreenConnectย Clientย 18d1648b87bb3023)ย 
  • ScreenConnectย installsย multiple .NET-based componentsย 
  • There is no clear user-facingย indicationย that a remote access tool is being installedย 

From the victimโ€™s perspective,ย very littleย seems to happen. But at this point, the attackerย can now remotely accessย theirย computer.ย 

Theย after-party: Remoteย accessย isย establishedย 

Once installed, the ScreenConnect client initiates encrypted outbound connections to ScreenConnectโ€™s relay servers, including a uniquely assigned instance domain.

That connectionย givesย the attacker theย same level of access as a remote ITย technician, including theย ability to:ย 

  • Seeย the victimโ€™s screen in real time
  • Controlย theย mouse and keyboardย 
  • Upload or downloadย filesย 
  • Keepย accessย even after the computer is restartedย 

Becauseย ScreenConnectย is legitimate softwareย commonlyย usedย for remote support,ย its presenceย isnโ€™tย always obvious. On a personal computer, the first signs are often behavioral, such as unexplained cursor movement, windows opening on their own, or a ScreenConnect process the user doesnโ€™t remember installing.ย 

Whyย thisย scamย worksย 

This campaign is effective because it targetsย normal, predictable human behavior. From a behavioral security standpoint, it exploitsย our naturalย curiosityย andย appears to beย a lowย risk.ย 

Most peopleย donโ€™tย think of invitations as dangerous. Opening one feels passive,ย like glancing at a flyer or checking a message, not installing software.ย 

Even security-aware users are trained to watch out for warnings and pressure. A friendly โ€œyouโ€™re invitedโ€ messageย doesnโ€™tย trigger those alarms.ย 

By the time something feels off, the software is already installed.ย 

Signs your computer may be affectedย 

Watch for:ย 

  • A download or executed file namedย RSVPPartyInvitationCard.msiย 
  • Anย unexpected installation ofย ScreenConnectย Clientย 
  • Aย Windows serviceย namedย ScreenConnectย Clientย with random charactersย ย 
  • Your computer makes outbound HTTPS connections toย ScreenConnectย relay domainsย 
  • Your system resolvesย the invitation-hosting domain used in this campaign,ย xnyr[.]digitalย 

How to stay safeย ย 

This campaign is a reminder that modern attacks oftenย donโ€™tย break inโ€”theyโ€™reย invited in.ย Remote access tools give attackers deep control over a system. Acting quickly can limitย the damage.ย ย 

For individualsย 

If you receive an email like this:ย 

  • Be suspicious of invitations that ask you to download or open softwareย 
  • Never run MSI files from unsolicited emailsย 
  • Verify invitations through another channel before opening anythingย 

If you already clicked or ran the file:ย ย 

  • Disconnect from the internetย immediatelyย 
  • Check forย ScreenConnectย and uninstall it if presentย 
  • Run a full security scanย 
  • Change important passwords from a clean, unaffected deviceย 

Forย organisationsย (especially in the UK)ย 

  • Alert onย unauthorizedย ScreenConnectย installations
  • Restrict MSI execution whereย feasibleย 
  • Treat โ€œremote support toolsโ€ as high-risk software
  • Educate users:ย invitationsย donโ€™tย come as installersย 

This scam works by installing a legitimate remote access tool without clear user intent. Thatโ€™s exactly the gap Malwarebytes is designed to catch.

Malwarebytes now detects newly installed remote access tools and alerts you when one appears on your system. Youโ€™re then given a choice: confirm that the tool is expected and trusted, or remove it if it isnโ€™t.


We donโ€™t just report on threatsโ€”we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byย downloading Malwarebytes today.

A Beginnerโ€™s Guide to the CVE Database

20 November 2025 at 02:47
A Beginnerโ€™s Guide to the CVE Database

Keeping websites and applications secure starts with knowing which vulnerabilities exist, how severe they are, and whether they affect your stack. Thatโ€™s exactly where the CVE program shines. Below, weโ€™ll cover some CVE fundamentals, including what they are, how to search and understand the data, and how to translate this information into actionable steps.

Introduction to the CVE database
So, what is CVE?

CVE stands for Common Vulnerabilities and Exposures, a community-driven program that assigns unique identifiers to publicly known vulnerabilities.

Continue reading A Beginnerโ€™s Guide to the CVE Database at Sucuri Blog.

GoSpoofย โ€“ Turning Attacks into Intelย 

By: BHIS
29 October 2025 at 15:00

Imagine this: Youโ€™re an attacker ready to get their hands on valuable data that you can sell to afford going on a sweet vacation. You do your research, your recon, everything, ensuring that thereโ€™s no way this can go wrong. The day of the attack, you brew some coffee, crack your knuckles, and get started. A few hours into the service scan, you come to realize that all the network ports are open, but in use.

The post GoSpoofย โ€“ Turning Attacks into Intelย  appeared first on Black Hills Information Security, Inc..

Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2)

By: BHIS
1 October 2025 at 16:00

But what if we need to wrangle Windows Event Logs for more than one system? In part 2, weโ€™ll wrangle EVTX logs at scale by incorporating Hayabusa and SOF-ELK into my rapid endpoint investigation workflow (โ€œREIWโ€)!ย 

The post Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) appeared first on Black Hills Information Security, Inc..

Stop Spoofing Yourself! Disabling M365 Direct Send

By: BHIS
20 August 2025 at 16:00

Remember the good โ€˜ol days of Zip drives, Winamp, the advent of โ€œOffice 365,โ€ and copy machines that didnโ€™t understand email authentication? Okay, maybe they werenโ€™t so good! For a [โ€ฆ]

The post Stop Spoofing Yourself! Disabling M365 Direct Send appeared first on Black Hills Information Security, Inc..

DNS Triage Cheatsheet

By: BHIS
6 August 2025 at 17:00

DNS Triage is a reconnaissance tool that finds information about an organization's infrastructure, software, and third-party services as fast as possible. The goal of DNS Triage is not to exhaustively find every technology asset that exists on the internet. The goal is to find the most commonly abused items of interest for real attackers.

The post DNS Triage Cheatsheet appeared first on Black Hills Information Security, Inc..

Burp Suite Cheatsheet

By: BHIS
6 August 2025 at 17:00

Burp Suite is an intercepting HTTP proxy that can also scan a web-based service for vulnerabilities. A tool like this is indispensable for testing web applications. Burp Suite is written in Java and comes bundled with a JVM, so it works on any operating system you're likely to use.

The post Burp Suite Cheatsheet appeared first on Black Hills Information Security, Inc..

Impacket Cheatsheet

By: BHIS
6 August 2025 at 17:00

Impacket is an extremely useful tool for post exploitation. It is a collection of Python scripts that provides low-level programmatic access to the packets and for some protocols, such as DCOM, Kerberos, SMB1, and MSRPC, the protocol implementation itself.

The post Impacket Cheatsheet appeared first on Black Hills Information Security, Inc..

Wireshark Cheatsheet

By: BHIS
6 August 2025 at 17:00

Wireshark is an incredible tool used to read and analyze network traffic coming in and out of an endpoint. Additionally, it can load previously captured traffic to assist with troubleshooting network issues or analyze malicious traffic to help determine what a threat actor is doing on your network.

The post Wireshark Cheatsheet appeared first on Black Hills Information Security, Inc..

Hashcat Cheatsheet

By: BHIS
6 August 2025 at 17:00

Hashcat is a powerful tool for recovering lost passwords, and, thanks to GPU acceleration, itโ€™s one of the fastest. It works by rapidly trying different password guesses to determine the original password from its scrambled (hashed) version.

The post Hashcat Cheatsheet appeared first on Black Hills Information Security, Inc..

Nmap Cheatsheet

By: BHIS
6 August 2025 at 17:00

Nmap is a powerful open-source tool commonly used by system/network administrators and security professionals to perform network discovery, security auditing, and basic vulnerability assessment.

The post Nmap Cheatsheet appeared first on Black Hills Information Security, Inc..

Netcat (nc) Cheatsheetย 

By: BHIS
6 August 2025 at 17:00

Netcat is a network utility tool that has earned the nickname "The Swiss Army Knife" of networking. It can be used for file transfers, chat/messaging between systems, port scanning, and much more.

The post Netcat (nc) Cheatsheetย  appeared first on Black Hills Information Security, Inc..

Detecting ADCS Privilege Escalation

Active Directory Certificate Services (ADCS) is used to manage certificates for systems, users, applications, and more in an enterprise environment. Misconfigurations in ADCS can introduce critical vulnerabilities into an enterprise Active Directory environment.

The post Detecting ADCS Privilege Escalation appeared first on Black Hills Information Security, Inc..

โŒ