ConnectWise RAT
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Discovery
1 technique
Threat actors running modern campaigns use browser and operating-system information to deliver increasingly targeted content. This information is collected from the "User-Agent" header sent by the browser when a victim visits a landing page via a URL embedded in an email or attachment.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A legitimate remote access tool repurposed by threat actors as a remote access trojan in phishing campaigns, often delivered to Windows victims and used to gain access while evading signature-based defenses.
A legitimate remote access tool abused by threat actors and delivered via a malicious website linked from a spoofed Zoom meeting invitation.
Remote Access Trojan delivered via LinkedIn InMail-themed spoofed emails; clicking the embedded "Read More" or "Reply To" buttons downloads a ConnectWise RAT installer, giving the attacker remote access to and control of the victim system.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.