Editor’s note: This report was authored by Andrew Adams.

Key Points

  • ReliaQuest investigated a spearphishing campaign in which users are lured into running a Windows screensaver (.scr) file that discreetly installs a legitimate remote monitoring and management (RMM) tool, giving attackers interactive remote control.

  • The delivery chain is built to evade reputation-based defenses by hiding behind trusted services. This reduces attacker-owned infrastructure and makes takedown and containment slower and less straightforward.

  • The most effective way to defend against this campaign is to treat screensavers and RMM tools like privileged software. Block or strictly limit .scr execution from user-writable locations and enforce an approved-RMM allowlist with alerting on unexpected deployments.


Attackers are abusing Windows screensaver (.scr) files to silently install commonly used remote monitoring and management (RMM) tools, turning trusted software into persistent remote access. Because this activity can blend into normal IT operations and avoid “classic malware” signals, it gives attackers room to escalate into credential theft, data exfiltration, and ransomware deployment.

We’ve observed this campaign across multiple ReliaQuest customers. It stands out because it is the first campaign we’ve identified that uses business-themed lures to persuade users to download a .scr file, an often-overlooked executable, which then deploys an RMM tool for durable access and follow-on actions.

Attribution remains unconfirmed, but what matters is the bigger pattern. This campaign is repeatable, scalable, and easy to adapt. Attackers can swap file-hosting providers and RMM tools while keeping the same core playbook. That makes it a reliable intrusion path against organizations that don’t tightly control executable file types (including .scr), consumer file-hosting access, and the installation or use of remote-support tools.

In this report, we break down the campaign and outline proactive measures your security team can implement to reduce risk from this—and similar—threats. We’ll focus on:

  • End-to-end delivery chain: How spearphishing emails lead users to externally hosted downloads that install an RMM agent disguised as a legitimate application.

  • Why it works: How attackers abuse trust in cloud services and the overlooked risk of .scr files to evade controls, including prior examples of screensaver-based payload delivery and RMM weaponization.

  • Defensive priorities: How historical screensaver and RMM abuse should shape current detection and prevention priorities.

Following the Attack Chain from Start to Finish

In this section, we unpick how an attack in this campaign is conducted. We focus on how attackers use an executable Windows screensaver file as a lure and exploit trusted cloud services to stage an unauthorized RMM agent, bypass detection, and potentially achieve persistence.

In this case, attackers used GoFile and SimpleHelp, but the technique isn’t tool-specific. Similar campaigns can apply the same principles using other common cloud storage platforms and remote-access tools.

Initial Access Starts with Business-Themed Lures

The attack starts with a spearphishing email containing a link to a cloud storage platform. The link directs the target to a page hosted outside the victim’s organization.

The payload is a Windows .scr file disguised as a routine business document (for example, “InvoiceDetails.scr” or “ProjectSummary.scr”). The plausible filenames and context increase the likelihood of a user downloading and executing the file.

One Click Triggers a Stealthy RMM Agent Install

The user launches the .scr file from the Downloads folder. Because .scr is rarely on the short list of extensions (typically .exe and .msi) that download and execution controls key on, the file runs like any other executable, and the following actions take place:

A legitimate, but unauthorized, RMM agent is installed with little or no user-visible indication. Artifacts are written to C:\ProgramData\JWrapper-Remote Access\, the default install directory of the SimpleHelp remote access agent. On a host with no sanctioned SimpleHelp deployment, the appearance of this directory immediately after a .scr execution is, from our analysis, a clear indicator of malicious deployment.

The host initiates outbound connections, including to infrastructure not associated with sanctioned RMM use, suggesting unauthorized remote access.

By pairing a legitimate-looking file and trusted cloud service, the attackers can effectively make early malicious activity look like routine business and IT operations, which helps buy time before defenders recognize what's happening.
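The chain above (a .scr launched from a user-writable folder, SimpleHelp install artifacts within minutes, then outbound traffic to a host that is not part of the sanctioned RMM) can be expressed as a correlation rule. The following is an added example, not ReliaQuest's detection content. Event shapes loosely follow Sysmon (ID 1 process create, ID 11 file create, ID 3 network connect) and the System log's 7045 "service installed" event; the field names, the sanctioned-host set, the file name under the JWrapper directory, and every sample event are constructed.

```python
# Added example (not ReliaQuest's code): correlate endpoint telemetry into the
# .scr -> RMM install -> unsanctioned outbound chain. Field names, sample events
# and SANCTIONED_RMM_HOSTS are constructed for the example.
from datetime import datetime, timedelta

# Path fragments that mark user-writable locations (lower-cased comparison).
USER_WRITABLE = ("\\users\\", "\\downloads\\", "\\desktop\\", "\\temp\\", "\\appdata\\")
# Default install directory of the SimpleHelp remote access agent on Windows.
RMM_DIRS = ("c:\\programdata\\jwrapper-remote access\\",)
# Destinations the organisation's sanctioned RMM may reach (assumption).
SANCTIONED_RMM_HOSTS = {"helpdesk.example.com"}
WINDOW = timedelta(minutes=10)


def _t(event):
    return datetime.fromisoformat(event["time"])


def _under(path, roots):
    p = path.lower()
    return any(r in p for r in roots)


def correlate(events):
    """Return one alert per .scr execution from a user-writable path that is
    followed, on the same host and within WINDOW, by RMM install artifacts,
    a new service under the RMM directory, or unsanctioned outbound traffic."""
    events = sorted(events, key=_t)
    alerts = []
    for i, e in enumerate(events):
        if e["id"] != 1 or not e["image"].lower().endswith(".scr"):
            continue
        if not _under(e["image"], USER_WRITABLE):
            continue  # e.g. a built-in screensaver started from System32
        alert = {"host": e["host"], "lure": e["image"],
                 "artifacts": [], "services": [], "connections": []}
        for f in events[i + 1:]:
            if _t(f) - _t(e) > WINDOW:
                break  # events are sorted, nothing later can be in the window
            if f["host"] != e["host"]:
                continue
            if f["id"] == 11 and _under(f["target"], RMM_DIRS):
                alert["artifacts"].append(f["target"])
            elif f["id"] == 7045 and _under(f["image_path"], RMM_DIRS):
                alert["services"].append(f["service"])
            elif (f["id"] == 3 and f["dest_host"] not in SANCTIONED_RMM_HOSTS
                  and (f["pid"] == e["pid"] or _under(f["image"], RMM_DIRS))):
                alert["connections"].append(f["dest_host"])
        if alert["artifacts"] or alert["services"] or alert["connections"]:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: one intrusion on WS-042 plus benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "time": "2025-09-03T09:14:02", "host": "WS-042", "pid": 4120,
     "image": r"C:\Users\jdoe\Downloads\InvoiceDetails.scr"},
    {"id": 11, "time": "2025-09-03T09:14:09", "host": "WS-042", "pid": 4120,
     "target": r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe"},
    {"id": 7045, "time": "2025-09-03T09:14:12", "host": "WS-042", "pid": 668,
     "service": "Remote Access",
     "image_path": r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe"},
    {"id": 3, "time": "2025-09-03T09:14:20", "host": "WS-042", "pid": 5308,
     "image": r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe",
     "dest_host": "203.0.113.25"},  # RFC 5737 documentation address
    # Benign: the sanctioned RMM agent checking in on the same host.
    {"id": 3, "time": "2025-09-03T09:14:30", "host": "WS-042", "pid": 1800,
     "image": r"C:\Program Files\ApprovedRMM\agent.exe",
     "dest_host": "helpdesk.example.com"},
    # Benign: Windows starting a built-in screensaver.
    {"id": 1, "time": "2025-09-03T09:30:00", "host": "WS-007", "pid": 2210,
     "image": r"C:\Windows\System32\ssText3d.scr"},
]


def demo():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The rule deliberately keys on the sequence rather than on the .scr alone: a built-in screensaver started by Windows from System32 produces no alert, and a sanctioned agent's check-in is filtered by destination, so the alert fires only when the user-launched screensaver is followed by the RMM artifacts the report describes.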

Remote Access Sets Up Persistence and Follow-On Actions

Once installed, the RMM agent provides persistent, interactive access that allows attackers to maintain a foothold within the environment and quietly prepare for further malicious actions. In the incidents we investigated, we observed network connections attempting to contact external servers, which signals potential command-and-control (C2) activity. This activity could facilitate:

  • Data Theft: Access and exfiltration of sensitive files.

  • Lateral Movement: Expansion of access to additional devices within the network.

  • Ransomware Deployment: Using the foothold to encrypt files and demand ransom payments.

What This Means for Defenders

This campaign is a reminder that trusted services and legitimate tools can still be the delivery path. For attackers, it’s efficient, lowers the technical barrier, and reduces reliance on attacker-owned infrastructure, making infiltration, evasion, and long-term access easier.

It’s also highly reusable. Swap the cloud service, change the lure, rotate the remote-access tool, but the workflow stays the same, which makes this technique both scalable and adaptable.

Making Intrusions Easier: Screensavers Deliver Persistent Remote Access

This campaign is another example of attackers abusing legitimate tools to catch defenses out. It works by exploiting trust in two places: users who don’t recognize that screensaver files are executables, and security programs that allow legitimate remote access agents to run and communicate without the scrutiny applied to custom malware. The result is a familiar detection challenge where malicious remote control can look like authorized support, especially when remote-access tools aren’t tightly governed.

Remote Access or Remote Control? Why Attackers Abuse RMM Tools

RMM tools are built for enterprise use. They often run with elevated privileges, support unattended access, and communicate over encrypted channels that security programs routinely allow. And that’s exactly why attackers want them, especially in environments without clear controls over which RMM products are permitted and where agents can be installed.

In this campaign, a malicious .scr file kicked off the installation of a legitimate RMM agent, concealed behind a consumer file-hosting workflow to reduce scrutiny. RMM software isn’t inherently malicious. The real risk is that, once an agent is installed outside governance, it becomes an attacker-controlled remote access path that can:

  • Blend into normal activity because remote support tools are expected, encrypted, and often allowlisted.

  • Provide persistent access that survives reboots and user sessions.

  • Enable follow-on objectives such as discovery, credential harvesting, data exfiltration, and ransomware deployment.

Like most attacks that abuse legitimate tools, this campaign reinforces that blocking known threats isn’t enough. Organizations must scrutinize the context of actions and evaluate not just which program is running, but whether its behavior is appropriate for the user and system in that specific operational environment.

For defenders, the challenge shifts from detecting malware to proving intent. Treat RMM as a privileged access capability: Maintain an approved-RMM allowlist, alert on first-time or unexpected agent installation artifacts (e.g., new services, scheduled tasks, ProgramData directories), and investigate outbound connections to unrecognized RMM infrastructure.

Screensaver Files Are Overlooked Executables

.scr files are a reliable initial-access vector because they’re executables that don’t always receive executable-level controls. When users download and run them from email or cloud links, attackers can trigger code execution while bypassing policies tuned primarily for .exe and .msi files.

The risk persists because of a gap between perception and reality. In Windows, .scr files are portable executable (PE) programs: a screensaver is an ordinary PE image with a different extension, and running one executes whatever code it contains. Yet many organizations don’t explicitly restrict .scr in application control policies, and many users don’t recognize it as executable content. Without those restrictions or that awareness, a downloaded screensaver can lead to unauthorized access, data breaches, or malware infections.
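Because a .scr is just a PE image under another name, a download control that inspects content rather than the outer extension closes the gap the paragraph above describes. The following is an added example, not code from the original report: it parses the DOS and PE headers of a file and classifies downloads by what they are rather than what they are called. The sample "files" are constructed in memory, and the PE blob is a header-only stub that no loader would run, built only to exercise the parser.

```python
# Added example (not from the original report): classify downloads by PE
# content, not extension. All sample files below are constructed in memory.
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
SUBSYSTEM_NAMES = {2: "GUI", 3: "console"}
# Extensions Windows will run directly (not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "cpl", "dll"}


def inspect_pe(data):
    """Return None if data is not a PE image, else a dict of header facts."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _ns, _ts, _ps, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    info = {"machine": machine,
            "is_exe": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "subsystem": None}
    # Subsystem sits at optional-header offset 68 in both PE32 and PE32+.
    sub_off = e_lfanew + 24 + 68
    if opt_size >= 70 and sub_off + 2 <= len(data):
        sub = struct.unpack_from("<H", data, sub_off)[0]
        info["subsystem"] = SUBSYSTEM_NAMES.get(sub, str(sub))
    return info


def verdict(name, data):
    """Content first, extension second: PE bytes are blocked whatever the
    name; an executable extension without PE content is sent for review."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    pe = inspect_pe(data)
    if pe and pe["is_exe"]:
        kind = "DLL" if pe["is_dll"] else "%s executable" % pe["subsystem"]
        if ext not in EXECUTABLE_EXTS:
            return "block: PE %s disguised as .%s" % (kind, ext)
        return "block: PE %s (.%s)" % (kind, ext)
    if ext in EXECUTABLE_EXTS:
        return "review: executable extension without PE content"
    return "allow"


def triage(files):
    """files: {name: bytes} -> {name: verdict string}."""
    return {name: verdict(name, data) for name, data in files.items()}


def build_stub_pe(subsystem=2, machine=0x8664):
    """Constructed header-only PE32+ blob used to exercise inspect_pe()."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, e_lfanew)     # e_lfanew -> PE signature
    dos += b"\0" * (e_lfanew - len(dos))
    opt_size = 240
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size,
                       IMAGE_FILE_EXECUTABLE_IMAGE | 0x0020)  # + LARGE_ADDRESS_AWARE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)           # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample downloads, using the lure names from the campaign.
SAMPLE_FILES = {
    "InvoiceDetails.scr": build_stub_pe(subsystem=2),
    "ProjectSummary.pdf.scr": build_stub_pe(subsystem=2),   # double extension
    "ProjectSummary.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "notes.txt": build_stub_pe(subsystem=3),                # PE behind .txt
    "bundle.scr": b"PK\x03\x04" + b"\0" * 40,               # not a PE at all
}


def demo():
    return triage(SAMPLE_FILES)


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-24s %s" % (name, result))
```

The point of the split verdicts is that an allowlist built on extensions alone gets both directions wrong: it blocks nothing when the executable hides behind .txt and over-trusts a .scr that is really an archive. Checking the MZ/PE headers costs a few bytes of I/O per download and removes the guesswork.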

Attackers capitalize on this gap and enhance their cover further using business-themed filenames and routine pretexts, just like in this campaign, to deceive unsuspecting users into executing the file. One click, executing a downloaded “screensaver,” can be enough to start an intrusion chain that installs an unauthorized remote-access agent, allows access to multiple devices, and increases the odds of data loss or ransomware-driven downtime.

Proof It Works: Past Remote Access and Screensaver Droppers

This campaign fits a broader pattern of attackers using overlooked executable formats for initial execution and then relying on remote access, either custom malware or legitimate RMM tools, to maintain control and enable ransomware. Examples include:

  • August 2025: A campaign targeting financial institutions used malicious Windows screensaver files disguised as financial documents and delivered via a communications app. When executed, the screensaver installed the remote-access trojan (RAT) “GodRAT,” demonstrating how these files can bypass user suspicion and control gaps to establish remote access.

  • June 2025: CISA reported that the “DragonForce” ransomware group exploited a vulnerability in a managed service provider’s (MSP) unpatched RMM software to access downstream customer environments. The actors used that access to establish secondary persistence, weaken defenses, exfiltrate data, and encrypt systems, illustrating the business impact when RMM is compromised or deployed outside governance.

These cases show how threat actors keep refining the same core approach across campaigns. They use overlooked executable formats and trusted third-party tools to achieve their objectives. These methods work because they bypass user scrutiny and abuse the default trust we typically place in legitimate software and files.

When socially engineered lures such as screensaver files are combined with third-party or supply-chain gaps like the one exploited in the DragonForce incident, the result is a high-impact initial access path with clear downstream risk. For security teams, the priority is to recognize the pattern and tactics in these campaigns to prevent similar future attacks, because this tradecraft is easy to adapt across industries and organizations.

Step Up Your Defenses Against Screensavers Wrapping RMM Tools

ReliaQuest’s Approach

ReliaQuest GreyMatter equips customers with the tools to quickly detect, contain, investigate, and stop the tactics, techniques, and procedures (TTPs) outlined throughout this report, including:

GreyMatter Transit: Unlike traditional tools that rely on post-event analysis, GreyMatter Transit detects attacks in motion by identifying suspicious .scr executions and RMM staging signals before they are indexed in the SIEM. This enables real-time visibility into evolving threats to reduce dwell time, mitigate credential compromise, and disrupt adversaries.

Agentic AI: After the initial alert, agentic AI investigates the entire attack chain by correlating and enriching logs from the suspicious .scr execution through RMM installation. It can then respond by automatically containing the threat, remediating, and generating a complete incident ticket, effectively handling the full incident lifecycle in minutes without waiting on manual analysis.

Detection Rules: ReliaQuest continuously updates detection content to match attacker behavior. Organizations should deploy GreyMatter’s detection rules and Automated Response Playbooks to minimize the risk of compromise from RMM tools disguised as screensaver files and contain associated threats in minutes.

Your Action Plan

To minimize the risk of spearphishing-led installation of an unauthorized RMM agent, and to limit impact if it happens, prioritize the following controls:

  • Treat Screensavers as Executables: Treat screensaver .scr files as untrusted executable content. Block or restrict execution from user-writable locations (Downloads, Desktop, and Temp). Use robust application control solutions (e.g., Windows Defender Application Control, AppLocker, or equivalent) to allow execution only from trusted, signed, or explicitly approved locations.

  • Govern Legitimate RMM Tools: Maintain an approved-RMM allowlist (vendor/product, signing certificate, hashes where feasible). Alert on unapproved RMM agent installation signals, including new services, scheduled tasks, and unexpected ProgramData directories, created after user-initiated execution.

  • Reduce Risk from Consumer File Hosting: Block non-business file-hosting services at the DNS or web proxy layer. Where access is required, enforce browser isolation and download policies that restrict executable content (.scr, .exe, .msi) and archives likely to contain them.
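The approved-RMM allowlist and installation alerting recommended here and in the "Remote Access or Remote Control?" section above can be checked mechanically against an endpoint inventory. The following is an added example, not ReliaQuest's code: it evaluates services and scheduled tasks against an allowlist of vendor, signer, install root and binary hashes, and flags anything that looks like a remote-access agent but is not on it. The allowlist, the signer strings, the hashes and the inventory are constructed; only the SimpleHelp install path comes from the report, and the fingerprint table should be extended with the products you track.

```python
# Added example (not ReliaQuest's code): evaluate an endpoint inventory against
# an approved-RMM allowlist. Signers, hashes, products and the inventory are
# constructed; the JWrapper-Remote Access path is SimpleHelp's default.
import hashlib


def sha256_hex(b):
    return hashlib.sha256(b).hexdigest()


# What the organisation has sanctioned (constructed values).
APPROVED_RMM = [
    {"product": "ApprovedRMM",
     "signer": "CN=Approved RMM Vendor, O=Approved RMM Vendor, C=US",
     "install_root": "c:\\program files\\approvedrmm\\",
     "sha256": {sha256_hex(b"approvedrmm-agent-build-7.2.1")}},
]

# Fingerprints of RMM products that are NOT sanctioned. Only the SimpleHelp
# path is from the report; add the products you track.
RMM_FINGERPRINTS = {
    "SimpleHelp": {"paths": ("c:\\programdata\\jwrapper-remote access\\",),
                   "services": ("remote access",)},
}

# Roots where sanctioned enterprise agents are not normally installed.
UNUSUAL_ROOTS = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")


def _approved(item):
    """Product name if item matches an allowlist entry on path, signer and
    (when the entry carries hashes) binary hash; otherwise None."""
    b = item["binary"].lower()
    for a in APPROVED_RMM:
        if b.startswith(a["install_root"]) and item["signer"] == a["signer"]:
            if not a["sha256"] or item["sha256"] in a["sha256"]:
                return a["product"]
    return None


def _near_miss(item):
    """True if item sits in an approved install root or carries an approved
    signer but still failed _approved(): a tampered or unexpected build."""
    b = item["binary"].lower()
    return any(b.startswith(a["install_root"]) or item["signer"] == a["signer"]
               for a in APPROVED_RMM)


def _fingerprint(item):
    b = item["binary"].lower()
    for product, fp in RMM_FINGERPRINTS.items():
        if any(b.startswith(p) for p in fp["paths"]):
            return product
        if item["kind"] == "service" and item["name"].lower() in fp["services"]:
            return product
    return None


def evaluate(inventory):
    """Return [(severity, item name, reasons)] for every service or task that
    is not an approved agent and shows at least one warning sign."""
    findings = []
    for item in inventory:
        if _approved(item):
            continue
        reasons = []
        product = _fingerprint(item)
        if product:
            reasons.append("matches unapproved RMM product %s" % product)
        if _near_miss(item):
            reasons.append("approved-looking agent failed signer/hash check")
        if any(r in item["binary"].lower() for r in UNUSUAL_ROOTS):
            reasons.append("binary under a user-writable or ProgramData path")
        if item["installer"].lower().endswith(".scr"):
            reasons.append("installed by a screensaver executable")
        if not reasons:
            continue
        severity = "high" if product or len(reasons) >= 2 else "medium"
        findings.append((severity, item["name"], "; ".join(reasons)))
    return findings


# Constructed inventory: one approved agent, one SimpleHelp install dropped by
# the .scr lure, one unknown user-profile task, one benign Windows service.
SAMPLE_INVENTORY = [
    {"kind": "service", "name": "ApprovedRMM Agent",
     "binary": "C:\\Program Files\\ApprovedRMM\\agent.exe",
     "signer": "CN=Approved RMM Vendor, O=Approved RMM Vendor, C=US",
     "sha256": sha256_hex(b"approvedrmm-agent-build-7.2.1"),
     "installer": "C:\\Windows\\System32\\msiexec.exe"},
    {"kind": "service", "name": "Remote Access",
     "binary": "C:\\ProgramData\\JWrapper-Remote Access\\Remote Access.exe",
     "signer": "CN=Placeholder Signer",  # constructed placeholder
     "sha256": sha256_hex(b"unknown-agent-bytes"),
     "installer": "C:\\Users\\jdoe\\Downloads\\InvoiceDetails.scr"},
    {"kind": "task", "name": "Updater",
     "binary": "C:\\Users\\jdoe\\AppData\\Local\\Updater\\updater.exe",
     "signer": "", "sha256": sha256_hex(b"updater-bytes"),
     "installer": "C:\\Windows\\explorer.exe"},
    {"kind": "service", "name": "Windows Update",
     "binary": "C:\\Windows\\System32\\svchost.exe",
     "signer": "CN=Microsoft Windows", "sha256": sha256_hex(b"svchost-bytes"),
     "installer": ""},
]


def demo():
    return evaluate(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for severity, name, reasons in demo():
        print(severity, name, "->", reasons)
```

Two design choices matter here. First, hashes are optional per allowlist entry, so an organisation can start with signer plus install root and tighten to hashes "where feasible", as the recommendation puts it. Second, a binary that lives in an approved root but fails the signer or hash check is reported rather than silently skipped, which is the case an attacker dropping a renamed agent into a trusted directory would otherwise exploit.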

Key Takeaways and What’s Next

This campaign underscores a persistent tactic: threat actors exploiting the trust placed in legitimate platforms and tools. While this attack chain—routing users through reputable cloud services and file-hosting platforms, then using a screensaver (.scr) file to install a remote management agent—represents a novel combination, the underlying strategy is far from new and can be readily replicated with different cloud storage platforms and RMM tools. Because the tool set and traffic can resemble normal operations, defenders often don’t get a “classic malware” signal early enough to stop the chain.

This recurring pattern of legitimate tool abuse demands heightened vigilance from security teams. The mitigations and recommendations in this report are designed not only to defend against this campaign, but also to strengthen defenses against future attacks that use similar tactics. Recent activity reinforces this trend, as we’ve seen social media phishing campaigns and previous abuse of legitimate tools.

Forward View

Attackers will likely keep exploiting file formats and delivery methods that slip past narrow allow/deny logic (simplistic controls that allow or block files based only on a short list of extensions or the “outer” file type). For example, an environment may block .exe but allow .scr without inspecting the executable content inside. Container and archive files are especially common for delivering executable content, including .scr payloads, because they’re low effort, low cost, easy to scale, and often avoid security controls focused primarily on .exe.

At the same time, we expect continued “Living-off-the-Land” use of legitimate remote-access tools. Approved-looking software reduces reliance on custom malware and makes activity easier to blend into normal IT operations. If RMM agents can be installed without strong governance, monitoring, and rapid containment, attackers will continue to treat them as a reliable path to persistence—and a launchpad for ransomware and data theft.