G DATA researchers observe surge in malware infections via Authenticode stuffing originating from ConnectWise clients.

Since March 2025, cybersecurity researchers—most notably from G DATA—have observed a surge in malware infections originating from ConnectWise clients. These infections are linked to a sophisticated technique called Authenticode stuffing, which allows attackers to trojanize legitimate software and deploy malware while bypassing traditional security checks.

ConnectWise is a leading software company that provides business management, IT service management (ITSM), and cybersecurity solutions primarily for IT solution providers, managed service providers (MSPs), and technology service providers (TSPs). The company’s mission is to empower IT professionals with software, services, and community support to help them achieve their business goals.

What Is Authenticode Stuffing and How Is It Abused?

Authenticode is a Microsoft code-signing technology that verifies the integrity and origin of software using digital signatures. Normally, any modification to a signed file invalidates its signature. However, some software—including ConnectWise—uses a workaround to store configuration data in the certificate table of the executable, an area not covered by the signature’s hash validation. This practice, intended to avoid re-signing for minor installer customizations, is known as Authenticode stuffing.

Attackers exploit this by injecting malicious configurations and payloads into the unauthenticated attributes of the PKCS#7 signature stored in the certificate table. Because these attributes are, by design, not covered by the signature (Windows never hashes them when validating the file), the digital signature remains valid, and security software often fails to flag the modified installer as suspicious.

Infection Chain and Attack Details

The campaign, tracked as EvilConwi, typically starts with phishing emails or malicious ads (notably on Facebook) that lure users to download ConnectWise installers from links hosted on services like OneDrive or Canva. These installers, while appearing legitimate and signed, are trojanized. Once executed, they:

• Deploy remote access malware disguised as trusted applications (e.g., Google Chrome, AI tools, fake Windows updates).
• Display fake update screens and suppress system notifications, sometimes even hiding tray icons or connection alerts to keep the attack covert.
• Allow attackers persistent, stealthy remote access to the victim’s system, sometimes accompanied by visible signs such as the mouse moving on its own.

Technical Analysis and Detection

Security researchers found that the only substantial differences between benign and malicious ConnectWise samples are in the certificate table, specifically, the unauthenticated attributes. Attackers use these attributes to store (1) connection URLs, ports, and launch parameters, (2) custom icons, application titles, and fake update images/messages, and (3) settings that disable user alerts and hide the remote connection.

Because these changes do not alter the main executable’s hash, the digital signature remains intact, helping the malware evade detection by most antivirus solutions as of May 2025. Detection now focuses on identifying suspicious configurations in the certificate table, with tools like YARA rules and configuration dumpers targeting these attributes.
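The two technical points made above, that the Authenticode hash skips the certificate table entirely and that detection therefore has to look at what is stored inside that table, can be demonstrated with a small amount of Python. The example below is added here and is not code from G DATA or ConnectWise. It builds a constructed, minimal PE32+ image (not a real signed binary; the "certificate" is a stand-in byte string), computes the Authenticode file hash the way the Microsoft specification describes (skip the CheckSum field, the security data-directory entry and the certificate table), and then runs a simple configuration dumper over the certificate table. The string patterns it flags (URLs, host:port pairs, update-themed messages) are assumed triage heuristics based on the article's description, not a published signature.

```python
import hashlib
import re
import struct

# Offsets inside the optional header (PE32 magic 0x10b / PE32+ magic 0x20b).
_CHECKSUM_OFF = 64
_DATADIR_OFF = {0x10B: 96, 0x20B: 112}
_SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def _header_offsets(pe: bytes):
    """Return (checksum_off, secdir_off, size_of_headers, [(raw_ptr, raw_size)...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    datadir = opt + _DATADIR_OFF[magic]
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    sections = []
    sect = opt + opt_size
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect + i * 40 + 16)
        sections.append((raw_ptr, raw_size))
    return opt + _CHECKSUM_OFF, datadir + 8 * _SECURITY_DIR, size_of_headers, sections


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash the image as Authenticode does: everything except the CheckSum field,
    the security data-directory entry and the certificate table itself."""
    cksum, secdir, hdr_size, sections = _header_offsets(pe)
    _, cert_size = struct.unpack_from("<II", pe, secdir)
    h = hashlib.new(algo)
    h.update(pe[:cksum])
    h.update(pe[cksum + 4:secdir])
    h.update(pe[secdir + 8:hdr_size])
    hashed = hdr_size
    for ptr, size in sorted(sections):       # sections in file order
        h.update(pe[ptr:ptr + size])
        hashed += size
    extra = len(pe) - hashed - cert_size     # trailing data, minus the certificate table
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()


def certificate_table(pe: bytes) -> bytes:
    """Return the bCertificate payload of the first WIN_CERTIFICATE entry."""
    _, secdir, _, _ = _header_offsets(pe)
    off, size = struct.unpack_from("<II", pe, secdir)  # "VirtualAddress" is a file offset here
    if size == 0:
        return b""
    length, _revision, _cert_type = struct.unpack_from("<IHH", pe, off)
    return pe[off + 8:off + length]


# Assumed triage heuristics for what the article says gets stashed in the
# unauthenticated attributes: relay URLs/host:port pairs and fake-update text.
# Real PKCS#7 blobs also carry CRL/OCSP URLs, so hits are candidates for an
# analyst, not a verdict on their own.
_PATTERNS = [r"https?://[^\s\"'<>]+", r"\b(?:update|installing|please wait)\b", r"[a-z0-9.-]+:\d{2,5}\b"]


def strings_in(blob: bytes, min_len: int = 6):
    """ASCII and UTF-16LE printable runs, the way a strings dumper would list them."""
    out = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]
    out += [m.group().decode("utf-16le") for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)]
    return out


def suspicious_config(pe: bytes):
    """Strings from the certificate table that match one of the assumed patterns."""
    return [s for s in strings_in(certificate_table(pe)) if any(re.search(p, s, re.I) for p in _PATTERNS)]


def build_sample_pe(cert_blob: bytes, code: bytes = b"\xC3" * 16) -> bytes:
    """Constructed minimal PE32+ image (not a real signed binary): headers,
    one .text section and a WIN_CERTIFICATE entry wrapping cert_blob."""
    hdr_size, sect_size = 0x200, 0x200
    cert_len = (8 + len(cert_blob) + 7) & ~7            # WIN_CERTIFICATE entries are 8-byte aligned
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, hdr_size)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * _SECURITY_DIR, hdr_size + sect_size, cert_len)
    section = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(code), 0x1000, sect_size, hdr_size, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + bytes(opt) + section).ljust(hdr_size, b"\0")
    cert = (struct.pack("<IHH", cert_len, 0x0200, 0x0002) + cert_blob).ljust(cert_len, b"\0")
    return headers + code.ljust(sect_size, b"\0") + cert


def demo():
    """Constructed inputs: a stand-in signature blob and an appended config string."""
    clean_blob = b"\x30\x82\x01\x00" + b"Example Signer" + b"\0" * 40
    config = "relay.example.test:8041".encode("utf-16le") + b"\0\0" + b"Installing Windows update, please wait..."
    clean = build_sample_pe(clean_blob)
    stuffed = build_sample_pe(clean_blob + config)            # only the certificate table grew
    patched = build_sample_pe(clean_blob, code=b"\x90" * 16)  # code bytes changed instead
    return {
        "same_hash_after_stuffing": authenticode_hash(clean) == authenticode_hash(stuffed),
        "same_hash_after_code_change": authenticode_hash(clean) == authenticode_hash(patched),
        "clean_hits": suspicious_config(clean),
        "stuffed_hits": suspicious_config(stuffed),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the asymmetry the article relies on: growing the certificate table leaves the Authenticode hash untouched, while changing a single code byte changes it, which is why signature validation alone cannot catch a stuffed installer. The dumper then surfaces the host:port pair and the fake-update message from the certificate table of the stuffed sample and nothing from the clean one; in practice the string scan should be narrowed to the unauthenticated attributes of the SignerInfo and paired with an allowlist of the CRL/OCSP URLs a legitimate signature is expected to carry.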

Impact and Response

The campaign has led to numerous infections, with users reporting incidents on public forums like BleepingComputer and Reddit. ConnectWise was notified and revoked the implicated digital signature by June 17, 2025, but as of the latest reports, no official statement has been made. Security vendors are updating their detections, and G DATA flags these samples as Win32.Backdoor.EvilConwi or Win32.Riskware.SilentConwi.