win.evilconwi

EvilConwi

EvilConwi is a malicious variant of the legitimate ScreenConnect remote access software by ConnectWise.
Threat actors modify the client configuration extensively so that any sign of an active remote connection is removed (no connection balloon, no tray icon, no wallpaper change). EvilConwi often pretends to perform a Windows update by using fake Windows update images embedded in the config; the purpose is to keep the victim from shutting the system down while the threat actor is connected remotely.

Other EvilConwi signs are fake application icons and titles. For example, it may pose as a Zoom installer, reusing Zoom's icons and application titles in the ConnectWise config.

References
2025-06-23 | G DATA | Karsten Hahn, Lance Go
ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware
Yara Rules
[TLP:WHITE] win_evilconwi_w0 (20250912 | Settings from app.config that hide the connection of the client. These settings are potentially unwanted)
rule win_evilconwi_w0 {
	meta:
		author = "Karsten Hahn @ G DATA CyberDefense"
		description = "Settings from app.config that hide the connection of the client. These settings are potentially unwanted"
		sha256 = "1fc7f1ef95f064b6c6f79fd1a3445902b7d592d4ff9989175b7caae66dd4aa50"

		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilconwi"
		malpedia_version = "20250912"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		$rex_01 = /<setting name="(Access|Support)?ShowBalloonOnConnect"[^>]*>\s*<value>false<\/value>/
		$rex_02 = /<setting name="(Access|Support)?HideWallpaperOnConnect"[^>]*>\s*<value>false<\/value>/
		$rex_03 = /<setting name="(Access|Support)?ShowBalloonOnHide"[^>]*>\s*<value>false<\/value>/
		$rex_04 = /<setting name="(Access|Support)?ShowSystemTrayIcon"[^>]*>\s*<value>false<\/value>/

	condition:
		all of them
}
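The rule above keys on four app.config settings that, when all set to false, remove every visible hint that a ScreenConnect client is connected. The following Python script is an added example (not Malpedia's or G DATA's code) that reproduces the same logic as a config check for triage: it parses an extracted app.config as XML, strips the optional Access/Support prefix from the setting names exactly as the rule's regexes do, and reports which of the four settings are false and whether the rule's "all of them" condition would fire. Unlike the YARA rule, which matches raw bytes, it assumes the config is well-formed XML. Both sample configs are constructed for illustration and are not taken from a real sample.

```python
"""Check a ScreenConnect app.config for the connection-hiding settings that
the win_evilconwi_w0 rule matches on.

Added example, not part of Malpedia or G DATA's tooling.  The sample configs
below are constructed, not extracted from a real EvilConwi binary.
"""
import re
import xml.etree.ElementTree as ET

# The four settings the YARA rule matches, without the optional prefix.
HIDE_SETTINGS = (
    "ShowBalloonOnConnect",
    "HideWallpaperOnConnect",
    "ShowBalloonOnHide",
    "ShowSystemTrayIcon",
)

# Same shape as the rule: optional "Access"/"Support" prefix, then the base name.
_NAME_RE = re.compile(r"^(?:Access|Support)?(" + "|".join(HIDE_SETTINGS) + r")$")


def collect_settings(config_xml: str) -> dict:
    """Return {base_name: value_text} for every <setting> whose name attribute
    matches one of the watched settings, with the prefix stripped."""
    root = ET.fromstring(config_xml)
    found = {}
    for setting in root.iter("setting"):
        match = _NAME_RE.match(setting.get("name", ""))
        if not match:
            continue
        value_el = setting.find("value")  # the rule expects a <value> child
        if value_el is not None and value_el.text is not None:
            found[match.group(1)] = value_el.text.strip()
    return found


def hidden_connection_settings(config_xml: str) -> list:
    """Names of watched settings explicitly set to the literal 'false'
    (the rule's regexes are case-sensitive, so this is too)."""
    found = collect_settings(config_xml)
    return [name for name in HIDE_SETTINGS if found.get(name) == "false"]


def matches_rule(config_xml: str) -> bool:
    """Equivalent of the rule's 'all of them': all four settings are false."""
    return len(hidden_connection_settings(config_xml)) == len(HIDE_SETTINGS)


def _setting(name: str, value: str) -> str:
    # Helper to build the constructed sample configs below.
    return (f'      <setting name="{name}" serializeAs="String">\n'
            f"        <value>{value}</value>\n"
            "      </setting>\n")


def _config(*settings: str) -> str:
    return ("<configuration>\n  <applicationSettings>\n"
            "    <ScreenConnect.ClientSettings>\n"
            + "".join(settings) +
            "    </ScreenConnect.ClientSettings>\n"
            "  </applicationSettings>\n</configuration>\n")


# Constructed config with every connection indicator disabled, using the
# prefixed and unprefixed name forms the rule accepts.
SUSPICIOUS_CONFIG = _config(
    _setting("AccessShowBalloonOnConnect", "false"),
    _setting("SupportHideWallpaperOnConnect", "false"),
    _setting("ShowBalloonOnHide", "false"),
    _setting("AccessShowSystemTrayIcon", "false"),
)

# Constructed config where only one indicator is off: the rule would not fire.
ORDINARY_CONFIG = _config(
    _setting("ShowBalloonOnConnect", "true"),
    _setting("HideWallpaperOnConnect", "true"),
    _setting("SupportShowBalloonOnHide", "false"),
    _setting("AccessShowSystemTrayIcon", "true"),
)


if __name__ == "__main__":
    for label, cfg in (("suspicious", SUSPICIOUS_CONFIG), ("ordinary", ORDINARY_CONFIG)):
        print(label, "hidden:", hidden_connection_settings(cfg),
              "rule match:", matches_rule(cfg))
```

In triage, run collect_settings on the app.config pulled from the ScreenConnect client package and treat a full match as a strong indicator; a partial match (one or two settings disabled) is common in legitimate deployments and only warrants a closer look at the rest of the config, such as embedded images and the application title.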