SYMBOLCOMMON_NAMEaka. SYNONYMS
win.evilconwi (Back to overview)

EvilConwi

EvilConwi is a malicious variant of the legitimate ScreenConnect software by ConnectWise.
This software is a remote access software. Threat actors modify the configuration extensively so that any signs of an active remote connection are removed. EvilConwi often pretends to perform a Windows update by using fake Windows update images embedded in the config. The purpose is to keep the system running while the threat actor connect remotely.

Other EvilConwi signs are fake application icons. E.g., it may pretend to be an installer for Zoom and use its icons and application titles in the ConnectWise config.

References
2025-06-23GdataKarsten Hahn, Lance Go
ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware
EvilConwi

There is no Yara-Signature yet.