Attackers Use Windows Screensavers to Drop Malware, RMM Tools

Summary

ReliaQuest has flagged a spear‑phishing campaign where attackers abuse Windows screensaver files (.scr) to install remote monitoring and management (RMM) tools and gain persistent access. Because .scr files are portable executables (PE), they can run arbitrary code yet often escape executable‑level controls and user suspicion. In the observed attacks, recipients were lured with business‑themed emails to download an .scr hosted on consumer cloud storage; running the file installed a legitimate RMM (JWrapper) that gave attackers interactive remote control and the opportunity for follow‑on actions such as data theft, lateral movement and ransomware.

Context and relevance

This is a pragmatic, low‑cost technique for attackers: using legitimate services and tools reduces detection risk and makes campaigns easy to scale and adapt. It echoes earlier uses of .scr (for example GodRAT in 2025) and exposes gaps in application control policies, RMM monitoring and user awareness across organisations.

Key Points

  • .scr files are PE executables — they can run arbitrary code though many users treat them as harmless screensavers.
  • Attackers used business‑themed phishing lures linking to .scr files hosted on consumer cloud storage to increase the chance of bypassing controls.
  • The campaign installs a legitimate RMM (JWrapper), giving attackers persistent, interactive access to compromised machines.
  • Using trusted cloud hosting and legitimate tools lowers the technical barrier for attackers and complicates attribution.
  • ReliaQuest recommendations: treat .scr as executables in app control, maintain an approved RMM allow‑list and block non‑business file‑hosting services at DNS/web proxy layers.
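
The two defender-side checks implied by the points above (verify that a ".scr" really is a PE, and surface .scr launches from user-writable folders) as an added example; this is not code from ReliaQuest or the Dark Reading article. The log lines, the key="value" event format and the user-writable directory list are constructed assumptions for the demonstration; real telemetry (Sysmon Event ID 1, EDR process-creation events) would need its own parser.

```python
"""Added example: treat .scr files as executables, in two small checks.

1. is_pe(data)                  -> True when data has an 'MZ' DOS header whose
                                   e_lfanew field points at a 'PE\\0\\0' signature.
2. flag_scr_executions(lines)   -> every .scr process launch found in constructed
                                   process-creation log lines, marked suspicious when
                                   the image lives in a user-writable folder.
"""
import re
import struct

# Assumption: folders a phished user can write to. Extend for your environment.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\desktop\\")

# Constructed sample events in an assumed key="value" format (not real telemetry).
SAMPLE_EVENTS = [
    r'2025-01-10T09:11:40Z ProcessCreate Image="C:\Windows\System32\scrnsave.scr" '
    r'ParentImage="C:\Windows\System32\winlogon.exe" User="NT AUTHORITY\SYSTEM"',
    r'2025-01-10T09:12:03Z ProcessCreate Image="C:\Users\alice\Downloads\Q3 Invoice.scr" '
    r'ParentImage="C:\Windows\explorer.exe" User="CORP\alice"',
    r'2025-01-10T09:12:05Z ProcessCreate Image="C:\Program Files\Office\OUTLOOK.EXE" '
    r'ParentImage="C:\Windows\explorer.exe" User="CORP\alice"',
]


def is_pe(data: bytes) -> bool:
    """Return True if the bytes carry a PE header, whatever the file extension says."""
    # The DOS header is 64 bytes; e_lfanew (offset of the PE signature) sits at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_minimal_pe_header() -> bytes:
    """Constructed sample: a DOS stub whose e_lfanew points at a PE signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE signature immediately after the DOS header
    return bytes(dos) + b"PE\0\0" + bytes(20)  # 20 zero bytes stand in for the COFF header


_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Pull key="value" pairs out of one constructed log line."""
    return {k: v for k, v in _KV.findall(line)}


def flag_scr_executions(lines) -> list:
    """Return one record per .scr launch; 'suspicious' is set for user-writable paths."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "")
        low = image.lower()
        if not low.endswith(".scr"):
            continue
        hits.append({
            "image": image,
            "parent": ev.get("ParentImage", ""),
            "user": ev.get("User", ""),
            "suspicious": any(d in low for d in USER_WRITABLE_DIRS),
        })
    return hits


if __name__ == "__main__":
    print("constructed PE header recognised:", is_pe(build_minimal_pe_header()))
    for hit in flag_scr_executions(SAMPLE_EVENTS):
        print(("SUSPICIOUS " if hit["suspicious"] else "info       ") + hit["image"])
```

The header check is what an application-control or mail-gateway rule keyed on extension misses: a file is an executable because of its bytes, not its name. The log scan is a starting triage rule; in a real deployment you would also compare the parent process (a browser or mail client spawning a .scr is the phishing path described above) and cross-check any RMM agent it installs against your approved list.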

Why should I read this?

Short version: don’t shrug off .scr files — attackers are weaponising them to drop RMM agents and stay invisible. If you manage endpoints or run security ops, read this now so you can stop a single click from becoming a full breach. The fixes are straightforward (app control, RMM allow‑lists, blocking consumer cloud storage) and worth doing before your organisation gets hit.

Source

Source: https://www.darkreading.com/application-security/attackers-use-screensavers-drop-malware-rmm-tools