Hackers abuse UltraVNC, Splashtop, and ScreenConnect to hijack business PCs
Cybercriminals are abusing a whole swathe of legitimate programs, including Tiflux, UltraVNC, Splashtop, and ScreenConnect, to take control of business computers, establish persistence, and continuously exfiltrate sensitive data. The campaign was reported by security researchers at Huntress, who detailed it in an in-depth research paper.
The attack starts with a carefully crafted phishing email, usually themed around an “updated Service Agreement from Network Solutions”. The email claims that Network Solutions has modified its pricing statements and services and instructs the target to visit a page where they can review and accept the new terms.
Victims who click the provided link are first asked to complete a CAPTCHA, likely to filter out bots and automated analysis. After that, they are asked to download a “secured document”, which is just an installer for Tiflux, a legitimate commercial (albeit fringe) Remote Monitoring and Management (RMM) tool.

Together with Tiflux, victims are also served other tools, including 7zip, an outdated version of the UltraVNC remote access tool, and a vulnerable driver called HwRwDrv.x64. The latter seems to be the key here, since it allows for potential privilege escalation.
The attackers then use Tiflux to install either Splashtop or ScreenConnect (or, in some cases, both), before proceeding with the main goal – transmitting live screenshots, running platform utilities, establishing persistence, and exfiltrating data.
Huntress saw the attacks in the wild in late February this year. The report doesn’t mention any specific threat actor groups or names, but it does state that Tiflux is a Brazilian tool, and that the threat actor’s infrastructure leverages a server domain ending in a Brazilian country-code top-level domain.
In other words, it all points to this being a Brazilian attacker, going after Brazilian targets.
Businesses can defend against RMM abuse by establishing a comprehensive asset inventory of all installed applications, implementing strict application controls, regularly auditing authorized RMMs and cross-referencing them against databases like LOLRMM to find tools frequently abused by threat actors, and reviewing logs for RMM activity.
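The following Python example is an added illustration of the inventory audit described above; it is not code from Huntress or from this article. It assumes a per-host software inventory exported as CSV; the host names, inventory rows, and approved list are constructed, and the watchlist covers only the tools named in this article (a real audit would extend it from a catalogue such as LOLRMM).

```python
import csv
import io
from collections import defaultdict

# Watchlist limited to the RMM tools this article names (assumption: a
# case-insensitive substring match on the installed item name is sufficient).
RMM_WATCHLIST = ("tiflux", "ultravnc", "splashtop", "screenconnect")
VULN_DRIVER = "hwrwdrv"  # vulnerable driver named in the article

# Constructed sample inventory (host, installed item); not real data.
SAMPLE_INVENTORY = """host,item
ws-014,Splashtop Streamer
ws-014,7-Zip
ws-022,Tiflux Agent
ws-022,UltraVNC Server
ws-022,ScreenConnect Client
ws-022,HwRwDrv.x64
srv-003,Microsoft Edge
"""

def audit(inventory_csv, approved):
    """Return {host: [findings]} for hosts that need review."""
    approved = {name.lower() for name in approved}
    seen = defaultdict(set)   # host -> watchlisted RMM tools found on it
    driver_hosts = set()      # hosts where the vulnerable driver appears
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        item = row["item"].lower()
        for tool in RMM_WATCHLIST:
            if tool in item:
                seen[row["host"]].add(tool)
        if VULN_DRIVER in item:
            driver_hosts.add(row["host"])
    report = {}
    for host in sorted(set(seen) | driver_hosts):
        findings = [f"unapproved RMM: {t}" for t in sorted(seen[host] - approved)]
        # Several remote-access tools on one host matches the chained
        # installs described above (one RMM used to deploy the next).
        if len(seen[host]) > 1:
            findings.append("multiple RMM tools: " + ", ".join(sorted(seen[host])))
        if host in driver_hosts:
            findings.append("vulnerable driver present: HwRwDrv")
        if findings:
            report[host] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY, approved={"splashtop"}).items():
        print(host, findings)
```

A host running only an approved tool (ws-014 here) produces no finding, which keeps the report focused on unapproved or stacked remote-access software.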
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.