In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a Managed Service Provider (MSP) by mimicking the login page of ScreenConnect, a popular Remote Monitoring and Management (RMM) tool.
The attack, which occurred in January 2025, highlights the growing sophistication of phishing campaigns targeting MSPs to exploit downstream customers.
Sophos’ Managed Detection and Response (MDR) team identified this incident as part of a broader campaign linked to STAC4365, a threat cluster active since 2022.
Using advanced techniques such as adversary-in-the-middle (AITM) frameworks and multi-factor authentication (MFA) bypasses, the attackers gained administrative access to the MSP’s ScreenConnect environment, enabling them to deploy ransomware across multiple customer networks.
The attack began with a highly convincing phishing email sent to an MSP administrator.
The email mimicked an authentication alert from ScreenConnect, urging the recipient to review a security notification.
The embedded link redirected the victim to a malicious domain, cloud.screenconnect[.]com.ms, designed to replicate the legitimate ScreenConnect login page.
Once credentials were entered, the phishing site acted as a proxy, forwarding them to the legitimate ScreenConnect portal while intercepting both login details and time-based one-time passwords (TOTPs).
This allowed the attackers to bypass MFA protections and authenticate as the MSP’s super administrator.
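The lure above works because the lookalike host keeps the brand name while the registrable domain is not the vendor's. The following added example (not from Sophos or the original article) shows a defender-side check that refangs indicators, extracts the registrable domain against a small constructed public-suffix subset, and flags URLs whose host contains the brand but whose registered domain is not on an allowlist; the allowlist entry screenconnect.com is an assumption for this example.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the vendor's legitimate registrable domain.
LEGITIMATE_REGISTERED_DOMAINS = {"screenconnect.com"}
BRAND_TOKENS = ("screenconnect",)

# Constructed subset of public suffixes; production code should use the full
# Public Suffix List. "com.ms" matters here: the lure sat under that suffix.
PUBLIC_SUFFIXES = {"com", "ms", "com.ms", "net", "org", "example"}

URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"']+", re.I)


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp://, [.]) so the indicator parses as a URL."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.I)
    return s.replace("[.]", ".").replace("(.)", ".")


def hostname_of(indicator: str) -> str:
    s = refang(indicator)
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower().rstrip(".")


def registered_domain(host: str) -> str:
    """One label plus the longest matching public suffix (e.g. screenconnect.com.ms)."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def classify(indicator: str) -> str:
    """'legitimate' if the registrable domain is allowlisted, 'lookalike' if the
    host carries the brand name but the registrable domain is not allowlisted."""
    host = hostname_of(indicator)
    if registered_domain(host) in LEGITIMATE_REGISTERED_DOMAINS:
        return "legitimate"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def lookalike_urls(text: str) -> list:
    """Return every URL in a message body that classifies as a brand lookalike."""
    return [u for u in URL_RE.findall(text) if classify(u) == "lookalike"]


# Constructed sample of an alert-themed lure like the one described above.
SAMPLE_EMAIL = """ScreenConnect security notification
A new login to your account needs review: https://cloud.screenconnect[.]com.ms/review
Help center: https://www.screenconnect.com/support
"""
```

Running `lookalike_urls(SAMPLE_EMAIL)` returns only the com.ms link, while the www.screenconnect.com link passes as legitimate.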
With full administrative privileges, the attackers deployed their own malicious ScreenConnect instance across multiple customer environments.
This enabled them to conduct network reconnaissance, reset user credentials, and execute commands remotely.
They also utilized tools like PsExec, WinRM, and exploits targeting vulnerabilities such as CVE-2023-27532 in Veeam Cloud Backup services to escalate their access further.
After gaining control of the MSP’s environment, the attackers launched Qilin ransomware, a Ransomware-as-a-Service (RaaS) program previously known as “Agenda.”
Qilin is known for its double extortion tactics, where victims face both data encryption and public exposure threats via leak sites hosted on Tor or platforms like “WikiLeaksV2.”
Sophos researchers noted that each customer impacted by this attack received a unique ransomware binary with distinct passwords and ransom notes tailored for individual victims.
The ransomware was programmed to disable security features such as Volume Shadow Copy Service (VSS), delete Windows Event Logs, and prevent system recovery by targeting backups.
The Qilin group’s activities underscore the risks associated with supply chain attacks targeting MSPs.
By compromising a single provider, attackers gain access to multiple downstream organizations, amplifying their impact.
This incident also highlights how phishing campaigns have evolved to bypass traditional MFA protections using AITM techniques.
To mitigate such risks, organizations should:
Sophos has provided detailed indicators of compromise (IOCs) for STAC4365 and Qilin on its GitHub page to assist defenders in identifying similar threats in their environments.
As ransomware groups continue refining their methods, proactive defense measures remain essential for safeguarding critical infrastructure and sensitive data.