Attackers exploit Windows screensaver files to install remote access tools

A new spearphishing campaign is exploiting a little-used entry point into corporate networks: Windows screensaver files – a format many users and even security controls don’t typically treat as high risk.
Security researchers at ReliaQuest say the activity has been “identified against multiple customers” and relies on a simple but effective delivery chain.
In a blog published this week, researchers report that employees typically receive business-themed phishing emails directing them to an external download hosted on consumer cloud services.
The file appears to be a routine document — for instance, “invoice details” or “Project summary” — but it is actually a Windows screensaver file (.scr).
Despite the familiar name, .scr files are executable programs, functionally similar to .exe files. When opened, they can run arbitrary code. Many companies do not block them, and many users don’t recognize them as potentially malicious.
In the recorded attacks, launching the screensaver triggers the silent installation of a legitimate remote monitoring and management (RMM) tool, including software such as SimpleHelp.
Installation artifacts appear in directories like “C:\ProgramData\JWrapper-Remote Access\,” and the system initiates outbound connections to infrastructure not associated with sanctioned IT support.
Because the software is legitimate and commonly used by administrators, its behavior can blend into normal operations, allowing attackers to gain remote access while avoiding traditional malware alerts.
Screensavers used to quietly install remote access tools
The delivery chain is designed to reduce scrutiny. Files are hosted on trusted services such as GoFile, limiting reliance on attacker-controlled infrastructure and making takedown or blocking more difficult.
The use of a screensaver – an overlooked executable type – also helps bypass controls tuned primarily to .exe or .msi files.
Once installed, the RMM agent provides persistent access that can survive reboots and user logouts. Researchers observed network activity suggesting potential command-and-control communications.
From there, attackers could escalate privileges, harvest credentials, move laterally across the network, steal sensitive data, or deploy ransomware.
Previous incidents show how this tactic can scale
According to researchers, this campaign fits a broader pattern of attackers using trusted delivery methods instead of obvious malware.
In June 2025, CISA reported that threat group DragonForce exploited weaknesses in remote deployments to access downstream organisations, exfiltrate data, and encrypt systems – highlighting the business impact when remote-access tools fall outside the usual scope.
According to researchers, what makes the current campaign stand out is the emphasis on screensaver files as the initial execution method.
“It stands out because, unlike typical attacks, this marks the first time we’ve identified a campaign using business-themed lures to persuade users to download a .scr file—an often-overlooked executable—that then deploys an RMM tool for durable access and follow-on actions with unusual effectiveness.”
– ReliaQuest
Researchers add that the technique is repeatable and adaptable: attackers can change the cloud hosting service, rotate the RMM software, or modify the phishing lure while keeping the same core workflow.
The advice is to treat screensavers as executable content: remote access tools need to be tightly governed, and unusual installations or outbound connections should be investigated quickly.
A single click on what appears to be a harmless file can quietly establish long-term access – and create a pathway to data theft or ransomware.
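As an added illustration (not code from the ReliaQuest report or from Cybernews), the Python snippet below turns the artifacts described above into hunting rules over endpoint telemetry: a .scr launched from a user-writable path, a process spawned by that .scr, an agent running from the “JWrapper-Remote Access” directory, and outbound connections from that agent to hosts outside an assumed sanctioned-RMM allowlist. The sample events, the allowlist and the file names under the artifact directory are constructed placeholders.

```python
"""Hunt for the screensaver-to-RMM delivery chain in endpoint telemetry."""
from pathlib import PureWindowsPath
from typing import Optional

# Assumption: the organisation's approved RMM relay hosts (placeholder values).
SANCTIONED_RMM_HOSTS = {"rmm.example-corp.internal"}
# Installation artifact directory named in the report.
RMM_ARTIFACT_DIR = PureWindowsPath(r"C:\ProgramData\JWrapper-Remote Access")
# User-writable locations a downloaded .scr would typically be opened from.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\", "\\temp\\")

def _under(path: str, parent: PureWindowsPath) -> bool:
    """True if path lies inside parent (PureWindowsPath compares case-insensitively)."""
    p = PureWindowsPath(path)
    return p == parent or parent in p.parents

def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matches."""
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    if event["type"] == "process":
        # 1. A .scr run from a user-writable path: an executable posing as a document.
        if image.endswith(".scr") and any(m in image for m in USER_WRITABLE_MARKERS):
            return "scr_from_user_path"
        # 2. Anything the screensaver launched (e.g. a silent RMM installer).
        if parent.endswith(".scr") and any(m in parent for m in USER_WRITABLE_MARKERS):
            return "spawned_by_scr"
        # 3. An agent executing from the artifact directory the report identifies.
        if _under(image, RMM_ARTIFACT_DIR):
            return "rmm_agent_from_artifact_dir"
    elif event["type"] == "network":
        # 4. That agent talking to infrastructure outside sanctioned IT support.
        if _under(image, RMM_ARTIFACT_DIR) and event["dest_host"] not in SANCTIONED_RMM_HOSTS:
            return "rmm_unsanctioned_outbound"
    return None

def hunt(events: list) -> list:
    """Run classify() over an event stream; return (label, image) pairs to triage."""
    return [(label, e["image"]) for e in events if (label := classify(e))]

# Constructed sample telemetry, in the shape a SIEM export might take.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\alice\Downloads\invoice details.scr", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "parent": r"C:\Users\alice\Downloads\invoice details.scr"},
    {"type": "process", "image": r"C:\ProgramData\JWrapper-Remote Access\agent\remote.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"type": "network", "image": r"C:\ProgramData\JWrapper-Remote Access\agent\remote.exe", "dest_host": "relay.attacker.invalid", "dest_port": 443},
    {"type": "process", "image": r"C:\Windows\System32\ssText3d.scr", "parent": r"C:\Windows\explorer.exe"},  # a built-in screensaver: not flagged
    {"type": "network", "image": r"C:\Program Files\Approved RMM\agent.exe", "dest_host": "rmm.example-corp.internal", "dest_port": 443},  # sanctioned: not flagged
]

if __name__ == "__main__":
    for label, image in hunt(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```

Only the built-in screensaver and the sanctioned agent pass silently; the four stages of the described chain each produce a finding.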
ReliaQuest predicted that it would continue to see “living-off-the-land” use of legitimate remote-access tools.
“If RMM agents can be installed without strong governance, monitoring, and rapid containment, attackers will continue to treat them as a reliable path to persistence—and a launchpad for ransomware and data theft.”