ScreenConnect Super Admins Hit by Credential Harvesting Campaign by Husain Parvez


Husain Parvez

Published on: August 27, 2025
A credential harvesting campaign has been targeting ScreenConnect cloud administrators with super admin privileges, raising concerns about ransomware operations. Mimecast researchers said the attacks, tracked as MCTO3030, have been active since 2022 and rely on spear-phishing emails sent from compromised Amazon Simple Email Service accounts.

The messages impersonate ScreenConnect security alerts and direct IT professionals to phishing pages hosted on country-code (ccTLD) domains. These fake portals use the EvilGinx framework, an adversary-in-the-middle proxy that relays the real login page, to intercept both usernames and multi-factor authentication codes.

Mimecast researchers told Cybersecurity Dive that “ScreenConnect is a great way for the ransomware group to not only obtain credentials from someone with the correct level of access but understand the organizational assets and then push through malicious content when they are ready.”

The super admin credentials targeted in this campaign give attackers control over remote access systems across entire organizations. Once obtained, they can be used to deploy malicious ScreenConnect clients on multiple endpoints, enabling rapid lateral movement. Sophos has previously linked similar operations to Qilin ransomware affiliates.

“They crafted a phishing email that appeared to be a legitimate ScreenConnect alert, but it was malicious,” said Anthony Bradshaw, MDR incident response manager at Sophos. He added that Qilin actors “exfiltrated and encrypted multiple systems,” leaving ransom notes for victims.

Mimecast said the campaign’s low-volume runs, often fewer than 1,000 emails at a time, have helped it evade detection for years. The company has developed detection rules for Amazon SES abuse, ScreenConnect impersonation domains, and EvilGinx phishing kits. It recommends implementing phishing-resistant MFA such as FIDO2 keys, restricting admin access to managed devices, and reviewing ScreenConnect audit logs for unusual activity.
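The three signals the article combines (ScreenConnect branding, delivery through Amazon SES, and links that lead somewhere other than the vendor's own domains, often on a ccTLD) can be turned into a simple mail-triage heuristic. The following script is an added example for this page; it is not Mimecast's detection rule set nor anything from ConnectWise. It assumes that genuine ScreenConnect notifications link only to `screenconnect.com` or `connectwise.com`, and that SES delivery is visible as `amazonses.com` in the `Received` or `Return-Path` headers. Both sample messages are constructed.

```python
"""Heuristic triage of inbound mail for ScreenConnect-impersonation phishing.

Added example, not vendor code. Scores a message on: ScreenConnect branding
in subject/body, relay through Amazon SES, and links to hosts outside the
vendor domains (extra weight when the host sits on a two-letter ccTLD).
"""
import re
from email import message_from_string
from email.message import Message

# Assumption: a genuine ScreenConnect alert links only to vendor-owned domains.
VENDOR_DOMAINS = {"screenconnect.com", "connectwise.com"}

URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)


def _text_body(msg: Message) -> str:
    """Concatenate all text/plain parts (handles both flat and multipart mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def link_hosts(text: str) -> set[str]:
    """Extract lower-cased hostnames from every http(s) URL in the text."""
    hosts = set()
    for m in URL_RE.finditer(text):
        host = m.group(1).lower().split("@")[-1].split(":")[0]  # strip userinfo/port
        hosts.add(host)
    return hosts


def is_vendor_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def is_cctld(host: str) -> bool:
    tld = host.rsplit(".", 1)[-1]
    return len(tld) == 2 and tld.isalpha()


def relayed_via_ses(msg: Message) -> bool:
    """True if any Received hop or the Return-Path names amazonses.com."""
    hops = " ".join(msg.get_all("Received", []) + [msg.get("Return-Path", "")])
    return "amazonses.com" in hops.lower()


def score_message(raw: str) -> dict:
    msg = message_from_string(raw)
    body = _text_body(msg)
    brand = "screenconnect" in (msg.get("Subject", "") + body).lower()
    ses = relayed_via_ses(msg)
    suspicious = sorted(h for h in link_hosts(body) if not is_vendor_host(h))
    score = int(brand) + int(ses)
    if brand and suspicious:            # brand impersonation pointing off-vendor
        score += 2
        if any(is_cctld(h) for h in suspicious):
            score += 1
    return {
        "brand": brand,
        "ses": ses,
        "suspicious_hosts": suspicious,
        "score": score,
        "verdict": "review" if score >= 3 else "ok",
    }


# Constructed sample: impersonated alert relayed via SES, link on a ccTLD host.
PHISH_SAMPLE = """\
Received: from a1-2.smtp-out.amazonses.com (a1-2.smtp-out.amazonses.com [203.0.113.10]) by mx.corp.example; Tue, 26 Aug 2025 09:14:02 +0000
From: "ScreenConnect Security" <alerts@notify.example.net>
To: it-admin@corp.example
Subject: ScreenConnect security alert: new super admin sign-in
Content-Type: text/plain; charset=utf-8

A sign-in to your ScreenConnect cloud instance was detected from a new device.
If this was not you, review the session now:
https://screenconnect-cloud-alerts.sc-alerts-example.cz/verify?u=it-admin
"""

# Constructed sample: vendor notification linking to the vendor's own site.
LEGIT_SAMPLE = """\
Received: from mail.connectwise.com (mail.connectwise.com [203.0.113.20]) by mx.corp.example; Tue, 26 Aug 2025 09:20:00 +0000
From: "ConnectWise" <noreply@connectwise.com>
To: it-admin@corp.example
Subject: Your ScreenConnect maintenance window
Content-Type: text/plain; charset=utf-8

Scheduled maintenance details: https://www.screenconnect.com/
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, score_message(sample))
```

The scoring is deliberately conservative: branding alone or SES alone is common in legitimate mail, so neither trips the threshold; the combination of ScreenConnect branding with a link that leaves the vendor's domains is what pushes a message into review, and a ccTLD destination adds weight because that is where this campaign's kits were hosted.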

With ransomware groups continuing to focus on privileged accounts, researchers warn that even trusted infrastructure like Amazon’s email services can be weaponized in persistent campaigns against enterprise administrators.
