Attackers use Windows screensaver files to install remote access tools
Farah Amod
February 24, 2026
Security researchers report a phishing campaign that abuses overlooked Windows file types to gain persistent access to corporate systems.
What happened
According to Cybernews, researchers have identified a spearphishing campaign targeting multiple organizations where attackers used Windows screensaver files to deliver remote access software. Employees received business-themed emails directing them to download files hosted on common consumer cloud platforms. Although the files appeared to be routine documents, they were actually screensaver files with a .scr extension, which execute code when opened. Once launched, the file silently installed a legitimate remote monitoring and management tool, allowing attackers to establish access without triggering common malware alerts.
Going deeper
Screensaver files are executable programs that behave similarly to traditional application files, but many security controls do not treat them as high risk. In the observed activity, attackers relied on familiar document names to reduce suspicion and used trusted hosting services to limit detection and takedown efforts. After execution, the remote access software created installation artifacts in system directories and initiated outbound connections that were not associated with approved IT operations. Because the tools involved are commonly used by administrators, their presence can blend into normal activity, giving attackers persistent access that can survive reboots and user logouts. Researchers said this access could later support credential harvesting, lateral movement, data theft, or ransomware deployment.
What was said
According to researchers cited by Cybernews, the campaign stood out because it relied on Windows screensaver files as the initial execution method, rather than more common attachment types. The researchers said the use of .scr files allowed attackers to disguise executable content as something benign while still triggering code execution when opened.
“It stands out because, unlike typical attacks, this marks the first time we’ve identified a campaign using business-themed lures to persuade users to download a .scr file—an often-overlooked executable—that then deploys an RMM tool for durable access and follow-on actions with unusual effectiveness.”
The researchers said the approach was flexible and repeatable, allowing attackers to rotate cloud hosting providers, swap remote management tools, or change phishing lures without altering the underlying workflow. They advised organizations to treat screensaver files as executable content and to investigate unexpected remote tool installations or unusual outbound connections as potential indicators of compromise.
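One way to act on that advice in an inbound-download or attachment check, as an added example that is not from the report, the researchers, or Paubox: flag files by extension, by the document-style double extension the campaign relied on, and by the file's actual bytes, since every Windows executable, .scr included, starts with an MZ/PE header. The extension sets and sample files are constructed for illustration.

```python
"""Treat .scr (and other PE-bearing extensions) as executable content.

Added example. Checks a downloaded file three ways: outer extension,
document-looking double extension ("Invoice.pdf.scr"), and the real
content, because a renamed executable still carries an MZ/PE signature.
"""
import struct

# Extensions Windows runs as native code, whatever icon or name they show.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll", ".cpl"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def classify_download(filename: str, data: bytes) -> list[str]:
    """Return the reasons a file should be handled as executable (empty = none)."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)          # name[, inner ext][, outer ext]
    outer = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    if outer in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension {outer} executes as native code")
    if inner in DOCUMENT_EXTENSIONS and outer in EXECUTABLE_EXTENSIONS:
        reasons.append(f"document-style double extension {inner}{outer}")
    if is_pe_image(data):
        reasons.append("content is a PE image (MZ/PE signature)")
        if outer in DOCUMENT_EXTENSIONS:
            reasons.append("PE content hidden behind a document extension")
    return reasons

def fake_pe() -> bytes:
    """Constructed minimal PE stub: MZ header, e_lfanew -> 'PE\\0\\0' at 0x80."""
    header = bytearray(0x84)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    header[0x80:0x84] = b"PE\x00\x00"
    return bytes(header)

if __name__ == "__main__":
    samples = {                                       # constructed, not real samples
        "Q1_Invoice.pdf.scr": fake_pe(),              # the pattern described above
        "Statement.pdf": b"%PDF-1.7\n",               # benign document
        "Agenda.pdf": fake_pe(),                      # executable renamed to .pdf
    }
    for name, blob in samples.items():
        verdict = classify_download(name, blob)
        print(f"{name:20} -> {'ALLOW' if not verdict else 'BLOCK: ' + '; '.join(verdict)}")
```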
In the know
According to CISA, recent intrusions show attackers relying on legitimate remote access tools instead of custom malware. In a June 2025 advisory, the agency described how the DragonForce group exploited weaknesses in remote deployments at a service provider, then used that access to reach downstream organizations. Once inside, attackers were able to move between connected environments, exfiltrate data, and deploy ransomware.
CISA noted that the activity did not rely on exploiting a single vulnerability. Instead, attackers took advantage of exposed management interfaces, weak authentication, and gaps in monitoring around remote access tools. Because the tools were already authorized and commonly used, the malicious activity blended in with normal operations, delaying detection and allowing the impact to spread beyond the initial point of compromise.
The big picture
As of 2024, a Paubox report found that more than 70% of healthcare data breaches originated from phishing attacks. Many of these incidents did not involve traditional malware, instead relying on email messages that appeared routine or business-related. Campaigns that misuse legitimate tools or less-scrutinized file types often succeed because they move through normal inbox workflows and raise no obvious technical red flags at delivery. Paubox Inbound AI is built to catch these messages at the point of delivery by analyzing sender behavior, message patterns, and intent, even when emails contain no known malware or suspicious links.
FAQs
Why are screensaver files risky?
Screensaver files are executable programs, and when opened, they can run code just like applications, even though many users do not recognize them as such.
Why do attackers prefer legitimate remote access tools?
These tools are widely used by IT teams, so their behavior can appear normal and is less likely to trigger security alerts compared to custom malware.
How do attackers deliver these files?
They commonly use phishing emails with business-related themes and host the files on trusted cloud services to reduce suspicion.
What signs might indicate misuse of a remote access tool?
Unexpected installations, unfamiliar directories, and outbound connections to unknown infrastructure can indicate unauthorized access.
How can organizations reduce exposure?
They can block or restrict executable file types like .scr, enforce strict approval for remote access tools, monitor installations and network traffic, and train staff to verify unexpected downloads.