Acronis Cyberthreats Update, July 2025

Authors:

Alexander Ivanyuk, Senior Director, Technology

Irina Artioli, Cyber Protection Evangelist, TRU Researcher

The Acronis Cyberthreats Update covers current cyberthreat activity and trends, as observed by Acronis Threat Research Unit (TRU) and sensors. Figures presented here were gathered in June of this year and reflect threats that we detected as well as news stories from the public domain. This report represents a global outlook and is based on more than one million unique endpoints distributed around the world.

Incidents of the month

Hackers are exploiting a technique called Authenticode stuffing to turn legitimate, digitally signed ConnectWise ScreenConnect installers into malware without breaking their signatures. By modifying only the certificate table to insert malicious configurations, attackers retain the file’s trusted status while redirecting it to attacker-controlled servers. This tactic, discovered by G DATA, has been used in phishing campaigns delivering fake documents that install trojanized ScreenConnect clients. Once executed, the malware shows a fake Windows Update screen while secretly establishing remote access. G DATA named the variants Win32.Backdoor.EvilConwi and Win32.Riskware.SilentConwi and reported them to ConnectWise, which has not publicly responded. A similar method was also used to alter SonicWall's NetExtender VPN installer to steal credentials.

These attacks highlight a dangerous shift toward abusing trusted software for stealthy malware delivery, bypassing traditional antivirus defenses that rely on signature validation. Security teams are advised to inspect configuration data within signed binaries and limit the use of remote access tools to reduce exposure.
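
One way to start inspecting the certificate table of a signed installer, as an added example that is not code from Acronis, G DATA or ConnectWise: it walks the PE certificate table and reports how many bytes in each entry are not accounted for by the DER-encoded signature blob. The function names, the 7-byte padding threshold and the constructed sample are assumptions of this example. It only sees bytes appended after the signature blob, so data placed inside the signature structure itself (for example in unauthenticated attributes) still requires a full ASN.1 parse.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the certificate table
MAX_PAD = 7       # entries are 8-byte aligned, so up to 7 bytes of padding is normal

def der_total_length(blob):
    """Header plus content size of the outermost DER SEQUENCE, or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    if blob[1] < 0x80:
        return 2 + blob[1]
    n = blob[1] & 0x7F
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def cert_table_entries(pe):
    """Walk the WIN_CERTIFICATE entries of a PE image held in bytes."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 24                                   # start of the optional header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)          # start of the data directories
    off, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    found, pos, end = [], off, min(off + size, len(pe))
    while off and pos + 8 <= end:
        length = struct.unpack_from("<I", pe, pos)[0]   # dwLength of this entry
        if length < 8:
            break
        body = pe[pos + 8:pos + length]
        der = der_total_length(body)
        slack = None if der is None else len(body) - der
        flag = slack is None or not 0 <= slack <= MAX_PAD
        found.append({"offset": pos, "size": len(body), "slack": slack, "flag": flag})
        pos += (length + 7) & ~7
    return found

def build_sample(extra=b""):
    """Constructed input: header-only PE32 with a placeholder (not real) signature."""
    body = b"\x30\x82\x01\x00" + bytes(256) + extra
    body += bytes(-len(body) % 8)
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    struct.pack_into("<H", hdr, 0x98, 0x10B)
    struct.pack_into("<II", hdr, 0x98 + 96 + 8 * SECURITY_DIR, 0x200, len(body) + 8)
    return bytes(hdr) + struct.pack("<IHH", len(body) + 8, 0x0200, 0x0002) + body
```

Against a real installer, pass the file's bytes to `cert_table_entries` and review any entry with `flag` set, along with entries that are unusually large for a signature.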

June malware detections

In June, Acronis Cyber Protect blocked over 980 thousand malware threats on endpoints — a 19.8% increase from May.

The tables below show the percentage of Acronis clients that had at least one malware threat blocked at the endpoint, as well as the normalized percentage of clients with at least one malware detection. The higher the percentage, the higher the risk of a workload in that country being attacked by malware.

Acronis Cyber Protect Cloud protects against both known and never-before-seen threats through a multilayered protection approach. This includes behavior-based detection, AI- and ML-trained detections and anti-ransomware heuristics, which can detect and block encryption attempts and roll back any tampered files automatically without any user interaction.

Additional email security and URL filtering can help you protect against social engineering threats. And your Acronis #CyberFit Score helps you quickly identify systems that need attention, while the integrated patch management makes updating your software to the latest versions simple.

Acronis XDR for Acronis Cyber Protect Cloud brings the visibility needed to understand attacks while simplifying the context for administrators and enabling efficient remediation of any threats.