{“lastseen”:”2026-02-02T12:05:08″,”description”:”_\u201cYou\u2019re invited!\u201d_ __ \\n\\nIt sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick victims into installing a full remote access tool on their Windows computers\u2014giving attackers complete control of the system. \\n\\nWhat appears to be a casual party or event invitation leads to the silent installation of **ScreenConnect** , a legitimate remote support tool quietly installed in the background and abused by attackers. \\n\\nHere\u2019s how the scam works, why it\u2019s effective, and how to protect yourself. \\n\\n## The email: A party invitation \\n\\nVictims receive an email framed as a personal invitation\u2014often written to look like it came from a friend or acquaintance. The message is deliberately informal and social, lowering suspicion and encouraging quick action. \\n\\nIn the screenshot below, the email arrived from a friend whose email account had been hacked, but it could just as easily come from a sender you don’t know.\\n\\nSo far, we\u2019ve only seen this campaign targeting people in the UK, but there\u2019s nothing stopping it from expanding elsewhere. \\n\\nClicking the link in the email leads to a polished invitation page hosted on an attacker-controlled domain. \\n\\n\\n\\n## The invite: The landing page that leads to an installer \\n\\nThe landing page leans heavily into the party theme, but instead of showing event details, the page nudges the user toward opening a file. None of them look dangerous on their own, but together they keep the user focused on the \u201cinvitation\u201d file: \\n\\n * A bold \u201cYou\u2019re Invited!\u201d headline \\n * The suggestion that a friend had sent the invitation \\n * A message saying the invitation is best viewed on a Windows laptop or desktop\\n * A countdown suggesting your invitation is already \u201cdownloading\u201d \\n * A message implying urgency and social proof (_\u201cI opened mine and it was so easy!\u201d_) \\n\\n\\n\\nWithin seconds, the browser is redirected to download `RSVPPartyInvitationCard.msi `\\n\\nThe page even triggers the download automatically to keep the victim moving forward without stopping to think. \\n\\nThis MSI file isn\u2019t an invitation. It\u2019s an installer. \\n\\n\\n\\n## The guest: What the MSI actually does \\n\\nWhen the user opens the MSI file, it launches msiexec.exe and silently installs **ScreenConnect Client**, a legitimate remote access tool often used by IT support teams. \\n\\nThere\u2019s no invitation, RSVP form, or calendar entry. \\n\\nWhat happens instead: \\n\\n * ScreenConnect binaries are installed under `C:\\\\Program Files (x86)\\\\ScreenConnect Client\\\\ `\\n * A persistent Windows service is created (for example, ScreenConnect Client 18d1648b87bb3023) \\n * ScreenConnect installs multiple .NET-based components \\n * There is no clear user-facing indication that a remote access tool is being installed \\n\\n\\n\\nFrom the victim\u2019s perspective, very little seems to happen. But at this point, the attacker can now remotely access their computer. \\n\\n## The after-party: Remote access is established \\n\\nOnce installed, the ScreenConnect client initiates encrypted outbound connections to ScreenConnect\u2019s relay servers, including a uniquely assigned instance domain.\\n\\nThat connection gives the attacker the same level of access as a remote IT technician, including the ability to: \\n\\n * See the victim\u2019s screen in real time\\n * Control the mouse and keyboard \\n * Upload or download files \\n * Keep access even after the computer is restarted \\n\\n\\n\\nBecause ScreenConnect is legitimate software commonly used for remote support, its presence isn\u2019t always obvious. On a personal computer, the first signs are often behavioral, such as unexplained cursor movement, windows opening on their own, or a ScreenConnect process the user doesn\u2019t remember installing. \\n\\n## Why this scam works \\n\\nThis campaign is effective because it targets normal, predictable human behavior. From a behavioral security standpoint, it exploits our natural curiosity and appears to be a low risk. \\n\\nMost people don\u2019t think of invitations as dangerous. Opening one feels passive, like glancing at a flyer or checking a message, not installing software. \\n\\nEven security-aware users are trained to watch out for warnings and pressure. A friendly \u201cyou\u2019re invited\u201d message doesn\u2019t trigger those alarms. \\n\\nBy the time something feels off, the software is already installed. \\n\\n## Signs your computer may be affected \\n\\nWatch for: \\n\\n * A download or executed file named `RSVPPartyInvitationCard.msi `\\n * An unexpected installation of **ScreenConnect Client** \\n * A Windows service named ScreenConnect Client with random characters \\n * Your computer makes outbound HTTPS connections to ScreenConnect relay domains \\n * Your system resolves the invitation-hosting domain used in this campaign, xnyr[.]digital \\n\\n\\n\\n## How to stay safe \\n\\nThis campaign is a reminder that modern attacks often don\u2019t break in\u2014they\u2019re invited in. Remote access tools give attackers deep control over a system. Acting quickly can limit the damage.** ****** \\n\\n**For individuals****** \\n\\nIf you receive an email like this: \\n\\n * Be suspicious of invitations that ask you to download or open software \\n * Never run MSI files from unsolicited emails \\n * Verify invitations through another channel before opening anything \\n\\n\\n\\nIf you already clicked or ran the file: \\n\\n * Disconnect from the internet immediately \\n * Check for ScreenConnect and uninstall it if present \\n * Run a full security scan \\n * Change important passwords from a clean, unaffected device \\n\\n\\n\\n**For organisations (especially in the UK)****** \\n\\n * Alert on unauthorized ScreenConnect installations\\n * Restrict MSI execution where feasible \\n * Treat \u201cremote support tools\u201d as high-risk software\\n * Educate users: invitations don\u2019t come as installers \\n\\n\\n\\nThis scam works by installing a legitimate remote access tool without clear user intent. That\u2019s exactly the gap Malwarebytes is designed to catch.\\n\\n**Malwarebytes now detects newly installed remote access tools** and alerts you when one appears on your system. You\u2019re then given a choice: confirm that the tool is expected and trusted, or remove it if it isn\u2019t.\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2026-02-02T10:18:01″,”modified”:”2026-02-02T10:18:01″,”type”:”malwarebytes”,”title”:”How fake party invitations are being used to install remote access tools”,”source”:””,”references”:””,”id”:”MALWAREBYTES:885E2CE20812B8538F9D8885D6E6536E”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/02\/how-fake-party-invitations-are-being-used-to-install-remote-access-tools”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-02T12:05:08″,”description”:”_\u201cYou\u2019re invited!\u201d_ __ \\n\\nIt sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-38501","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n