In a novel approach to spear phishing, threat actors are using Windows screensaver files (.scr) to get past defender lines and compromise organizations.
ReliaQuest Threat Research published research today detailing how attackers lured multiple users into running a Windows screensaver file, which installs a remote monitoring and management (RMM) tool, giving the attacker interactive remote control over the target’s operating system.
Exploiting unusual file types isn’t unheard of; APTs and the like have long exploited Windows shortcut files to execute malicious code, for example. The screensaver attack is a novel twist on this kind of thing. It’s a file type many people don’t think about in their day-to-day lives but, as ReliaQuest’s Andrew Adams points out in the research blog post, “they’re executables that don’t always receive executable-level controls.”
“The risk persists because of a gap between perception and reality. In Windows, .scr files are portable executable (PE) programs that can run arbitrary code. This means that .scr files, which many users may not realize are executable, can be exploited by attackers to execute malicious code,” Adams wrote. “Without proper restrictions in application control policies or user awareness, these files pose a significant security risk, potentially leading to unauthorized access, data breaches, or malware infections.”
How Threat Actors Exploit Screensaver Files
The initial access observed is a business-themed phishing lure, such as an email request to view an invoice or project summary. The target is linked to an .scr file hosted on a cloud storage platform outside the recipient’s organization. The user is expected to download and execute the file, which has a higher likelihood of bypassing security tools because of its unusual file type.
The file installs an otherwise legitimate RMM tool, JWrapper, and lets the attacker connect to it. From attacker-controlled infrastructure, the threat actor then uses the RMM tool for “persistent, interactive access that allows attackers to maintain a foothold within the environment and quietly prepare for further malicious actions.” Follow-on activity could include data theft, lateral movement, and ransomware deployment against the compromised organization.
“This campaign is a reminder that trusted services and legitimate tools can still be the delivery path. For attackers, it’s efficient, lowers the technical barrier, and reduces reliance on attacker-owned infrastructure, making infiltration, evasion, and long-term access easier,” Adams wrote. “It’s also highly reusable. Swap the cloud service, change the lure, rotate the remote-access tool, but the workflow stays the same, which makes this technique both scalable and adaptable.”
ReliaQuest said that although it’s not sure exactly who the threat actor is behind the campaign yet, the attack has been observed across multiple customers.
“Unfortunately, there is no attribution at this time,” a ReliaQuest spokesperson tells Dark Reading. “The threat actors are abusing consumer cloud storage, which does not allow us to see where the source of the activity is coming from. Due to the outbound IPs having no consistent [autonomous system number, or ASN] or infrastructure, there is currently no way to attribute this activity to a threat actor. This suggests that the threat actors are opportunistic compared to a cluster.”
Save Yourself from Malicious Screensavers
This activity is not a one-and-done. The blog post pointed out that in August 2025, attackers were spotted using Windows screensaver files to deploy the remote access Trojan (RAT) “GodRAT” against financial institutions. It happened before, it’s happening now, and it will almost certainly happen again.
To combat this, ReliaQuest recommends a three-pronged action plan for organizations. First and foremost, treat .scr files as the executables they are: application control solutions (like Windows Defender) can restrict execution to files from trusted, signed, and/or approved sources.
Second, maintain an approved RMM allowlist and alert on unapproved RMM agent installations.
Third, reduce risk from third-party file hosting sites by blocking “non-business file-hosting services at the DNS or web proxy layer.”
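As an added example (not ReliaQuest’s or Dark Reading’s code), the detection logic below applies the first two recommendations to constructed process-creation events: it flags .scr files executed outside the OS screensaver directories, child processes spawned by a screensaver, and RMM agents that are not on an approved allowlist. The JSON field names, the corporate agent name and its approved path are assumptions made for the example.

```python
import json
import ntpath

# Constructed sample events in a Sysmon/EDR-like JSON shape; field names and
# paths are assumptions for this example, not a vendor schema or real IoCs.
SAMPLE_EVENTS = [
    r'{"host":"WS01","image":"C:\\Users\\alice\\Downloads\\Invoice_Q3.scr","parent":"explorer.exe"}',
    r'{"host":"WS01","image":"C:\\Users\\alice\\AppData\\Local\\JWrapper\\jwrapper.exe","parent":"Invoice_Q3.scr"}',
    r'{"host":"WS02","image":"C:\\Windows\\System32\\Bubbles.scr","parent":"winlogon.exe"}',
    r'{"host":"WS03","image":"C:\\Program Files\\CorpRMM\\agent.exe","parent":"services.exe"}',
]

# Prong 1: .scr is a PE executable. Legitimate screensavers live in the OS
# directories; one running from Downloads is treated like any unknown .exe.
TRUSTED_SCR_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Prong 2: RMM allowlist. "jwrapper" is the tool named in the article; the
# corporate agent name and its approved path are constructed placeholders.
RMM_MARKERS = ("jwrapper", "corprmm")
APPROVED_RMM = {r"c:\program files\corprmm\agent.exe"}

def normalize(path: str) -> str:
    # Lower-case and normalize a Windows path so directory/set checks are stable.
    return ntpath.normcase(ntpath.normpath(path))

def classify(line: str) -> list[str]:
    # Return the alert names raised by one JSON process-creation event.
    event = json.loads(line)
    image = normalize(event["image"])
    parent = normalize(event.get("parent", ""))
    alerts = []
    if image.endswith(".scr") and ntpath.dirname(image) not in TRUSTED_SCR_DIRS:
        alerts.append("scr-outside-system-dirs")
    # A screensaver only renders graphics; a child process is the installer-then-RMM chain.
    if parent.endswith(".scr"):
        alerts.append("spawned-by-scr")
    if any(m in image for m in RMM_MARKERS) and image not in APPROVED_RMM:
        alerts.append("unapproved-rmm-agent")
    return alerts

def triage(lines: list[str]) -> list[dict]:
    # Run classify() over a batch and keep only the events that raised alerts.
    findings = []
    for line in lines:
        alerts = classify(line)
        if alerts:
            event = json.loads(line)
            findings.append({"host": event["host"], "image": event["image"], "alerts": alerts})
    return findings
```

Running `triage(SAMPLE_EVENTS)` reports only the two WS01 events; the System32 screensaver and the approved agent pass silently.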