HOMETHREATSEvilConwi
APT / THREAT GROUP

EvilConwi

2
aliases
Last seen:Mar 17, 2026

Intelligence Profile

EvilConwi is a malicious variant of the legitimate ScreenConnect software by ConnectWise.

This software is a remote access software. Threat actors modify the configuration extensively so that any signs of an active remote connection are removed. EvilConwi often pretends to perform a Windows update by using fake Windows update images embedded in the config. The purpose is to keep the system running while the threat actor connect remotely.

Other EvilConwi signs are fake application icons. E.g., it may pretend to be an installer for Zoom and use its icons and application titles in the ConnectWise config.

Threat Analysis

EvilConwi is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

External References

Quick Facts

TypeAPT / Threat Group
Aliases2

Also Known As

EvilConwiwin.evilconwi

External Intelligence

Malpedia: win.evilconwi

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.