MALWARE FAMILY

EvilConwi

Internal ID: win.evilconwi
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

EvilConwi is a malicious variant of the legitimate ScreenConnect software by ConnectWise.

This software is remote access software. Threat actors modify the configuration extensively so that any signs of an active remote connection are removed. EvilConwi often pretends to perform a Windows update by using fake Windows update images embedded in the config. The purpose is to keep the system running while the threat actor connects remotely.

Other signs of EvilConwi are fake application icons. For example, it may pretend to be an installer for Zoom and use Zoom's icons and application titles in the ConnectWise config.

Threat Analysis

EvilConwi is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Quick Facts

Type: Malware Family
Aliases: 1

Also Known As

win.evilconwi

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.