Threat actors have recently been exploiting the legitimate ConnectWise application to create and distribute malware, significantly increasing infections since March 2025. This manipulation stems from poor signing practices that allow malicious users to embed harmful code within signed applications, thus bypassing many security measures. Reports show a notable rise in the use of ConnectWise samples in phishing schemes, with numerous cases documented on platforms like BleepingComputer and Reddit. Affected users often report unexpected remote connections and suspicious application behavior masquerading as legitimate software. A recent report from G Data, a German-based security firm, states that this wave of software abuse started in March and uses phishing emails to trick victims into installing malicious versions of ConnectWise that the vendor has legitimately signed. According to cybersecurity firm Cofense, the ConnectWise ScreenConnect remote access tool was the most commonly abused legitimate tool in 2024, accounting for 56 percent of all active threat reports involving remote access tools. Researchers have identified a tactic called Authenticode stuffing, which allows attackers to modify software without invalidating its signature, creating a false appearance of legitimacy. This alarming trend has seen a surge in malicious campaigns linked to ConnectWise, matching the total number of such reports from all of 2024 within just the first five months of this year.
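One cheap defensive triage check that follows from the Authenticode stuffing point above, added here as an example (it is not code from G Data, Cofense or ConnectWise): a signed PE's certificate table should be only as large as the PKCS#7 SignedData it carries, so a table that is noticeably larger than the DER structure inside it is worth a closer look. The script assumes stuffed data shows up as trailing bytes in the certificate table, and it builds its own minimal PE32+ sample with a toy DER blob rather than reading a real signed binary.

```python
import struct

def der_length(buf: bytes, off: int) -> int:
    """Total size (tag + length + content) of the DER element starting at buf[off]."""
    if buf[off] != 0x30:
        raise ValueError("expected a DER SEQUENCE (PKCS#7 SignedData)")
    first = buf[off + 1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")

def security_directory(pe: bytes):
    """Return (file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY (data directory index 4)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20               # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data-directory start
    return struct.unpack_from("<II", pe, dirs + 4 * 8)

def check_cert_table(pe: bytes) -> dict:
    """Compare the WIN_CERTIFICATE length with the DER length of the PKCS#7 inside it."""
    off, size = security_directory(pe)
    if size == 0:
        return {"signed": False, "trailing_bytes": 0, "suspicious": False}
    dw_length, _rev, _ctype = struct.unpack_from("<IHH", pe, off)
    pkcs7_len = der_length(pe, off + 8)   # bCertificate starts after the 8-byte header
    trailing = dw_length - 8 - pkcs7_len
    # Up to 7 bytes of zero padding is normal (the entry is 8-byte aligned); more is a red flag.
    return {"signed": True, "trailing_bytes": trailing, "suspicious": trailing > 7}

def build_sample(extra: bytes) -> bytes:
    """Constructed minimal PE32+ carrying a stand-in certificate table (not a real signed binary)."""
    pkcs7 = bytes([0x30, 0x03, 0x02, 0x01, 0x01])   # toy DER SEQUENCE standing in for PKCS#7
    blob = pkcs7 + extra
    win_cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    headers_len = 64 + 4 + 20 + 240       # DOS header, "PE\0\0", COFF header, PE32+ optional header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 112 + 4 * 8, headers_len, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert

if __name__ == "__main__":
    print(check_cert_table(build_sample(b"")))                 # clean: no trailing bytes
    print(check_cert_table(build_sample(b"config=evil;" * 10)))  # stuffed: flagged as suspicious
```

This only catches data appended after the PKCS#7 structure; payloads hidden inside the structure itself (for example in unauthenticated signer attributes, which the signature does not cover) need a full PKCS#7 parse to spot.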
You might have heard about a recent report claiming a data breach involving over 16 billion credentials. It has been met with skepticism from cybersecurity experts, who argue that there is little evidence to support such an extraordinary claim. The report, circulated by various media outlets, has been described as a mix of old data from multiple sources rather than a single, unprecedented breach. According to Rob Lee, chief of research and head of faculty at the SANS Institute, the data consists of cumulative records collected over time, and there are no verified files for researchers to examine. Chester Wisniewski, director and global field Chief Information Security Officer at Sophos, emphasized that similar claims have appeared in the past, often recycling previously stolen credentials. Cybersecurity experts warn that sensationalized reports can lead to complacency in addressing real security threats, as attention shifts away from verified incidents toward exaggerated narratives.
Per reporting in TechDirt, the Salt Typhoon hack continues to escalate, with major U.S. telecommunications companies reportedly instructing their incident response staff not to seek evidence of the intrusion. This directive comes as insiders reveal that the scale of the breach is far worse than initially reported, affecting companies like Comcast and Digital Realty, alongside AT&T and Verizon. Last year, eight major telecoms were infiltrated by Chinese hackers, who managed to spy on U.S. officials for over a year. As the situation unfolds, it remains unclear whether government agencies have a consistent understanding of the attack’s impact, with varying lists of potential victims causing confusion. Experts highlight that the deregulation of the telecom sector has removed incentives for companies to invest in security measures, leading to repeated breaches and a lack of accountability in the industry.
A recent survey by CyberSmart shows that nearly 70% of Managed Service Providers, or MSPs, have faced multiple cyber breaches in the past year. Despite this worrying figure, 76% of MSP leaders expressed confidence in their organization’s cybersecurity efforts. The survey, which collected insights from 900 MSP leaders across different countries, found that 47% experienced three or more breaches. Interestingly, while most MSPs demonstrate above-average cybersecurity knowledge, 80% recognize the need to improve their defenses. Additionally, the survey revealed that only 39% of MSPs feel well-equipped to guide customers through changing regulatory challenges in cybersecurity.
Why do we care?
This isn’t just about ConnectWise — it’s a moment of reckoning for every MSP and software vendor. Remote management tools are now weapons of choice for attackers. The standard approach to trust (code signing, EDR allowlists, vendor whitelisting) is broken, and MSPs sit at the heart of that broken model.
Attackers are exploiting a legitimate vendor-signed application to distribute malware, using tactics like Authenticode stuffing to bypass detection. That’s a fundamental trust issue. When security stacks and EDRs whitelist signed software, threat actors hijack that implicit trust. Questions should be asked about systemic failure in how code signing is handled and verified.
The 16 billion credentials story is a distraction — but a useful one. It reminds us how the noise of recycled breach claims can divert attention from real threats. The real concern isn’t the phantom mega-leak — it’s the ongoing, verified misuse of legitimate software in targeted campaigns. The hype cycle distorts customer conversations and can foster the dangerous belief that breaches are background noise rather than systemic, preventable risks.
The Salt Typhoon telecom breaches reinforce this — not only because of the attack’s scale, but due to the internal directives reportedly telling incident responders not to look too hard. That kind of willful ignorance, especially in critical infrastructure, sets a dangerous precedent. It also illustrates what happens when industries are allowed to underinvest in security — the costs get socialized, and the damage trickles down to every business that relies on these networks. One must ask: where is the vendor liability here, not just reputationally, but in actual damages to customers?