Attack Spotlight
May 8, 2025
Exploring different ways attackers deliver malicious payloads with Canva
Within the past month, Sublime’s Threat Research team has noticed an increase in the frequency of email attacks that abuse Canva to deliver ScreenConnect remote administration software. This Living Off Trusted Service (LOTS) attack can be effective because the initial infection involves two known-good data sources. Many organizations may not detect this threat until after ScreenConnect has already been installed and started connecting to a threat actor’s server.
Online design sites have become prominent for business and personal use to allow users to create custom content in quick graphical layouts. These tools often have a free plan, removing the need for an account compromise. Sublime recently disclosed attacks that leveraged Figma to launch a credential phishing attack. Along with Figma, we have also noted an increased use of Canva, a free and user-friendly service, to create pages for delivering malware.
Not only does Canva allow authentic-looking pages to be created that impersonate known brands, but those pages are also hosted directly on the Canva service for public access. This allows threat actors to quickly design and share malicious sites in email campaigns. While we have monitored many similar attacks, we will focus on a few unique indicators.
Many recent examples of Canva abuse have used the theme of document proposals with the often seen DocuSign brand impersonation. Notably, we have also seen many emails that are not using branding at all and are just displaying a direct link to view the content.
In our hunting, we also uncovered attacks where the threat actor didn’t even properly remove previews that show the content is hosted on Canva:
Regardless of email style, the included link will direct the victim to a page hosted on Canva. While some of these pages appeared to be well-designed and believable, many others seemed rushed and basic. Most did not impersonate any hosting service, but instead just provided a basic icon and download link.
And some pages showed bare minimum effort that was delivered by a URL to edit the content instead of view it.
While the links within these pages would typically redirect to phishing pages or malware, we discovered a unique feature found in a few related campaigns. The link would be to CAPTCHA pages on non-US, throwaway domains with SSL certificates from Google hosting. Each also included a unique icon on the page while asking the user to click to confirm they are a human.
The page's HTML was also worth a closer look: it stored encrypted code that was decrypted on the fly with JavaScript. An example of this (with truncated data) is shown below. The code includes a hardcoded block of encrypted data and a key, each stored as Base64, for on-the-fly AES decryption.
These two blocks of encrypted data each decrypted to additional JavaScript. The first block has a single purpose: preventing analysis of the code by a user. Most of it monitors for, and disables, specific keyboard shortcuts. For example, { ctrl: true, keyCode: 85 } would be interpreted as Ctrl-U, the keyboard shortcut to view the page source. The various key combinations each correspond to HTML inspection tools.
It then disables the right-click menu (the contextmenu event) and monitors for a JavaScript debugger. If a debugger is detected, it forwards the page to the standard Google account login page.
With the anti-analysis code in place, the JavaScript then loads the second portion, which carries the actual phishing logic. This code, shown in the screenshot below with comments added for additional Base64 decodes, contains pre-populated data for an HTTP GET and POST to a hardcoded, but Base64 encoded, URL.
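The traits described above (shortcut blocking, context-menu suppression, a debugger trap that redirects to the Google login page, and large Base64 blobs fed to inline AES decryption) are easy to triage statically. The following is an added example, not Sublime's detection logic: it scans a landing page for those traits and measures the entropy of any embedded blob. The sample HTML is constructed for the example (CryptoJS is assumed as the AES library; the post does not name one), and the entropy cutoff and verdict thresholds are assumptions.

```python
"""Static triage of a CAPTCHA-style landing page for anti-analysis traits.

Added example, not Sublime's code. The sample HTML is constructed; CryptoJS,
the entropy cutoff and the verdict thresholds are assumptions.
"""
import base64
import hashlib
import math
import re
from collections import Counter

# Key codes: 85 = U (Ctrl+U view source), 123 = F12, 73/74/67 = I/J/C (Ctrl+Shift+I/J/C).
HEURISTICS = [
    ("blocks_view_source", re.compile(r"keyCode\s*:\s*85\b")),
    ("blocks_devtools_keys", re.compile(r"keyCode\s*:\s*(?:123|73|74|67)\b")),
    ("disables_context_menu", re.compile(r"['\"]contextmenu['\"]")),
    ("debugger_trap", re.compile(r"\bdebugger\b")),
    ("redirects_to_google_login", re.compile(r"accounts\.google\.com")),
    ("inline_aes_decrypt", re.compile(r"AES\s*\.\s*decrypt", re.I)),
]
# A quoted Base64 run of at least 200 characters is a candidate embedded blob.
B64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
ENTROPY_CUTOFF = 7.5  # bits/byte; ciphertext decodes to near-random bytes (assumed cutoff)


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_encrypted_blobs(html: str) -> list:
    """Decode each candidate blob and record its size and entropy; skip invalid Base64."""
    blobs = []
    for m in B64_BLOB.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        blobs.append({"b64_length": len(m.group(1)), "entropy": round(shannon_entropy(raw), 2)})
    return blobs


def triage_page(html: str) -> dict:
    """Combine heuristic hits and high-entropy blobs into a verdict."""
    hits = [name for name, rx in HEURISTICS if rx.search(html)]
    blobs = find_encrypted_blobs(html)
    high_entropy = [b for b in blobs if b["entropy"] >= ENTROPY_CUTOFF]
    if len(hits) >= 3 and high_entropy:
        verdict = "suspicious"
    elif hits or high_entropy:
        verdict = "review"
    else:
        verdict = "no anti-analysis traits"
    return {"hits": hits, "encrypted_blobs": blobs, "verdict": verdict}


def _pseudo_ciphertext(blocks: int = 64) -> bytes:
    """Deterministic stand-in for AES ciphertext: a SHA-256 hash chain (2048 bytes)."""
    out, h = b"", b"constructed-seed"
    for _ in range(blocks):
        h = hashlib.sha256(h).digest()
        out += h
    return out


# Constructed landing page mirroring the traits above; not a captured sample.
SAMPLE_HTML = """<html><body><p>Click to confirm you are a human</p><script>
var ct = "%s";
var key = "%s";
var blocked = [{ ctrl: true, keyCode: 85 }, { keyCode: 123 }, { ctrl: true, shift: true, keyCode: 73 }];
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
setInterval(function () { var t = Date.now(); debugger;
  if (Date.now() - t > 100) { location.href = 'https://accounts.google.com/'; } }, 500);
eval(CryptoJS.AES.decrypt(ct, key).toString(CryptoJS.enc.Utf8));
</script></body></html>""" % (base64.b64encode(_pseudo_ciphertext()).decode(),
                              base64.b64encode(b"constructed-key!").decode())

if __name__ == "__main__":
    print(triage_page(SAMPLE_HTML))
```

The entropy check is what separates an embedded ciphertext from an ordinary Base64-encoded image or font: decoded ciphertext sits near 8 bits per byte, while encoded media and text fall well below the cutoff.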
While there are many components of this code to be explored, we found a public analysis by independent researcher gaspbet that explained the many specific traits of this code. Ultimately, for a typical user these CAPTCHA pages would redirect to a variety of phishing pages for Google, Xfinity, and others.
Instead of redirecting to phishing pages, some campaigns using Canva only required a victim to download and launch an executable. For one campaign, the email that pretended to be a proposal Docusign link went to the simply designed Canva page below that contained an obvious link labeled “VIEW SECURE DOCUMENT”. This link directly downloads an executable named “Request for proposal(11).exe” from the CloudFlare R2 storage service: hxxps://pub-0561ece4ec6544baa80fd8d8d2ae1c00[.]r2[.]dev/Request for proposal(11).exe
Instead of infecting the victim with a backdoor, infostealer, or other malware, this executable is a legitimate, digitally signed installer for ScreenConnect. ScreenConnect is a widely used application for remote screen sharing across the internet; it allows a remote user to interact with the local system to run programs and copy off data. Though “trusted” and digitally signed, the executable contains a block of configuration data that tunes it to install and communicate with a server run by the threat actor.
By design, a Windows executable's headers record the size and layout of its contents. Those same structures are what the digital signature is computed over, certifying that the content within the executable is allegedly known and safe for installation. Any data appended to the file after the signed content, in what’s called the overlay section, is not covered by the signature and is ignored.
ScreenConnect’s developers decided to use this overlay section to allow customized data to be appended to the file that specifies how it will be installed without impacting the file’s digital signature. This simplified legitimate usage of the installer, as well as enabled it to become malicious when given data owned by a threat actor.
The data below was detected within a ScreenConnect installer associated with one of our Canva attacks above.
The ClientLaunchParametersConstraint value holds the pertinent information for the attack, with each variable delineated by an ampersand. This structure is well detailed to allow for many styles of automated install. The table below notes values seen within this executable as well as other fields that could be encountered in the wild.
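The overlay mechanism and the ampersand-delimited ClientLaunchParametersConstraint value described above can be checked from the defender's side: carve everything past the last PE section (which is where the certificate table and any appended overlay live), pull out the launch parameters, and flag an installer whose relay is not one the organization operates or that looks like a brand-name domain. The following is an added example, not Sublime's tooling and not ConnectWise's format specification. Because the configuration dump and field table appear in the post only as images, it assumes the configuration is a NUL-terminated UTF-8 string that begins with ClientLaunchParametersConstraint= and that, within the value, the keys h and p carry the relay host and port; the sample installer it builds is a constructed PE skeleton, not a real signed binary.

```python
"""Carve ScreenConnect launch parameters from the unsigned tail of an installer.

Added example; not Sublime's tooling and not ConnectWise's format specification.
Assumed framing: a NUL-terminated UTF-8 string starting with the marker below,
whose ampersand-delimited value carries the relay host in h and port in p.
"""
import struct
from urllib.parse import parse_qs

MARKER = b"ClientLaunchParametersConstraint="


def end_of_sections(pe: bytes) -> int:
    """File offset just past the last section's raw data.

    Anything after that point (the attribute certificate table and any appended
    overlay) is outside the section data, which is where the configuration lives.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # first section header
    end = table + 40 * n_sections
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def extract_launch_parameters(pe: bytes) -> dict:
    """Return the ampersand-delimited launch parameters as a dict, or {} if absent."""
    tail = pe[end_of_sections(pe):]
    idx = tail.find(MARKER)
    if idx < 0:
        return {}
    value = tail[idx + len(MARKER):].split(b"\0", 1)[0].decode("utf-8", "replace")
    # parse_qs splits on '&' and '=' and percent-decodes, matching the described framing.
    return {k: v[0] for k, v in parse_qs(value, keep_blank_values=True).items()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike relay domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_installer(pe: bytes, approved_hosts: set, brand_domains: list) -> dict:
    """Flag an installer whose relay is not ours or is within two edits of a brand domain."""
    params = extract_launch_parameters(pe)
    host = params.get("h", "").lower()
    port = params.get("p", "")
    findings = []
    if not params:
        findings.append("no ClientLaunchParametersConstraint found after the sections")
    elif host not in approved_hosts:
        findings.append(f"relay {host}:{port} is not an approved ScreenConnect relay")
    registrable = ".".join(host.split(".")[-2:])
    for brand in brand_domains:
        d = edit_distance(registrable, brand)
        if 0 < d <= 2:
            findings.append(f"relay domain {registrable} is within {d} edit(s) of {brand}")
    return {"host": host, "port": port, "findings": findings}


def build_sample_installer(config: bytes) -> bytes:
    """Constructed stand-in: a minimal PE32 skeleton with one section, then the
    configuration as trailing data. Not a real ScreenConnect binary; unsigned."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 224                                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)      # magic only, rest zeroed
    section = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x400) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (0x400 - len(headers))                   # pad up to PointerToRawData
    return headers + b"\xCC" * 0x200 + config + b"\0"


# Constructed sample using the relay observed in the campaign; the key is a placeholder.
SAMPLE_CONFIG = (b"ClientLaunchParametersConstraint=e=Access&y=Guest"
                 b"&h=relay.shamrockkfoods.com&p=8041&k=PLACEHOLDER_PUBLIC_KEY")

if __name__ == "__main__":
    print(assess_installer(build_sample_installer(SAMPLE_CONFIG),
                           approved_hosts={"relay.corp.example"},
                           brand_domains=["shamrockfoods.com"]))
```

Carving from the end of the last section rather than only from the end of the certificate table keeps the check robust whichever of the two places the appended data lands in, and the lookalike test catches the single extra letter that separates the campaign's relay from the impersonated company's domain.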
Upon execution, the ScreenConnect executable quietly and automatically installs itself as a Windows service. Using the stored configuration data documented above, it begins connecting out to a malicious server hosted at relay[.]shamrockkfoods[.]com on port 8041.
This domain is intended to impersonate the legitimate one used by Shamrock Foods Company, a large food distributor within the US. It was registered on April 6th 2025, only days prior to the campaign. All connections to this domain were redirected to an IP address hosted by the threat actor. At the time of this posting that IP was 23.226.68.20, owned by a server hosting provider within the US. While other suspicious domains have historically been seen using this IP address, the nature of a hosting provider is that IPs can be used for short periods by malicious campaigns and then discarded.
Sublime's AI-powered detection engine prevents this attack. Some of the top signals for this attack are:
ASA, Sublime’s Autonomous Security Analyst, flagged this email as malicious. Here is ASA’s analysis summary:
If you’re interested in checking out Sublime and how we detect and prevent attempts to deliver malware via email originating attacks, you can create a free account today or request a demo. If you enjoyed this deep dive, check out our post: TROX Stealer: A deep dive into a new Malware as a Service (MaaS) attack campaign.