www.darkreading.com 2/4/2026, 9:50:22 PM

Attackers Use Windows Screensavers to Drop Malware, RMM Tools

Attackers are using Windows screensaver files (.scr) to drop malware and an RMM tool, enabling interactive remote access and footholds inside targeted networks, according to ReliaQuest Threat Research. Initial access appears to come from a business-themed phishing lure that directs users to download an .scr file hosted on a cloud storage platform. Once run, the file installs an otherwise legitimate RMM tool named JWrapper, which the attacker can connect to for persistence.

In Windows, .scr files are portable executable (PE) programs that can run arbitrary code, which helps them bypass some security controls when they are not properly restricted. The campaign has been observed across multiple customers. ReliaQuest notes that there is currently no attribution for the threat actor behind the activity, which it describes as opportunistic rather than part of a defined cluster.

The researchers also warn that attackers previously used screensaver files to deploy the remote access Trojan GodRAT against financial institutions in August 2025, underscoring the technique’s recurrence and evolving risk.
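
A defender's triage for the .scr delivery described above, as an added example that is not from the original article or from ReliaQuest: it flags process-creation events where a .scr runs from outside the Windows system directories, or where such a file spawns a child process. Field names follow Sysmon Event ID 1; the directory list, paths, file names and sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: Windows' own screensavers live only in these directories on a
# C: system drive; any .scr started from elsewhere is treated as untrusted.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def is_scr(path):
    """True if the image path has a .scr extension (case-insensitive)."""
    return path.lower().endswith(".scr")

def in_system_dir(path):
    """True if the file sits directly in one of the trusted system directories."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS

def triage(event):
    """Return the reasons a process-creation event looks suspicious."""
    reasons = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if is_scr(image) and not in_system_dir(image):
        reasons.append("scr_outside_system_dir")
    if is_scr(parent) and not in_system_dir(parent):
        reasons.append("child_of_untrusted_scr")
    return reasons

def alerts(events):
    """Return (Image, reasons) for every event with at least one reason."""
    return [(e["Image"], r) for e in events if (r := triage(e))]

# Constructed sample events, not taken from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\scrnsave.scr",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"Image": r"C:\Users\alice\Downloads\Invoice_Q1.SCR",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ParentImage": r"C:\Users\alice\Downloads\Invoice_Q1.SCR"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for image, reasons in alerts(SAMPLE_EVENTS):
        print(image, reasons)
```

The second reason matters because the dropper's own execution can be missed if logging starts late, while the processes it launches still carry the .scr path as their parent.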


Article by CyberSIXT