How ScreenConnect and ConnectWise Control Are Being Used in Remote Access Attacks
A few days ago we dealt with a very interesting and very real attack that is worth sharing, especially for dental practices and other small businesses. Several of our customers received an email from a known specialist periodontist that many of them regularly refer patients to. The email included a link to view a report. On the surface it looked believable enough that normal staff, especially reception or admin staff, could easily trust it and click it. The problem was that the specialist's email account had been compromised. The attacker was sending malicious links from a real, trusted mailbox, so sender reputation, SPF/DKIM checks and staff intuition all passed. That is what made this attack dangerous, and why fast investigation, often with support from experienced cyber security services, matters.
What happened after users clicked the link
When the link was clicked, the user was told a file would be downloaded, usually presented as something like a report viewer or similar document-related tool. In reality, the file was a disguised executable. Once that executable was run, it installed:
- Syncro RMM
- ScreenConnect / ConnectWise Control
These are legitimate remote management and support tools commonly used by IT providers. However, in this case they were being used by a threat actor to gain remote access to the computer. Once installed, the attacker effectively had:
- Remote access to the machine
- The ability to run commands
- The ability to move around the system quietly
- The opportunity to extract data
- The ability to deploy additional malware or ransomware
Syncro installed on my computer – why that can be a serious red flag
If you suddenly notice Syncro installed on your computer and you did not install it yourself or your IT provider did not clearly tell you they were deploying it, you should treat that as suspicious immediately. Syncro itself is not malware. It is a legitimate RMM platform. The problem is that legitimate software can still be used in a malicious way. That is exactly what happened here. The attacker used a compromised email account, tricked users into running a file, and then used Syncro as a way to get management access onto the machine.
ScreenConnect remote access malware – how this type of attack works
Another part of this attack was ScreenConnect, also known as ConnectWise Control. Again, this is legitimate software. Many IT companies use it every day for remote support. But if it appears unexpectedly, it can absolutely be part of a compromise. In this case, once Syncro was deployed, it then pushed ScreenConnect onto the machine. That gave the attacker practical remote access in the background. This is why people often search for things like ScreenConnect remote access malware. They notice it running, or they see it installed, and they know something is off. They are usually right to be concerned.
ConnectWise Control installed without permission – what it usually means
If ConnectWise Control is installed without permission, there are really only a few possibilities:
- Your IT provider deployed it and did not communicate it properly
- Another legitimate support tool pushed it as part of a software package
- A threat actor installed it to gain remote access
If you are unsure which one it is, do not ignore it. Unexpected remote access software should always be investigated properly. It should never just be assumed to be safe.
Why traditional antivirus often misses this
This is where the attack gets even more interesting. Both Syncro and ScreenConnect are legitimate, code-signed applications from real vendors, so many traditional antivirus products do not flag them at all: from a signature perspective there is nothing malicious to match. That means the agents can sit quietly on the system and give the attacker a working foothold without ever being blocked. Standard antivirus was not enough for this style of attack. CrowdStrike Falcon, however, detected it immediately, because it looks at behaviour rather than only at whether a file is known malware. The chain is what gave it away: a user runs an executable that arrived through an email link, that executable silently installs an RMM agent, and the agent then installs a second remote access tool. The practical lesson is that the control has to be behavioural or administrative. EDR covers the first; an allow-list of the remote access tools your IT provider actually uses, with anything else alerted on or blocked by definition, covers the second.
How we handled it for customers with CrowdStrike
For customers using CrowdStrike, the response was much cleaner. CrowdStrike detected the suspicious behaviour, contained the machine, and allowed us to manually investigate and remove the unwanted software safely. That is one of the major differences between traditional antivirus and proper EDR. EDR sees what the software is doing, not just what the file is called.
How we handled it for customers without EDR
Not every customer has an advanced EDR platform in place, so we also needed a practical response for those environments. For customers without CrowdStrike or similar protection, we used our Ninja RMM platform to monitor for unexpected installation of known remote access tools and RMM products. That includes things like:
- Syncro
- ScreenConnect / ConnectWise Control
- Other remote access tools that should not appear unexpectedly
If Ninja detects one of those products being installed unexpectedly, it can automatically trigger a removal script and strip the software out straight away. That gives us a way to respond quickly even when the customer does not yet have the right EDR stack in place.
How to detect this type of compromise
If you suspect something similar has happened, check for the following:
- Syncro installed unexpectedly
- ScreenConnect or ConnectWise Control installed unexpectedly
- Unknown remote access services running in the background
- Unexpected remote support agents in Programs and Features
- Staff reporting that they opened a suspicious report link or downloaded a fake viewer
If any of those line up, take it seriously.
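A concrete version of that checklist, as an added example (this is not the page's own script nor the Ninja RMM removal script mentioned earlier): a PowerShell script, run from an elevated session, that walks Programs and Features, services and running processes for remote access agents, ignores the ones your own provider uses, and with `-Remove` stops and uninstalls what it finds. The product-name substrings, the default approved-agent list, the MSI/EXE uninstall handling and the `/S` silent switch are assumptions; adjust them for your environment.

```powershell
# Added example; not the page's or the IT provider's own script.
# Hunt a Windows endpoint for remote access / RMM agents nobody authorised, and
# optionally remove them. Run from an elevated PowerShell session.
# Assumptions: product-name substrings, the default $Approved list, MSI/EXE
# uninstall handling and the /S silent switch. Adjust for your environment.
[CmdletBinding()]
param(
    # Agents your own provider legitimately deploys; matches on these are ignored.
    [string[]]$Approved = @('NinjaRMMAgent', 'CrowdStrike'),
    [switch]$Remove
)

# Substrings identifying the tools in the article plus other common remote
# access products. Matched case-insensitively against program names, service
# names/paths and process names/paths.
$Patterns = @('Syncro', 'ScreenConnect', 'ConnectWise Control', 'AnyDesk', 'TeamViewer', 'Atera', 'Splashtop')

function Test-Pattern([string]$Text) {
    if (-not $Text) { return $false }
    foreach ($p in $Patterns) { if ($Text -like "*$p*") { return $true } }
    return $false
}
function Test-Approved([string]$Text) {
    if (-not $Text) { return $false }
    foreach ($a in $Approved) { if ($Text -like "*$a*") { return $true } }
    return $false
}
function Add-Finding($Source, $Name, $Detail, $Action) {
    $script:Findings += [pscustomobject]@{ Source = $Source; Name = $Name; Detail = $Detail; Action = $Action }
}
$script:Findings = @()

# 1. Programs and Features = the Uninstall registry keys (64-bit, 32-bit, per-user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
foreach ($app in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue) {
    if ((Test-Pattern $app.DisplayName) -and -not (Test-Approved $app.DisplayName)) {
        Add-Finding 'InstalledProgram' $app.DisplayName "installed $($app.InstallDate)" $app.UninstallString
    }
}

# 2. Services. ScreenConnect registers "ScreenConnect Client (<fingerprint>)";
#    Syncro's services carry "Syncro" in the name (assumed naming).
foreach ($svc in Get-CimInstance Win32_Service) {
    $hit = (Test-Pattern $svc.Name) -or (Test-Pattern $svc.DisplayName) -or (Test-Pattern $svc.PathName)
    if ($hit -and -not (Test-Approved $svc.PathName)) {
        Add-Finding 'Service' $svc.Name "$($svc.State): $($svc.PathName)" $svc.Name
    }
}

# 3. Running processes: the agent may still be live even if its uninstall entry was wiped.
foreach ($proc in Get-CimInstance Win32_Process) {
    $hit = (Test-Pattern $proc.Name) -or (Test-Pattern $proc.ExecutablePath)
    if ($hit -and -not (Test-Approved $proc.ExecutablePath)) {
        Add-Finding 'Process' $proc.Name "PID $($proc.ProcessId): $($proc.CommandLine)" $proc.ProcessId
    }
}

if ($Findings.Count -eq 0) { Write-Host 'No unexpected remote access tools found.'; return }
$Findings | Format-Table -AutoSize

if ($Remove) {
    # Kill the live session first, then uninstall, so the attacker cannot react.
    foreach ($f in $Findings | Where-Object Source -eq 'Service') {
        Stop-Service -Name $f.Action -Force -ErrorAction SilentlyContinue
    }
    foreach ($f in $Findings | Where-Object Source -eq 'Process') {
        Stop-Process -Id $f.Action -Force -ErrorAction SilentlyContinue
    }
    foreach ($f in $Findings | Where-Object { $_.Source -eq 'InstalledProgram' -and $_.Action }) {
        if ($f.Action -match '^MsiExec\.exe\s*/[IX]\s*(\{[0-9A-Fa-f-]+\})') {
            # MSI-packaged agent (ScreenConnect's client is one): silent uninstall by product code.
            Start-Process msiexec.exe -ArgumentList "/x $($Matches[1]) /qn /norestart" -Wait
        } else {
            # EXE uninstaller: the silent switch is vendor-specific; /S is an assumption.
            Start-Process cmd.exe -ArgumentList "/c $($f.Action) /S" -Wait
        }
    }
    Write-Host 'Removal attempted. Re-run without -Remove (after a reboot) to confirm nothing remains.'
}
```

Run it first without `-Remove` on a machine you know is clean to see what your own provider's agents look like, and put those names in `-Approved`; otherwise the script will happily report and, with `-Remove`, tear out the tools you rely on. The process check matters because the uninstall entry is the easiest artefact for an attacker to delete while the agent keeps running.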
What to do if Syncro or ScreenConnect appears unexpectedly
- If the machine has EDR, contain it from the EDR console first (network isolation keeps the EDR's own channel open so you can still investigate remotely); if it does not, disconnect it from the network immediately.
- Check installed applications for Syncro, ScreenConnect, ConnectWise Control, or other unexpected remote access tools.
- Check services, scheduled tasks and startup items for related components.
- Remove the software properly, reboot, and confirm all related services, processes and install folders are gone.
- Reset credentials for the affected user if they clicked a malicious link or ran a payload, and sign out their active sessions (Microsoft 365 or Google Workspace) so a stolen session token is no use either; any other account that logged on to that machine while the attacker had access should be treated the same way.
- Review logs and surrounding activity (service installs, process creation, logons from that machine to other hosts) to determine whether the attacker moved further into the environment.
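For the log review step, an added example (not from the original page) of how to reconstruct when the agent arrived and what launched it, from logs that survive an install: a PowerShell timeline built from System event 7045 (new service installed), MsiInstaller events in the Application log, the creation time of the install folders and, where process creation auditing is enabled, Security 4688 events in the fifteen minutes before the first suspicious service install. The name patterns, Syncro's `RepairTech` install folder and the lookback window are assumptions; the event IDs are standard Windows ones.

```powershell
# Added example; not from the original page. Build a timeline of when a remote
# access agent landed on a Windows host and what launched it, from the logs
# that survive an install. Run from an elevated PowerShell session.
# Assumptions: the name patterns, Syncro's "RepairTech" install folder and the
# lookback window. Event IDs are standard Windows ones.
param(
    [int]$LookbackDays = 14,
    [string[]]$Patterns = @('Syncro', 'ScreenConnect', 'ConnectWise')
)
$since = (Get-Date).AddDays(-$LookbackDays)
$regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
$timeline = [System.Collections.Generic.List[object]]::new()
function Add-Event($Time, $Source, $Detail) {
    $timeline.Add([pscustomobject]@{ Time = $Time; Source = $Source; Detail = $Detail })
}

# 1. System log, event 7045: the Service Control Manager logs every new service.
#    An agent needs a service to persist, so this is the most reliable artefact.
#    EventData order for 7045 is ServiceName, ImagePath, ServiceType, StartType, AccountName.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $regex } |
    ForEach-Object {
        Add-Event $_.TimeCreated 'ServiceInstalled' "$($_.Properties[0].Value) -> $($_.Properties[1].Value)"
    }

# 2. Application log, MsiInstaller 1033/1040/11707: MSI package installs, which is
#    how both agents are normally packaged (assumed).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { ($_.Id -in @(1033, 1040, 11707)) -and ($_.Message -match $regex) } |
    ForEach-Object { Add-Event $_.TimeCreated "MsiInstaller/$($_.Id)" (($_.Message -split "`r?`n")[0]) }

# 3. Filesystem: creation time of the agents' default install folders.
#    ScreenConnect uses "ScreenConnect Client (<fingerprint>)"; Syncro's folder
#    lives under "RepairTech" (assumed default path).
foreach ($dir in Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' -Directory -ErrorAction SilentlyContinue) {
    if ($dir.Name -match $regex -or $dir.Name -eq 'RepairTech') {
        Add-Event $dir.CreationTime 'InstallFolder' $dir.FullName
    }
}

# 4. Pivot: Security 4688 (process creation; needs "Audit Process Creation" and,
#    to see command lines, "Include command line in process creation events") in
#    the 15 minutes before the first suspicious service install. This is where the
#    disguised "report viewer" executable and the installer chain show up.
$first = $timeline | Where-Object Source -eq 'ServiceInstalled' | Sort-Object Time | Select-Object -First 1
if ($first) {
    $window = @{ LogName = 'Security'; Id = 4688; StartTime = $first.Time.AddMinutes(-15); EndTime = $first.Time.AddMinutes(1) }
    Get-WinEvent -FilterHashtable $window -ErrorAction SilentlyContinue | ForEach-Object {
        $name   = [regex]::Match($_.Message, 'New Process Name:\s*(.+)').Groups[1].Value.Trim()
        $parent = [regex]::Match($_.Message, 'Creator Process Name:\s*(.+)').Groups[1].Value.Trim()
        Add-Event $_.TimeCreated 'ProcessCreated' "$parent -> $name"
    }
}

$timeline | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Read the result bottom-up from the first `ServiceInstalled` row: the `ProcessCreated` rows just before it should show a browser or Outlook spawning something from the user's Downloads folder, then that file spawning msiexec or the RMM installer. If 4688 is empty, process creation auditing was not on; turn it on now, because the next incident will need it. The same timestamps tell you which accounts were logged on, which is the list you carry into the credential reset.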
What to look out for in phishing emails like this
This case is also a good reminder that the most dangerous phishing emails are not always the obviously bad ones. Sometimes they come from:
- A real mailbox
- A known supplier or specialist
- A contact your staff already trust
- A believable context, like a report, referral, or attachment
That is exactly why this one worked. To dental staff, especially busy reception staff, it looked like a normal message from a known practice. That is what made it effective.
The real takeaway
This attack is a good example of where cyber threats are heading. Attackers are not always relying on obvious malware anymore. More and more, they are using legitimate administrative and remote access tools as part of the attack chain. That makes detection much harder for basic antivirus. If people are searching things like:
- Syncro installed on my computer
- ScreenConnect remote access malware
- ConnectWise Control installed without permission
there is a good chance they are not imagining the risk. Those are exactly the sorts of signs that should trigger immediate investigation.
Final advice
If a machine suddenly has remote management or remote access tools installed and nobody can clearly explain why, do not leave it sitting there. Investigate it properly, isolate it if needed, and remove it quickly. The longer the attacker keeps that access, the more damage they can do. For businesses that do not yet have EDR in place, at the very least make sure you are monitoring aggressively for unexpected remote access software, because standard antivirus alone is not enough for attacks like this.
Related service: If you need help responding to suspicious remote access activity or strengthening protection, review our cyber security services.