TL-2026-0104 HIGH 2026-02-22 Threat Analysis

Screensaver (.SCR) Files as Initial Access Vector — APT29, Cobalt Group, Kimsuky Documented Usage

Threadlinqs Intelligence 7 min
scr-filesinitial-accessapt29cobalt-groupgamaredonkimsukydouble-extensionphishingmasqueradingmotw-bypass

Threat ID: TL-2026-0104 | Severity: HIGH | Status: ACTIVE

Actor: Multiple (Cobalt Group, APT29, Kimsuky, Gamaredon, TA505) | Motivation: ESPIONAGE | FINANCIAL | DESTRUCTION

MITRE Techniques: 24 | Detections: 9

When did .scr files become the new .exe? Since threat actors figured out most email gateways don't flag them.

Windows Screensaver files (.SCR) are fully functional Portable Executable binaries that the operating system treats identically to .exe — they execute arbitrary code on double-click with no additional prompts under default configurations. Multiple nation-state operators and cybercrime groups have weaponized this file type since at least 2014, exploiting hidden extension defaults and email gateway filter gaps that still fail to block .scr attachments. What follows is the technique's adoption across five threat actor groups, its evolution from direct attachment delivery to ISO container bypass, and 9 production-ready detection rules for SPL, KQL, and Sigma.

F-Secure whitepaper 'The Dukes: 7 Years of Russian Cyberespionage' documenting APT29's long-running use of screensaver file lures for initial access. F-Secure whitepaper 'The Dukes: 7 Years of Russian Cyberespionage' documenting APT29's long-running use of screensaver file lures for initial access.

Executive Summary

Detection

Defenders first. Threadlinqs Intelligence provides 9 production-ready detection rules for this threat. Our analysis found that four high-confidence behavioral indicators catch this technique reliably: network activity from .scr processes, registry persistence outside System32, double-extension filenames, and anomalous child process spawning. Three queries. Four signals. Full kill chain coverage.

Splunk SPL — SCR Execution from User-Writable Directory

This SPL query hunts for .scr file execution from paths where legitimate screensavers never reside. Windows screensavers are installed to %SystemRoot%\System32 and launched by winlogon.exe. Execution from Downloads, Desktop, %TEMP%, or %APPDATA% is a direct phishing indicator.

SPLindex= sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Security")
  (EventCode=1 OR EventCode=4688)
| where match(Image, "(?i)\.scr$") OR match(NewProcessName, "(?i)\.scr$")
| where NOT match(Image, "(?i)C:\\\\Windows\\\\System32")
| eval scr_path=coalesce(Image, NewProcessName)
| where match(scr_path, "(?i)(Downloads|Desktop|\\\\Temp\\\\|AppData)")
| stats count by _time, ComputerName, User, scr_path, ParentImage, CommandLine
| sort -_time
Near-zero false positives. Third-party screensaver software installed to non-standard paths is rare in enterprise environments and should be inventoried.

Splunk SPL — Double-Extension SCR Masquerading

Hunting for the exact pattern documented in MITRE T1036.007 — files using double-extension tricks to disguise executables as documents. invoice.pdf.scr is the textbook example. 
SPLindex= sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Security")
  (EventCode=1 OR EventCode=11)
| eval filename=coalesce(Image, TargetFilename)
| where match(filename, "(?i)\.(pdf|doc|docx|xls|xlsx|jpg|png|txt|rtf)\.\w+\.scr$")
    OR match(filename, "(?i)\.(pdf|doc|docx|xls|xlsx|jpg|png|txt|rtf)\.scr$")
| stats count by _time, ComputerName, User, filename, EventCode
| sort -_time
Legitimate files never use double-extensions ending in .scr. Extremely low false positive rate.

Microsoft KQL — SCR Process Initiating Network Connections

Legitimate screensavers are purely graphical rendering engines — they never phone home. Any outbound traffic from a .scr process is a definitive indicator of a trojanized PE. 
KQLDeviceNetworkEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName endswith ".scr"
| where RemoteIPType == "Public"
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| project Timestamp, DeviceName, InitiatingProcessFileName,
    InitiatingProcessFolderPath, RemoteIP, RemotePort, RemoteUrl
| sort by Timestamp desc
Highest-confidence behavioral detection for trojanized .scr files. Zero false positives expected in environments where legitimate screensavers are standard Windows system files.

Sigma — SCR Double-Extension Execution from Phishing Paths

Combining delivery path and double-extension masquerading for maximum fidelity in this Sigma rule. 
SIGMAtitle: Screensaver SCR Execution from Downloads/Desktop with Double-Extension Filename
id: a7e3c1d4-9b2f-4e8a-b6d5-3f1c7a9e2b04
status: experimental
description: |
    Detects execution of .SCR files from common phishing delivery directories
    that use double-extension filename patterns (e.g., invoice.pdf.scr).
    Zero legitimate use case for this combination.
references:
    - https://intel.threadlinqs.com/#TL-2026-0104
    - https://attack.mitre.org/techniques/T1036/007/
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
    - attack.defense_evasion
    - attack.t1036.007
    - attack.initial_access
    - attack.t1566.001
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_path:
        Image|contains:
            - '\Downloads\'
            - '\Desktop\'
            - '\Temp\'
            - '\AppData\'
    selection_ext:
        Image|endswith: '.scr'
    selection_double:
        Image|contains:
            - '.pdf.scr'
            - '.doc.scr'
            - '.docx.scr'
            - '.xls.scr'
            - '.jpg.scr'
            - '.png.scr'
            - '.txt.scr'
    condition: selection_path and selection_ext and selection_double
falsepositives:
    - None known — zero false positive expected
level: critical
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence

Technical Analysis

The .scr extension is a legacy artifact of Windows screensaver functionality. At the execution layer, Windows makes no distinction between .scr and .exe — both are PE binaries processed identically by the Windows loader. This creates a reliable initial access vector for three reasons. First, email gateways that block .exe often allow .scr through allowlists or oversight. The extension flies under the radar on many default executable blocklists. Second, Windows hides .scr extensions by default under the same "Hide extensions for known file types" behavior applied to .exe. Third, double-extension masquerading — report.docx.scr, photo.jpg.scr — displays only the first extension to users, making the PE binary appear as a benign document. Side note: this technique has been in the wild since at least 2014, but many email gateways still don't block it by default. MITRE ATT&CK formally codified this in T1036.007 (Double File Extension), explicitly listing .scr alongside .exe, .lnk, and .hta as dangerous extensions used in masquerading.

Attack Chain

  1. Delivery — Spearphishing email with .scr file inside a password-protected archive (ZIP/RAR/7z) or attached directly. Cobalt Group documented this pattern against financial institutions (PT Security, 2017).
  2. User Execution — Victim extracts archive and double-clicks the .scr file. Windows displays the spoofed icon (document/image) and hides the true extension. The PE binary executes with full user privileges. Double-click. Game over.
  3. Payload Staging — The .scr dropper spawns child processes: cmd.exe, powershell.exe, rundll32.exe, or mshta.exe to stage the next drop. Legitimate screensavers never spawn command interpreters.
  4. C2 Establishment — The implant phones home to external infrastructure. Legitimate screensavers are purely graphical and never make network calls — any outbound connection is a definitive compromise indicator.
  5. Persistence — Registry modification at HKCU\Control Panel\Desktop\SCRNSAVE.EXE to register malware as the active screensaver (T1546.002), ensuring re-execution on idle timeout.

The MotW Gap — From SCR to ISO

Mark of the Web (MotW) behavior is central to this technique's evolution. Files downloaded directly from the internet receive a Zone.Identifier Alternate Data Stream, triggering SmartScreen prompts on execution. However, files extracted from mounted ISO/IMG containers do not carry MotW — a gap documented by Didier Stevens in 2017 and confirmed by Mandiant's APT29 research in 2022.

This gap drove the evolution: APT29 shifted from .scr-in-ZIP delivery to .scr-in-ISO delivery using ROOTSAW/EnvyScout, enabling execution without SmartScreen prompts on Windows 10+.

Positive Technologies analysis of Cobalt Group 2017 attacks on financial institutions using malicious SCR payloads delivered via spearphishing. Positive Technologies analysis of Cobalt Group 2017 attacks on financial institutions using malicious SCR payloads delivered via spearphishing.

Threat Actor Profiles

Cobalt Group (Carbanak/FIN7) — The earliest high-confidence documented use of .scr in spearphishing. PT Security's 2017 report documents password-protected archives containing .exe and .scr executables targeting financial institutions globally. MITRE ATT&CK references this under T1566.001.

APT29 (Cozy Bear/Midnight Blizzard/The Dukes) — F-Secure's Dukes whitepaper (2015) documents PE-based phishing with icon manipulation targeting diplomatic organizations. ESET's Operation Ghost research (2019) reveals multi-stage PE delivery with custom encryption against European Ministries of Foreign Affairs from 2013-2019. By 2022, APT29 had evolved to ISO/IMG container delivery. Based on our tracking of 24 MITRE techniques mapped to this threat, the evolution from direct .scr to container-wrapped delivery shows a clear pattern of adapting to defensive improvements.

Kimsuky (Thallium/Velvet Chollima) — North Korean actor targeting South Korean government and defense sectors. AhnLab ASEC documented Kimsuky's evolution from HWP documents to LNK-based delivery via archives, using AutoIt-compiled scripts exceeding 100MB to evade sandboxing. PE executable disguise remains core to their approach.

Gamaredon (Armageddon/UAC-0010) — Russia's FSB-linked operator documented by CERT-UA using disguised executables with a rapid attack model — pulling data out within 30-50 minutes of initial compromise. Fast. Gamaredon plants up to 120 malicious infected files per week for persistence.

ESET WeLiveSecurity research on Operation Ghost — the Dukes' continued use of novel file-based initial access vectors including screensaver executables. ESET WeLiveSecurity research on Operation Ghost — the Dukes' continued use of novel file-based initial access vectors including screensaver executables.

Indicators of Compromise

Behavioral Indicators

TypeIndicatorContext
Process.scr executing from %TEMP%, Downloads, DesktopPhishing delivery — legitimate screensavers run from System32
NetworkOutbound HTTP/HTTPS/DNS from .scr processC2 communication — legitimate screensavers never make network calls
RegistrySCRNSAVE.EXE pointing to non-System32 pathPersistence via screensaver registration (T1546.002)
FileDouble-extension pattern: .pdf.scr, .docx.scrMasquerading — no legitimate use case
DLL Importwinhttp.dll, wininet.dll, ws2_32.dll in .scrNetwork-capable imports absent from legitimate screensavers
Process Tree.scr spawning cmd.exe, powershell.exe, rundll32.exePayload staging — legitimate screensavers have no child processes
File System.scr in user directory missing Zone.Identifier ADSISO/IMG container delivery bypassing Mark of the Web

File Indicators

TypeIndicatorContext
Extension.scrWindows PE executable masquerading as screensaver
Extension Pattern.pdf.scr, .docx.scr, .jpg.scrDouble-extension masquerading (T1036.007)
ArchivePassword-protected ZIP/RAR containing .scrCobalt Group delivery pattern (PT Security 2017)
ContainerISO/IMG containing .scrAPT29 MotW bypass evolution (Mandiant 2022)

Timeline

DateEvent
2014Cobalt Group (Carbanak) begins using .scr files in spearphishing against financial institutions
2015-09-17F-Secure publishes "The Dukes" whitepaper documenting APT29 PE-based phishing with icon manipulation
2017-07-18Didier Stevens documents ISO images do not carry MotW — establishing the MotW bypass gap
2019-10-17ESET publishes Operation Ghost — APT29 multi-stage PE delivery against European foreign ministries (2013-2019)
2020-06-15SOCPrime publishes Sigma rules for double-extension .scr detection
2022-04-28Mandiant documents APT29 evolution to ISO/IMG container delivery (ROOTSAW/EnvyScout)
2023-09-08CERT-UA documents Gamaredon rapid attack model — 30-50 minute exfiltration using disguised executables
2023-12-20AhnLab ASEC documents Kimsuky evolution to AutoIt-compiled PE delivery via archives
2024-04-19MITRE ATT&CK publishes T1036.007 explicitly listing .scr as dangerous double-extension
2025-01-27DFIR Report documents LockBit ransomware chain using PE masquerading for initial access
2025-08Dark Reading reports renewed .scr campaigns deploying RMM tools and GodRAT

MITRE ATT&CK Mapping

TacticTechniqueIDDescription
Initial AccessSpearphishing AttachmentT1566.001.scr files delivered via email, often in password-protected archives
Initial AccessSpearphishing LinkT1566.002Links to cloud-hosted .scr files
ExecutionUser Execution: Malicious FileT1204.002Victim double-clicks .scr believing it is a document
Defense EvasionDouble File ExtensionT1036.007invoice.pdf.scr displays as invoice.pdf
Defense EvasionMatch Legitimate NameT1036.005.scr named after legitimate applications
Defense EvasionRight-to-Left OverrideT1036.002Unicode RLO character reverses displayed filename
Defense EvasionMotW BypassT1553.005ISO/IMG container strips Zone.Identifier ADS
Defense EvasionObfuscated FilesT1027Encrypted/packed .scr payloads
PersistenceScreensaverT1546.002SCRNSAVE.EXE registry persistence
PersistenceRegistry Run KeysT1547.001Run key persistence after initial .scr execution
ExecutionPowerShellT1059.001Post-execution payload staging
ExecutionWindows Command ShellT1059.003Child process spawned by .scr dropper
Command and ControlWeb ProtocolsT1071.001HTTP/HTTPS C2 from trojanized .scr
Command and ControlIngress Tool TransferT1105Secondary payload download
CollectionData from Local SystemT1005File collection post-compromise
ExfiltrationExfiltration Over C2T1041Data theft via established C2 channel
Full MITRE ATT&CK mapping with 24 techniques: View coverage on Threadlinqs
TL-2026-0104 on Threadlinqs Intelligence — SCR file initial access technique used by APT29/The Dukes with 9/9 detection coverage. TL-2026-0104 on Threadlinqs Intelligence — SCR file initial access technique used by APT29/The Dukes with 9/9 detection coverage.

Recommendations

  1. Block .scr at email gateways — Add .scr to executable extension blocklists alongside .exe, .com, .bat, .cmd, .pif, .vbs, .js, and .hta. Our analysis of documented campaigns shows this is the single highest-impact mitigation. Block it now.
  2. Disable "Hide extensions for known file types" via Group Policy across all endpoints. This eliminates the double-extension masquerading vector entirely.
  3. Deploy AppLocker or WDAC rules blocking .scr execution from user-writable directories (%TEMP%, %APPDATA%, Downloads, Desktop). Legitimate screensavers reside only in %SystemRoot%\System32.
  4. Block ISO/IMG mounting by non-admin users via GPO to prevent the MotW bypass that enables silent .scr execution.
  5. Monitor Sysmon Event ID 1 for .scr process creation from unexpected paths, with alerting on any outbound network connections or child process spawning from .scr parents.

References

Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0104.*

// related_reports