Analysis updated 2026-05-18
Scan a Windows machine for signs of the ScreenConnect and SimpleHelp backdoor without making changes.
Remove a confirmed infection by killing processes, deleting services, and cleaning the registry.
Verify removal succeeded and re-check for persistence in Safe Mode startup.
| pnwcomputers/jwrapper-screenconnect-rat-remediation-toolkit | c0urag1/break-risk-intel-skill | nickalaslight/fable-sonnet-orchestrator-kit | |
|---|---|---|---|
| Stars | 1 | 1 | 1 |
| Language | PowerShell | PowerShell | PowerShell |
| Setup difficulty | moderate | easy | moderate |
| Complexity | 3/5 | 2/5 | 3/5 |
| Audience | ops devops | ops devops | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires administrator privileges on Windows, removal steps are destructive and require typing YES to confirm.
This PowerShell toolkit is an incident response tool for detecting and fully removing a specific malware infection that abuses legitimate remote access software. The infection is associated with Initial Access Brokers, attackers who break into computers and sell that access to ransomware operators, in this case those deploying Medusa ransomware. The malware works by silently installing two legitimate remote access tools, ScreenConnect and software called JWrapper running SimpleHelp, with all visible alerts and tray icons disabled. Because these are real, digitally signed programs rather than custom malware, standard antivirus tools typically do not flag them. The attacker also registers the backdoor in the Windows Safe Mode startup sequence, meaning the remote access persists even if someone boots into Safe Mode to clean the machine. The toolkit has three main files. The detection scanner, system_check.ps1, scans the machine without making any changes and produces a timestamped report covering running processes, Windows services, registry entries, file system artifacts, active network connections, and file hashes, then opens it in Notepad. The remediation script, Fix.ps1, performs cleanup in seven steps, killing processes, removing services, scrubbing registry keys, deleting files, removing firewall rules, flushing DNS cache, and re-verifying removal. The launcher, RUN_ME.bat, provides a simple menu and requires typing YES before any destructive action runs. The README warns that removing the malware does not undo data accessed during the intrusion, so passwords should be rotated after cleanup. The full README is longer than what was provided.
A PowerShell incident response toolkit for detecting and fully removing a ScreenConnect-based malware infection linked to ransomware access brokers.
Mainly PowerShell. The stack also includes PowerShell.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.