Hackers News Hackers News
AsyncRAT Campaign Leverages ScreenConnect to Evade Detection

Sarah Simpson
July 2, 2026 4 Min Read

Key Takeaways

  • A widespread campaign is distributing the AsyncRAT trojan via fake software installers, using DLL sideloading and the legitimate remote access tool ScreenConnect.
  • Threat actors are leveraging over 90 malicious websites, impersonating popular freeware like OBS Studio and DNS Jumper, to trick users into downloading malware.
  • The attack chain installs ScreenConnect for remote access, adds Microsoft Defender exclusions, disables User Account Control prompts, injects AsyncRAT into a legitimate Windows process, and maintains persistence through a scheduled task.
  • The primary objective appears to be mass credential theft, providing attackers with initial access that can be monetized or used for further, more significant attacks.

Stealthy AsyncRAT Campaign Leverages ScreenConnect for Evasion

A widespread campaign is actively deploying the AsyncRAT remote access trojan (RAT) by hiding it inside counterfeit software installers. The operation evades conventional controls in two ways: it uses DLL sideloading, so the malicious code is loaded by a genuine signed executable, and it installs the legitimate remote administration software ScreenConnect, so subsequent remote control comes from a tool many organizations already trust. Together these make the compromise hard for both individuals and organizations to spot.

The campaign’s breadth became apparent after an initial anomaly was flagged, leading researchers to uncover a network of over 90 fraudulent websites. These sites are crafted to mimic official download portals for popular free applications such as OBS Studio, DNS Jumper, Bandicam, and DS4Windows. Users searching for these tools land on the fraudulent pages through search results and download trojanized installers instead of the genuine software.

Kaspersky researchers, writing on Securelist, first identified the pattern while investigating an incident detected by Kaspersky’s Managed Detection and Response team. According to the report, the initial alert stemmed from suspicious PowerShell and VBS scripts executed by a ScreenConnect process; pulling on that thread revealed the full scope of the campaign.

The attackers exploit the inherent trust placed in remote access tools like ScreenConnect, which are often permitted within organizational security policies. This allows them to establish a foothold within victim networks and move laterally without triggering immediate alarms. Once AsyncRAT is deployed, operators gain the ability to exfiltrate credentials and maintain long-term access to both personal and corporate systems.
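
The alert that started the investigation was a process-lineage signal: a ScreenConnect process launching script hosts. The following hunt is an added example, not code from Kaspersky or from the article, and it assumes Sysmon is installed and writing process-creation events (Event ID 1) to Microsoft-Windows-Sysmon/Operational. The ScreenConnect client binary names are the vendor's usual file names rather than indicators from the report, and the Defender/UAC command-line patterns are my own assumption about what the described PowerShell script would contain.

```powershell
# Added example (not from the Securelist report). Hunts Sysmon process-creation events for
# the lineage described in the article. Requires Sysmon logging Event ID 1; run elevated.
# Binary names below are assumptions based on the vendor's usual client file names.

$ScreenConnectParents = @('ScreenConnect.ClientService.exe', 'ScreenConnect.WindowsClient.exe')
$ScriptHosts          = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe')
$InjectionTargets     = @('RegAsm.exe')   # named on the page as the process-hollowing target

function Get-SysmonProcessCreates {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    # SilentlyContinue: Get-WinEvent throws when no events match, which is a normal result here.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Image         = $fields['Image']
            CommandLine   = $fields['CommandLine']
            ParentImage   = $fields['ParentImage']
            ParentCommand = $fields['ParentCommandLine']
            User          = $fields['User']
        }
    }
}

function Find-SuspiciousLineage {
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $img    = [IO.Path]::GetFileName([string]$Event.Image)
        $parent = [IO.Path]::GetFileName([string]$Event.ParentImage)

        if ($parent -in $ScreenConnectParents -and $img -in $ScriptHosts) {
            # Stage 1: the MDR alert from the article, a ScreenConnect process running scripts.
            $Event | Add-Member -NotePropertyName Reason -NotePropertyValue 'ScreenConnect spawned a script host' -PassThru
        }
        elseif ($parent -in $ScriptHosts -and $img -in $InjectionTargets) {
            # Stage 2: the VBScript stage starting RegAsm.exe to hollow it.
            $Event | Add-Member -NotePropertyName Reason -NotePropertyValue 'Script host spawned RegAsm.exe' -PassThru
        }
        elseif ($img -in $ScriptHosts -and
                $Event.CommandLine -match 'Add-MpPreference|Set-MpPreference|EnableLUA|ConsentPromptBehaviorAdmin') {
            # Defender exclusion or UAC tampering from any PowerShell instance, regardless of parent.
            $Event | Add-Member -NotePropertyName Reason -NotePropertyValue 'Defender/UAC tampering on command line' -PassThru
        }
    }
}

Get-SysmonProcessCreates -Since (Get-Date).AddDays(-30) |
    Find-SuspiciousLineage |
    Sort-Object Time |
    Format-Table Time, Reason, User, ParentImage, Image, CommandLine -AutoSize -Wrap
```

Scope the time window to match your retention, and treat the first rule as high-signal: a legitimate ScreenConnect session can run PowerShell, but in an environment where ScreenConnect is not an approved tool, any hit is worth an immediate look.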

To maximize reach, the threat actors registered domains in ten different languages and utilized search engine optimization (SEO) tactics to push their deceptive download pages to the top of search results. This strategy ensures that victims encounter these malicious sites directly through web searches, circumventing the need for traditional phishing emails.

AsyncRAT Campaign Uses DLL Sideloading and ScreenConnect

The infection chain initiates when a user downloads an archive file, such as “obs-studio-windows-x64.zip,” believing it to be a legitimate software installer. Within this archive, attackers bundle a genuine, Microsoft-signed executable, often renamed to resemble the intended installer, alongside a malicious library named “install.res.1033.dll.”

Upon execution, the fake installer relies on DLL sideloading: the signed executable resolves the library by name, and because the attacker’s copy sits in the same directory, it is loaded in place of the legitimate resource DLL. The malicious code then installs ScreenConnect in the background while the user sees the normal installation of the freeware they wanted, so the initial compromise is effectively invisible.

Once ScreenConnect is active, it executes a PowerShell script designed to add exclusions to Microsoft Defender and disable User Account Control (UAC) prompts, effectively dismantling key security barriers. Subsequently, a VBScript file is dropped, which decodes a hidden payload using an XOR key and then loads it directly into memory.

The decoded payload is then injected into “RegAsm.exe,” the .NET Framework Assembly Registration Tool that ships with Windows, using process hollowing. This lets AsyncRAT run under the name of a trusted, signed binary. For persistence, a scheduled task named “MasterPackager.Updater” is created that re-runs the chain every two minutes, so it survives reboots and the killing of individual processes.
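
The steps above leave a recognizable footprint on the host: Defender exclusions, a weakened UAC configuration, a fast-repeating scheduled task, a ScreenConnect client install, and a sideloading bundle on disk. The following host-state check is an added example, not code from Kaspersky or the article. The task name and the DLL name come from the page; the ScreenConnect service and install-directory patterns, the repetition threshold, and the folders searched are my assumptions. Run it elevated on a Windows host that has the Defender PowerShell module.

```powershell
# Added example (not from the Securelist report). Reads the host-state indicators the
# described chain leaves behind. Task name and DLL name are from the article; paths and
# service-name patterns are assumptions. Run elevated.

function Get-DefenderExclusions {
    # The chain's PowerShell stage adds exclusions; any unexpected entry here is suspect.
    $p = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($p.ExclusionPath)
        Processes  = @($p.ExclusionProcess)
        Extensions = @($p.ExclusionExtension)
    }
}

function Test-UacWeakened {
    # EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates without any prompt.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $v.EnableLUA
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin
        Weakened = ($v.EnableLUA -eq 0) -or ($v.ConsentPromptBehaviorAdmin -eq 0)
    }
}

function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task      = $_
        $actions   = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" })
        $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -ne $null
        $named     = $task.TaskName -eq 'MasterPackager.Updater'
        # Repetition intervals are ISO 8601 durations (PT2M = every two minutes).
        # Threshold of 15 minutes is an assumption; the article's task fires every 2.
        $fast      = $intervals -match '^PT([1-9]|1[0-5])M$'
        $scripted  = $actions -match 'wscript|cscript|powershell|pwsh|mshta|rundll32'
        if ($named -or ($fast -and $scripted)) {
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                Interval = ($intervals -join ',')
                Actions  = ($actions -join ' | ')
            }
        }
    }
}

function Get-ScreenConnectFootprint {
    # Client installs register a service and a per-instance folder; patterns are assumptions.
    $services = Get-Service | Where-Object { $_.Name -like 'ScreenConnect Client*' -or $_.DisplayName -like 'ScreenConnect Client*' }
    $dirs = Get-ChildItem 'C:\Program Files (x86)\ScreenConnect Client*', 'C:\Program Files\ScreenConnect Client*' -Directory -ErrorAction SilentlyContinue
    [pscustomobject]@{ Services = @($services.Name); InstallDirs = @($dirs.FullName) }
}

function Find-SideloadBundles {
    # A genuine install.res.1033.dll is a signed resource DLL. An unsigned copy next to a
    # Microsoft-signed exe carrying a freeware-style name is the sideloading bundle.
    param([string[]]$Roots = @("$env:USERPROFILE\Downloads", $env:TEMP))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Filter 'install.res.1033.dll' -File -ErrorAction SilentlyContinue | ForEach-Object {
            $dll    = $_
            $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
            Get-ChildItem -Path $dll.DirectoryName -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
                $exeSig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Dir       = $dll.DirectoryName
                    Exe       = $_.Name
                    ExeSigner = $exeSig.SignerCertificate.Subject
                    ExeStatus = $exeSig.Status
                    DllStatus = $dllSig.Status   # 'NotSigned' or 'HashMismatch' is the red flag
                }
            }
        }
    }
}

'== Defender exclusions ==';       Get-DefenderExclusions | Format-List
'== UAC ==';                       Test-UacWeakened | Format-List
'== Scheduled tasks ==';           Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
'== ScreenConnect ==';             Get-ScreenConnectFootprint | Format-List
'== Possible sideload bundles =='; Find-SideloadBundles | Format-Table -AutoSize -Wrap
```

If a host shows these indicators, isolate it and capture memory before remediating: the AsyncRAT payload lives only in the hollowed RegAsm.exe process and is re-created from the on-disk stages by the scheduled task, so deleting the task alone stops nothing already running.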

Infrastructure Behind the Campaign

Researchers have traced the campaign’s operational infrastructure to two distinct clusters, utilizing three primary IP addresses. One cluster initially employed lures related to gaming before shifting its tactics in January 2026 to focus on impersonating freeware download sites. The second cluster exclusively concentrated on hosting fake software portals from its inception.

Domain registration records indicate that the operation commenced around October 2025 and ceased overt activity by the end of March 2026. Despite this pause, many of the fraudulent pages remain active, showcasing a sprawling network of lookalike domains that target a wide array of everyday tools, media players, and game titles.

The overarching objective of this campaign appears to be the mass acquisition of credentials, which can then be sold on dark web marketplaces. Compromised systems serve as critical entry points for further, more significant attacks, underscoring the importance of treating any leaked credentials as an urgent warning sign of potential deeper infiltration.

What You Should Do

  • Implement application control (allowlisting, for example AppLocker or Windows Defender Application Control) so that only approved executables and scripts can run on endpoints; this also stops a renamed signed binary from sideloading an unsigned DLL out of a user-writable folder.
  • Block installation of MSI packages from untrusted or unknown sources, and permit only the remote-administration tool your organization actually uses; a ScreenConnect client appearing where none was deployed is itself an indicator.
  • Monitor continuously for new remote-administration services, suspicious scheduled tasks (Security event 4698 when object-access auditing is enabled), Microsoft Defender configuration changes (Windows Defender Operational event 5007), and changes to the UAC registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  • Filter outbound network traffic to known malicious domains and IP addresses to disrupt command and control (C2) communications.
  • Educate users to download software only from official vendor websites and to distrust sponsored or top-ranked search results, which this campaign manipulated with SEO.

Sarah Simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.
