AsyncRAT Campaign Leverages ScreenConnect to Evade Detection
Key Takeaways
- A widespread campaign is distributing the AsyncRAT trojan via fake software installers, exploiting DLL sideloading and the legitimate remote access tool ScreenConnect.
- Threat actors are leveraging over 90 malicious websites, impersonating popular freeware like OBS Studio and DNS Jumper, to trick users into downloading malware.
- The attack chain establishes persistence by installing ScreenConnect, weakening security features by adding Microsoft Defender exclusions and disabling User Account Control, and injecting AsyncRAT into legitimate Windows processes.
- The primary objective appears to be mass credential theft, providing attackers with initial access that can be monetized or used for further, more significant attacks.
Stealthy AsyncRAT Campaign Leverages ScreenConnect for Evasion
A sophisticated and widespread campaign is actively deploying the AsyncRAT remote access trojan (RAT) by disguising it within counterfeit software installers. This operation cunningly bypasses conventional security measures by exploiting DLL sideloading techniques and integrating with the legitimate remote administration software, ScreenConnect. The stealthy nature of this approach makes it particularly challenging for individuals and organizations to detect the compromise.
The campaign’s breadth became apparent after an initial anomaly was flagged, leading researchers to uncover a vast network of over 90 fraudulent websites. These sites are meticulously crafted to mimic official download portals for popular free applications such as OBS Studio, DNS Jumper, Bandicam, and DS4Windows. Users searching for these tools are inadvertently redirected to these malicious sites, where they download the trojanized installers instead of the genuine software.
Analysts at Securelist first identified this malicious pattern while investigating an incident detected by Kaspersky’s Managed Detection and Response team. A report from Kaspersky detailed that the initial alert stemmed from suspicious PowerShell and VBS scripts executed by a ScreenConnect process, which ultimately helped researchers unravel the full scope of the campaign.
The attackers exploit the inherent trust placed in remote access tools like ScreenConnect, which are often permitted within organizational security policies. This allows them to establish a foothold within victim networks and move laterally without triggering immediate alarms. Once AsyncRAT is deployed, operators gain the ability to exfiltrate credentials and maintain long-term access to both personal and corporate systems.
To maximize reach, the threat actors registered domains in ten different languages and utilized search engine optimization (SEO) tactics to push their deceptive download pages to the top of search results. This strategy ensures that victims encounter these malicious sites directly through web searches, circumventing the need for traditional phishing emails.
AsyncRAT Campaign Uses DLL Sideloading and ScreenConnect
The infection chain initiates when a user downloads an archive file, such as “obs-studio-windows-x64.zip,” believing it to be a legitimate software installer. Within this archive, attackers bundle a genuine, Microsoft-signed executable, often renamed to resemble the intended installer, alongside a malicious library named “install.res.1033.dll.”
Upon execution, the fake installer relies on DLL sideloading: the signed executable loads the attacker's “install.res.1033.dll” from its own directory in place of the library it expects, so the malicious code runs under the identity of a trusted binary. This process simultaneously installs ScreenConnect in the background while the user observes the normal installation of their desired freeware, rendering the initial compromise virtually imperceptible.
Once ScreenConnect is active, it executes a PowerShell script designed to add exclusions to Microsoft Defender and disable User Account Control (UAC) prompts, effectively dismantling key security barriers. Subsequently, a VBScript file is dropped, which decodes a hidden payload using an XOR key and then loads it directly into memory.
The decoded payload is then injected into “RegAsm.exe,” a legitimate Windows process, using a technique known as process hollowing. This allows AsyncRAT to operate under the guise of a trusted system component. For persistent access, a scheduled task named “MasterPackager.Updater” is created, ensuring the malicious chain reactivates every two minutes, even after system reboots.
Infrastructure Behind the Campaign
Researchers have traced the campaign’s operational infrastructure to two distinct clusters, utilizing three primary IP addresses. One cluster initially employed lures related to gaming before shifting its tactics in January 2026 to focus on impersonating freeware download sites. The second cluster exclusively concentrated on hosting fake software portals from its inception.
Domain registration records indicate that the operation commenced around October 2025 and ceased overt activity by the end of March 2026. Despite this pause, many of the fraudulent pages remain active, showcasing a sprawling network of lookalike domains that target a wide array of everyday tools, media players, and game titles.
The overarching objective of this campaign appears to be the mass acquisition of credentials, which can then be sold on dark web marketplaces. Compromised systems serve as critical entry points for further, more significant attacks, underscoring the importance of treating any leaked credentials as an urgent warning sign of potential deeper infiltration.
What You Should Do
- Implement strict application whitelisting policies to control which applications are permitted to execute on endpoints.
- Block the installation of MSI packages from untrusted or unknown sources.
- Maintain continuous monitoring for the deployment of new remote administration services and the creation of suspicious scheduled tasks.
- Filter outbound network traffic to known malicious domains and IP addresses to disrupt command and control (C2) communications.
- Educate users on how to verify software download sources and emphasize the importance of using official vendor websites over third-party or search engine results, which can be manipulated.
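The monitoring recommendation above and the infection chain described earlier (ScreenConnect spawning PowerShell and VBScript, Defender exclusions and UAC being disabled, the “MasterPackager.Updater” task firing every two minutes, and RegAsm.exe being hollowed) map onto a handful of process-creation rules. The following Python detector is an added example, not code from the Kaspersky/Securelist report or from HackersRadar. It runs those rules over a constructed batch of Sysmon-style process-creation events; the ScreenConnect install folder, the VBS file name, the excluded folder and the command-line wording are assumptions made for the sample, not indicators taken from the report.

```python
"""Rule-based detector for the AsyncRAT/ScreenConnect chain described in this article.

Added example; not code from the Kaspersky/Securelist report or from HackersRadar.
Input: process-creation events (Sysmon Event ID 1 style) as dicts with the keys
pid, image, parent and cmdline. SAMPLE_EVENTS is CONSTRUCTED telemetry; the paths
and file names marked "assumed" are not indicators from the report.
"""
import re
from typing import Dict, List

Event = Dict[str, object]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
HOLLOWING_TARGETS = {"regasm.exe"}          # legitimate .NET binary named as the injection target
KNOWN_TASK_NAME = "masterpackager.updater"  # scheduled task name reported in the article

RE_DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*?-exclusion(?:path|process|extension)", re.I)
RE_UAC_DISABLE = re.compile(r"enablelua\b[^;|]*?\b0\b", re.I)
RE_TASK_CREATE = re.compile(r'schtasks(?:\.exe)?\s+/create\b.*?/tn\s+"?([^"\s]+)', re.I)
RE_TASK_INTERVAL = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)


def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_screenconnect(path: str) -> bool:
    return "screenconnect" in path.lower()


def inspect_event(ev: Event) -> List[str]:
    """Return the names of every rule a single process-creation event matches."""
    image, parent = basename(str(ev["image"])), str(ev["parent"])
    cmd = str(ev.get("cmdline", ""))
    hits: List[str] = []
    # The MDR alert that exposed the campaign: a remote-access tool launching a script interpreter.
    if is_screenconnect(parent) and image in SCRIPT_HOSTS:
        hits.append("screenconnect_spawned_script_host")
    # Security barriers removed from the command line.
    if RE_DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_exclusion_added")
    if RE_UAC_DISABLE.search(cmd):
        hits.append("uac_disabled")
    # Persistence: the reported task name, or any task re-running every few minutes.
    task = RE_TASK_CREATE.search(cmd)
    if task:
        if task.group(1).lower() == KNOWN_TASK_NAME:
            hits.append("known_task_name")
        interval = RE_TASK_INTERVAL.search(cmd)
        if interval and int(interval.group(1)) <= 5:
            hits.append("high_frequency_task")
    # RegAsm.exe has no business being started by a script host: a hollowing signal.
    if image in HOLLOWING_TARGETS and basename(parent) in SCRIPT_HOSTS:
        hits.append("regasm_from_script_host")
    return hits


def detect(events: List[Event]) -> Dict[int, List[str]]:
    """Map pid -> matched rule names for every event that matched at least one rule."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = inspect_event(ev)
        if hits:
            findings[int(ev["pid"])] = hits
    return findings


# Constructed sample telemetry; the ScreenConnect folder and VBS name are assumed.
SC = r"C:\Program Files (x86)\ScreenConnect Client (placeholder)\ScreenConnect.ClientService.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS: List[Event] = [
    # Benign: the decoy freeware the victim actually wanted, launched from Explorer.
    {"pid": 4000, "image": r"C:\Program Files\obs-studio\bin\64bit\obs64.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "obs64.exe"},
    # Benign: an administrator's harmless PowerShell session.
    {"pid": 4010, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
    # Malicious: ScreenConnect runs the script that adds a Defender exclusion and turns UAC off.
    {"pid": 4212, "image": PS, "parent": SC,
     "cmdline": 'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public; '
                'Set-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System '
                '-Name EnableLUA -Value 0"'},
    # Malicious: the dropped VBScript (file name assumed) started by ScreenConnect.
    {"pid": 4300, "image": WS, "parent": SC, "cmdline": r"wscript.exe C:\Users\Public\update.vbs"},
    # Malicious: the two-minute persistence task with the name reported in the article.
    {"pid": 4350, "image": r"C:\Windows\System32\schtasks.exe", "parent": PS,
     "cmdline": 'schtasks.exe /Create /TN "MasterPackager.Updater" /SC MINUTE /MO 2 '
                '/TR "wscript.exe C:\\Users\\Public\\update.vbs" /F'},
    # Malicious: RegAsm.exe, the hollowing target, started by the script host.
    {"pid": 4400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": WS, "cmdline": "RegAsm.exe"},
]

if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

The two benign events are there on purpose: a PowerShell session from Explorer and the real OBS binary produce no findings, while each stage of the chain trips at least one rule. The parent-child rules (ScreenConnect to a script host, a script host to RegAsm.exe) are the ones that generalize beyond this campaign's task name, so they are the ones worth keeping when the specific indicators change.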
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.