SEO Poisoning Campaign Impersonates 25+ Apps to Deliver AsyncRAT
Key Takeaways
- A sophisticated SEO poisoning campaign has been active since October 2025, targeting Windows users with trojanized installers for over 25 popular applications.
- The campaign leverages manipulated search results to trick users into downloading seemingly legitimate software that secretly deploys the AsyncRAT malware.
- The multi-stage infection chain uses DLL sideloading, disguised remote management tools (ScreenConnect), and process hollowing to evade detection and establish robust persistence.
- AsyncRAT, delivered as the final payload, includes advanced features like a keylogger, cryptocurrency clipper, and dynamic plugin system, posing a significant data theft risk.
SEO Poisoning Campaign Delivers Advanced AsyncRAT via Fake Software Installers
A covert SEO poisoning operation has been actively compromising Windows systems since at least October 2025, luring unsuspecting users into downloading malicious installers disguised as popular software. This extensive campaign, which remained undetected for approximately five months, was fully uncovered in March 2026, revealing a complex, multi-stage infection process designed to silently compromise machines and exfiltrate sensitive data.
Deceptive Tactics and Initial Infection
The attackers employ sophisticated search engine optimization (SEO) techniques to push fake download pages to the top of search results. These deceptive sites target users searching for widely used applications such as VLC Media Player, OBS Studio, KMS Tools, and CrosshairX. To enhance credibility, the lure sites incorporate fake Schema.org aggregate ratings and hreflang tags for various languages.
When a victim clicks one of these compromised download links, they receive a ZIP archive containing both the legitimate software and a hidden malicious component. The installation process appears normal, as the genuine application launches as expected, leaving most victims unaware of the underlying compromise.
Investigation Uncovers Campaign’s Scope
The full extent of the operation was brought to light in March 2026 by analysts from NCC Group, working in conjunction with FOX-IT. Their joint investigation was initiated following an unusual surge in ScreenConnect-related alerts across client environments. What initially appeared to be isolated incidents involving a remote management tool was ultimately identified as a coordinated, long-running campaign.
The campaign’s infrastructure includes three ScreenConnect relay hosts and two payload delivery backends. At the time of analysis, over 100 malicious files linked to this infrastructure were discovered on VirusTotal, highlighting the scale of the distribution network.
AsyncRAT: A Feature-Rich Payload
The ultimate payload deployed by this campaign is AsyncRAT, an open-source remote access trojan (RAT) that first emerged in 2019. This particular build, internally dubbed “FlowProxy Monitor V3,” extends far beyond typical RAT capabilities. It integrates a keylogger, a clipboard monitor, and a cryptocurrency clipper capable of targeting 16 different digital currencies. Furthermore, it features a dynamic plugin system, enabling attackers to inject additional capabilities into memory during runtime without leaving traces on disk.
Interestingly, the AsyncRAT build also incorporates a geo-fencing mechanism. It deliberately bypasses cryptocurrency interception for victims located in the Middle East, North Africa, and Central Asia, suggesting a specific targeting strategy or operational constraint by the attackers.
Evolving Delivery Infrastructure
The campaign’s delivery infrastructure has continuously evolved to enhance its stealth and resilience. Early in the operation, payloads were hosted at static, easily predictable URLs. However, by late January 2026, the attackers had transitioned to a randomized token-based system. This new method generates a unique download link for each victim, effectively rendering URL-based blocking mechanisms ineffective.
The primary delivery backend, fileget[.]loseyourip[.]com, masquerades as a legitimate file-sharing service. In reality, its sole purpose is to distribute these malicious installers.
Multi-Stage Infection Mechanism
The infection chain is initiated the moment a victim runs the installer from the downloaded ZIP archive. This archive contains a genuine VLC installer bundled with a malicious libvlc.dll. Through a technique known as DLL sideloading, the attackers abuse the Windows library search order: because libvlc.dll is a core dependency of VLC, Windows loads the malicious copy sitting beside the installer, allowing the attacker's code to run inside the trusted VLC process.
Once active, the malicious DLL silently extracts and executes a hidden MSI installer. This MSI then deploys ScreenConnect as a Windows service, cleverly disguised as “Microsoft Update Service.” Immediately following deployment, ScreenConnect establishes a connection with the attacker’s relay server.
The attackers then leverage ScreenConnect to drop a VBScript. This script writes a PowerShell loader and encoded payload files into the C:\Users\Public directory. The loader decrypts these files using XOR operations and bit reflection, then compiles a .NET injector entirely in memory, which performs process hollowing to inject AsyncRAT into RegAsm.exe, a legitimate Windows binary. Because the injector and the RAT never touch disk in decrypted form, this in-memory technique is crucial for evading disk-based security scans.
To ensure persistent access, the campaign establishes three distinct mechanisms:
- A Windows service configured for automatic startup.
- A Windows Authentication Package that loads into LSASS before any user logs in, granting deep system access.
- A scheduled task named “MasterPackager.Updater” designed to re-execute the VBScript every two minutes, ensuring the malware’s continuous presence.
What You Should Do
- Always download software directly from official vendor websites. Avoid third-party download sites or unofficial sources, even if they appear high in search results.
- Exercise extreme caution with unexpected elevation prompts during software installation, as these can indicate malicious activity.
- Security teams should monitor for unauthorized deployments of ScreenConnect, particularly if it’s disguised under suspicious service names like “Microsoft Update Service.”
- Implement monitoring for process hollowing events, especially within legitimate Windows binaries such as RegAsm.exe.
- Monitor for the presence of the mutex “confing_me_s” as a host-based indicator of compromise.
- Block confirmed lure domains, relay hosts, and AsyncRAT command-and-control (C2) addresses identified in threat intelligence reports.
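The persistence mechanisms and host-based indicators described above can be checked from an elevated PowerShell session. The following read-only triage script is an added example written for this article; it is not code from HackersRadar, NCC Group or Fox-IT. It assumes (not stated in the article) that the ScreenConnect client service binary contains the string “ScreenConnect” in its image path, that the mutex may exist with or without the Global\ prefix, and that a libvlc.dll found in Downloads, Desktop or TEMP (rather than under the VLC install directory) is the sideloaded copy worth examining. Every hit is a lead for an analyst, not proof of compromise on its own.

```powershell
# Added example: read-only host triage for the indicators named in the article.
# Not the article's or the researchers' code. Run elevated; nothing is modified.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Indicator, [string]$Detail)
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Service persistence: ScreenConnect installed under the name "Microsoft Update Service".
#    Assumption: the ScreenConnect client image path contains "ScreenConnect".
Get-CimInstance Win32_Service | ForEach-Object {
    if ($_.DisplayName -like '*Microsoft Update Service*' -or $_.Name -like '*Microsoft Update Service*') {
        Add-Finding 'Suspicious service name' "$($_.Name) -> $($_.PathName)"
    }
    if ($_.PathName -match 'ScreenConnect') {
        Add-Finding 'ScreenConnect service present' "$($_.Name) [$($_.StartMode)] -> $($_.PathName)"
    }
}

# 2. Scheduled task that re-executes the VBScript every two minutes.
$task = Get-ScheduledTask -TaskName 'MasterPackager.Updater' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'Scheduled task MasterPackager.Updater' $actions
}

# 3. Authentication Package persistence. A clean system lists only msv1_0 here;
#    any extra entry is loaded into LSASS at boot and must be explained.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Authentication Packages' -ErrorAction SilentlyContinue
if ($lsa) {
    $extra = @($lsa.'Authentication Packages' | Where-Object { $_ -and $_ -ne 'msv1_0' })
    if ($extra.Count -gt 0) { Add-Finding 'Non-default Authentication Package' ($extra -join ', ') }
}

# 4. Loader artifacts: the VBScript and PowerShell loader are written to C:\Users\Public.
Get-ChildItem 'C:\Users\Public' -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.vbs', '.ps1' } |
    ForEach-Object { Add-Finding 'Script in C:\Users\Public' "$($_.FullName) (modified $($_.LastWriteTime))" }

# 5. Mutex used by this AsyncRAT build. Existence is enough; access denied also means it exists.
foreach ($name in @('confing_me_s', 'Global\confing_me_s')) {
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            Add-Finding 'AsyncRAT mutex present' $name
            $m.Dispose()
        }
    } catch [System.UnauthorizedAccessException] {
        Add-Finding 'AsyncRAT mutex present (access denied)' $name
    }
}

# 6. Process hollowing target. RegAsm.exe is a short-lived build/install helper;
#    a long-running instance, or one whose parent is not an installer, is suspicious.
Get-CimInstance Win32_Process -Filter "Name = 'RegAsm.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    Add-Finding 'RegAsm.exe running' "PID $($_.ProcessId), parent $($parent.Name) (PID $($_.ParentProcessId)), cmd: $($_.CommandLine)"
}

# 7. Sideloading artifact: a libvlc.dll next to an extracted installer (outside the VLC
#    install directory). Report its signature status and hash for the analyst.
foreach ($root in @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP)) {
    Get-ChildItem $root -Filter 'libvlc.dll' -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sig  = Get-AuthenticodeSignature $_.FullName
        $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        Add-Finding 'libvlc.dll outside VLC install dir' "$($_.FullName) signature=$($sig.Status) sha256=$hash"
    }
}

if ($findings.Count -eq 0) { 'No indicators from this campaign found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The checks are deliberately independent: a single hit (for example, RegAsm.exe running) is common on developer machines, whereas the scheduled task, the extra Authentication Package and the mutex together match the three-way persistence the article describes and should trigger containment. Because the task re-launches the VBScript every two minutes, disabling it and the service should precede any file cleanup in C:\Users\Public, or the loader will simply be re-staged.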
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.