SEO Poisoning Campaign Impersonates 25+ Apps to Deliver AsyncRAT


Marcus Rodriguez
March 23, 2026 4 Min Read

Key Takeaways

  • A sophisticated SEO poisoning campaign has been active since October 2025, targeting Windows users with trojanized installers for over 25 popular applications.
  • The campaign leverages manipulated search results to trick users into downloading seemingly legitimate software that secretly deploys the AsyncRAT malware.
  • The multi-stage infection chain uses DLL sideloading, disguised remote management tools (ScreenConnect), and process hollowing to evade detection and establish robust persistence.
  • AsyncRAT, delivered as the final payload, includes advanced features like a keylogger, cryptocurrency clipper, and dynamic plugin system, posing a significant data theft risk.

SEO Poisoning Campaign Delivers Advanced AsyncRAT via Fake Software Installers

A covert SEO poisoning operation has been actively compromising Windows systems since at least October 2025, luring unsuspecting users into downloading malicious installers disguised as popular software. This extensive campaign, which remained undetected for approximately five months, was fully uncovered in March 2026, revealing a complex, multi-stage infection process designed to silently compromise machines and exfiltrate sensitive data.

Table of Contents

  • Key Takeaways
  • SEO Poisoning Campaign Delivers Advanced AsyncRAT via Fake Software Installers
  • Deceptive Tactics and Initial Infection
  • Investigation Uncovers Campaign’s Scope
  • AsyncRAT: A Feature-Rich Payload
  • Evolving Delivery Infrastructure
  • Multi-Stage Infection Mechanism
  • What You Should Do

Deceptive Tactics and Initial Infection

The attackers employ sophisticated search engine optimization (SEO) techniques to push fake download pages to the top of search results. These deceptive sites target users searching for widely used applications such as VLC Media Player, OBS Studio, KMS Tools, and CrosshairX. To enhance credibility, the lure sites incorporate fake Schema.org aggregate ratings and hreflang tags for various languages.

When a victim clicks one of these compromised download links, they receive a ZIP archive containing both the legitimate software and a hidden malicious component. The installation process appears normal, as the genuine application launches as expected, leaving most victims unaware of the underlying compromise.

Investigation Uncovers Campaign’s Scope

The full extent of the operation was brought to light in March 2026 by analysts from NCC Group, working in conjunction with FOX-IT. Their joint investigation was initiated following an unusual surge in ScreenConnect-related alerts across client environments. What initially appeared to be isolated incidents involving a remote management tool was ultimately identified as a coordinated, long-running campaign.

The campaign’s infrastructure includes three ScreenConnect relay hosts and two payload delivery backends. At the time of analysis, over 100 malicious files linked to this infrastructure were discovered on VirusTotal, highlighting the scale of the distribution network.

AsyncRAT: A Feature-Rich Payload

The ultimate payload deployed by this campaign is AsyncRAT, an open-source remote access trojan (RAT) that first emerged in 2019. This particular build, internally dubbed “FlowProxy Monitor V3,” extends far beyond typical RAT capabilities. It integrates a keylogger, a clipboard monitor, and a cryptocurrency clipper capable of targeting 16 different digital currencies. Furthermore, it features a dynamic plugin system, enabling attackers to inject additional capabilities into memory during runtime without leaving traces on disk.

Interestingly, the AsyncRAT build also incorporates a geo-fencing mechanism. It deliberately bypasses cryptocurrency interception for victims located in the Middle East, North Africa, and Central Asia, suggesting a specific targeting strategy or operational constraint by the attackers.

Evolving Delivery Infrastructure

The campaign’s delivery infrastructure has continuously evolved to enhance its stealth and resilience. Early in the operation, payloads were hosted at static, easily predictable URLs. However, by late January 2026, the attackers had transitioned to a randomized token-based system. This new method generates a unique download link for each victim, effectively rendering URL-based blocking mechanisms ineffective.

The primary delivery backend, fileget[.]loseyourip[.]com, masquerades as a legitimate file-sharing service. In reality, its sole purpose is to distribute these malicious installers.

Multi-Stage Infection Mechanism

The infection chain is initiated the moment a victim executes the downloaded ZIP archive. This archive contains a genuine VLC installer bundled with a malicious libvlc.dll. Through a technique known as DLL sideloading, Windows loads the malicious DLL in place of the legitimate library because VLC resolves it as a core dependency, so the attacker's code runs inside the trusted VLC process.

Once active, the malicious DLL silently extracts and executes a hidden MSI installer. This MSI then deploys ScreenConnect as a Windows service, cleverly disguised as “Microsoft Update Service.” Immediately following deployment, ScreenConnect establishes a connection with the attacker’s relay server.

The attackers then leverage ScreenConnect to drop a VBScript. This script writes a PowerShell loader and encoded payload files into the C:\Users\Public directory. The loader decrypts these files using XOR operations and bit reflection. It then compiles a .NET injector entirely in memory, which performs process hollowing to inject AsyncRAT into RegAsm.exe, a legitimate Windows binary. Because the payload never touches disk in decrypted form, this in-memory injection technique is crucial for evading disk-based security scans.

To ensure persistent access, the campaign establishes three distinct mechanisms:

  • A Windows service configured for automatic startup.
  • A Windows Authentication Package that loads into LSASS before any user logs in, granting deep system access.
  • A scheduled task named “MasterPackager.Updater” designed to re-execute the VBScript every two minutes, ensuring the malware’s continuous presence.

What You Should Do

  • Always download software directly from official vendor websites. Avoid third-party download sites or unofficial sources, even if they appear high in search results.
  • Exercise extreme caution with unexpected elevation prompts during software installation, as these can indicate malicious activity.
  • Security teams should monitor for unauthorized deployments of ScreenConnect, particularly if it’s disguised under suspicious service names like “Microsoft Update Service.”
  • Implement monitoring for process hollowing events, especially within legitimate Windows binaries such as RegAsm.exe.
  • Monitor for the presence of the mutex “confing_me_s” as a host-based indicator of compromise.
  • Block confirmed lure domains, relay hosts, and AsyncRAT command-and-control (C2) addresses identified in threat intelligence reports.
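The persistence mechanisms and the recommended monitoring above can be expressed as host-based hunt rules. The following is an added example, not code from the article or from NCC Group; it runs over constructed endpoint telemetry records (all paths, the ScreenConnect install folder name and the RegAsm command lines are illustrative, and the bare-RegAsm-from-PowerShell rule is a heuristic, not a stated indicator) and flags the disguised ScreenConnect service, the two-minute MasterPackager.Updater task, the RegAsm.exe hollowing host, the sideloaded libvlc.dll and the confing_me_s mutex.

```python
import ntpath
import re

# Constructed sample telemetry shaped like normalized endpoint events (not real logs or IoCs).
EVENTS = [
    {"type": "service_install", "name": "Microsoft Update Service",
     "image": r"C:\ProgramData\ScreenConnect Client (abcd1234)\ScreenConnect.ClientService.exe"},
    {"type": "scheduled_task", "name": "MasterPackager.Updater", "interval_min": 2,
     "action": r"wscript.exe C:\Users\Public\update.vbs"},
    {"type": "process_create", "cmdline": "RegAsm.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process_create", "cmdline": "RegAsm.exe /codebase MyLib.dll",  # benign registration
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"type": "image_load", "process": r"C:\Users\alice\Downloads\vlc-3.0.21\vlc.exe",
     "image": r"C:\Users\alice\Downloads\vlc-3.0.21\libvlc.dll"},
    {"type": "mutex_create", "name": "confing_me_s"},
]

MS_LIKE = re.compile(r"microsoft|windows update", re.I)  # vendor-sounding service display names

def hunt(events):
    """Return (rule, evidence) pairs for events matching the campaign tradecraft described above."""
    hits = []
    for e in events:
        t = e["type"]
        # 1. ScreenConnect installed as a service under a Microsoft-sounding display name
        if t == "service_install" and MS_LIKE.search(e["name"]) \
                and "screenconnect" in e["image"].lower():
            hits.append(("screenconnect_disguised_service", e["name"]))
        # 2. The known task name, or any short-interval task running a script from C:\Users\Public
        elif t == "scheduled_task" and (e["name"] == "MasterPackager.Updater" or (
                "\\users\\public\\" in e["action"].lower() and e.get("interval_min", 9999) <= 5)):
            hits.append(("short_interval_public_script_task", e["name"]))
        # 3. Heuristic: RegAsm.exe started by PowerShell with no assembly argument is a
        #    hollowing host candidate, since a real registration passes an assembly path
        elif t == "process_create" and ntpath.basename(e["image"]).lower() == "regasm.exe" \
                and ntpath.basename(e["parent"]).lower() in ("powershell.exe", "pwsh.exe") \
                and len(e["cmdline"].split()) == 1:
            hits.append(("regasm_hollowing_candidate", e["parent"]))
        # 4. libvlc.dll loaded from outside the normal VLC install location (sideloading)
        elif t == "image_load" and ntpath.basename(e["image"]).lower() == "libvlc.dll" \
                and not e["image"].lower().startswith("c:\\program files"):
            hits.append(("libvlc_sideload", e["image"]))
        # 5. Host-based indicator named in the report
        elif t == "mutex_create" and e["name"] == "confing_me_s":
            hits.append(("asyncrat_mutex", e["name"]))
    return hits
```

In a real deployment the event dictionaries would be fed from Sysmon (events 1, 7, 13) or EDR telemetry, and rule 4 would also check the DLL's signature.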
