Cyber Web Spider Blog – News

AsyncRAT Exploits Remote Tools for Hidden Access

Posted on July 2, 2026 By CWS

A stealthy operation is leveraging trusted remote access software to compromise both personal and business systems. The attackers have embedded the AsyncRAT trojan within counterfeit software installers, allowing it to evade standard security controls. Through a combination of DLL sideloading and the legitimate tool ScreenConnect, this campaign remains largely unnoticed by its targets.

Unmasking the Deceptive Campaign

The campaign’s foundation rests on creating deceptive websites that mimic legitimate download pages for popular software like OBS Studio and Bandicam. Security analysts traced the malicious activities back to over 90 such sites, each designed to trick users into downloading harmful software. This strategy allowed the trojan to spread widely, masquerading as genuine applications.

Securelist analysts, responding to a suspicious alert from Kaspersky’s Managed Detection and Response team, uncovered the broader scope of the attack. Their investigation revealed unusual PowerShell and VBS scripts executed by a ScreenConnect process, leading to the unraveling of the entire campaign.

Techniques Employed by Attackers

The attack begins when an unsuspecting user downloads a seemingly legitimate installer. This archive, often named similarly to the real software (e.g., obs-studio-windows-x64.zip), contains a legitimate executable and a malicious DLL file. When the executable is run, it loads the malicious DLL, a technique known as DLL sideloading, and the DLL's hidden code runs inside the trusted process.

Consequently, ScreenConnect is installed in the background while the fake installer proceeds as expected, leaving users unaware of the breach. Once active, ScreenConnect executes a PowerShell script to modify security settings, paving the way for further intrusions. The script also deploys a VBScript that decodes and loads additional malware into memory.

Infrastructure and Prevention

Researchers identified two main infrastructure clusters supporting this campaign, involving several IP addresses. Initially, one cluster employed gaming-themed lures, later transitioning to freeware disguises. Domain records indicate the operation began in October 2025, ceasing major activities by March 2026, although many fake sites remain operational.

The primary objective appears to be the theft of credentials, which could be sold on dark web platforms. Compromised systems serve as entry points for more extensive attacks, emphasizing the need for vigilant security measures.

To mitigate risks, security teams are advised to strictly regulate allowed applications and block installations from unfamiliar sources. Monitoring for unauthorized remote administration services and new scheduled tasks can also detect these threats early. Additionally, filtering outbound traffic to unknown domains and educating users about verifying software sources are crucial steps in fortifying defenses.
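The monitoring advice above, combined with the behavior that exposed the campaign (PowerShell and VBS scripts run by a ScreenConnect process), can be expressed as a small triage routine over process-creation events. This is an added example, not code from Securelist or Kaspersky; the event field names, host names, paths, script names and the allowlist of approved hosts are all assumptions made for illustration.

```python
import ntpath

# Script interpreters the article reports: PowerShell, plus the Windows
# Script Host binaries (wscript/cscript) that run VBS files.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
REMOTE_TOOL_MARKER = "screenconnect"  # assumption: match on image file name


def _name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def triage(events, approved_hosts):
    """Return (host, rule, severity, command_line) for each suspicious event."""
    alerts = []
    for ev in events:
        child, parent = _name(ev["image"]), _name(ev["parent_image"])
        approved = ev["host"] in approved_hosts
        # Rule 1: the remote tool starts on a host IT never enrolled.
        if REMOTE_TOOL_MARKER in child and not approved:
            alerts.append((ev["host"], "unapproved_remote_tool", "high", ev["command_line"]))
        # Rule 2: the remote tool launches a script interpreter. On an
        # approved host this may be helpdesk work, so it is rated lower.
        if REMOTE_TOOL_MARKER in parent and child in SCRIPT_HOSTS:
            severity = "medium" if approved else "high"
            alerts.append((ev["host"], "script_from_remote_tool", severity, ev["command_line"]))
    return alerts


def _ev(host, parent_image, image, command_line):
    return {"host": host, "parent_image": parent_image, "image": image, "command_line": command_line}


# Constructed sample events; hosts, paths and script names are hypothetical.
SC = r"C:\Program Files (x86)\ScreenConnect Client (example)\ScreenConnect.ClientService.exe"
SYS = "C:\\Windows\\System32\\"
PS = SYS + r"WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    _ev("WS-014", SYS + "services.exe", SC, "ScreenConnect.ClientService.exe"),
    _ev("WS-014", SC, PS, "powershell.exe -File example.ps1"),
    _ev("WS-014", SC, SYS + "wscript.exe", "wscript.exe example.vbs"),
    _ev("HELPDESK-02", SYS + "services.exe", SC, "ScreenConnect.ClientService.exe"),
    _ev("HELPDESK-02", SC, PS, "powershell.exe -File inventory.ps1"),
    _ev("WS-020", r"C:\Windows\explorer.exe", PS, "powershell.exe"),
]
APPROVED_HOSTS = {"HELPDESK-02"}

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, APPROVED_HOSTS):
        print(alert)
```

Matching on the image file name alone is easy to evade by renaming the binary, so in practice the same rules are better keyed on signer or service metadata where the telemetry provides it.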

Overall, this campaign highlights the intricate methods employed by cybercriminals to exploit trusted tools for malicious purposes. By understanding these tactics, organizations can better prepare to defend against such threats.

Cyber Security News Tags:AsyncRAT, credential theft, Cybersecurity, DLL Sideloading, fake installers, Malware, remote access, ScreenConnect, security policies, threat detection

Copyright © 2026 Cyber Web Spider Blog – News.
