A stealthy operation is leveraging trusted remote access software to compromise both personal and business systems. The attackers have embedded the AsyncRAT trojan within counterfeit software installers, allowing it to slip past standard security controls. Through a combination of DLL sideloading and the legitimate remote support tool ScreenConnect, this campaign remains largely unnoticed by its targets.
Unmasking the Deceptive Campaign
The campaign’s foundation rests on creating deceptive websites that mimic legitimate download pages for popular software like OBS Studio and Bandicam. Security analysts traced the malicious activities back to over 90 such sites, each designed to trick users into downloading harmful software. This strategy allowed the trojan to spread widely, masquerading as genuine applications.
Securelist analysts, responding to a suspicious alert from Kaspersky’s Managed Detection and Response team, uncovered the broader scope of the attack. Their investigation revealed unusual PowerShell and VBS scripts executed by a ScreenConnect process, leading to the unraveling of the entire campaign.
Techniques Employed by Attackers
The attack begins when an unsuspecting user downloads a seemingly legitimate installer. The archive, often named to resemble real software (e.g., obs-studio-windows-x64.zip), contains a legitimate signed executable alongside a malicious DLL. When the executable runs, it loads that DLL from its own directory instead of the genuine library (DLL sideloading), so the hidden code executes under the cover of a trusted process.
Consequently, ScreenConnect is installed in the background while the fake installer proceeds as expected, leaving users unaware of the breach. Once active, ScreenConnect executes a PowerShell script to modify security settings, paving the way for further intrusions. The script also deploys a VBScript that decodes and loads additional malware into memory.
Infrastructure and Prevention
Researchers identified two main infrastructure clusters supporting this campaign, involving several IP addresses. Initially, one cluster employed gaming-themed lures, later transitioning to freeware disguises. Domain records indicate the operation began in October 2025, ceasing major activities by March 2026, although many fake sites remain operational.
The primary objective appears to be the theft of credentials, which could be sold on dark web platforms. Compromised systems serve as entry points for more extensive attacks, emphasizing the need for vigilant security measures.
To mitigate risks, security teams are advised to strictly regulate allowed applications and block installations from unfamiliar sources. Monitoring for unauthorized remote administration services and new scheduled tasks can also detect these threats early. Additionally, filtering outbound traffic to unknown domains and educating users about verifying software sources are crucial steps in fortifying defenses.
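The detection the investigators started from (script hosts launched by a ScreenConnect process, as described above) and the monitoring advice in this section can be expressed as a simple parent/child rule over process-creation telemetry. The following is an added example, not code from the article or from the researchers; the ScreenConnect client binary names, the Sysmon-style record layout and all sample paths are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Parent/child pairing described in the article: script hosts spawned by the
# ScreenConnect client. The client binary names below are assumptions.
SCREENCONNECT_PARENTS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Minimal Sysmon-style process-creation record (Event ID 1 style fields).
EVENT_RE = re.compile(r'ParentImage="([^"]*)"\s+Image="([^"]*)"\s+CommandLine="([^"]*)"')

@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_event(line: str) -> Optional[ProcessEvent]:
    """Parse one key="value" process-creation line; None if it does not match."""
    m = EVENT_RE.search(line)
    return ProcessEvent(*m.groups()) if m else None

def is_suspicious(ev: ProcessEvent) -> bool:
    """Flag a script host whose parent is the ScreenConnect client."""
    return (basename(ev.parent_image) in SCREENCONNECT_PARENTS
            and basename(ev.image) in SCRIPT_HOSTS)

def find_suspicious(lines: List[str]) -> List[ProcessEvent]:
    """Return the events in `lines` that match the ScreenConnect -> script host rule."""
    events = (parse_event(line) for line in lines)
    return [ev for ev in events if ev and is_suspicious(ev)]

# Constructed sample log lines (not from the article); paths and script names are placeholders.
SAMPLE_EVENTS = [
    r'ParentImage="C:\Program Files (x86)\ScreenConnect Client (placeholder)\ScreenConnect.ClientService.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -File C:\ProgramData\placeholder.ps1"',
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe"',
    r'ParentImage="C:\Program Files (x86)\ScreenConnect Client (placeholder)\ScreenConnect.ClientService.exe" Image="C:\Windows\System32\wscript.exe" CommandLine="wscript.exe C:\ProgramData\placeholder.vbs"',
    r'ParentImage="C:\Program Files (x86)\ScreenConnect Client (placeholder)\ScreenConnect.ClientService.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe"',
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {basename(ev.parent_image)} -> {basename(ev.image)}: {ev.command_line}")
```

The second sample (PowerShell started from Explorer by a user) and the fourth (a plain cmd.exe child) are deliberately left unflagged, so the rule only fires on the script-host pairing the investigators observed; extend SCRIPT_HOSTS if your environment never expects any child process from the ScreenConnect service.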
Overall, this campaign highlights the intricate methods employed by cybercriminals to exploit trusted tools for malicious purposes. By understanding these tactics, organizations can better prepare to defend against such threats.
