A search engine poisoning (SEO) campaign has been targeting Windows users since October 2025, distributing trojanized installers for more than 25 popular applications. The operation, which went unnoticed for several months, delivers AsyncRAT, an open-source remote access trojan, to victims' machines.
Uncovering the Malicious Campaign
Researchers published the full extent of the campaign in March 2026. It uses a multi-stage infection chain to gain a foothold on the victim's system and steal sensitive information. The operators manipulate search engine rankings so that fake download pages for well-known software, including VLC Media Player and OBS Studio, appear prominently in results.
Victims download ZIP archives that bundle the legitimate software with a hidden malicious component. The genuine application runs as expected, so there is no immediate sign of compromise. To look credible to both users and search engines, the fake sites carry fabricated Schema.org rating markup and hreflang tags.
Technical Details of the Malware
The operation came to light through a rise in alerts involving ScreenConnect, revealing a scheme that had run undetected for months. Its infrastructure includes three ScreenConnect relay hosts and two payload delivery servers, and more than 100 associated malicious files have been identified on VirusTotal.
The final payload, AsyncRAT, goes beyond basic remote access. The build used here includes keylogging, clipboard monitoring, and a cryptocurrency clipper that swaps wallet addresses for 16 currencies. It is also geo-fenced, avoiding systems located in certain regions, including the Middle East and Central Asia.
Evolving Delivery Tactics
The campaign's delivery methods have evolved over time. Initially, payloads were served from static URLs. By January 2026 the attackers had switched to a token-based system that generates a unique download link per request, defeating blocklists built from fixed URLs. The backend that serves these links is disguised as a file-sharing site.
The infection begins when the victim runs the downloaded application: the legitimate executable loads a malicious DLL planted beside it in the archive, a technique known as DLL sideloading. That DLL starts the chain, installing ScreenConnect as a Windows service disguised as a legitimate update, and the attackers then use that remote access to deploy AsyncRAT.
Protective Measures and Recommendations
Users are advised to download software only from official sources and to treat unexpected installation or update prompts with suspicion. Defenders should alert on ScreenConnect client services that point at relay hosts the organization does not operate, and on RegAsm.exe, the .NET Assembly Registration Tool, being launched without an assembly to register or making network connections, since RATs commonly hollow out that process to host their payload. Known malicious domains and AsyncRAT command-and-control addresses should be blocked.
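The hunt those recommendations describe, as an added example that is not code from the original report: a Python script that runs three checks over exported endpoint telemetry (Windows System log event 7045 for service installs; Sysmon events 1, 3 and 7 for process creation, network connections and image loads). The relay allowlist, the h= parameter format of the ScreenConnect client launch string, the event field names, and every sample record are assumptions or constructed data, not indicators from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Assumption: relay hosts the organisation's own ScreenConnect deployment uses.
APPROVED_RELAYS = {"support.example-corp.com"}

# Directory fragments treated as user-writable; a DLL loaded from one of these
# next to the EXE that loads it is the shape of a trojanized installer.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def check_service_install(ev):
    """System log event 7045 (new service). Flag a ScreenConnect client whose
    relay host, the h= parameter of its launch string (assumed format), is
    not one the organisation operates."""
    if ev["EventID"] != 7045:
        return None
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    if "screenconnect" not in (name + path).lower():
        return None
    m = re.search(r"[?&]h=([^&\"\s]+)", path)
    relay = m.group(1).lower() if m else "<none>"
    if relay in APPROVED_RELAYS:
        return None
    return f"unauthorized ScreenConnect service '{name}' relay={relay}"


def check_regasm(ev):
    """Sysmon events 1 (process create) and 3 (network connect) for RegAsm.exe.
    A legitimate run names an assembly to register; RegAsm with no argument,
    or RegAsm talking to the network, is a hollowed host process until proven
    otherwise."""
    if PureWindowsPath(ev.get("Image", "")).name.lower() != "regasm.exe":
        return None
    if ev["EventID"] == 1:
        # Drop the (possibly quoted) image token; what remains is the argument list.
        rest = re.sub(r'^\s*(?:"[^"]*"|\S+)\s*', "", ev.get("CommandLine", ""))
        if not rest.strip():
            return f"RegAsm.exe started with no assembly argument (parent={ev.get('ParentImage')})"
    elif ev["EventID"] == 3:
        return f"RegAsm.exe connected to {ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
    return None


def check_sideload(ev):
    """Sysmon event 7 (image load): an unsigned DLL loaded from the same
    user-writable directory as the EXE loading it."""
    if ev["EventID"] != 7:
        return None
    exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    if dll.suffix.lower() != ".dll" or exe.parent != dll.parent:
        return None
    if not any(tok in f"{dll.parent}\\".lower() for tok in USER_WRITABLE):
        return None
    if ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid":
        return None
    return f"possible DLL sideload: {exe.name} loaded unsigned {dll.name} from {dll.parent}"


CHECKS = (check_service_install, check_regasm, check_sideload)


def hunt(events):
    """Run every check over every event; return the list of findings."""
    findings = []
    for ev in events:
        for chk in CHECKS:
            hit = chk(ev)
            if hit:
                findings.append(hit)
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not real indicators
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\vlc-setup\vlc.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\vlc-setup\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\vlc-setup\vlc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7045, "ServiceName": "ScreenConnect Client (a1b2c3d4e5f6)",
     "ImagePath": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.attacker.example&p=8041"'},
    {"EventID": 7045, "ServiceName": "ScreenConnect Client (0f0f0f0f0f0f)",
     "ImagePath": r'"C:\Program Files (x86)\ScreenConnect Client (0f0f0f0f0f0f)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.example-corp.com&p=8041"'},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svc\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" C:\build\MyLib.dll /codebase',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 6606},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed records the script reports four findings (the sideloaded DLL, the ScreenConnect service pointing at the unapproved relay, the argument-less RegAsm.exe, and RegAsm.exe's outbound connection) and stays silent on the three benign records. In a real deployment the same three checks map directly onto SIEM queries; the relay allowlist and the user-writable directory list are the parts to tune per environment.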
