Cyber Web Spider Blog – News

SEO-Poisoned Sites Exploit ScreenConnect for Malware

Posted on July 1, 2026 By CWS

Threat actors are abusing the ScreenConnect remote access tool to deploy the AsyncRAT malware through a campaign that relies on extensive SEO manipulation. The operation is widespread, involving multiple domains and languages, and poses a significant threat to users worldwide.

Details of the Malicious Campaign

According to Kaspersky, a cybersecurity firm, the campaign involves distributing harmful installer packages on counterfeit websites. These packages are disguised as well-known software applications such as OBS Studio, DNS Jumper, and Bandicam. The attackers have created over 90 domain names across various languages, including English, Chinese, and Spanish, with some domains being established between August 2025 and March 2026.

The attackers use a technique known as DLL side-loading to run their code: legitimate Microsoft installation binaries are paired with a rogue DLL, enabling the deployment of the ScreenConnect service. This service is then used to maintain control over compromised systems.

Technical Execution and Impact

Once deployed, ScreenConnect executes a PowerShell script that modifies Microsoft Defender settings and disables User Account Control prompts. The script further generates a Visual Basic Script (VBScript) that orchestrates the attack by creating and executing additional scripts, which facilitate the extraction and execution of the AsyncRAT module through process hollowing.

This method grants the threat actors unauthorized access to Windows systems, allowing them to steal data and monitor user activities discreetly. The threat is further compounded by the creation of a scheduled task that ensures the malware persists by re-executing the attack scripts after system reboots.
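The chain described above (ScreenConnect launching PowerShell, Defender and UAC changes, a VBScript stage, then a scheduled task) can be hunted as process lineage in process-creation telemetry. The following is an added example, not code from Kaspersky or from this article; the event tuples are constructed, and the command-line patterns are assumptions about how such changes commonly appear, since the article does not give the exact commands.

```python
import re
from collections import defaultdict
# ScreenConnect client process names, used as the hunting pivot.
RMM_PARENTS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
# Behaviours named in the article mapped to command-line patterns. The patterns
# are assumptions: the article does not list the campaign's exact commands.
RULES = {
    "defender_tamper": re.compile(r"(set|add)-mppreference", re.I),
    "uac_tamper": re.compile(r"policies\\system.*(enablelua|consentpromptbehavioradmin)", re.I),
    "vbscript_exec": re.compile(r"\b[wc]script(\.exe)?\b.*\.vbs\b", re.I),
    "task_persistence": re.compile(r"schtasks(\.exe)?\s.*/create|register-scheduledtask", re.I),
}
# Constructed process-creation events: pid, parent pid, image, command line.
SAMPLE = [
    (100, 4, "ScreenConnect.ClientService.exe", "ScreenConnect.ClientService.exe"),
    (200, 100, "powershell.exe", "powershell.exe -Command Add-MpPreference -ExclusionPath C:\\Temp"),
    (210, 200, "reg.exe", "reg.exe add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /d 0"),
    (220, 200, "wscript.exe", "wscript.exe C:\\Users\\Public\\run.vbs"),
    (230, 220, "schtasks.exe", "schtasks.exe /create /tn Updater /sc onlogon /tr C:\\Temp\\a.cmd"),
    # Control: same cmdlet family, but not launched beneath the remote-access client.
    (900, 800, "powershell.exe", "powershell.exe -Command Set-MpPreference -ScanScheduleDay 0"),
]

def descendants(events, root_pids):
    """Return every event whose ancestry leads back to one of root_pids."""
    children = defaultdict(list)
    for ev in events:
        children[ev[1]].append(ev)
    out, seen, stack = [], set(), list(root_pids)
    while stack:
        for child in children.get(stack.pop(), []):
            if child[0] not in seen:  # guards against pid loops in bad data
                seen.add(child[0])
                out.append(child)
                stack.append(child[0])
    return out

def hunt(events):
    """Map each matched behaviour to the pids that showed it under ScreenConnect."""
    roots = {pid for pid, _, image, _ in events if image.lower() in RMM_PARENTS}
    hits = defaultdict(list)
    for pid, _, _, cmdline in descendants(events, roots):
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits[name].append(pid)
    return dict(hits)

def verdict(hits):
    """Tampering plus persistence beneath the client matches the article's chain."""
    tamper = "defender_tamper" in hits or "uac_tamper" in hits
    return "escalate" if tamper and "task_persistence" in hits else ("review" if hits else "clean")
```

On real telemetry, key the lineage on a process GUID or on pid plus start time, since pids are reused; environments that legitimately run ScreenConnect will need an allowlist for approved support scripts.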

SEO Manipulation and Distribution Strategy

The attackers have adeptly used search engine optimization techniques to elevate the visibility of fraudulent sites in search results. By mimicking official product pages, these sites appear legitimate, increasing the likelihood of user interaction and subsequent system compromise. This tactic highlights the evolving strategies of cybercriminals in leveraging SEO to enhance their reach and efficacy.

As these deceptive practices continue to evolve, it is crucial for users and organizations to exercise caution and employ robust security measures to mitigate such threats. The ongoing monitoring and updating of cybersecurity defenses are imperative to counteract these sophisticated attacks.

Category: The Hacker News

Tags: AsyncRAT, cyber threats, Cybersecurity, DLL side-loading, Kaspersky, Malware, persistence mechanisms, PowerShell, process hollowing, remote access tool, ScreenConnect, search engine optimization, SEO poisoning, Threat Actors, Visual Basic Script

Copyright © 2026 Cyber Web Spider Blog – News.
