Threat actors are abusing the ScreenConnect remote access tool to deploy the AsyncRAT malware in a campaign built on extensive SEO manipulation. The operation is widespread, spanning multiple domains and languages, and therefore poses a significant threat to users worldwide.
Details of the Malicious Campaign
According to the cybersecurity firm Kaspersky, the campaign distributes malicious installer packages through counterfeit websites. The packages are disguised as well-known applications such as OBS Studio, DNS Jumper, and Bandicam. The attackers have registered more than 90 domain names across several languages, including English, Chinese, and Spanish, some of them established between August 2025 and March 2026.
The attackers rely on DLL side-loading to run their code: legitimate Microsoft installation binaries are paired with a rogue DLL, which deploys the ScreenConnect service. That service is then used to maintain control over the compromised system.
Technical Execution and Impact
Once deployed, ScreenConnect executes a PowerShell script that modifies Microsoft Defender settings and disables User Account Control prompts. The script further generates a Visual Basic Script (VBScript) that orchestrates the attack by creating and executing additional scripts, which facilitate the extraction and execution of the AsyncRAT module through process hollowing.
This chain gives the threat actors unauthorized access to Windows systems, allowing them to steal data and monitor user activity discreetly. The threat is compounded by a scheduled task that keeps the malware persistent by re-executing the attack scripts after a reboot.
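The chain above (remote access tool spawning PowerShell, Defender and UAC tampering, a VBScript launcher, and a scheduled task) maps onto process and registry telemetry that defenders can correlate. The following is an added detection example, not code from the article or from Kaspersky; the Sysmon-style events are constructed, and the ScreenConnect client image name, file paths and the EnableLUA registry value are assumptions made for the sample.

```python
import re

# Constructed Sysmon-style events illustrating the chain; not telemetry from the campaign.
# Paths, the ScreenConnect client image name and the UAC registry value are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 900, "cmd": "",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "process", "pid": 4212, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmd": 'powershell.exe -nop -w hidden -c "Set-MpPreference -ExclusionPath C:\\Users\\Public"'},
    {"type": "registry", "pid": 4212, "value": "0",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "process", "pid": 4300, "ppid": 4212, "cmd": r"wscript.exe C:\Users\Public\stage.vbs",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "pid": 4350, "ppid": 4300,
     "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": 'schtasks /create /sc onlogon /tn Updater /tr "wscript C:\\Users\\Public\\stage.vbs"'},
]

def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_proc(e, image, parent=None):
    """True when the event is a process start of `image`, optionally under `parent`."""
    return (e["type"] == "process" and image_name(e["image"]) == image
            and (parent is None or image_name(e["parent"]) == parent))

# Each rule maps one step of the described chain to an observable.
RULES = {
    "remote_tool_spawns_powershell": lambda e: is_proc(e, "powershell.exe")
        and "screenconnect" in e["parent"].lower(),
    "defender_tampering": lambda e: e["type"] == "process" and bool(re.search(
        r"Set-MpPreference\s+-(ExclusionPath|DisableRealtimeMonitoring)", e["cmd"], re.I)),
    "uac_prompts_disabled": lambda e: e["type"] == "registry"
        and e["key"].lower().endswith(r"\policies\system\enablelua") and e["value"] == "0",
    "powershell_runs_vbscript": lambda e: is_proc(e, "wscript.exe", "powershell.exe"),
    "vbscript_creates_scheduled_task": lambda e: is_proc(e, "schtasks.exe", "wscript.exe")
        and "/create" in e["cmd"].lower(),
}

def ancestry(events, pid):
    """Image names from the given pid up to the root, following ppid links."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def detect_chain(events, min_hits=3):
    """Return the fired rule names and whether enough chain steps fired to alert."""
    hits = sorted(name for e in events for name, rule in RULES.items() if rule(e))
    return hits, len(hits) >= min_hits
```

Requiring several steps to fire, and confirming with `ancestry` that they sit in one process tree rooted at the remote access client, keeps a lone `schtasks /create` from an administrator from triggering the alert.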
SEO Manipulation and Distribution Strategy
The attackers have adeptly used search engine optimization techniques to elevate the visibility of fraudulent sites in search results. By mimicking official product pages, these sites appear legitimate, increasing the likelihood of user interaction and subsequent system compromise. This tactic highlights the evolving strategies of cybercriminals in leveraging SEO to enhance their reach and efficacy.
As these deceptive practices continue to evolve, users and organizations should treat software downloads from search results with caution, install from vendor sites only, and keep monitoring and defenses up to date to counter attacks of this kind.
