Kaspersky Identifies SEO Poisoning Campaign Using ScreenConnect To Deploy AsyncRAT

Cybersecurity researchers at Kaspersky have uncovered a large-scale malware campaign in which unknown threat actors abuse the legitimate ScreenConnect remote access tool to deploy AsyncRAT on compromised Windows systems. According to the company, the operation relies on a broad network of fraudulent websites that imitate official software download pages, allowing the attackers to distribute malicious installer packages disguised as trusted applications. The campaign has been described as a massive multi-domain, multi-language operation targeting users who search for popular software online. Researchers identified more than 90 malicious domains translated into 10 languages, including English, Russian, Chinese, German, French, Spanish, Portuguese and Arabic. Several of the domains were registered between August 2025 and March 2026, indicating that the infrastructure has been maintained over an extended period to maximize the campaign’s reach.

Kaspersky found that the malicious installer archives impersonate widely used software such as OBS Studio, DNS Jumper, DS4Windows and Bandicam in an effort to deceive users into downloading infected packages from fake websites. The attackers promote these websites with search engine optimization (SEO) techniques so that they appear prominently in search results on platforms such as Google and Bing, increasing the likelihood that users will unknowingly install malware instead of the legitimate software. According to Kaspersky researcher Denis Kulik, each installer package contains a legitimate Microsoft-signed install.exe binary together with a malicious install.res.1033.dll library. Through DLL side-loading, the rogue library is loaded by the trusted executable and silently deploys the ScreenConnect service onto the victim’s computer. Once installed, ScreenConnect establishes a communication channel that allows the attackers to maintain remote access to compromised systems and issue additional instructions. Researchers noted that the campaign has affected both individual users and organizational environments, demonstrating its broad targeting strategy.

After ScreenConnect is successfully deployed, it creates and executes a PowerShell script named Fj5NmEsp9EuKrun.ps1, which performs several system modifications to weaken built-in Windows security protections. The script adds Microsoft Defender exclusions, disables User Account Control prompts and generates a Visual Basic Script (VBS) file called installer_method3_stream.vbs. It also creates five additional files inside the C:\Users\Public directory, namely msgbox.txt, secret_bytes.txt, 1.vb, cap.ps1 and script.vbs. During the next stage of the attack, script.vbs terminates active PowerShell processes before launching cap.ps1 in a hidden window. That PowerShell script then reads encrypted data stored inside secret_bytes.txt, extracts the AsyncRAT malware module and executes it using a process hollowing technique. Once active, AsyncRAT establishes communication with the remote command-and-control server identified as mora1987.work.gd, enabling the attackers to remotely control infected devices, steal sensitive information and monitor user activity by capturing screen content.

To ensure the malware remains active after a reboot, the attackers create a scheduled task named MasterPackager.Updater that executes script.vbs every two minutes, providing persistent access to compromised systems even if individual malware components are interrupted. Kaspersky stated that the campaign combines legitimate administrative software, trusted Microsoft binaries and multiple scripting technologies to conceal malicious activity while avoiding detection by conventional security tools. The researchers also emphasized that the attackers’ use of SEO poisoning significantly increases the effectiveness of the operation by directing users searching for legitimate software toward convincing counterfeit websites instead of official download sources. By disguising ScreenConnect as well-known utilities and relying on DLL side-loading, PowerShell automation, persistence mechanisms and AsyncRAT deployment, the campaign demonstrates how threat actors continue to blend legitimate software with malicious techniques to maintain remote access, steal confidential information and compromise Windows environments while reducing the likelihood of immediate detection.
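The host artefacts described in the two paragraphs above (the scheduled task, the files dropped into C:\Users\Public, the Defender exclusions and the weakened UAC settings) can be checked for with a short triage script. The following is an added example written for this article, not tooling from Kaspersky; it assumes the default Windows 10/11 cmdlets and the default "ScreenConnect Client (...)" service naming used by the ScreenConnect client.

```powershell
# Added triage check for the artefacts named in the article (not Kaspersky's code).
# A hit is a reason to investigate the host, since several of these artefacts can
# also have benign explanations (e.g. a legitimately deployed ScreenConnect client).
# Run from an elevated PowerShell session on the host being examined.

$findings = @()

# 1. Persistence: scheduled task that the campaign uses to run script.vbs every two minutes
$task = Get-ScheduledTask -TaskName 'MasterPackager.Updater' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task MasterPackager.Updater present (actions: $actions)"
}

# 2. Staging files the first-stage PowerShell script writes into C:\Users\Public
$dropped = 'msgbox.txt', 'secret_bytes.txt', '1.vb', 'cap.ps1', 'script.vbs'
foreach ($name in $dropped) {
    $path = Join-Path 'C:\Users\Public' $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += "Dropped file $path ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

# 3. Microsoft Defender exclusions added by the script; every entry deserves review
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($e in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
        if ($e) { $findings += "Defender exclusion: $e" }
    }
}

# 4. User Account Control prompts disabled through the policy registry values
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
if ($uac -and ($uac.EnableLUA -eq 0 -or $uac.ConsentPromptBehaviorAdmin -eq 0)) {
    $findings += "UAC weakened: EnableLUA=$($uac.EnableLUA) ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)"
}

# 5. ScreenConnect client service, which the side-loaded DLL installs (assumes default service naming)
foreach ($svc in (Get-Service | Where-Object { $_.Name -like 'ScreenConnect Client*' })) {
    $findings += "ScreenConnect client service: $($svc.Name) ($($svc.Status))"
}

if ($findings.Count -eq 0) { 'No artefacts from this campaign found.' } else { $findings }
```

The file list and task name are exactly those reported in the article; extend them with your own indicators as they become available.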
