ScreenConnect Exploited in AsyncRAT Deployment Campaign
Threat actors are abusing the ScreenConnect remote access tool to deploy AsyncRAT malware in a widespread campaign. The operators distribute malicious installer archives disguised as popular software such as OBS Studio and Bandicam, and more than 90 spoofed domain names have been identified across 10 languages. Each archive pairs a legitimate Microsoft install.exe binary with a rogue DLL; when the executable runs, it loads the DLL through DLL sideloading, and the DLL installs the ScreenConnect service on the host. Once the service is active, it executes a PowerShell script that adds Microsoft Defender exclusions and disables User Account Control (UAC), after which AsyncRAT is delivered. A scheduled task provides persistence so that the implant is relaunched after a reboot. Note that ScreenConnect itself is deployed as a normal remote access agent here; the risk comes from an attacker-controlled instance being installed, not from a flaw in the product. Victims include both individual users and organizations, which reflects the campaign's broad reach. Kaspersky flagged the activity and continues to investigate the threat actor's infrastructure.
Key Points:
• ScreenConnect is abused to deploy AsyncRAT malware through malicious installers.
• Over 90 spoofed domain names have been identified across 10 languages in this campaign.
• The attack uses DLL sideloading, weakens Defender and UAC via PowerShell, and maintains persistence via a scheduled task.
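The following host-triage script is an added example written for this page; it is not code from Kaspersky's report or from the campaign. It checks a Windows host for the artifacts the summary describes: Defender exclusions, a disabled or silenced UAC, a ScreenConnect service, and scheduled tasks that launch ScreenConnect, PowerShell, or a binary from a user-writable directory. The exact service names, task names, and paths the actor uses are not given on this page, so the string patterns below are assumptions, and the Defender real-time-monitoring check goes slightly beyond the exclusions the page mentions. Run it in an elevated PowerShell session on the suspect host.

```powershell
# Added triage example (not from the Kaspersky report). Requires an elevated session.
# Pattern strings marked "assumption" are illustrative; adjust to local naming.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Microsoft Defender exclusions. The PowerShell stage described on the page adds these;
#    on a typical workstation the three lists should be empty.
$mp = Get-MpPreference
foreach ($p in @($mp.ExclusionPath))      { if ($p) { $findings.Add("Defender path exclusion: $p") } }
foreach ($p in @($mp.ExclusionProcess))   { if ($p) { $findings.Add("Defender process exclusion: $p") } }
foreach ($p in @($mp.ExclusionExtension)) { if ($p) { $findings.Add("Defender extension exclusion: $p") } }
# Not stated on the page, but commonly toggled alongside exclusions (assumption).
if ($mp.DisableRealtimeMonitoring) { $findings.Add("Defender real-time monitoring disabled") }

# 2. UAC state. EnableLUA=0 turns UAC off entirely; ConsentPromptBehaviorAdmin=0 elevates silently.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -eq 0) { $findings.Add("UAC disabled: EnableLUA=0") }
if ($uac.ConsentPromptBehaviorAdmin -eq 0) { $findings.Add("UAC prompt suppressed: ConsentPromptBehaviorAdmin=0") }

# 3. ScreenConnect service. Matching the product name in the service name or binary path
#    is an assumption; an organization that uses ScreenConnect legitimately must compare the
#    relay/instance details in PathName against its own approved instance.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match 'ScreenConnect' -or $_.PathName -match 'ScreenConnect' } |
    ForEach-Object { $findings.Add("ScreenConnect service: $($_.Name) -> $($_.PathName)") }

# 4. Scheduled tasks used for persistence. Flag actions that reference ScreenConnect,
#    launch PowerShell, or execute from user-writable locations (path list is an assumption).
$suspiciousAction = 'ScreenConnect|powershell|\\AppData\\|\\ProgramData\\|\\Temp\\'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $suspiciousAction) {
            $findings.Add("Scheduled task $($task.TaskPath)$($task.TaskName): $cmd")
        }
    }
}

if ($findings.Count -eq 0) {
    "No artifacts matching the campaign description were found."
} else {
    "Findings ($($findings.Count)):"
    $findings
}
```

Any hit in section 1 or 2 on a host that should not have exclusions or a weakened UAC is worth escalating on its own; a ScreenConnect service whose PathName points at an instance the organization does not operate, combined with a scheduled task that relaunches it, matches the persistence chain the page describes and should trigger isolation and collection of the installer archive for analysis.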