Widespread Abuse of ScreenConnect to Deploy AsyncRAT via Fake Installers
A large-scale campaign is abusing the legitimate remote-access tool ScreenConnect to deploy the AsyncRAT backdoor. The attackers set up spoofed websites on typosquatted domains impersonating popular software such as OBS Studio and Bandicam, and use them to distribute trojanized installers. Over 90 domains in 10 languages were identified; each installer bundles a legitimate Microsoft-signed executable with a rogue DLL that the executable loads through DLL sideloading. The sideloaded code installs the ScreenConnect service, which then runs PowerShell and VBScript to disable security controls and establish persistence. Because both the signed executable and the ScreenConnect service are genuine, signature checks and application allowlisting alone will not stop this chain; detection has to focus on the unsigned DLL sitting beside a signed binary in a user-writable folder and on ScreenConnect installs that nobody in the organization requested. Both individual users and organizations have been affected, with the attackers retaining covert remote control of compromised hosts. Kaspersky's Managed Detection and Response team discovered the campaign and continues to investigate its extensive command-and-control infrastructure.
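The sideloading step described above is the part of the chain a defender can hunt for in endpoint telemetry. The following is an added example, not code from the Kaspersky report or from the campaign itself: it runs a simple sideload rule over constructed Sysmon-style image-load (Event ID 7) records. The file paths, the DLL name `version.dll`, the signer strings and the simplified `key="value"` record format are all assumptions for illustration; real Sysmon events are XML and would need a different parser.

```python
"""Hunt for DLL sideloading candidates in Sysmon Event ID 7 (ImageLoaded) records.

Added example, not code from the Kaspersky report. The records below are
constructed to mimic the shape of Sysmon image-load events; the paths,
DLL names and signer names are assumptions for illustration only.
"""
import re
from dataclasses import dataclass

# Directories an ordinary user can write to: a signed binary pulling an
# unsigned DLL from one of these is the classic sideloading shape.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(Users\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE
)
# DLL names Windows normally resolves from System32; seeing one loaded from
# elsewhere is a strong sideloading indicator regardless of signature.
# (Assumed list; extend it from your own baseline.)
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                     "cryptsp.dll", "userenv.dll", "profapi.dll"}
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)


@dataclass
class ImageLoad:
    image: str          # process that performed the load
    image_loaded: str   # DLL that was mapped
    signed: bool        # Sysmon "Signed" field for the DLL
    signature: str      # Sysmon "Signature" (publisher) for the DLL
    status: str         # Sysmon "SignatureStatus" for the DLL
    image_signed: bool  # whether the loading executable itself is signed


def parse_event(line: str) -> ImageLoad:
    """Parse one key="value" record in the simplified format used by the sample."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        status=fields.get("SignatureStatus", ""),
        image_signed=fields.get("ImageSigned", "false").lower() == "true",
    )


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return the reasons an image load looks like sideloading (empty = no hit)."""
    reasons = []
    dll_name = ev.image_loaded.rsplit("\\", 1)[-1].lower()
    same_dir = (ev.image.rsplit("\\", 1)[0].lower()
                == ev.image_loaded.rsplit("\\", 1)[0].lower())
    dll_untrusted = not ev.signed or ev.status.lower() != "valid"
    if dll_name in KNOWN_SYSTEM_DLLS and not SYSTEM_DIR.match(ev.image_loaded):
        reasons.append(f"system DLL name {dll_name} loaded outside System32")
    if ev.image_signed and dll_untrusted and same_dir and USER_WRITABLE.match(ev.image_loaded):
        reasons.append("signed executable loaded an unsigned DLL from its own "
                       "user-writable directory")
    return reasons


def hunt(lines):
    """Return (event, reasons) for every record that trips at least one rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample records (not real telemetry). The first mimics a fake
# installer in a download folder whose signed executable loads an unsigned DLL
# placed next to it; the second is a normal load of the real DLL from System32.
SAMPLE_EVENTS = [
    'Image="C:\\Users\\alice\\Downloads\\OBS-Studio-Setup\\setup.exe" '
    'ImageLoaded="C:\\Users\\alice\\Downloads\\OBS-Studio-Setup\\version.dll" '
    'Signed="false" Signature="" SignatureStatus="Unavailable" ImageSigned="true"',
    'Image="C:\\Program Files\\OBS Studio\\bin\\64bit\\obs64.exe" '
    'ImageLoaded="C:\\Windows\\System32\\version.dll" '
    'Signed="true" Signature="Microsoft Windows" SignatureStatus="Valid" ImageSigned="true"',
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev.image, "->", ev.image_loaded)
        for r in reasons:
            print("   ", r)
```

The two rules are deliberately independent: the first fires on a well-known system DLL name resolving outside System32, the second on the signed-executable-plus-unsigned-neighbour pattern in a user-writable path, so a sample that matches only one still surfaces. In production, pair the hit with a check for a ScreenConnect service being registered shortly afterwards by the same process tree.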
Key Points:
• Attackers abuse ScreenConnect to deploy AsyncRAT through fake software installers.
• Over 90 spoofed domains in 10 languages were used to distribute the malicious installers.
• The attack chain includes DLL sideloading and process hollowing for stealthy persistence.