Widespread Abuse of ScreenConnect to Deploy AsyncRAT via Fake Installers

First seen 2 Jul 2026, 00:48 UTC. Sources: Securelist, attack.mitre.org, www.kaspersky.com, Feeds.Feedburner, Gbhackers, and one other.

A significant cybersecurity campaign has emerged, exploiting the legitimate remote access tool ScreenConnect to deploy AsyncRAT malware. Attackers utilized spoofed websites and typosquatted domains, masquerading as popular software like OBS Studio and Bandicam, to distribute malicious installers. Over 90 domain names in 10 languages were identified, each containing a legitimate Microsoft-signed executable bundled with a rogue DLL. The attack employs DLL sideloading to install the ScreenConnect service, which then executes PowerShell and VBScript to disable security measures and establish persistence. This campaign has affected both individual users and organizations, allowing attackers to maintain covert control over compromised systems. The operation was discovered by Kaspersky's Managed Detection and Response team, which continues to investigate the extensive command and control infrastructure behind the attacks.

Key Points:

- Attackers exploit ScreenConnect to deploy AsyncRAT through fake software installers.
- Over 90 spoofed domains in 10 languages were used to distribute malicious installers.
- The attack chain includes DLL sideloading and process hollowing for stealthy persistence.
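The chain summarized above (a Microsoft-signed installer sideloading a rogue DLL from its own directory, then the ScreenConnect service launching PowerShell or VBScript) can be hunted in endpoint telemetry. The following Python heuristic is an added example, not Kaspersky's or ThreatCluster's code; it runs over constructed Sysmon-style records, and the field names, paths and signer strings are assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon-style records (not from the page). Field names and paths
# are assumptions; Sysmon EID 7 = image load, EID 1 = process create.
EVENTS = [
    {"eid": 7, "host": "ws1", "image": r"C:\Users\u\Downloads\OBS-Studio-Setup.exe",
     "image_signer": "Microsoft Corporation", "loaded": r"C:\Users\u\Downloads\version.dll",
     "loaded_signer": None},
    {"eid": 1, "host": "ws1",
     "parent": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"eid": 1, "host": "ws2", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"eid": 7, "host": "ws2", "image": r"C:\Windows\System32\svchost.exe",
     "image_signer": "Microsoft Corporation", "loaded": r"C:\Windows\System32\kernel32.dll",
     "loaded_signer": "Microsoft Corporation"},
]

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def is_sideload(ev):
    """Signed binary loading an unsigned DLL from its own, user-writable directory."""
    if ev["eid"] != 7 or ev.get("loaded_signer"):
        return False
    same_dir = ntpath.dirname(ev["image"]).lower() == ntpath.dirname(ev["loaded"]).lower()
    writable = any(w in ev["image"].lower() for w in USER_WRITABLE)
    return bool(ev.get("image_signer")) and same_dir and writable

def is_sc_script_spawn(ev):
    """ScreenConnect client process launching a PowerShell or VBScript host."""
    if ev["eid"] != 1:
        return False
    parent = ntpath.basename(ev["parent"]).lower()
    child = ntpath.basename(ev["image"]).lower()
    return parent.startswith("screenconnect") and child in SCRIPT_HOSTS

def hunt(events):
    """Return {host: [finding, ...]}; a host with both findings matches the full chain."""
    findings = defaultdict(list)
    for ev in events:
        if is_sideload(ev):
            findings[ev["host"]].append("dll_sideload")
        if is_sc_script_spawn(ev):
            findings[ev["host"]].append("screenconnect_script_spawn")
    for hits in findings.values():
        if {"dll_sideload", "screenconnect_script_spawn"} <= set(hits):
            hits.append("full_chain")
    return dict(findings)
```

Either finding alone is a medium-confidence lead (legitimate ScreenConnect deployments do run scripts); both on the same host within a short window is the pattern worth escalating.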

ThreatCluster AI

Timeline

2026-07-01
Kaspersky discovers ScreenConnect abuse
Kaspersky's MDR team identified the use of ScreenConnect to deploy AsyncRAT through fake installers, triggering an investigation into the threat actor's infrastructure.
Securelist
2026-07-01
Malicious installers identified
Attackers were found distributing malicious installers disguised as popular software, leveraging DLL sideloading and reflective loading techniques.
Gbhackers
2026-07-01
Campaign details published
Kaspersky published findings detailing the extensive campaign, highlighting the use of typosquatted domains and the execution of malicious scripts.
Kaspersky
2026-07-01
SEO tactics revealed
Threat actors employed SEO techniques to ensure their fraudulent websites appeared at the top of search results, increasing victim downloads.
Feeds.Feedburner
