Fake Software Downloads Used to Spread ScreenConnect and AsyncRAT
Security researchers have identified a broad malware campaign in which threat actors are using search engine optimization (SEO) techniques and counterfeit software websites to distribute ScreenConnect...
Security researchers have identified a broad malware campaign in which threat actors are using search engine optimization (SEO) techniques and counterfeit software websites to distribute ScreenConnect and ultimately install AsyncRAT on Windows systems.
According to Kaspersky, the operation spans multiple domains and languages, with more than 90 malicious websites identified across at least 10 languages, including English, Russian, Chinese, German, French, Spanish, Portuguese, and Arabic. Some of the domains were registered between August 2025 and March 2026.
How the infection chain works
The fake sites impersonate popular tools such as OBS Studio, DNS Jumper, DS4Windows, and Bandicam. Victims who download the installer archives receive a package that includes a legitimate, signed Microsoft binary named install.exe along with a malicious DLL, install.res.1033.dll. By taking advantage of DLL side-loading, the attackers load the rogue library and use it to deploy the ScreenConnect remote access service.
Once ScreenConnect is active, it runs a PowerShell script that adds Microsoft Defender exclusions, turns off User Account Control prompts, and drops additional files needed for the attack. A VBScript component then creates several files in C:\Users\Public, including msgbox.txt, secret_bytes.txt, 1.vb, cap.ps1, and script.vbs.
Next, the malware ends existing PowerShell processes and launches cap.ps1 in a hidden window. That script extracts the AsyncRAT payload from secret_bytes.txt and uses process hollowing to run it.
Impact and persistence
After deployment, the malware connects to a command-and-control server at mora1987.work[.]gd, giving operators covert access to compromised devices. Kaspersky said the intruders can use that access to monitor activity, capture screen content, and steal sensitive information.
To stay resident on infected machines, the attack creates a scheduled task called MasterPackager.Updater that runs every two minutes and relaunches the VBScript component, helping the malware survive reboots.
- Fake software download pages are being pushed higher in search results.
- The campaign uses signed binaries and DLL side-loading to evade suspicion.
- ScreenConnect is used as an initial foothold before AsyncRAT is executed.
Kaspersky said the campaign highlights how SEO manipulation and trusted remote access tools can be combined to make malicious downloads appear legitimate.
