CyberSecurityNews

AsyncRAT Campaign Uses DLL Sideloading and ScreenConnect for Stealthy Remote Access


A stealthy campaign is turning trusted remote access software into a weapon against home users and businesses alike. Attackers have hidden the AsyncRAT trojan inside fake software installers built around a genuinely signed Microsoft binary, letting the package slip past checks that trust a valid signature.

The campaign relies on DLL sideloading and a legitimate remote tool called ScreenConnect, making it hard for victims to notice anything is wrong.

What began as a single suspicious alert grew into a much larger picture. Investigators traced the activity to more than 90 fake websites, each built to look like a download page for popular free programs.

These sites impersonate tools such as OBS Studio, DNS Jumper, Bandicam, and DS4Windows, tricking users into downloading malware instead of real software.

Kaspersky analysts, writing on Securelist, first identified the pattern while responding to an incident flagged by Kaspersky’s Managed Detection and Response team.

ScreenConnect service execution event with suspicious parameters (Source – Securelist)

Kaspersky said in a report shared with Cyber Security News (CSN) that the alert centered on unusual PowerShell and VBS scripts launched by a ScreenConnect process, a detail that led researchers to unravel the campaign’s full scope.

Remote monitoring and management tools like ScreenConnect are often permitted by default under workplace security policies, and their traffic looks like routine administration, so attackers who bring their own copy can move around a network without raising alarms.

Once inside, AsyncRAT lets operators steal credentials and maintain long-term access to home and business systems.

The threat actor registered domains serving pages in ten languages and used search engine optimization to push them to the top of results, so victims reach these sites without any phishing email.

AsyncRAT Campaign Uses DLL Sideloading and ScreenConnect

The attack starts when a user downloads what looks like an ordinary installer, such as a file named obs-studio-windows-x64.zip.

Inside sits a legitimate, Microsoft-signed install.exe renamed to look like the real installer, paired with a malicious library named install.res.1033.dll that the signed binary loads from its own directory.

When the fake installer runs, it loads that rogue library through DLL sideloading, a technique that abuses a trusted program’s DLL search order so attacker code runs under the trusted program’s identity.

The rogue DLL silently installs ScreenConnect in the background while the genuine free program installs normally, so the victim sees nothing unusual. According to the IoC list, both installers ship in the archive as MSI packages renamed with a .dll extension: vcredist_x64.dll for ScreenConnect and vcredist_x86.dll for OBS Studio.
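The archive stage above has a recognisable shape: a validly signed EXE sitting next to an unsigned DLL it will load, plus files whose extension does not match their content. The following triage script is an added example, not code from Securelist or Kaspersky; it checks an extracted download folder for exactly those three signs (signature mismatch, extension/content mismatch, and the MD5 of the reused install.exe from the IoC list). The file-type detection by leading bytes and the choice of which findings to report are this example's own assumptions.

```powershell
# Triage an unpacked installer archive for the sideloading pattern described above.
# Added example (not Securelist/Kaspersky code). Usage: .\Check-Sideload.ps1 -Folder C:\Users\me\Downloads\obs-studio-windows-x64
param(
    [Parameter(Mandatory = $true)]
    [string]$Folder
)

# MD5 of the legitimate Microsoft-signed install.exe reused in this campaign (from the IoC list).
# On its own the hash is benign; it matters only next to an unsigned DLL the binary will load.
$ReusedInstallerMd5 = '87603EA025623B19954E460ADD532048'

function Get-FileKind {
    # Classify a file by its leading bytes instead of trusting the extension (assumed heuristic).
    param([string]$Path)
    $buf = [byte[]]::new(8)
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, 8) } finally { $fs.Dispose() }
    if ($n -lt 2) { return 'other' }
    $hex = ($buf[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join ''
    if ($hex.StartsWith('4D5A'))             { return 'PE' }       # "MZ": EXE or DLL
    if ($hex.StartsWith('D0CF11E0A1B11AE1')) { return 'OLE/MSI' }  # OLE compound file, the MSI container
    if ($hex.StartsWith('504B0304'))         { return 'ZIP' }      # "PK": archive
    return 'other'
}

$findings = New-Object System.Collections.Generic.List[object]
$files    = Get-ChildItem -Path $Folder -File -Recurse

foreach ($f in $files) {
    $kind = Get-FileKind -Path $f.FullName

    # 1. Extension says DLL/EXE but the content is something else (e.g. vcredist_x64.dll is really an MSI).
    if ($f.Extension -in '.dll', '.exe' -and $kind -ne 'PE') {
        $findings.Add([pscustomobject]@{ File = $f.Name; Finding = "extension $($f.Extension) but content is $kind" })
    }

    if ($f.Extension -ne '.exe' -or $kind -ne 'PE') { continue }

    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $md5 = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
    if ($md5 -eq $ReusedInstallerMd5) {
        $findings.Add([pscustomobject]@{ File = $f.Name; Finding = 'matches the legitimate install.exe reused as a sideloading host in this campaign' })
    }

    # 2. A validly signed EXE with an unsigned PE DLL in the same directory is the sideloading shape.
    if ($sig.Status -eq 'Valid') {
        foreach ($dll in (Get-ChildItem -Path $f.DirectoryName -Filter '*.dll' -File)) {
            if ((Get-FileKind -Path $dll.FullName) -ne 'PE') { continue }   # non-PE .dll files were reported in step 1
            $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
            if ($dllSig.Status -ne 'Valid') {
                $findings.Add([pscustomobject]@{
                    File    = $dll.Name
                    Finding = "unsigned DLL next to '$($f.Name)' signed by $($sig.SignerCertificate.Subject)"
                })
            }
        }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { "No sideloading indicators found under $Folder" }
```

Run it on the extracted folder, not on the ZIP, and treat a signed-EXE-plus-unsigned-DLL hit as a reason to detonate the package in a sandbox rather than on the workstation; a legitimate installer can legitimately ship unsigned DLLs, so the finding is a lead, not a verdict.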

Malicious PowerShell script creation (Source – Securelist)

Once the ScreenConnect client is active, the operators use it to push a PowerShell script (Fj5NmEsp9EuKrun.ps1 in the IoC list) that adds Microsoft Defender exclusions and disables User Account Control prompts, clearing the way for the next stage. A VBScript dropper then writes several files, including script.vbs, which starts the final stage: a hidden payload stored in secret_bytes.txt is decoded with an XOR key and loaded into memory (the IoC list attributes the decrypt-and-load step to cap.ps1).

That decoded payload is injected into a legitimate Windows process, RegAsm.exe (the .NET assembly registration tool), through process hollowing.

This lets AsyncRAT run under the name of a trusted Microsoft binary, while a scheduled task named MasterPackager.Updater re-runs script.vbs every two minutes, restoring the implant if it is killed and surviving reboots.
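The post-installation chain described above, and the monitoring advice later in the article (watch for new remote administration services and scheduled tasks), translate into a short host-side hunt. The script below is an added example, not code from Securelist or Kaspersky. It assumes an elevated PowerShell session on the suspect Windows host, that process-creation auditing (Security event 4688) is enabled, and that the interpreter list, the "repeats every 1 to 15 minutes" threshold and the service-name pattern are reasonable hunting choices; none of those values come from the report.

```powershell
# Hunt for the AsyncRAT-via-ScreenConnect chain on one host. Added example, not Securelist/Kaspersky code.
# Run elevated. Usage: .\Hunt-ScreenConnectChain.ps1 -LookbackHours 72
param([int]$LookbackHours = 72)

$since        = (Get-Date).AddHours(-$LookbackHours)
$interpreters = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'   # assumed list

# 1. ScreenConnect launching a script interpreter (Security 4688, process creation).
#    CommandLine is only populated when "Include command line in process creation events" is on.
$spawns = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Parent = $d['ParentProcessName']; Child = $d['NewProcessName']; CmdLine = $d['CommandLine'] }
    } |
    Where-Object { $_.Parent -match 'ScreenConnect' -and [IO.Path]::GetFileName($_.Child) -in $interpreters })

# 2. Scheduled tasks that fire every few minutes and run a script interpreter (the campaign used a
#    two-minute repetition), plus the exact task name from the IoC list.
$tasks = @(Get-ScheduledTask | Where-Object {
    $t      = $_
    $fast   = $t.Triggers | Where-Object { $_.Repetition.Interval -match '^PT([1-9]|1[0-5])M$' }   # ISO 8601, PT1M..PT15M
    $script = $t.Actions  | Where-Object { $_.Execute -match 'wscript|cscript|powershell|pwsh|mshta' -or $_.Arguments -match '\.(vbs|ps1|js|hta)\b' }
    ($fast -and $script) -or $t.TaskName -eq 'MasterPackager.Updater'
} | Select-Object TaskName, TaskPath, State)

# 3. Defender exclusions: a clean workstation normally has none.
$mp = Get-MpPreference
$exclusions = [pscustomobject]@{ Paths = $mp.ExclusionPath; Processes = $mp.ExclusionProcess; Extensions = $mp.ExclusionExtension }

# 4. UAC policy: EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates without prompting.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' |
    Select-Object EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop

# 5. RegAsm.exe is a short-lived .NET build tool that never needs the network; a long-running instance
#    holding established connections fits the process hollowing described above.
$regasm = @(Get-Process -Name RegAsm -ErrorAction SilentlyContinue | ForEach-Object {
    $remote = Get-NetTCPConnection -OwningProcess $_.Id -State Established -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
    [pscustomobject]@{ ProcessId = $_.Id; Started = $_.StartTime; Path = $_.Path; Remote = ($remote -join ' ') }
})

# 6. Remote access services present on the host, whether or not IT installed them.
$rmm = @(Get-Service | Where-Object { $_.DisplayName -match 'ScreenConnect|ConnectWise' } | Select-Object Name, DisplayName, Status)

"== ScreenConnect -> script interpreter spawns ($($spawns.Count)) =="; $spawns | Format-Table -AutoSize -Wrap
"== Fast-repeating script tasks ($($tasks.Count)) ==";                 $tasks  | Format-Table -AutoSize
"== RegAsm.exe instances ($($regasm.Count)) ==";                       $regasm | Format-Table -AutoSize
"== Remote access services ($($rmm.Count)) ==";                        $rmm    | Format-Table -AutoSize
"== Defender exclusions ==";                                           $exclusions | Format-List
"== UAC policy (expect EnableLUA=1 and ConsentPromptBehaviorAdmin other than 0) =="; $uac | Format-List
```

The same logic ports directly to a SIEM rule: parent process containing ScreenConnect with a child of powershell.exe, wscript.exe or cscript.exe is the single highest-signal event in this chain, because it is exactly what tripped the MDR alert that exposed the campaign. A ScreenConnect service that IT did not deploy, or a Defender exclusion nobody remembers adding, should be treated as an incident rather than a configuration oddity.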

Infrastructure Behind the Campaign

Researchers mapped the campaign’s backend to two main infrastructure clusters spread across three IP addresses.

One cluster initially used gaming-themed lures before pivoting in January 2026 to disguise its sites as freeware, while the other focused entirely on fake software portals from the start.

Domain records show the operation launched around October 2025 and paused activity by the end of March 2026, though many fraudulent pages remain live today.

Over that period the attacker built a sprawling network of lookalike domains covering everyday utilities, media players, and game titles.

The likely goal is mass credential theft, which gives the attackers footholds they can later sell on dark web marketplaces.

AsyncRAT infection and persistence chain via ScreenConnect (Source – Securelist)

Compromised systems can serve as an entry point for bigger attacks, so security teams should treat leaked credentials as an early warning sign that a host has already been compromised.

To reduce exposure, security teams should enforce application control so that only approved executables run, and block MSI package installation from unknown sources.

Continuous monitoring for newly installed remote administration services and newly created scheduled tasks can catch this activity before it spreads.

Filtering outbound traffic to unfamiliar domains and IP addresses adds another layer of defense against command-and-control communication.

Training users to download software only from the vendor’s official site also helps, since a top search result is no guarantee of legitimacy.

What started as a single alert turned out to be a much larger, multi-language campaign built around disguised freeware installers.

Indicators of Compromise (IoCs)

Type           | Indicator                                                                 | Description
Domain         | mora1987[.]work[.]gd                                                      | AsyncRAT C2 domain
Domain         | servermanagemen[.]xyz                                                     | ScreenConnect C2 domain
Domain         | r.manage-server[.]xyz                                                     | ScreenConnect C2 domain
Domain         | winservec[.]net                                                           | ScreenConnect C2 domain
Domain         | manageserver[.]xyz                                                        | ScreenConnect C2 domain
Domain         | cloudsynn[.]com                                                           | ScreenConnect C2 domain
Domain         | pingserv[.]pro                                                            | ScreenConnect C2 domain
Domain         | ehostservers[.]xyz                                                        | ScreenConnect C2 domain
Domain         | serverdnsplan[.]net                                                       | ScreenConnect C2 domain
Domain         | pingpanl[.]pro                                                            | ScreenConnect C2 domain
Domain         | managedevice[.]xyz                                                        | ScreenConnect C2 domain
Domain         | edgeserv[.]ru                                                             | ScreenConnect C2 domain
IP Address     | 185.254.97[.]249                                                          | Linked to ScreenConnect C2 infrastructure
IP Address     | 45.145.41[.]205                                                           | Linked to ScreenConnect C2 infrastructure
IP Address     | 162.216.241[.]242                                                         | Fake domain hosting infrastructure (Cluster 1)
IP Address     | 198.23.185[.]81                                                           | Fake domain hosting infrastructure (Cluster 1)
IP Address     | 2.59.134[.]97                                                             | Fake domain hosting infrastructure (Cluster 2)
URL            | hxxps://www.studioobs[.]com/                                              | Typosquatted site mimicking OBS Studio
URL            | hxxps://fileget.loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaM  | Download link for malicious archive
URL            | hxxps://direct-download.giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j       | Download link for malicious DNS Jumper archive
File Name      | obs-studio-windows-x64.zip                                                | Malicious archive disguised as OBS Studio installer
File Name      | install.res.1033.dll                                                      | Malicious sideloaded DLL
File Name      | Fj5NmEsp9EuKrun.ps1                                                       | Malicious PowerShell script for Defender exclusions and UAC bypass
File Name      | installer_method3_stream.vbs                                              | VBScript dropper creating multiple malicious files
File Name      | script.vbs                                                                | VBScript that triggers the execution chain
File Name      | cap.ps1                                                                   | PowerShell script that decrypts and loads the payload
File Name      | secret_bytes.txt                                                          | Encrypted payload file
File Name      | msgbox.txt                                                                | Dropped file used during the infection chain
File Name      | 1.vb                                                                      | Dropped file used during the infection chain
File Name      | vcredist_x64.dll                                                          | Renamed MSI file for the ScreenConnect installer
File Name      | vcredist_x86.dll                                                          | Renamed MSI file for the OBS Studio installer
File Hash (MD5)| 87603EA025623B19954E460ADD532048                                          | Legitimate Microsoft-signed install.exe reused for sideloading
Scheduled Task | MasterPackager.Updater                                                    | Persistence mechanism triggering script.vbs every two minutes

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
