A stealthy campaign is turning trusted remote access software into a weapon against everyday users and businesses. Attackers have hidden the AsyncRAT trojan inside fake software installers, letting it slip past basic security checks.
The campaign relies on DLL sideloading and a legitimate remote tool called ScreenConnect, making it hard for victims to notice anything is wrong.
What began as a single suspicious alert grew into a much larger picture. Investigators traced the activity to more than 90 fake websites, each built to look like a download page for popular free programs.
These sites impersonate tools such as OBS Studio, DNS Jumper, Bandicam, and DS4Windows, tricking users into downloading malware instead of real software.
Analysts at Securelist first identified the pattern while responding to an incident flagged by Kaspersky’s Managed Detection and Response team.
Kaspersky said in a report shared with Cyber Security News (CSN) that the alert centered on unusual PowerShell and VBS scripts launched by a ScreenConnect process, a detail that led researchers to unravel the campaign’s full scope.
Remote access tools like ScreenConnect are often allowed by default under workplace security policies, so attackers can move around a network without raising alarms.
Once inside, AsyncRAT lets operators steal credentials and maintain long-term access to home and business systems.
The threat actor registered domains in ten languages and used search engine optimization tricks to push fake pages to the top of results, so victims find these sites without any phishing email.
AsyncRAT Campaign Uses DLL Sideloading and ScreenConnect
The attack starts when a user downloads what looks like an ordinary installer, such as a file named obs-studio-windows-x64.zip.
Inside sits a legitimate, Microsoft-signed executable renamed to look like the real installer, paired with a malicious library called install.res.1033.dll.
When the fake installer runs, it loads that rogue library through DLL sideloading, a technique that abuses trusted software to quietly run hidden code.
This silently installs ScreenConnect in the background while the genuine free program installs normally, so the victim sees nothing unusual.
Once active, ScreenConnect creates a PowerShell script that adds exclusions to Microsoft Defender and disables User Account Control prompts, clearing the way for further attacks. It then drops a VBScript file that decodes a hidden payload using an XOR key before loading it into memory.
That decoded payload is injected into a legitimate Windows process called RegAsm.exe through process hollowing.
This lets AsyncRAT run disguised as a trusted system component, while a scheduled task named MasterPackager.Updater keeps the chain alive every two minutes, even after a reboot.
Infrastructure Behind the Campaign
Researchers mapped the campaign’s backend to two main infrastructure clusters spread across three IP addresses.
One cluster initially used gaming-themed lures before pivoting in January 2026 to disguise its sites as freeware, while the other focused entirely on fake software portals from the start.
Domain records show the operation launched around October 2025 and paused activity by the end of March 2026, though many fraudulent pages remain live today.
This allowed the attacker to build a sprawling network of lookalike domains covering everyday tools, media players, and game titles.
The goal appears to be mass credential theft, giving attackers a foothold they can later sell on dark web marketplaces.
Compromised systems can serve as an entry point for bigger attacks, so teams are urged to treat leaked credentials as an early warning sign.
To reduce exposure, security teams should enforce strict controls on which applications are allowed to run and block MSI package installations from unknown sources.
Continuous monitoring for new remote administration services and scheduled tasks can catch this activity before it spreads.
Filtering outbound traffic to unfamiliar domains and IP addresses adds another layer of defense against command and control communication.
Training users to verify software sources and avoid unofficial download sites also helps, since search engines cannot always be trusted here.
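As an added, defender-side illustration (not code from the Kaspersky/Securelist report), the script below runs a handful of detection rules over constructed sample events that mirror the infection chain described above and the monitoring advice in this section: script hosts spawned by a ScreenConnect process, a Defender exclusion, EnableLUA set to 0, a short-interval scheduled task, and RegAsm.exe launched by a script interpreter. The key=value event format, the parent process name ScreenConnect.ClientService.exe, and the file paths are assumptions.

```python
import re

# Constructed sample events in a simplified key=value format (not telemetry from the report).
SAMPLE_EVENTS = [
    'type=process parent=ScreenConnect.ClientService.exe image=powershell.exe cmdline="powershell -ep bypass -File C:\\Users\\Public\\Fj5NmEsp9EuKrun.ps1"',
    'type=process parent=powershell.exe image=powershell.exe cmdline="Add-MpPreference -ExclusionPath C:\\Users\\Public"',
    'type=registry key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA value=0',
    'type=process parent=ScreenConnect.ClientService.exe image=wscript.exe cmdline="wscript.exe C:\\Users\\Public\\installer_method3_stream.vbs"',
    'type=process parent=cmd.exe image=schtasks.exe cmdline="schtasks /create /tn MasterPackager.Updater /sc minute /mo 2 /tr C:\\Users\\Public\\script.vbs"',
    'type=process parent=wscript.exe image=RegAsm.exe cmdline="RegAsm.exe"',
    'type=process parent=explorer.exe image=powershell.exe cmdline="powershell -File C:\\Scripts\\backup.ps1"',  # benign
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {k: q if q else u for k, q, u in FIELD_RE.findall(line)}

def classify(ev):
    """Return (tactic, reason) findings for one parsed event."""
    findings = []
    image, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "")
    if ev.get("type") == "process":
        if image in SCRIPT_HOSTS and "screenconnect" in parent:
            findings.append(("initial-access", f"{image} spawned by remote tool {parent}"))
        if re.search(r"Add-MpPreference\s+-Exclusion", cmd, re.I):
            findings.append(("defense-evasion", "Defender exclusion added via PowerShell"))
        if image == "schtasks.exe" and "/create" in cmd.lower():
            mo = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cmd, re.I)
            tn = re.search(r"/tn\s+(\S+)", cmd, re.I)
            if mo and int(mo.group(1)) <= 5:  # very short repeat interval is a persistence tell
                findings.append(("persistence", f"task {tn.group(1) if tn else '?'} repeats every {mo.group(1)} min"))
        if image == "regasm.exe" and parent in SCRIPT_HOSTS:
            findings.append(("execution", f"RegAsm.exe launched by {parent}: possible process hollowing"))
    elif ev.get("type") == "registry":
        if ev.get("key", "").lower().endswith("\\enablelua") and ev.get("value") == "0":
            findings.append(("defense-evasion", "UAC disabled (EnableLUA=0)"))
    return findings

def scan(lines):
    """Run every rule over raw event lines; returns [(line_index, tactic, reason)]."""
    return [(i, t, r) for i, line in enumerate(lines) for t, r in classify(parse_event(line))]

if __name__ == "__main__":
    for idx, tactic, reason in scan(SAMPLE_EVENTS):
        print(f"[{tactic}] event {idx}: {reason}")
```

The benign last event produces no finding, which is the point of keying rules on parent/child relationships and short task intervals rather than on PowerShell use alone.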
This single incident opened the door to a much larger, multi-language campaign built around disguised freeware installers.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | mora1987[.]work[.]gd | AsyncRAT C2 domain |
| Domain | servermanagemen[.]xyz | ScreenConnect C2 domain |
| Domain | r.manage-server[.]xyz | ScreenConnect C2 domain |
| Domain | winservec[.]net | ScreenConnect C2 domain |
| Domain | manageserver[.]xyz | ScreenConnect C2 domain |
| Domain | cloudsynn[.]com | ScreenConnect C2 domain |
| Domain | pingserv[.]pro | ScreenConnect C2 domain |
| Domain | ehostservers[.]xyz | ScreenConnect C2 domain |
| Domain | serverdnsplan[.]net | ScreenConnect C2 domain |
| Domain | pingpanl[.]pro | ScreenConnect C2 domain |
| Domain | managedevice[.]xyz | ScreenConnect C2 domain |
| Domain | edgeserv[.]ru | ScreenConnect C2 domain |
| IP Address | 185.254.97[.]249 | Linked to ScreenConnect C2 infrastructure |
| IP Address | 45.145.41[.]205 | Linked to ScreenConnect C2 infrastructure |
| IP Address | 162.216.241[.]242 | Fake domain hosting infrastructure (Cluster 1) |
| IP Address | 198.23.185[.]81 | Fake domain hosting infrastructure (Cluster 1) |
| IP Address | 2.59.134[.]97 | Fake domain hosting infrastructure (Cluster 2) |
| URL | hxxps://www.studioobs[.]com/ | Typosquatted site mimicking OBS Studio |
| URL | hxxps://fileget.loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaM | Download link for malicious archive |
| URL | hxxps://direct-download.giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j | Download link for malicious DNS Jumper archive |
| File Name | obs-studio-windows-x64.zip | Malicious archive disguised as OBS Studio installer |
| File Name | install.res.1033.dll | Malicious sideloaded DLL library |
| File Name | Fj5NmEsp9EuKrun.ps1 | Malicious PowerShell script for Defender exclusions and UAC bypass |
| File Name | installer_method3_stream.vbs | VBScript dropper creating multiple malicious files |
| File Name | script.vbs | VBScript that triggers execution chain |
| File Name | cap.ps1 | PowerShell script that decrypts and loads payload |
| File Name | secret_bytes.txt | Encrypted payload file |
| File Name | msgbox.txt | Dropped file used during infection chain |
| File Name | 1.vb | Dropped file used during infection chain |
| File Name | vcredist_x64.dll | Renamed MSI file for ScreenConnect installer |
| File Name | vcredist_x86.dll | Renamed MSI file for OBS Studio installer |
| File Hash | 87603EA025623B19954E460ADD532048 | Legitimate Microsoft-signed install.exe reused for sideloading |
| Scheduled Task | MasterPackager.Updater | Persistence mechanism triggering script.vbs every two minutes |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

