The emergence of a new campaign weaponizing legitimate remote monitoring and management software has alarmed security teams worldwide.
Attackers are distributing trojanized installers for ConnectWise ScreenConnect—now known as ConnectWise Control—to deliver dual payloads: the widely used AsyncRAT and a custom PowerShell-based RAT.
By leveraging trusted software footprints and open directories, adversaries bypass signature-based defenses and maintain long-term access to compromised networks.
Initial incidents surfaced in May 2025, when analysts observed anomalous ScreenConnect installers hosted on exposed file servers.
These installers contained ClickOnce loaders that, upon execution, fetched malicious components at runtime rather than embedding payloads directly.
In one instance, a compromised installer silently launched a VBS script that executed a weaponized shortcut, triggering PowerShell with execution-policy bypass to run a loader script.
Hunt.io Cyber Team researchers identified this tactic after correlating telemetry from multiple exposed hosts and matching IOCs across open directories.
Subsequent analysis revealed a repeatable infrastructure pattern. Infected installers pivoted to repositories hosting .zip archives named logs.ldk, logs.idk, and logs.idr, which unpacked into dropper scripts (Ab.vbs or Ab.js), the PowerShell loader (Skype.ps1), a native injector DLL (libPK.dll), and a shortcut file (Microsoft.lnk).
The VBS launcher uses WScript.Shell to invoke the shortcut, which in turn runs PowerShell with hidden windows to launch Skype.ps1.
This script reconstructs an embedded payload blob, invokes the DLL's exported Execute function for in-memory native staging, and creates a scheduled task named SystemInstallTask for persistence.
Infection Mechanism
The infection chain begins with a seemingly benign ScreenConnect client installer.
Once executed, it drops the VBS loader (Ab.vbs) into a public folder and registers a Windows shortcut. The shortcut's target is crafted to launch PowerShell with -ExecutionPolicy Bypass -WindowStyle Hidden, calling a small script file named Skype.ps1.
Skype.ps1 contains base64-encoded payload segments that it decodes into a .NET assembly or native shellcode, depending on detected security products.
If the script detects antivirus such as TotalAV or Avast, it performs in-memory assembly loading via System.Reflection.Assembly.Load; otherwise it dynamically imports libPK.dll using PowerShell's Add-Type and calls Execute to inject payloads into legitimate host processes.
To maintain resilience, the loader also schedules recurring tasks (every 2–10 minutes), ensuring rapid re-execution if the payload is terminated.
Additionally, the use of open directories for initial staging allows attackers to rotate files and domains frequently, complicating detection.
The combination of modular scripts, scheduled tasks, and dual execution paths exemplifies a sophisticated multi-stage delivery framework that blends legitimate RMM software abuse with bespoke RAT payloads.
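The behaviours described above (PowerShell launched from a script host with execution-policy bypass and a hidden window, the campaign's file names on a command line, reflective assembly loading, and a short-interval scheduled task named SystemInstallTask) are all visible in process-creation and task-registration telemetry. The following detection helper is an added example written for this article, not code from Hunt.io or from the campaign; the `key=value|...` log format, the event fields, the parent/child process relationship and the sample log lines are all constructed assumptions, while the file and task names come from the report.

```python
"""Detection helper (added example, not from the Hunt.io report).

Scores constructed process-creation and scheduled-task events for the
behaviours the article describes. The log format below is an assumption:
one event per line, 'key=value' pairs separated by '|'.
"""
import re
from dataclasses import dataclass, field

# File and task names taken from the article.
IOC_FILENAMES = {"ab.vbs", "ab.js", "skype.ps1", "libpk.dll", "microsoft.lnk",
                 "logs.ldk", "logs.idk", "logs.idr"}
IOC_TASK_NAME = "systeminstalltask"

# Patterns for the techniques the article names (assumed spellings/aliases).
SUSPICIOUS_FLAGS = re.compile(
    r"-(?:ep|executionpolicy)\s+bypass|-(?:w|windowstyle)\s+hidden", re.I)
REFLECTIVE_LOAD = re.compile(r"reflection\.assembly\]?::load|add-type", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumed parent processes


@dataclass
class Finding:
    event_id: str
    reasons: list = field(default_factory=list)


def parse_kv(line):
    """Parse the constructed 'key=value|key=value' line into a dict."""
    return dict(part.split("=", 1) for part in line.split("|") if "=" in part)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def ioc_names_in(cmd):
    """Campaign file names appearing as whole tokens on a command line."""
    lowered = cmd.lower()
    return [n for n in sorted(IOC_FILENAMES)
            if re.search(r"(?<![\w.])" + re.escape(n) + r"(?!\w)", lowered)]


def score_process_event(ev):
    reasons = []
    image, parent, cmd = basename(ev.get("image", "")), basename(ev.get("parent", "")), ev.get("cmd", "")
    if image == "powershell.exe":
        if len(SUSPICIOUS_FLAGS.findall(cmd)) >= 2:
            reasons.append("powershell with execution-policy bypass and hidden window")
        if parent in SCRIPT_HOSTS:
            reasons.append(f"powershell spawned by script host {parent}")
        if REFLECTIVE_LOAD.search(cmd):
            reasons.append("reflective assembly load / Add-Type on command line")
    for name in ioc_names_in(cmd):
        reasons.append(f"campaign file name {name} on command line")
    return reasons


def score_task_event(ev):
    reasons = []
    if ev.get("task", "").strip("\\").lower() == IOC_TASK_NAME:
        reasons.append("scheduled task named SystemInstallTask")
    interval = ev.get("repeat_min", "")
    if interval.isdigit() and int(interval) <= 10:
        reasons.append(f"task repeats every {interval} min")
    return reasons


def analyze(lines):
    """Return one Finding per event that triggered at least one reason."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        kind = ev.get("type")
        reasons = (score_process_event(ev) if kind == "process"
                   else score_task_event(ev) if kind == "task" else [])
        if reasons:
            findings.append(Finding(ev.get("id", "?"), reasons))
    return findings


# Constructed sample telemetry; only events 2, 3 and 6 should be flagged.
SAMPLE_LOGS = [
    r"type=process|id=1|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\notepad.exe|cmd=notepad.exe C:\Users\bob\notes.txt",
    r"type=process|id=2|parent=C:\Windows\System32\wscript.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\Skype.ps1",
    r"type=task|id=3|task=\SystemInstallTask|repeat_min=5",
    r"type=task|id=4|task=\Microsoft\Windows\Defrag\ScheduledDefrag|repeat_min=10080",
    r"type=process|id=5|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -NoProfile -Command Get-Process",
    r"type=process|id=6|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -Command [System.Reflection.Assembly]::Load($b)",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f.event_id, "->", "; ".join(f.reasons))
```

The scoring deliberately keeps weak signals (a short repeat interval, a single bypass flag) separate from the name-based indicators, so an analyst can weigh a generic PowerShell-from-script-host hit differently from a hit on the campaign's own file or task names, which are trivially rotated by the operators.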