GBHackers

Hackers Abuse ScreenConnect Remote Access Tool to Deploy AsyncRAT Through Fake Installers


Researchers have uncovered a wide-reaching campaign in which attackers abused the legitimate remote administration tool ScreenConnect to deploy AsyncRAT via fake software installers.

The infection chain leverages trusted binaries, DLL sideloading, reflective loading and process hollowing to achieve stealthy persistence and remote control, an approach that capitalizes on the very trust enterprises place in remote management tools.

The campaign’s delivery mechanism is highly reproducible. Threat actors created dozens of typosquatted and spoofed download portals mimicking popular freeware (OBS Studio, DNS Jumper, DS4Windows, Bandicam and others), with pages localized into more than ten languages.

Each archive contains a legitimate Microsoft-signed install.exe alongside a malicious companion, install.res.1033.dll, and an Assets folder holding both the impersonated software and a ScreenConnect MSI repackaged with deceptive filenames (for example, vcredist_x64.dll).

Execution begins when the signed install.exe is launched and loads the rogue DLL through DLL sideloading. The DLL instructs msiexec to silently install the ScreenConnect service under innocuous names (for instance, “Microsoft Update Service”) and to point the service at attacker-controlled management servers.

Once active, ScreenConnect executes scripts (PowerShell and VBScript) that harden the foothold: they add Defender exclusions for entire disk roots and critical processes, disable UAC prompts by setting ConsentPromptBehaviorAdmin to 0, and drop additional payload components in C:\Users\Public.

A layered loader unpacks a blob of encrypted data (secret_bytes.txt), which cap.ps1 decodes by converting hex-tagged sequences to bytes, XORing each byte with 0xA7, and inverting the bit order to reconstruct a PE image.
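To make the three decoding steps concrete for analysts who need to recover such a payload for inspection, here is an added example decoder. It is not the campaign's cap.ps1 and not code from Securelist or Kaspersky; the "0xNN" tag format, the order of operations (XOR before bit reversal) and the sample blob are assumptions constructed for this illustration.

```python
"""Added example: decoder for a hex-tagged, XOR-0xA7, bit-reversed blob.

Assumptions (not from the original write-up):
  * each byte of the blob is written as a "0xNN" token in a text file;
  * the write-up's order is honoured: parse hex, XOR with 0xA7, then reverse
    the eight bits of every byte.
"""
import re

HEX_TAG = re.compile(r"0x([0-9A-Fa-f]{2})")  # assumed tag format
XOR_KEY = 0xA7                                 # key named in the write-up


def reverse_bits(b: int) -> int:
    """Mirror the eight bits of one byte (0b0000_0001 -> 0b1000_0000)."""
    return int(f"{b:08b}"[::-1], 2)


def decode_blob(text: str) -> bytes:
    """Turn the tagged text into raw bytes: hex -> XOR 0xA7 -> bit reversal."""
    return bytes(reverse_bits(int(h, 16) ^ XOR_KEY) for h in HEX_TAG.findall(text))


def encode_blob(data: bytes) -> str:
    """Inverse transform (bit reversal, then XOR); used here only to build test input."""
    return " ".join(f"0x{reverse_bits(b) ^ XOR_KEY:02X}" for b in data)


def has_mz_header(data: bytes) -> bool:
    """Quick sanity check an analyst applies to a recovered image: DOS 'MZ' magic."""
    return data[:2] == b"MZ"


# Constructed sample: the four tokens below decode to b"MZ\x90\x00", i.e. the
# start of a DOS/PE header. This is synthetic test data, not a captured blob.
CONSTRUCTED_BLOB = "0x15 0xFD 0xAE 0xA7"

if __name__ == "__main__":
    recovered = decode_blob(CONSTRUCTED_BLOB)
    print(recovered, "looks like PE:" , has_mz_header(recovered))
```

Running the decoder over a real secret_bytes.txt would be followed by the usual triage steps (checking e_lfanew points at a "PE\0\0" signature, hashing the image, parsing .NET metadata), none of which the snippet above attempts.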

Snippet of Fj5NmEsp9EuKrun.ps1 (Source: Securelist).

The Kaspersky Managed Detection and Response (MDR) team discovered the ScreenConnect remote access tool being leveraged to deploy and execute an AsyncRAT payload.

The recovered .NET assembly is reflectively loaded into the CLR; its ConsoleApp1.Module1.Run method is invoked via reflection.

The loader then uses process hollowing (spawning RegAsm.exe in a suspended state and replacing its image) to host AsyncRAT, thereby evading signature- or heuristic-based detection tied to the original RegAsm binary.

Search engine optimization techniques ensured many of these malicious pages surfaced at the top of organic results, driving victims to download archives such as obs-studio-windows-x64.zip.

Site used to deliver ScreenConnect (Source: Securelist).

Persistence is achieved by a scheduled task (MasterPackager.Updater) that runs every two minutes, re-triggering the loader chain and reinstating access after reboots.

Kaspersky’s pivoting analysis revealed two primary infrastructure clusters spanning multiple IPs and dozens of domains.

Archives were hosted on separate file repositories and download nodes, while ScreenConnect configurations (system.config inside CABs) and additional artifacts exposed a broad C2 graph for both the ScreenConnect and AsyncRAT components.

Fake website mimicking the official DNS Jumper resource (Source: Securelist).

Registration timestamps indicate the operation began in October 2025 and was active through March 2026; many spoofed pages remain discoverable.

This campaign illustrates several dangerous trends: abuse of legitimate remote administration tools, weaponization of signed binaries via sideloading, and sophisticated multi-stage loaders that reconstruct and execute payloads in memory.

The attacker’s use of SEO to inflate malicious landing pages increases exposure for both home users and corporate endpoints, which is particularly problematic where remote access tools are allowlisted.

Defensive priorities are clear: enforce application allowlisting and block MSI execution from untrusted locations; monitor for creation of new services and scheduled tasks; detect unusual use of signed system or installer binaries; filter outbound connections to unknown domains; and continuously train users to verify download sources.
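The monitoring items in that list map directly onto the behaviours the article describes: the silent msiexec install of a repackaged MSI, a "Microsoft"-named service pointing at a ScreenConnect binary, ConsentPromptBehaviorAdmin set to 0, drive-root Defender exclusions, the two-minute MasterPackager.Updater task, a signed install.exe sideloading install.res.1033.dll, and RegAsm.exe spawned by a script host. The following added example is a small triage pass over constructed endpoint telemetry that flags each of those; it is not Kaspersky's detection logic, the event schema and the sample records are invented for the illustration, and the RegAsm parent-process heuristic is the author's own simplification.

```python
"""Added example: rule-based triage of constructed endpoint events for the
behaviours described in the article. Field names, paths and the sample
records below are assumptions, not real telemetry."""
import re

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")            # "C:" or "C:\"
USER_WRITABLE = re.compile(r"^C:\\Users\\", re.I)      # anything under C:\Users
SILENT_FLAG = re.compile(r"/q(?:n|b|uiet)?\b", re.I)   # msiexec quiet switches
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events (synthetic; two benign records are included as noise).
SAMPLE_EVENTS = [
    {"type": "image_load", "image": "C:\\Users\\Public\\Assets\\install.exe",
     "loaded": "C:\\Users\\Public\\Assets\\install.res.1033.dll",
     "process_signed": True, "module_signed": False},
    {"type": "process_create", "image": "C:\\Windows\\System32\\msiexec.exe",
     "parent": "C:\\Users\\Public\\Assets\\install.exe",
     "cmdline": 'msiexec.exe /i "C:\\Users\\Public\\Assets\\vcredist_x64.dll" /qn'},
    {"type": "service_install", "name": "Microsoft Update Service",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client (placeholder)\\ScreenConnect.ClientService.exe"},
    {"type": "registry_set",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
     "value": "ConsentPromptBehaviorAdmin", "data": "0"},
    {"type": "defender_exclusion", "path": "C:\\"},
    {"type": "scheduled_task", "name": "MasterPackager.Updater", "interval_minutes": 2},
    {"type": "process_create",
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "RegAsm.exe"},
    {"type": "scheduled_task", "name": "Backup", "interval_minutes": 1440},
    {"type": "registry_set",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
     "value": "ConsentPromptBehaviorAdmin", "data": "5"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one human-readable alert per suspicious behaviour found."""
    alerts = []
    for e in events:
        t = e["type"]
        if t == "image_load":
            # Signed host process pulling an unsigned DLL from a user-writable
            # directory is the classic sideloading shape.
            if e["process_signed"] and not e["module_signed"] and USER_WRITABLE.match(e["loaded"]):
                alerts.append(f"signed {basename(e['image'])} loaded unsigned DLL {e['loaded']}")
        elif t == "process_create":
            image, parent = basename(e["image"]), basename(e["parent"])
            if image == "msiexec.exe":
                m = re.search(r'/i\s+"?([^"\s]+)"?', e["cmdline"], re.I)
                pkg = m.group(1) if m else ""
                if SILENT_FLAG.search(e["cmdline"]) and USER_WRITABLE.match(pkg):
                    alerts.append(f"silent MSI install from user-writable path: {pkg}")
                if pkg and not pkg.lower().endswith(".msi"):
                    alerts.append(f"MSI package with non-.msi extension: {pkg}")
            if image == "regasm.exe" and parent in SCRIPT_HOSTS:
                alerts.append(f"RegAsm.exe spawned by script host {parent}")
        elif t == "service_install":
            # A service whose name claims Microsoft but whose binary is outside
            # the Windows directory deserves a look.
            if "microsoft" in e["name"].lower() and not e["image"].lower().startswith("c:\\windows\\"):
                alerts.append(f"service '{e['name']}' runs non-Windows binary {e['image']}")
        elif t == "registry_set":
            if e["value"].lower() == "consentpromptbehavioradmin" and e["data"] == "0":
                alerts.append("UAC elevation prompt disabled (ConsentPromptBehaviorAdmin=0)")
        elif t == "defender_exclusion":
            if DRIVE_ROOT.match(e["path"]):
                alerts.append(f"Defender exclusion covers an entire drive: {e['path']}")
        elif t == "scheduled_task":
            if e["interval_minutes"] <= 5:
                alerts.append(f"high-frequency scheduled task {e['name']} every {e['interval_minutes']} min")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Each rule is deliberately narrow and would produce some benign hits in a real fleet (legitimate vendor MSIs do install silently, and some update tasks do run every few minutes); the value is in correlating several of these on one host within a short window, which is the pattern the article describes.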

IOCs

| Type   | Indicator                                                                     | Description                                   |
|--------|-------------------------------------------------------------------------------|-----------------------------------------------|
| Domain | mora1987[.]work[.]gd                                                          | AsyncRAT C2 server domain                     |
| URL    | hxxps[:]//fileget.loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaM    | Malicious OBS Studio installer download link  |
| URL    | hxxps[:]//direct-download.giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j         | Malicious DNS Jumper installer download link  |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
