New research has exposed a search engine poisoning campaign that delivers a trojanized TestDisk installer, abuses a Microsoft-signed binary for DLL sideloading, and silently deploys the ScreenConnect remote monitoring and management (RMM) client for hands-on keyboard access.
Threat hunters observed that users searching for “TestDisk” are being lured to a look‑alike download site hosted at testdisk[.]dev, which ranks in search results alongside the legitimate CGSecurity TestDisk project.
The rogue domain copies the branding of the real open-source data recovery tool, presenting itself as “The Ultimate Open‑Source Data & Partition Recovery Solution” and offering a free download button for TestDisk 7.2/7.3.
Behind the scenes, obfuscated JavaScript running on the site dynamically generates one‑time download URLs pointing to a delivery domain such as direct-download.gleeze[.]com, helping the operators evade static URL‑based blocking.
Instead of the genuine installer, victims receive a ZIP archive containing a file named testdisk-7.3.exe, which appears to be a standard TestDisk setup.
In reality, this executable is a renamed, legitimate Microsoft Setup binary repurposed as a loader in a classic DLL sideloading scheme.
Microsoft binary sideloads malicious DLL
When the victim launches the fake TestDisk installer, the signed Microsoft binary looks for a companion DLL in its working directory and loads a malicious autorun.dll planted by the attackers.
Because the host executable is trusted and signed by Microsoft, many defenses treat its execution as benign, allowing the malicious DLL to run with fewer alerts.
The DLL then kicks off the main payload chain: it downloads and installs a legitimate copy of TestDisk, which keeps the victim from becoming suspicious, together with additional malware components that establish persistence.
One of the payloads is an MSI that installs TestDisk alongside a trojanized ScreenConnect client configured to connect back to attacker‑controlled infrastructure.
Once deployed, the rogue ScreenConnect client automatically registers the compromised system with an external ScreenConnect server, handing attackers full remote control capabilities, including file transfer, command execution, and lateral movement inside the network.
This tactic mirrors a broader trend where threat actors weaponize fully legitimate ScreenConnect installers or configurations to turn the RMM tool into a remote access trojan (RAT) without modifying its code.
Because ScreenConnect is widely used by IT and MSP teams, its presence can easily blend into normal administrative activity if organizations do not tightly inventory their approved RMM endpoints.
From this foothold, operators can push additional tools, harvest credentials, exfiltrate data, or stage ransomware and other payloads.
Mitigations
Defenders are urged to monitor for access to testdisk[.]dev, direct-download.gleeze[.]com, and related download infrastructure, as well as for traffic involving the indicator IP address 193.42.11.108 and the known malicious SHA‑256 hash 1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5.
Security teams should also hunt for unsigned or unusual DLLs loaded by Microsoft‑signed binaries, particularly around file‑recovery utilities and setup programs, which may indicate sideloading abuse.
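The hunt described above, as an added example that is not part of the original report: a rule that flags a Microsoft-signed host image loading an unsigned or foreign-signed DLL from its own directory, with extra weight when that directory is user-writable. The record schema and sample events are constructed for this example and only loosely modelled on Sysmon image-load telemetry.

```python
"""Hunt for the side-loading pattern described above: a Microsoft-signed host
binary loading a DLL from its own user-writable working directory."""
from pathlib import PureWindowsPath

# Path components where a signed setup binary has no business loading companion code.
USER_WRITABLE = ("downloads", "temp", "appdata", "public")

def _is_user_writable(directory: PureWindowsPath) -> bool:
    parts = {p.lower() for p in directory.parts}
    return any(root in parts for root in USER_WRITABLE)

def sideload_findings(event: dict) -> list[str]:
    """Return the reasons an image-load looks like side-loading; empty if benign."""
    image = PureWindowsPath(event["image"])
    dll = PureWindowsPath(event["dll"])
    if "microsoft" not in (event.get("image_publisher") or "").lower():
        return []  # this rule only covers abuse of a Microsoft-signed host
    if str(dll.parent).lower() != str(image.parent).lower():
        return []  # DLL resolved elsewhere (e.g. System32), not the host's directory
    reasons = []
    dll_pub = event.get("dll_publisher")
    if dll_pub is None:
        reasons.append("unsigned DLL loaded from host directory")
    elif "microsoft" not in dll_pub.lower():
        reasons.append(f"DLL signed by '{dll_pub}', host signed by Microsoft")
    if reasons and _is_user_writable(image.parent):
        reasons.append(f"host runs from user-writable path {image.parent}")
    return reasons

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged DLL path to its reasons, skipping benign loads."""
    return {e["dll"]: r for e in events if (r := sideload_findings(e))}

# Constructed sample telemetry: the first record mirrors the fake installer chain.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\testdisk-7.3\testdisk-7.3.exe",
     "image_publisher": "Microsoft Corporation",
     "dll": r"C:\Users\alice\Downloads\testdisk-7.3\autorun.dll", "dll_publisher": None},
    {"image": r"C:\Windows\System32\msiexec.exe", "image_publisher": "Microsoft Windows",
     "dll": r"C:\Windows\System32\msi.dll", "dll_publisher": "Microsoft Windows"},
    {"image": r"C:\Users\alice\Downloads\setup.exe", "image_publisher": "Microsoft Corporation",
     "dll": r"C:\Windows\System32\kernel32.dll", "dll_publisher": "Microsoft Windows"},
    {"image": r"C:\Users\alice\Downloads\vendor\setup.exe", "image_publisher": "Microsoft Corporation",
     "dll": r"C:\Users\alice\Downloads\vendor\helper.dll", "dll_publisher": "Contoso Ltd"},
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(why))
```

Only the two Downloads-resident loads are reported; the System32 load and the host that pulls kernel32.dll from the system directory stay silent.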
On the RMM side, organizations should maintain an explicit allow‑list of authorized ScreenConnect servers and client configurations, block unknown ScreenConnect relay domains, and alert on any new ScreenConnect installation events on endpoints that are not managed by IT.
Finally, users should be trained to navigate directly to official project sites such as the CGSecurity domain for TestDisk rather than relying solely on search results, reducing exposure to SEO‑poisoned links that now form a growing part of the initial access playbook.