GBHackers

SEO Poisoning Campaign Uses Fake Popular Apps to Deliver AsyncRAT


SEO Poisoning Campaign Impersonates 25+ Popular Apps to Deliver AsyncRAT Since October 2025.An ongoing SEO poisoning campaign abuses search results to trick users into downloading trojanized installers for more than 25 popular applications, ultimately deploying the AsyncRAT remote access trojan.

Active since at least October 2025, the operation uses a mix of fake download portals, weaponized installers, and tokenized delivery URLs to stay ahead of URL-based blocking and traditional web filtering.

Deeper analysis revealed a single, multi-stage campaign that had been operating silently for at least five months and targeting users searching for legitimate free software.

The threat actor behind the operation remains unidentified but has demonstrated clear operational maturity, regularly refining infrastructure and delivery techniques over time.

Investigators from FOX-IT and NCC Group uncovered the activity in March 2026 after a spike in ScreenConnect-related alerts across multiple client environments, which initially appeared unrelated.

Attack Chain (Source : NCC).

The adversary relies on SEO poisoning to ensure their lure sites rank prominently when victims search for popular tools such as VLC Media Player, OBS Studio, KMS Tools, CrosshairX, LibreOffice, and several utilities and games.

These sites mimic genuine software portals and typically bundle a legitimate installer with malicious components, lowering user suspicion when the download appears to work as expected.

From search result to AsyncRAT

The attack chain begins when a user searches for a well-known application, for example, “VLC download,” and clicks a poisoned result leading to a domain such as vlc-media[.]com instead of the official vendor site.  


vlc-media[.]com home page (Source : NCC).
vlc-media[.]com home page (Source : NCC).

Pressing the download button silently retrieves a ZIP archive from a backend host like fileget[.]loseyourip[.]com, which contains the real installer plus additional DLLs and plugins, including a malicious libvlc.dll.

When the user launches the bundled executable, Windows sideloads the rogue DLL, which then extracts and runs a hidden MSI installer while still starting VLC normally to avoid raising alarms.

The MSI deploys ScreenConnect, a legitimate remote management product, but preconfigured for unattended access by the attacker and disguised in system metadata as a Microsoft Visual C++ redistributable to blend into installed programs.

Using this ScreenConnect foothold, the operator pushes VBScript and PowerShell tooling to drop and inject an AsyncRAT payload into a legitimate Windows process, establishing persistent remote access.

The AsyncRAT build used in this campaign is not stock: it includes a cryptocurrency clipper, a dynamic plugin framework for loading new capabilities at runtime, and geo-fencing logic that avoids victims in the Middle East, North Africa, and Central Asia.

Multiple AsyncRAT command-and-control endpoints, including hone32[.]work[.]gd, mora1987[.]work[.]gd, and a long list of IP-based servers, were linked to the infrastructure.

Analysis of the lure domains showed extensive SEO tuning, including hreflang tags for multiple locales, fake Schema.org ratings to make results appear more trustworthy in search snippets, and distinct analytics and verification IDs to compartmentalize infrastructure.

Sites like studio-obs[.]net and kms-tools[.]com also carried Bing and Yandex verification tokens and Chinese-language keywords, so that Mandarin-speaking users searching for these tools by name would also land on them.

A shared custom JavaScript component, download-link.js, orchestrates payload delivery by loading a configuration file (link-downloads.txt) that defines a base delivery URL and a random token length.

Instead of hardcoding the payload URL into the page’s HTML, each lure loads a plaintext configuration file called link-downloads.txt when a download is initiated from the site.


Download-link.js and link-downloads.txt on kms-tools[.]net (Source : NCC).
Download-link.js and link-downloads.txt on kms-tools[.]net (Source : NCC).

When a victim clicks download, the script generates a unique alphanumeric token, appends it to the base URL on fileget[.]loseyourip[.]com, and redirects the browser, ensuring that every payload link is unique and difficult to block individually.

Earlier infrastructure relied on static /uploads/filename.zip paths hosted on similar-sounding domains, but by late January 2026 the operator had fully shifted to token-based delivery, significantly complicating URL-level detection.

Mitigations

Defenders should treat unexpected ScreenConnect installations and new custom URL handlers, such as sc-0af00d55fb53c6e6://, as potential early indicators of compromise.

Given the campaign’s ongoing nature and the flexible AsyncRAT plugin system, any confirmed infection should trigger a full incident response cycle, including credential reset, host reimaging where appropriate, and close review of crypto transactions and browser activity on affected systems.

download-link.js on studio-obs[.]net (Source : NCC).

Network monitoring should alert on access to known lure domains (for example vlc-media[.]com, studio-obs[.]net, kms-tools[.]com, crosshairx[.]pro) and the delivery backend fileget[.]loseyourip[.]com, along with the identified AsyncRAT C2 hosts.
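As an added example (not code from the article or from the FOX-IT/NCC report), the following Python scans constructed proxy log lines for the lure domains and the delivery backend named above, distinguishing the older static /uploads/ paths from the per-click tokenized links, and filters a list of registered URL schemes for the sc-<hex>:// ScreenConnect handler. The log line format, the assumption that the token is the last path segment, and all sample data are constructed for the demo.

```python
import re
from collections import defaultdict
# Hosts named in the FOX-IT/NCC reporting, defanging brackets removed.
LURE_DOMAINS = {"vlc-media.com", "studio-obs.net", "kms-tools.com",
                "kms-tools.net", "crosshairx.pro"}
DELIVERY_BACKEND = "fileget.loseyourip.com"
# Assumed proxy log shape: "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+\S+\s+(?P<url>\S+)")
# Assumption: the per-click token is the last path segment, alphanumeric, 8+ chars.
TOKEN_SEGMENT = re.compile(r"^[A-Za-z0-9]{8,}$")
# ScreenConnect-style custom URL handler seen in the campaign: sc-<16 hex>://
SC_HANDLER = re.compile(r"^sc-[0-9a-f]{16}$")

def classify_url(url):
    """Verdict for one request URL, or None if it is not campaign-related."""
    host, _, path = url.partition("://")[2].partition("/")
    if host.lower() in LURE_DOMAINS:
        return "lure-domain"
    if host.lower() != DELIVERY_BACKEND:
        return None
    if path.startswith("uploads/") and path.endswith(".zip"):
        return "delivery-static-path"   # pre-January-2026 layout
    last = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    if TOKEN_SEGMENT.match(last):
        return "delivery-tokenized"     # current per-click token layout
    return "delivery-backend"

def scan_proxy_log(lines):
    """Group hits per client so the lure -> download chain is visible together."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (verdict := classify_url(m["url"])):
            hits[m["src"]].append((verdict, m["url"]))
    return dict(hits)

def suspicious_url_schemes(schemes):
    """Pick ScreenConnect-style handlers out of a list of registered URL schemes."""
    return [s for s in schemes if SC_HANDLER.match(s)]

# Constructed sample data for the demo; not taken from the report.
SAMPLE_LOG = [
    "2026-03-02T10:14:05Z 10.0.0.7 GET https://vlc-media.com/",
    "2026-03-02T10:14:09Z 10.0.0.7 GET https://vlc-media.com/js/download-link.js",
    "2026-03-02T10:14:11Z 10.0.0.7 GET https://fileget.loseyourip.com/get/Q7xk29PdLm4z",
    "2026-03-02T10:20:00Z 10.0.0.9 GET https://www.videolan.org/vlc/",
    "2026-01-10T08:00:00Z 10.0.0.3 GET https://fileget.loseyourip.com/uploads/vlc-setup.zip",
]
SAMPLE_SCHEMES = ["http", "mailto", "sc-0af00d55fb53c6e6", "ms-settings"]
```

Feeding real proxy exports and the output of a registered-scheme enumeration into these functions gives a per-host view of who reached a lure page, who fetched a payload link, and which endpoints carry the handler.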

On endpoints, suspicious DLL sideloading from application directories and unsigned MSI execution via msiexec in user temp paths warrant immediate investigation.

Because the initial lure abuses user trust in search results more than any software vulnerability, user education remains essential: instruct users to verify download domains against official vendor URLs and to treat unexpected elevation prompts during “routine” software installs with caution.
