
SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT


Threat actors are leveraging SEO poisoning and spoofed software websites to distribute the ScreenConnect remote access tool, which is then abused to deploy the AsyncRAT malware on compromised Windows systems.

Unknown threat actors are leveraging the ScreenConnect remote access tool as a way to deploy and execute AsyncRAT.

Kaspersky said the activity is part of a "massive, multi-domain, multi-language" campaign that distributes malicious installer archives hosted on spoofed websites.

These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others. The Russian cybersecurity company said it identified more than 90 domain names localized across 10 languages, including English, Russian, Chinese, German, French, Spanish, Portuguese, and Arabic. Some of these domains were set up between August 2025 and March 2026.

"The malicious archives bundle a legitimate, signed Microsoft install.exe binary alongside a rogue install.res.1033.dll library," security researcher Denis Kulik said. "It is loaded onto the device via DLL side-loading and deploys the ScreenConnect service, which awaits further instructions from the threat actors."

"This allowed the attackers to maintain control over compromised endpoints, with victims ranging from individual users to organizations."

Once ScreenConnect is up and running, the service creates and executes a PowerShell script ("Fj5NmEsp9EuKrun.ps1"), which configures Microsoft Defender exclusions, disables User Account Control (UAC) prompts, and then creates a Visual Basic Script (VBScript) file called "installer_method3_stream.vbs."

The script, for its part, creates a set of five files in the "C:\Users\Public" directory:

  • msgbox.txt
  • secret_bytes.txt
  • 1.vb
  • cap.ps1
  • script.vbs

In the next stage, it triggers the execution of "script.vbs," a script that's responsible for terminating all active PowerShell processes and running "cap.ps1" in a hidden window. The primary goal of the PowerShell script is to read the contents of the "secret_bytes.txt" file, extract from it the AsyncRAT module, and run it using process hollowing.

The malware then establishes a connection to a remote server ("mora1987.work[.]gd"), allowing the threat actor to covertly control infected Windows systems, steal sensitive data, and monitor user activity by recording screen content.

Persistence is established by means of a scheduled task ("MasterPackager.Updater") that's activated every two minutes to execute "script.vbs," ensuring that the entire attack is run after a system reboot.
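The chain described above (signed install.exe side-loading install.res.1033.dll, the Defender exclusion and UAC changes, the five files dropped into C:\Users\Public, the hidden cap.ps1 stage, the MasterPackager.Updater task and the mora1987.work[.]gd connection) lends itself to host-based detection. The following is an added example, not code from the article or from Kaspersky: a small Python detection pass over constructed, Sysmon-style events. The event field names (`image`, `loaded`, `cmdline`, `target`, `details`, `query`, `task_name`, `task_content`) are a simplified assumption rather than a real Sysmon schema; the event IDs follow Sysmon (1 process create, 7 image load, 11 file create, 13 registry value set, 22 DNS query) and Windows Security (4698 scheduled task created). The sample events, including file paths and the Defender exclusion path, are constructed for illustration.

```python
"""Added example: flag the stages of the ScreenConnect -> AsyncRAT chain in
Sysmon-style telemetry. Indicators come from the article; the event layout and
all sample data are constructed assumptions."""

import re

# Indicators named in the article.
PUBLIC_DROP_FILES = {"msgbox.txt", "secret_bytes.txt", "1.vb", "cap.ps1", "script.vbs"}
SIDELOAD_DLL = "install.res.1033.dll"
TASK_NAME = "MasterPackager.Updater"
C2_DOMAIN = "mora1987.work.gd"
# UAC-related values under HKLM\...\Policies\System (real value names).
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Kill-chain order used when reporting which stages were observed.
STAGE_ORDER = ["dll_sideload", "defender_exclusion", "uac_disabled", "public_dropper_file",
               "hidden_powershell_stage", "persistence_task", "c2_dns"]


def classify(ev):
    """Return the chain stage an event matches, or None."""
    eid = ev["id"]
    if eid == 7:
        # Signed install.exe loading the rogue resource DLL from outside C:\Windows.
        image, loaded = ev["image"].lower(), ev["loaded"].lower()
        if (image.endswith("\\install.exe") and loaded.endswith("\\" + SIDELOAD_DLL)
                and "\\windows\\" not in loaded):
            return "dll_sideload"
    elif eid == 1:
        cmd = ev["cmdline"].lower()
        if "add-mppreference" in cmd and "-exclusionpath" in cmd:
            return "defender_exclusion"
        if ("powershell" in ev["image"].lower()
                and re.search(r"-w(indowstyle)?\s+hidden", cmd) and "cap.ps1" in cmd):
            return "hidden_powershell_stage"
    elif eid == 11:
        # Any of the five dropper files created directly in C:\Users\Public.
        folder, _, name = ev["target"].rpartition("\\")
        if folder.lower() == r"c:\users\public" and name.lower() in PUBLIC_DROP_FILES:
            return "public_dropper_file"
    elif eid == 13:
        # A UAC policy value set to 0 (Sysmon renders DWORDs as "DWORD (0x...)").
        obj = ev["target"]
        if ("\\policies\\system\\" in obj.lower() and obj.rsplit("\\", 1)[-1] in UAC_VALUES
                and ev["details"].endswith("(0x00000000)")):
            return "uac_disabled"
    elif eid == 22:
        if ev["query"].lower().rstrip(".") == C2_DOMAIN:
            return "c2_dns"
    elif eid == 4698:
        if (ev["task_name"].lstrip("\\") == TASK_NAME
                or "script.vbs" in ev.get("task_content", "").lower()):
            return "persistence_task"
    return None


def scan(events):
    """Distinct stages seen across a host's events, in kill-chain order."""
    seen = {tag for ev in events if (tag := classify(ev))}
    return [stage for stage in STAGE_ORDER if stage in seen]


def verdict(events, min_stages=3):
    """Treat three or more distinct stages on one host as a high-confidence match."""
    stages = scan(events)
    return {"stages": stages, "match": len(stages) >= min_stages}


# Constructed sample telemetry for one host (paths and exclusion path are made up).
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Users\alice\Downloads\OBS-Studio-Setup\install.exe",
     "loaded": r"C:\Users\alice\Downloads\OBS-Studio-Setup\install.res.1033.dll"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
    {"id": 11, "target": r"C:\Users\Public\secret_bytes.txt"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\cap.ps1"},
    {"id": 4698, "task_name": "\\MasterPackager.Updater",
     "task_content": "<Command>wscript.exe</Command><Arguments>C:\\Users\\Public\\script.vbs</Arguments>"},
    {"id": 22, "query": "mora1987.work.gd"},
]

BENIGN_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 11, "target": r"C:\Users\Public\Desktop\readme.txt"},
    {"id": 22, "query": "www.example.com"},
]

if __name__ == "__main__":
    print(verdict(SAMPLE_EVENTS))
    print(verdict(BENIGN_EVENTS))
```

The per-stage rules are deliberately narrow (exact file names, the named task, the named domain) so that each hit is cheap to triage, while `verdict` raises confidence only when several stages co-occur on one host; a single Defender exclusion or hidden PowerShell window is common enough in administrative use that it should not alert on its own.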

"The threat actor disguises ScreenConnect as popular utilities and distributes it through fraudulent websites that mimic official product pages," Kaspersky said. "The attackers leverage search engine optimization techniques to push these sites to the top of search results in engines like Google and Bing."

© 2026 Now Let Us. All rights reserved.

Source: The Hacker News

