Cybersecurity researchers have uncovered a large-scale malware campaign in which threat actors are abusing the legitimate ScreenConnect remote access software to deliver AsyncRAT through fake software installers.
Instead of relying on traditional malware downloaders, the attackers combine trusted applications, DLL sideloading, reflective loading, and process hollowing to quietly install remote access malware while avoiding detection.
Fake Software Websites Used as Lures
The attackers created numerous fake download websites designed to imitate popular software applications.
Some of the impersonated software includes:
- OBS Studio
- DNS Jumper
- DS4Windows
- Bandicam
- Other widely used freeware applications
Many of these websites were translated into more than ten languages, allowing the campaign to target users across multiple regions.
Researchers also found that search engine optimization (SEO) techniques helped these malicious websites appear higher in search results, increasing the likelihood that users would download the infected installers.
How the Infection Works
Each downloaded archive contains a mix of legitimate and malicious files.
The package typically includes:
- A legitimate Microsoft-signed install.exe
- A malicious install.res.1033.dll
- An Assets folder containing the legitimate software
- A renamed ScreenConnect MSI installer disguised as a trusted file, such as vcredist_x64.dll
When the user launches the installer, the signed executable automatically loads the malicious DLL through DLL sideloading.
The DLL silently installs the ScreenConnect service and registers it under names that appear legitimate, such as Microsoft Update Service, before connecting the infected system to attacker-controlled servers.
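The archive layout described above (a signed host executable, an unsigned DLL with a resource-like name beside it, and an MSI renamed to a .dll) can be triaged statically before anything is executed. The following is an added example, written for this page rather than taken from the article or from Kaspersky; it classifies files by header bytes instead of extension and checks whether a PE carries an Authenticode certificate table. The sample archive, the minimal PE headers, and the name `Assets/app.exe` are constructed test data, and a non-empty certificate table is treated only as "signed-looking", not as a verified signature.

```python
import posixpath
import struct
from typing import Dict, List, Optional

# OLE compound-file magic: MSI packages (such as a renamed ScreenConnect installer) use this container.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def file_kind(data: bytes) -> str:
    """Classify a blob by its header bytes rather than by its file extension."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:8] == OLE_MAGIC:
        return "ole"
    return "other"


def pe_has_certificate_table(data: bytes) -> Optional[bool]:
    """True if the PE's Certificate Table data directory (index 4) is non-empty,
    i.e. the file carries an embedded Authenticode blob; False if it is empty;
    None if the bytes are not a parseable PE.  Presence is not validity: a real
    pipeline would still verify the signature chain."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt_off = e_lfanew + 24  # optional header follows the 20-byte COFF header
    if opt_off + 2 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # (NumberOfRvaAndSizes offset, first data-directory offset) for PE32 / PE32+
    layout = {0x10B: (92, 96), 0x20B: (108, 112)}.get(magic)
    if layout is None:
        return None
    count_off, dir_off = layout
    if opt_off + dir_off + 5 * 8 > len(data):
        return None
    if struct.unpack_from("<I", data, opt_off + count_off)[0] < 5:
        return False
    _rva, size = struct.unpack_from("<II", data, opt_off + dir_off + 4 * 8)
    return size != 0


def triage(files: Dict[str, bytes]) -> List[str]:
    """Flag (a) .exe/.dll names whose content is not a PE and (b) a signed-looking
    EXE sitting beside an unsigned DLL in the same directory."""
    findings: List[str] = []
    by_dir: Dict[str, List[str]] = {}
    for name, data in sorted(files.items()):
        by_dir.setdefault(posixpath.dirname(name), []).append(name)
        ext = posixpath.splitext(name)[1].lower()
        kind = file_kind(data)
        if ext in (".exe", ".dll") and kind != "pe":
            findings.append(f"{name}: {ext} extension but {kind} content (renamed installer or data file)")
    for _dir, names in sorted(by_dir.items()):
        signed_exes = [n for n in names if n.lower().endswith(".exe") and pe_has_certificate_table(files[n]) is True]
        unsigned_dlls = [n for n in names if n.lower().endswith(".dll") and pe_has_certificate_table(files[n]) is False]
        for exe in signed_exes:
            for dll in unsigned_dlls:
                findings.append(f"{exe} + {dll}: signed EXE beside unsigned DLL in the same directory (possible sideloading pair)")
    return findings


def make_pe(signed: bool) -> bytes:
    """Build a minimal PE32+ header for testing (constructed bytes, not a real binary)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)    # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x400, 0x200)  # Certificate Table offset/size
    return dos + coff + bytes(opt)


# Constructed stand-in for an unpacked archive with the layout described in the article.
SAMPLE_ARCHIVE = {
    "install.exe": make_pe(signed=True),            # plays the Microsoft-signed host executable
    "install.res.1033.dll": make_pe(signed=False),  # plays the sideloaded malicious DLL
    "vcredist_x64.dll": OLE_MAGIC + b"\0" * 64,     # plays the MSI renamed to look like a DLL
    "Assets/app.exe": make_pe(signed=True),         # plays the legitimate bundled application
}

if __name__ == "__main__":
    for line in triage(SAMPLE_ARCHIVE):
        print(line)
```

Both findings are triage signals rather than verdicts: plenty of legitimate software ships a signed EXE next to unsigned DLLs, so the useful follow-up is to check whether the DLL's name matches one the host is known to load and whether the "DLL" that is really an MSI is ever passed to msiexec.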
Multiple Techniques Used to Evade Detection
Once ScreenConnect is installed, attackers execute PowerShell and VBScript commands to strengthen their foothold on the system.
The scripts perform several actions, including:
- Adding Microsoft Defender exclusions for entire drives and important processes.
- Disabling User Account Control (UAC) prompts.
- Dropping additional malware components into the C:\Users\Public directory.
The malware then decrypts an encrypted payload stored in secret_bytes.txt. A PowerShell script named cap.ps1 reconstructs the payload by decoding hexadecimal data, applying XOR decryption, and rebuilding the executable entirely in memory.
The recovered .NET assembly is loaded directly into memory using reflective loading, avoiding the need to write the malware to disk.
AsyncRAT Deployed Through Process Hollowing
To further reduce detection, the malware launches RegAsm.exe in a suspended state before replacing its memory with the AsyncRAT payload using process hollowing.
Running the malware inside a legitimate Windows process helps it blend in with normal system activity and bypass some security tools that rely on process reputation.
Persistence and Infrastructure
To maintain long-term access, the attackers create a scheduled task named MasterPackager.Updater.
The task runs every two minutes, allowing the malware to restart automatically after reboots or if its processes are terminated.
Kaspersky researchers also identified two major infrastructure clusters supporting the campaign.
The operation used:
- Multiple command-and-control (C2) servers
- Numerous spoofed domains
- Separate download servers for malware archives
- ScreenConnect configuration files pointing to attacker infrastructure
Based on domain registration data, researchers believe the campaign has been active since October 2025 and continued operating through March 2026, with several fake download websites still accessible online.
Security Recommendations
Because this campaign abuses trusted software and legitimate administrative tools, organizations should strengthen their defenses against both malware and software supply chain attacks.
Security teams should consider the following measures:
- Download software only from official vendor websites.
- Block MSI installers from untrusted locations.
- Monitor for newly created Windows services and scheduled tasks.
- Detect unusual DLL sideloading activity.
- Watch for suspicious use of PowerShell, VBScript, and signed Windows binaries.
- Monitor outbound connections to unknown remote management servers.
- Keep endpoint protection enabled and regularly updated.
- Educate users to verify download sources before installing software.
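The behaviours the article describes after ScreenConnect lands (a service named Microsoft Update Service outside a trusted path, the MasterPackager.Updater task repeating every two minutes out of C:\Users\Public, whole-drive Defender exclusions, RegAsm.exe started by a script host, and lookups of the IOC domains) map directly onto the monitoring items in the list above. The following added example, not from the article or from Kaspersky, runs those checks as rules over normalized endpoint events. The event field names are this example's own normalization rather than the Sysmon or Windows event schemas, the sample events are constructed, the trusted-root paths and the 300-second interval threshold are assumptions, and the rule treating a script host as RegAsm's parent is an assumption since the article does not state the parent process; the task rule also generalizes beyond the named task to any rapidly repeating task running from Users\Public.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]
Finding = Tuple[str, str]

# Indicators from the article's IOC table and narrative.
IOC_HOSTS = {"mora1987.work.gd", "fileget.loseyourip.com", "direct-download.giize.com"}
KNOWN_TASK_NAMES = {"masterpackager.updater"}
# Assumption: binaries for Microsoft-branded services are expected under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
MICROSOFT_LOOKALIKE = re.compile(r"\b(microsoft|windows)\b.*\b(update|service)\b", re.I)


def check_service(ev: Event) -> Optional[Finding]:
    """New service with a Microsoft-sounding name whose binary lives outside trusted roots."""
    name = str(ev.get("service_name", ""))
    image = str(ev.get("image_path", "")).lstrip('"').lower()
    if MICROSOFT_LOOKALIKE.search(name) and not image.startswith(TRUSTED_ROOTS):
        return ("svc-lookalike", f"service '{name}' installed from untrusted path {image}")
    return None


def check_task(ev: Event) -> Optional[Finding]:
    """Known task name, or any rapidly repeating task that runs something out of Users\\Public."""
    name = str(ev.get("task_name", ""))
    cmd = str(ev.get("command", "")).lower()
    interval = int(ev.get("interval_s", 0) or 0)
    if name.lower() in KNOWN_TASK_NAMES:
        return ("task-known-name", f"scheduled task '{name}' matches a campaign indicator")
    if 0 < interval <= 300 and "\\users\\public\\" in cmd:
        return ("task-public-rapid", f"task '{name}' repeats every {interval}s and runs from Users\\Public")
    return None


def check_exclusion(ev: Event) -> Optional[Finding]:
    """Defender exclusions covering an entire drive, or any process exclusion."""
    kind = str(ev.get("kind", ""))
    value = str(ev.get("value", "")).strip().lower()
    if kind == "path" and re.fullmatch(r"[a-z]:\\?", value):
        return ("defender-drive-exclusion", f"whole-drive Defender exclusion added for {value}")
    if kind == "process":
        return ("defender-process-exclusion", f"Defender process exclusion added for {value}")
    return None


def check_dns(ev: Event) -> Optional[Finding]:
    """Resolution of a campaign C2 or download host (or a subdomain of one)."""
    q = str(ev.get("query", "")).lower().rstrip(".")
    if q in IOC_HOSTS or any(q.endswith("." + h) for h in IOC_HOSTS):
        return ("dns-ioc", f"DNS query for known campaign host {q}")
    return None


def check_process(ev: Event) -> Optional[Finding]:
    """RegAsm.exe started by a script host (assumption: parent process is not stated in the article)."""
    image = str(ev.get("image", "")).lower()
    parent = str(ev.get("parent_image", "")).lower().rsplit("\\", 1)[-1]
    if image.endswith("\\regasm.exe") and parent in SCRIPT_HOSTS:
        return ("regasm-from-script-host", f"RegAsm.exe launched by {parent}")
    return None


RULES: Dict[str, Callable[[Event], Optional[Finding]]] = {
    "service_install": check_service,
    "task_create": check_task,
    "defender_exclusion": check_exclusion,
    "dns_query": check_dns,
    "process_create": check_process,
}


def scan(events: List[Event]) -> List[Finding]:
    """Run the rule matching each event's type and collect hits in event order."""
    findings: List[Finding] = []
    for ev in events:
        rule = RULES.get(str(ev.get("type", "")))
        hit = rule(ev) if rule else None
        if hit:
            findings.append(hit)
    return findings


# Constructed telemetry: five events modelled on the article's description plus four benign decoys.
SAMPLE_EVENTS: List[Event] = [
    {"type": "service_install", "service_name": "Microsoft Update Service", "image_path": '"C:\\Users\\Public\\MSUpdate\\svc.exe"'},
    {"type": "service_install", "service_name": "Windows Update", "image_path": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"type": "task_create", "task_name": "MasterPackager.Updater", "interval_s": 120, "command": "powershell.exe -File C:\\Users\\Public\\cap.ps1"},
    {"type": "task_create", "task_name": "VendorUpdateCheck", "interval_s": 86400, "command": "C:\\Program Files\\Vendor\\updater.exe"},
    {"type": "defender_exclusion", "kind": "path", "value": "C:\\"},
    {"type": "defender_exclusion", "kind": "path", "value": "C:\\Dev\\build"},
    {"type": "dns_query", "query": "mora1987.work.gd"},
    {"type": "dns_query", "query": "www.example.com"},
    {"type": "process_create", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

if __name__ == "__main__":
    for rule_id, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule_id}] {detail}")
```

In practice these rules would be fed from System event 7045 (service installs), Security 4698 (task creation), the Defender operational log, and Sysmon DNS and process-creation events; the lookalike-name and whole-drive-exclusion rules are the ones that keep paying off after the specific domains and task name in this campaign have rotated.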
This campaign demonstrates how attackers continue to blend legitimate administration tools with advanced malware techniques. By combining trusted software, stealthy execution methods, and fake software distribution sites, threat actors can significantly increase the chances of compromising both individual users and enterprise environments.
IOCs
| Type | Indicator | Description |
|---|---|---|
| Domain | mora1987[.]work[.]gd | AsyncRAT C2 server domain |
| URL | hxxps[:]//fileget.loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaM | Malicious OBS Studio installer download link |
| URL | hxxps[:]//direct-download.giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j | Malicious DNS Jumper installer download link |