
SEO Poisoning Attack Leverages Microsoft Binary to Install RMM Tool


New Research Uncovers Trojans in Search Engine Poisoning Campaign

Recent investigations have unveiled a concerning campaign of search engine poisoning designed to target users searching for the popular open-source data recovery tool, TestDisk. This operation employs a trojanized version of the TestDisk installer and makes use of a Microsoft-signed binary to facilitate DLL sideloading. Furthermore, it deploys the ScreenConnect remote monitoring and management (RMM) client stealthily, granting malicious actors hands-on control over compromised systems.

Deceptive Download Practices

The campaign starts from a rogue domain that mimics the branding of the legitimate TestDisk application, advertising itself as “The Ultimate Open‑Source Data & Partition Recovery Solution.” On this bogus site, users are lured in by a prominent free download button for versions 7.2 and 7.3 of TestDisk. The installers it serves, however, are not the genuine ones.

Behind the façade, obfuscated JavaScript on the rogue site dynamically generates one-time download URLs that direct users to attacker-controlled delivery domains such as direct-download.gleeze[.]com. Because each download link is unique and short-lived, this tactic helps the attackers evade security controls that rely on static URL blocking.

Threat hunters have observed that users searching for “TestDisk” may land on this counterfeit site, which ranks alongside the authentic CGSecurity TestDisk project in search results. Instead of receiving a genuine installer, victims end up with a ZIP file containing an executable named testdisk-7.3.exe, which masquerades as the legitimate setup file.

The Sideloading Scheme

The executable is not what it seems: it is a legitimate Microsoft setup binary, renamed and repurposed as the loader in a classic DLL sideloading attack. When a victim runs this fake TestDisk installer, the signed Microsoft binary looks for a companion DLL in its working directory, and the attackers have planted a DLL named autorun.dll there for it to find.

Due to the trusted Microsoft signature associated with the host executable, security systems often regard its execution as harmless, thus permitting the malicious DLL to activate with minimal alerts. Once unleashed, the DLL initiates a chain of payload deliveries. This includes not only a legitimate version of TestDisk but also various malware components designed to operate undetected and ensure persistence.

Unmasking the Remote Access Trojan (RAT) Capabilities

Among the significant payloads is an MSI installer that bundles a trojanized version of the ScreenConnect client, configured to connect back to an infrastructure controlled by the attackers. Upon installation, this rogue ScreenConnect client automatically registers the compromised system with an external ScreenConnect server, granting the attackers complete remote control capabilities. These capabilities include file transfers, command executions, and extensive lateral movement across the targeted network.

This tactic aligns with a broader trend in which threat actors use unmodified, legitimate ScreenConnect installers or configurations to turn the RMM tool into a Remote Access Trojan (RAT) without altering its code. Because ScreenConnect is widely used by IT departments and Managed Service Providers (MSPs), its presence on a network can easily blend in with routine administrative activity, especially if organizations do not keep a precise inventory of their approved RMM endpoints.

With this foothold, attackers gain the ability to deploy additional malicious tools, harvest sensitive credentials, exfiltrate valuable data, and even stage ransomware attacks.

Recommendations for Protection

In light of these developments, defenders are strongly advised to monitor traffic related to the domain testdisk[.]dev, and the download infrastructure based at direct-download.gleeze[.]com. Security teams should keep a lookout for suspicious access involving the indicator IP address 193.42.11.108 and track the known malicious SHA‑256 hash 1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5.

Apart from these technical defenses, organizations are encouraged to maintain an explicitly authorized list of ScreenConnect servers and client configurations. They should block any unknown ScreenConnect relay domains and set up alerts for new installation events involving ScreenConnect on endpoints that are not officially managed by IT.
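The detection logic behind the recommendations above, and the sideloading behaviour described earlier, can be expressed as a small rule set. The following is an added example, not code from the original article or from any vendor: it applies the article's indicators (domains, IP, SHA-256) plus a constructed ScreenConnect relay allowlist and IT-managed host list to constructed endpoint telemetry events, flagging a Microsoft-signed binary loading an unsigned DLL from its own directory, ScreenConnect clients talking to unapproved relays, and ScreenConnect installs on unmanaged hosts.

```python
import ntpath

# Indicators quoted in the article; the allowlists below are constructed placeholders.
IOC_HOSTS = {"testdisk.dev", "direct-download.gleeze.com", "193.42.11.108"}
IOC_SHA256 = {"1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5"}
APPROVED_RELAYS = {"rmm.corp.example"}   # hypothetical approved ScreenConnect server
IT_MANAGED_HOSTS = {"WS-IT-01"}          # hypothetical hosts allowed to run the client


def check_event(ev: dict) -> list[str]:
    """Return the names of the detections that fire for one telemetry event."""
    alerts = []
    dst = ev.get("dst", "").lower().rstrip(".")
    image = ev.get("image", "").lower()
    if dst in IOC_HOSTS:                              # known campaign domain / IP
        alerts.append(f"ioc-network:{dst}")
    if ev.get("sha256", "").lower() in IOC_SHA256:    # known malicious file hash
        alerts.append("ioc-hash")
    # Sideload: a Microsoft-signed host binary loading an unsigned DLL from its own folder.
    if ev.get("signer") == "Microsoft Corporation":
        for dll in ev.get("unsigned_dlls", []):
            if ntpath.dirname(dll.lower()) == ntpath.dirname(image):
                alerts.append(f"sideload:{ntpath.basename(dll.lower())}")
    # ScreenConnect client connecting to a relay that is not on the approved list.
    if "screenconnect" in image and dst and dst not in APPROVED_RELAYS:
        alerts.append(f"rmm-unapproved-relay:{dst}")
    # ScreenConnect installation on an endpoint IT does not manage.
    if (ev.get("event") == "install" and "screenconnect" in ev.get("product", "").lower()
            and ev.get("host") not in IT_MANAGED_HOSTS):
        alerts.append("rmm-install-unmanaged-host")
    return alerts


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run every rule over a batch of events; returns (host, detection) pairs."""
    return [(ev["host"], a) for ev in events for a in check_event(ev)]


SAMPLE_EVENTS = [  # constructed telemetry modelled on the campaign, not real logs
    {"host": "WS-42", "event": "process", "image": r"C:\Users\a\Downloads\testdisk-7.3.exe",
     "signer": "Microsoft Corporation", "unsigned_dlls": [r"C:\Users\a\Downloads\autorun.dll"],
     "sha256": "1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5"},
    {"host": "WS-42", "event": "network", "image": r"C:\Windows\explorer.exe",
     "dst": "direct-download.gleeze.com"},
    {"host": "WS-42", "event": "install", "product": "ScreenConnect Client (placeholder)"},
    {"host": "WS-42", "event": "network", "dst": "relay.attacker.example",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (placeholder)\ScreenConnect.ClientService.exe"},
    {"host": "WS-IT-01", "event": "network", "dst": "rmm.corp.example",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (placeholder)\ScreenConnect.ClientService.exe"},
]

if __name__ == "__main__":
    for host, alert in scan(SAMPLE_EVENTS):
        print(host, alert)
```

The last sample event, an approved relay contacted from an IT-managed host, produces no alert, which is the baseline a real allowlist should reduce ScreenConnect noise to.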

Finally, user training remains a critical line of defense. Individuals should be educated to navigate directly to the official TestDisk site (CGSecurity), rather than relying on search engines alone. This proactive approach can significantly reduce exposure to SEO-poisoned links, which are becoming a pervasive element in initial access strategies employed by cybercriminals.

In conclusion, as the landscape of cyber threats becomes increasingly sophisticated, vigilance and education prove paramount in safeguarding systems from these illicit activities.
