Campaign Exploits Legitimate Software for Malicious Aims
A significant cyberattack campaign has been uncovered, revealing that attackers have been misusing the trusted remote administration tool, ScreenConnect, to deliver the AsyncRAT malware disguised as legitimate software installers. This alarming incident illustrates a growing trend in cybercrime: the weaponization of legitimate tools and practices to execute malicious activities.
The operation employs a sophisticated infection chain that takes advantage of trusted binaries, DLL sideloading, reflective loading, and process hollowing techniques. These tactics are designed to provide stealthy persistence and remote control capabilities, effectively undermining the security measures that organizations often place in remote management tools. By exploiting the inherent trust associated with these applications, attackers can gain unauthorized access to sensitive systems without raising immediate suspicion.
Delivery Mechanism and Spoofed Downloads
At the heart of this campaign lies a highly reproducible delivery mechanism. Cybercriminals have created numerous typosquatted and spoofed download portals that closely mimic those of popular free software, including OBS Studio, DNS Jumper, DS4Windows, and Bandicam. To broaden their impact, these malicious sites have been localized into more than ten languages, enabling the attackers to reach a global audience.
Each archive downloaded by unsuspecting users contains a legitimate Microsoft-signed installer, named install.exe, alongside a malicious companion file, install.res.1033.dll. Additionally, the archive includes an Assets folder that holds both the impersonated software and a repackaged version of ScreenConnect, cleverly disguised with misleading filenames such as vcredist_x64.dll. This tactic aims to ensure that victims unknowingly install malicious components alongside the legitimate software they believe they are downloading.
Execution and Escalation of Privileges
The execution process kicks off when the signed install.exe is launched and loads the rogue DLL via DLL sideloading. The DLL then commands msiexec to silently install the ScreenConnect service under seemingly innocuous names, an approach designed to hide the activity from both users and security systems. For instance, the service might operate under the alias "Microsoft Update Service," a name unlikely to draw scrutiny from anyone reviewing newly created services.
Once the malicious software is active, it executes a series of scripts in PowerShell and VBScript that effectively solidify the attackers’ foothold. Notably, these scripts create exclusions within Windows Defender for critical processes and entire disk roots, disable User Account Control (UAC) prompts, and deposit further malicious components in C:\Users\Public. This stage is crucial, as it sets the groundwork for long-term remote access and control.
Advanced Payload Delivery Systems
A layered loader unpacks a blob of encrypted data, known as secret_bytes.txt. Another script, referred to as cap.ps1, decodes this data: it converts hex-tagged sequences to bytes, XORs them with 0xA7, and inverts the bits to reconstruct a Portable Executable (PE) image. Because the payload only takes its final form in memory, this multi-layered approach lets the attackers evade security software that relies on matching known malware signatures on disk.
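As an added example (not code from the article or from Kaspersky's report), the Python below reverses the transformation described above for analyst triage and checks whether the result carries a PE header; it also shows that the XOR and bit-inversion layers collapse to a single-byte XOR. The exact "hex-tagged" layout is not given, so a `hex:<pairs>` token format is assumed, and the sample blob is constructed by hand.

```python
import re
import struct

# Assumed token layout (the article does not give the exact "hex-tagged"
# format): each run of hex pairs is prefixed with "hex:".
HEX_TOKEN = re.compile(r"hex:([0-9a-fA-F]+)")
XOR_KEY = 0xA7  # key named in the article's description of cap.ps1

# Constructed sample, not real campaign data: a 68-byte stub whose MZ header
# has e_lfanew = 0x40 pointing at a "PE\0\0" signature, already transformed.
SAMPLE_BLOB = "hex:1502 hex:" + "58" * 58 + " hex:18585858 hex:081d5858"


def decode_blob(text):
    """Undo the layering as described: hex text -> XOR 0xA7 -> bitwise NOT."""
    raw = bytes.fromhex("".join(HEX_TOKEN.findall(text)))
    return bytes((b ^ XOR_KEY) ^ 0xFF for b in raw)


def looks_like_pe(data):
    """Cheap header check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def effective_key():
    """XOR 0xA7 followed by NOT (XOR 0xFF) is just a single-byte XOR with 0x58."""
    return XOR_KEY ^ 0xFF


def triage(text):
    """Summarise a blob for an analyst: decoded size, PE-ness, collapsed key."""
    data = decode_blob(text)
    return {"size": len(data), "is_pe": looks_like_pe(data),
            "effective_key": effective_key()}
```

The collapsed key matters for detection: however many XOR-style layers a loader stacks, a constant-key scheme leaves the PE recoverable by brute-forcing 256 single-byte keys.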
Researchers from Kaspersky’s Managed Detection and Response (MDR) team identified instances where the ScreenConnect tool was used to deploy and execute the AsyncRAT payload. This innovative technique involved reflectively loading .NET assemblies into the Common Language Runtime (CLR) and invoking methods through reflection, complicating the detection process.
Persistence Mechanisms and Infrastructure
Further investigation revealed that the attackers ensured persistence via a scheduled task, named MasterPackager.Updater, that re-triggers the loader chain every two minutes and thereby reinstates access after system reboots. Kaspersky's analysis identified two main infrastructure clusters consisting of multiple IPs and numerous domains.
The archives utilized in distribution were hosted on separate file repositories and download nodes, while the configurations of ScreenConnect, including access files located within CABs, revealed a broad Command and Control (C2) infrastructure to manage both ScreenConnect and AsyncRAT components. Registration timestamps showed that this operation had begun in October 2025 and remained active through March 2026; many of the spoofed pages continue to be easily discoverable.
Rising Threats and Defensive Strategies
This campaign is emblematic of several escalating threats in the cybersecurity landscape. It highlights the misuse of legitimate remote administration tools, the weaponization of signed binaries through DLL sideloading, and the intricate multi-stage loaders that reconstruct and execute payloads directly in memory. Moreover, the attackers’ deployment of search engine optimization tactics ensured that their malicious landing pages appeared prominently in organic search results, significantly increasing the chances that victims would unknowingly download harmful software.
To combat this evolving threat landscape, organizations need to prioritize defensive measures. This includes implementing strict application allowlisting, blocking MSI executions from untrusted locations, vigilant monitoring for new service creations and scheduled tasks, flagging unusual usage of signed system or installer binaries, filtering outbound connections to unfamiliar domains, and continually educating users on verifying download sources.
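The monitoring measures listed above translate into simple checks over endpoint telemetry. As an added example (not the article's or Kaspersky's code), the Python below flags Defender exclusions that cover disk roots or C:\Users\Public, scheduled tasks repeating at very short intervals (Task Scheduler stores these as ISO 8601 durations such as PT2M), and Microsoft-branded services running from outside system directories; the sample records are constructed, and every path and the service image are hypothetical placeholders.

```python
import re
from datetime import timedelta

# Constructed sample telemetry: the MasterPackager.Updater name comes from the
# article, every path and the service image are hypothetical placeholders.
EXCLUSIONS = ["C:\\", "C:\\Users\\Public\\", "C:\\Program Files\\Vendor\\app.exe", "D:"]
TASKS = [
    {"name": "MasterPackager.Updater", "interval": "PT2M"},
    {"name": "OneDrive Standalone Update Task", "interval": "P1D"},
]
SERVICES = [
    {"name": "Microsoft Update Service", "image": "C:\\Users\\Public\\hypothetical\\agent.exe"},
    {"name": "Windows Update", "image": "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p"},
]
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_iso_duration(value):
    """Parse the ISO 8601 durations Task Scheduler stores (PT2M, P1D, PT12H)."""
    match = _DURATION.match(value)
    if not match:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def flag_exclusions(paths):
    """Exclusions that blind Defender to a whole volume or the world-writable Public profile."""
    return [p for p in paths
            if re.fullmatch(r"[A-Za-z]:\\?", p) or p.lower().startswith("c:\\users\\public")]

def flag_tasks(tasks, max_interval=timedelta(minutes=5)):
    """Tasks that re-run on a very short repetition interval (the campaign used two minutes)."""
    return [t["name"] for t in tasks
            if parse_iso_duration(t["interval"]) <= max_interval]

def flag_services(services):
    """Services with Microsoft/Windows branding whose binary lives outside system directories."""
    hits = []
    for svc in services:
        branded = re.search(r"microsoft|windows", svc["name"], re.IGNORECASE)
        image = svc["image"].lower().lstrip('"')
        if branded and not image.startswith(TRUSTED_DIRS):
            hits.append(svc["name"])
    return hits
```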
Conclusion
The exploitation of a trusted remote administration tool, like ScreenConnect, serves as a stark reminder of the sophistication involved in modern cyberattacks. Organizations must take proactive steps to secure their networks, recognizing that in the realm of cybersecurity, trust can be their greatest vulnerability.

