SEO Poisoning Campaign Leverages ScreenConnect to Deploy AsyncRAT
A widespread malicious campaign is exploiting SEO poisoning techniques to distribute fake software installers, ultimately deploying the **AsyncRAT** remote access trojan. Threat actors are using the legitimate remote access tool **ScreenConnect** as an initial foothold, enabling covert control over compromised systems and data exfiltration.
Unknown threat actors are actively leveraging the **ScreenConnect** remote access tool to deploy and execute **AsyncRAT**.
Cybersecurity firm **Kaspersky** has identified this activity as part of a "massive, multi-domain, multi-language" campaign. The operation distributes malicious installer archives hosted on spoofed websites, effectively masquerading as legitimate software.
These deceptive installers imitate popular applications such as **OBS Studio**, **DNS Jumper**, **DS4Windows**, and **Bandicam**, among others. **Kaspersky** has uncovered over 90 domain names localized across ten languages, including English, Russian, Chinese, German, French, Spanish, Portuguese, and Arabic. Intriguingly, some of these domains were registered with future dates, between August 2025 and March 2026.
"The malicious archives bundle a legitimate, signed **Microsoft** install.exe binary alongside a rogue install.res.1033.dll library," explained security researcher **Denis Kulik**. "It is loaded onto the device via DLL side-loading and deploys the ScreenConnect service, which awaits further instructions from the threat actors."
Because the rogue DLL is loaded by a legitimately signed executable, the side-loading technique lets the malicious code run under the cover of a trusted binary, allowing attackers to establish persistent control over compromised endpoints; victims range from individual users to organizations.
Once **ScreenConnect** is operational, it initiates a PowerShell script (named "Fj5NmEsp9EuKrun.ps1"). This script is designed to disable **Microsoft Defender** exclusions, deactivate **User Account Control (UAC)** prompts, and subsequently create a Visual Basic Script (VBScript) file called "installer_method3_stream.vbs."

The VBScript then creates a set of five files within the "C:\Users\Public" directory:
* msgbox.txt
* secret_bytes.txt
* 1.vb
* cap.ps1
* script.vbs
Following this, "script.vbs" is executed. This script terminates all active PowerShell processes and runs "cap.ps1" in a hidden window. The primary function of "cap.ps1" is to read the contents of "secret_bytes.txt," extract the **AsyncRAT** module, and execute it using a **process hollowing** technique.
**AsyncRAT** subsequently establishes a connection to a remote command-and-control server ("mora1987.work[.]gd"). This connection grants the threat actor covert control over infected Windows systems, enabling them to steal sensitive data and monitor user activity through screen recording.
Persistence is maintained via a scheduled task named "MasterPackager.Updater," configured to activate every two minutes and execute "script.vbs." This ensures the attack chain is re-initiated after any system reboot.
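The chain described above leaves several host-observable artifacts: the side-loaded DLL next to a signed install.exe, the named PowerShell stager, the five files dropped into C:\Users\Public, the two-minute scheduled task, and the C2 domain. As an added example (not Kaspersky's code, nor anything published with the research), the Python below matches those indicators against a simplified, constructed endpoint-telemetry feed. The event schema and field names (`type`, `host`, `path`, `image`, `process`, `cmdline`, `task`, `query`) are assumptions standing in for Sysmon- or EDR-style events; the sample events are constructed; the indicator values themselves are the ones quoted in the article, with the defanged C2 domain refanged for matching.

```python
"""Match the article's ScreenConnect -> AsyncRAT indicators against telemetry.

Added illustrative example; the event schema and sample events are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Indicators quoted in the article (case-normalized for matching).
SUSPECT_TASK = "MasterPackager.Updater"
DROP_DIR = r"c:\users\public"
DROPPED_FILES = {"msgbox.txt", "secret_bytes.txt", "1.vb", "cap.ps1", "script.vbs"}
SIDELOAD_DLL = "install.res.1033.dll"
STAGER_PS1 = "fj5nmesp9eukrun.ps1"
C2_DOMAIN_DEFANGED = "mora1987.work[.]gd"  # as published; refanged below


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def refang(domain: str) -> str:
    """Turn a defanged indicator (x[.]y) back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def evaluate(events: list[dict]) -> list[Finding]:
    """Return one Finding per matched indicator across a list of events."""
    findings: list[Finding] = []
    public_drops: dict[str, set[str]] = {}  # host -> dropped file names seen
    c2 = refang(C2_DOMAIN_DEFANGED)

    for ev in events:
        host = ev.get("host", "?")
        kind = ev.get("type")

        if kind == "task_create" and ev.get("task") == SUSPECT_TASK:
            findings.append(Finding("persistence.scheduled_task", host, ev["task"]))

        elif kind == "file_create":
            directory, _, name = ev.get("path", "").lower().rpartition("\\")
            if directory == DROP_DIR and name in DROPPED_FILES:
                public_drops.setdefault(host, set()).add(name)

        elif kind == "image_load":
            image = ev.get("image", "").lower()
            process = ev.get("process", "").lower()
            # Signed install.exe loading the rogue resource DLL beside it.
            if image.endswith("\\" + SIDELOAD_DLL) and process.endswith("\\install.exe"):
                findings.append(Finding("execution.dll_sideload", host, ev["image"]))

        elif kind == "process_create":
            if STAGER_PS1 in ev.get("cmdline", "").lower():
                findings.append(Finding("execution.stager_script", host, ev["cmdline"]))

        elif kind == "dns_query":
            if refang(ev.get("query", "")) == c2:
                findings.append(Finding("c2.dns_query", host, ev["query"]))

    # Several of the five staging files in C:\Users\Public on one host is the
    # strongest single signal; require three to tolerate partial telemetry.
    for host, names in public_drops.items():
        if len(names) >= 3:
            findings.append(Finding("staging.public_dir_drop", host, ", ".join(sorted(names))))
    return findings


# Constructed sample telemetry: one infected host plus benign noise.
SAMPLE_EVENTS = [
    {"type": "image_load", "host": "ws01",
     "process": r"C:\Users\alice\Downloads\OBS-Studio\install.exe",
     "image": r"C:\Users\alice\Downloads\OBS-Studio\install.res.1033.dll"},
    {"type": "process_create", "host": "ws01",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Fj5NmEsp9EuKrun.ps1"},
    {"type": "file_create", "host": "ws01", "path": r"C:\Users\Public\msgbox.txt"},
    {"type": "file_create", "host": "ws01", "path": r"C:\Users\Public\secret_bytes.txt"},
    {"type": "file_create", "host": "ws01", "path": r"C:\Users\Public\1.vb"},
    {"type": "file_create", "host": "ws01", "path": r"C:\Users\Public\cap.ps1"},
    {"type": "file_create", "host": "ws01", "path": r"C:\Users\Public\script.vbs"},
    {"type": "task_create", "host": "ws01", "task": "MasterPackager.Updater"},
    {"type": "dns_query", "host": "ws01", "query": "mora1987.work.gd"},
    # Benign events that must not fire.
    {"type": "file_create", "host": "ws02", "path": r"C:\Users\Public\Documents\notes.txt"},
    {"type": "task_create", "host": "ws02", "task": "Backup Nightly"},
    {"type": "dns_query", "host": "ws02", "query": "example.com"},
]


def rules_fired(events: list[dict] | None = None) -> list[str]:
    """Sorted rule names triggered by the given (or sample) events."""
    return sorted(f.rule for f in evaluate(SAMPLE_EVENTS if events is None else events))


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.host}  {f.rule:28s} {f.detail}")
```

The scheduled-task and public-directory rules are the cheapest to add to an existing detection stack; the DLL side-load rule is the earliest point in the chain but needs image-load telemetry, which not every sensor collects by default.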
"The threat actor disguises ScreenConnect as popular utilities and distributes it through fraudulent websites that mimic official product pages," **Kaspersky** stated. "The attackers leverage search engine optimization techniques to push these sites to the top of search results in engines like **Google** and **Bing**."
