Malware | Jul 1, 2026

SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT

SEO-poisoned sites distribute ScreenConnect and AsyncRAT via spoofed software installers.

Summary

Unknown threat actors are conducting a massive, multi-domain campaign distributing AsyncRAT malware through spoofed websites impersonating popular software like OBS Studio and Bandicam. The attack leverages ScreenConnect as a remote access tool, deployed via DLL side-loading of rogue libraries bundled with legitimate Microsoft binaries. Kaspersky identified over 90 localized domains across 10 languages, with victims ranging from individual users to organizations.

Full text

Ravie Lakshmanan | Jul 01, 2026 | Malware / SEO Poisoning

Unknown threat actors are leveraging the ScreenConnect remote access tool as a way to deploy and execute AsyncRAT. Kaspersky said the activity is part of a "massive, multi-domain, multi-language" campaign that distributes malicious installer archives hosted on spoofed websites. These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others.

The Russian cybersecurity company said it identified more than 90 domain names localized across 10 languages, including English, Russian, Chinese, German, French, Spanish, Portuguese, and Arabic. Some of these domains were set up between August 2025 and March 2026.

"The malicious archives bundle a legitimate, signed Microsoft install.exe binary alongside a rogue install.res.1033.dll library," security researcher Denis Kulik said. "It is loaded onto the device via DLL side-loading and deploys the ScreenConnect service, which awaits further instructions from the threat actors."

"This allowed the attackers to maintain control over compromised endpoints, with victims ranging from individual users to organizations."

Because the process that loads the rogue DLL is a legitimately signed Microsoft executable, a code-signing check on install.exe alone does not catch the archive; the library sitting beside it is the component to inspect.

Once ScreenConnect is up and running, the service creates and executes a PowerShell script ("Fj5NmEsp9EuKrun.ps1"), which configures Microsoft Defender exclusions, disables User Account Control (UAC) prompts, and then creates a Visual Basic Script (VBScript) file called "installer_method3_stream.vbs." That script, in turn, creates a set of five files in the "C:\Users\Public" directory:

  • msgbox.txt
  • secret_bytes.txt
  • 1.vb
  • cap.ps1
  • script.vbs

In the next stage, it triggers the execution of "script.vbs," a script that's responsible for terminating all active PowerShell processes and running "cap.ps1" in a hidden window.

The primary goal of the PowerShell script is to read the contents of the "secret_bytes.txt" file, extract from it the AsyncRAT module, and run it using process hollowing. The malware then establishes a connection to a remote server ("mora1987.work[.]gd"), allowing the threat actor to covertly control infected Windows systems, steal sensitive data, and monitor user activity by recording screen content.

Persistence is established by means of a scheduled task ("MasterPackager.Updater") that's activated every two minutes to execute "script.vbs," ensuring that the entire chain is re-run after a system reboot.

"The threat actor disguises ScreenConnect as popular utilities and distributes it through fraudulent websites that mimic official product pages," Kaspersky said. "The attackers leverage search engine optimization techniques to push these sites to the top of search results in engines like Google and Bing."
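The chain described above, from the ScreenConnect-spawned PowerShell stage through the Defender exclusion, the UAC change, the hidden cap.ps1 launch, the two-minute scheduled task and the AsyncRAT C2 lookup, maps onto a small set of host-telemetry rules. The following is an added example, not code from Kaspersky or from the article: a rule set in Python run over constructed Sysmon-style process-creation (Event ID 1) and DNS-query (Event ID 22) events. The file names, the task name and the domain come from the article; the exact command lines, the ScreenConnect service binary name and the UAC registry value names (EnableLUA, ConsentPromptBehaviorAdmin) are assumptions about how the described behaviour would look in telemetry.

```python
"""Rule-based hunt for the ScreenConnect -> AsyncRAT chain over constructed events.

Added example, not Kaspersky's or the article's code.  Event dicts mimic Sysmon
Event ID 1 (process create) and Event ID 22 (DNS query) fields.  The sample
events at the bottom are constructed, not real telemetry.
"""
import re

# Artifacts the article names: staging files, scheduled task, C2 domain.
KNOWN_FILES = {
    "fj5nmesp9eukrun.ps1", "installer_method3_stream.vbs", "msgbox.txt",
    "secret_bytes.txt", "1.vb", "cap.ps1", "script.vbs",
}
KNOWN_TASK = "masterpackager.updater"
KNOWN_C2 = "mora1987.work.gd"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Match a known file name as a whole token (so "1.vb" does not hit "file1.vbs").
_KNOWN_FILE_RE = re.compile(
    r"(?<![\w.])(?:" + "|".join(map(re.escape, sorted(KNOWN_FILES))) + r")(?![\w.])"
)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: dict) -> list:
    """Return the names of every rule the event trips (empty list if clean)."""
    hits = []
    if ev.get("EventID") == 22:
        if ev.get("QueryName", "").lower().rstrip(".") == KNOWN_C2:
            hits.append("known_c2_dns")
        return hits

    low = ev.get("CommandLine", "").lower()
    image = _base(ev.get("Image", ""))
    parent = _base(ev.get("ParentImage", ""))

    # Stage 1: the ScreenConnect service launches PowerShell (assumed binary name).
    if "screenconnect" in parent and image == "powershell.exe":
        hits.append("screenconnect_spawns_powershell")
    # Stage 1: Defender exclusion added from the command line.
    if re.search(r"(set|add)-mppreference\b.*-exclusion(path|process|extension)", low):
        hits.append("defender_exclusion_added")
    # Stage 1: UAC prompt disabled via policy registry values (assumed value names).
    if "policies\\system" in low and re.search(
            r"(enablelua|consentpromptbehavioradmin)\b.*\b0\b", low):
        hits.append("uac_prompt_disabled")
    # Stage 3: script.vbs runs cap.ps1 in a hidden window (script host -> powershell).
    if parent in SCRIPT_HOSTS and image == "powershell.exe" and \
            re.search(r"-w(indowstyle)?\s+hidden", low):
        hits.append("script_host_spawns_hidden_powershell")
    # Persistence: the named task, or any task firing every two minutes.
    if image == "schtasks.exe" and "/create" in low and (
            KNOWN_TASK in low or re.search(r"/sc\s+minute\s+/mo\s+2\b", low)):
        hits.append("two_minute_task_persistence")
    # Any of the named staging files referenced on a command line.
    if _KNOWN_FILE_RE.search(low):
        hits.append("known_staging_file")
    return hits


def scan(events: list) -> dict:
    """Map each tripped rule to the indexes of the events that tripped it."""
    report = {}
    for i, ev in enumerate(events):
        for rule in match_rules(ev):
            report.setdefault(rule, []).append(i)
    return report


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, one event per stage plus one benign
    {"EventID": 1, "Image": PS,
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\Fj5NmEsp9EuKrun.ps1"},
    {"EventID": 1, "Image": PS, "ParentImage": PS,
     "CommandLine": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": PS,
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": r'schtasks /create /tn MasterPackager.Updater /tr "wscript.exe C:\Users\Public\script.vbs" /sc minute /mo 2 /f'},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\cap.ps1"},
    {"EventID": 22, "Image": PS, "QueryName": "mora1987.work.gd"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for rule, idx in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule:40s} events {idx}")
```

The behavioural rules (script host spawning hidden PowerShell, a two-minute scheduled task, a Defender exclusion or UAC change driven from a command line) are the ones worth keeping once the campaign rotates its file names and domain; the literal-match rules are there to confirm this specific chain.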

Indicators of Compromise

  • domain — mora1987.work.gd
  • malware — AsyncRAT
  • tool — ScreenConnect (legitimate remote access software, abused by the attackers as the first-stage implant)

Entities

  • Unknown threat actors (SEO poisoning campaign) (threat_actor)
  • Kaspersky (vendor)
  • AsyncRAT (product)
  • ScreenConnect (product)
  • OBS Studio (product)
  • SEO-poisoned software distribution campaign (campaign)