[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fY54FxWWgNgCDxSR0RhYw6dg6NNh2Z4f7wSTLGZRj0rQ":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":30,"category":31,"article_tags":35},"0b9ea9f0-798f-456b-8c5c-001c1f5642a7","The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign","the-soc-files-screenconnect-masked-as-freeware-an-inside-look-at-a-large-scale-c-5d0448","Kaspersky experts have uncovered a malicious network infrastructure for delivering AsyncRAT. The Trojan is dropped via compromised ScreenConnect software. In this post, we break down the infection chain and analyze the C2 infrastructure.","Kaspersky researchers have uncovered a large-scale campaign using compromised ScreenConnect software to deliver the AsyncRAT trojan. Threat actors are distributing malicious installer archives that masquerade as popular freeware, bundling a legitimate Microsoft installer with a rogue DLL that loads ScreenConnect for C2 communication. This campaign has established over 90 domains across 10 languages, targeting both individuals and organizations.","AsyncRAT deployed via compromised ScreenConnect software disguised as freeware.","Introduction To access compromised systems, threat actors frequently abuse legitimate remote monitoring tools. 
At first glance, these utilities rarely raise red flags: they are signed with valid digital certificates, often allowlisted under corporate IT policies, and fully supported by OS vendors. However, they grant attackers the ability to harvest data from target devices, drop malware, and move laterally across the network. During a recent investigation engagement, the Kaspersky Managed Detection and Response (MDR) team discovered the ScreenConnect remote access tool being leveraged to deploy and execute an AsyncRAT payload. A deep dive into this single incident unraveled a massive campaign distributing malicious installer archives hosted on spoofed websites. These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, Bandicam, and others. In total, we uncovered more than 90 domain names localized across 10 languages. The malicious archives bundle a legitimate, signed Microsoft install.exe binary alongside a rogue install.res.1033.dll library. It is loaded onto the device via DLL sideloading and deploys the ScreenConnect service, which awaits further instructions from the threat actors. As a result, what initially appeared to be an isolated ScreenConnect incident served as the starting point for a full investigation into the threat actor’s C2 infrastructure. Every spoofed site we uncovered followed the exact same playbook: dropping a hidden ScreenConnect remote administration service under the guise of a legitimate software installer. This allowed the attackers to maintain control over compromised endpoints, with victims ranging from individual users to organizations. We continue to break down complex, multi-stage incidents like this in our ongoing The SOC Files series. In this post, we take a deep dive into the technical execution of the ScreenConnect attack and analyze the broader infrastructure under the threat actor’s control. 
Initial incident investigation The investigation was triggered by an alert from Kaspersky MDR, which flagged the creation and execution of suspicious PowerShell and VBS scripts spawned by a ScreenConnect process. About ScreenConnect ScreenConnect is a legitimate remote management utility. Kaspersky solutions detect it as not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen. ScreenConnect was running as an Access-type service — enabling direct remote connectivity — with the server explicitly passed via the command line: ScreenConnect service execution event with suspicious parameters Once running, ScreenConnect created and executed a PowerShell script named Fj5NmEsp9EuKrun.ps1: Malicious PowerShell script creation Below is an excerpt from the contents of the script: Snippet of Fj5NmEsp9EuKrun.ps1 This script configures Microsoft Defender exclusions for the following objects: All disks in the system: C:\\, D:\\, and others All root directories on the C:\\ drive, as well as the C:\\Users\\Public directory RegAsm.exe process Additionally, the script disables User Account Control (UAC) prompts by setting the ConsentPromptBehaviorAdmin registry parameter to 0. Following this setup, the ScreenConnect service goes on to create a VBScript file: Malicious VBScript creation The installer_method3_stream.vbs script creates five files in the C:\\Users\\Public directory (msgbox.txt, secret_bytes.txt, 1.vb, cap.ps1, and script.vbs) and immediately triggers their execution by launching script.vbs. Contents of script.vbs This script terminates all active powershell.exe processes to cover its tracks and executes cap.ps1 in a hidden window. Contents of cap.ps1 cap.ps1 reads the contents of the secret_bytes.txt file, extracts sequences matching the [SXX- pattern, and converts XX from hexadecimal representation to a byte. It then uses a 0xA7 XOR key to decrypt each byte and inverts the bit order. 
The resulting byte array yields a fully formed PE binary, which is then reflectively loaded into the CLR. Within the loaded assembly, the ConsoleApp1.Module1 type contains a static method named Run. The script uses reflection (Reflection.BindingFlags) to resolve a reference to this method and invoke it. The Run method executes a process hollowing technique (T1055.012), spawning a new RegAsm.exe process with the CREATE_SUSPENDED flag. The deobfuscated and decrypted PE image from secret_bytes.txt is then copied into its address space. As a result, the RegAsm.exe process no longer executes its original code, instead serving as a container for the injected .NET module — which, in this case, is the AsyncRAT remote access Trojan. To establish persistence, the malware schedules a task named MasterPackager.Updater: \"schtasks\" \u002FCreate \u002FTN \"MasterPackager.Updater\" \u002FTR \"wscript.exe \"C:\\Users\\Public\\script.vbs\" \" \u002FSC MINUTE \u002FMO 2 \u002FF This task triggers every two minutes, ensuring that script.vbs — and consequently the entire loader chain — executes even after a system reboot. Once the entire infection chain successfully executes, the RegAsm.exe process establishes a connection to the C2 domain mora1987[.]work[.]gd. AsyncRAT infection and persistence chain via ScreenConnect How ScreenConnect entered the system A retrospective analysis of the incident allowed us to pinpoint the source of the ScreenConnect installation: a user-downloaded archive named obs-studio-windows-x64.zip. The archive was downloaded from hxxps:\u002F\u002Fwww.studioobs[.]com\u002F, a typosquatted domain mimicking the official site for OBS Studio, a popular open-source screen recording app. 
This site is present in search engine results; in this specific incident, the user landed on the malicious domain directly from a search query, a vector we analyze in more detail below. Clicking the download button for the supposedly legitimate software triggers a request to the following URL, from which the archive is fetched: hxxps:\u002F\u002Ffileget.loseyourip[.]com\u002Fobs-studio-windows-full\u002FgVOMs5VZ9BtlcaM Site used to deliver ScreenConnect The archive contains a legitimate, Microsoft-signed executable named install.exe (87603EA025623B19954E460ADD532048), renamed to masquerade as the OBS Studio installer, along with a malicious library named install.res.1033.dll. Additionally, the archive includes an Assets folder containing both a copy of the actual software being impersonated and the ScreenConnect utility. Contents of obs-studio-windows-x64.zip The complete file structure of the archive is organized as follows: Detailed directory tree of obs-studio-windows-x64.zip When OBS-Studio-Installer.exe is executed, it loads install.res.1033.dll via DLL sideloading. This library contains the instructions required to install both ScreenConnect and OBS Studio. 
The deployment relies on native Windows utilities (msiexec.exe), but the attackers renamed the standard MSI packages to look like DLL files: Assets\\x86\\Data\\vcredist_x64.dll: ScreenConnect installer Assets\\x86\\Data\\vcredist_x86.dll: OBS Studio installer The contents of the vcredist_x64.dll MSI package are shown below: ScreenConnect installation files The Windows Installer is launched to install ScreenConnect silently in the background without requiring a system reboot: msiexec.exe \u002Fi \"C:\\Temp\\OBS-Studio-Windows-x64\\Assets\\x86\\vcredist_x64.dll\" \u002Fqn \u002Fnorestart 1 msiexec.exe \u002Fi \"C:\\Temp\\OBS-Studio-Windows-x64\\Assets\\x86\\vcredist_x64.d","https:\u002F\u002Fsecurelist.com\u002Ftr\u002Fthe-soc-files-screenconnect-campaign-with-asyncrat\u002F120472\u002F","https:\u002F\u002Fmedia.kasperskycontenthub.com\u002Fwp-content\u002Fuploads\u002Fsites\u002F43\u002F2026\u002F06\u002F01082525\u002Fsoc-files-screenconnect-featured-image.jpg","2026-07-01T10:00:51+00:00","2026-07-01T14:00:22.209954+00:00",8,[18,21,24,26,28],{"name":19,"type":20},"ScreenConnect","product",{"name":22,"type":23},"Microsoft","vendor",{"name":25,"type":20},"OBS Studio",{"name":27,"type":20},"DNS Jumper",{"name":29,"type":20},"DS4Windows","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":30,"icon":32,"name":33,"slug":34},null,"Malware","malware",[36,41,46,48],{"category":37},{"id":38,"icon":32,"name":39,"slug":40},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":42},{"id":43,"icon":32,"name":44,"slug":45},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":47},{"id":30,"icon":32,"name":33,"slug":34},{"category":49},{"id":50,"icon":32,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[54,58,60,63],{"type":55,"value":56,"context":57},"ip","162.216.241.242","Cluster 1 IP address",{"type":55,"value":59,"context":57},"198.23.185.81",{"type":55,"value":61,"context":62},"2.59.134.97","Cluster 2 IP address",{"type":34,"value":64,"context":65},"AsyncRAT","Payload delivered by the campaign"]