SEO-Poisoned Fake Software Sites Drop AsyncRAT via ScreenConnect Abuse
Threat actors are exploiting users' trust in popular software brands by creating SEO-optimized spoofed websites that serve malware-laced downloads instead of legitimate applications like OBS Studio and Bandicam. The attack chain is particularly dangerous because it abuses ScreenConnect — a trusted remote access tool — deployed through DLL side-loading alongside legitimate Microsoft binaries, making detection significantly harder. With over 90 localized domains spanning 10 languages, the campaign demonstrates a sophisticated, scalable social engineering operation targeting both individuals and organizations globally. This matters because once AsyncRAT is installed, attackers gain persistent remote access, enabling data theft, lateral movement, and further compromise. Users who lack awareness of download source verification are disproportionately at risk.
Tactical Insight
Immediate actions
- Verify all software downloads exclusively through official vendor websites or trusted package managers, never through search engine ad results or unfamiliar third-party sites.
- Block or alert on unauthorized installations of remote access tools like ScreenConnect using application control policies.
- Scan endpoints for AsyncRAT indicators of compromise (IOCs) and DLL side-loading artifacts published by Kaspersky's research.
Long-term improvements
- Implement application allowlisting to prevent unapproved executables and rogue DLLs from running on endpoints.
- Deploy a DNS filtering solution to block known malicious or newly registered domains associated with SEO-poisoning campaigns.
- Establish a formal software procurement policy that mandates verification of download integrity via cryptographic hashes before installation.
Detection measures
- Enable detailed endpoint telemetry to detect unusual DLL load sequences, especially rogue libraries loaded alongside legitimate Microsoft binaries.
- Monitor network traffic for unexpected ScreenConnect or other RMM tool connections originating from non-IT user endpoints.
- Configure SIEM alerting for mass outbound connections or C2 beacon patterns consistent with AsyncRAT behavior.
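The three detection measures above can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from the article or from Kaspersky: it runs three heuristics over constructed Sysmon-style records (Event ID 7 ImageLoad and Event ID 3 NetworkConnect shaped as dicts). The `ImageSignature` field on load events is an assumed enrichment (Sysmon itself only reports the loaded DLL's signature), `IT_USERS` is an assumed allowlist of accounts permitted to run RMM tools, and every path, hostname, port and file name in the sample events is a constructed placeholder rather than an indicator from the campaign.

```python
"""Toy detections for (1) DLL side-loading next to a Microsoft-signed binary,
(2) ScreenConnect connections from non-IT accounts, (3) fixed-interval beaconing.
All sample events below are constructed; none are real indicators."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
import ntpath  # Windows path semantics regardless of the host OS

MS = "Microsoft Corporation"
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
IT_USERS = {"corp\\it-admin"}                       # assumed: accounts allowed to run RMM tools
RMM_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def dll_sideload_alerts(events):
    """EID 7: a Microsoft-signed executable running from a user-writable directory
    loads a DLL that sits beside it and is not itself Microsoft-signed."""
    out = []
    for e in events:
        if e["event_id"] != 7:
            continue
        img, dll = e["Image"], e["ImageLoaded"]
        dll_ms = e.get("Signed") == "true" and e.get("Signature") == MS
        same_dir = ntpath.dirname(img).lower() == ntpath.dirname(dll).lower()
        if e.get("ImageSignature") == MS and not in_trusted_dir(img) and same_dir and not dll_ms:
            out.append(("dll_sideload", ntpath.basename(img), ntpath.basename(dll)))
    return out


def rmm_from_non_it_alerts(events):
    """EID 3: a ScreenConnect client process talking out under a non-IT account."""
    out = []
    for e in events:
        if (e["event_id"] == 3
                and ntpath.basename(e["Image"]).lower() in RMM_IMAGES
                and e["User"].lower() not in IT_USERS):
            out.append(("rmm_non_it", e["User"], e["DestinationIp"]))
    return out


def beacon_alerts(events, min_conns=4, max_jitter=0.1):
    """EID 3: same process -> same ip:port at near-constant intervals
    (coefficient of variation of the gaps at or below max_jitter)."""
    buckets = defaultdict(list)
    for e in events:
        if e["event_id"] == 3:
            key = (ntpath.basename(e["Image"]).lower(), e["DestinationIp"], e["DestinationPort"])
            buckets[key].append(datetime.fromisoformat(e["UtcTime"]))
    out = []
    for key, ts in buckets.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            out.append(("beacon",) + key + (round(mean(gaps), 1),))
    return out


def run_all(events):
    return dll_sideload_alerts(events) + rmm_from_non_it_alerts(events) + beacon_alerts(events)


# Constructed sample telemetry. "legit-ms-binary.exe" and "placeholder-sideload.dll" are
# placeholders for the abused Microsoft binary and rogue DLL, not the campaign's real names.
_MSB = "C:\\Users\\bob\\AppData\\Local\\Temp\\OBS-Setup\\legit-ms-binary.exe"
SAMPLE_EVENTS = [
    {"event_id": 7, "Image": _MSB, "ImageSignature": MS,
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\OBS-Setup\\placeholder-sideload.dll",
     "Signed": "false", "Signature": ""},
    {"event_id": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageSignature": MS,
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "Signature": MS},
    {"event_id": 3, "Image": "C:\\Program Files (x86)\\ScreenConnect Client (x)\\ScreenConnect.ClientService.exe",
     "User": "CORP\\bob", "DestinationIp": "203.0.113.10", "DestinationPort": 8041,
     "UtcTime": "2024-01-01 10:00:00"},
    *[{"event_id": 3, "Image": _MSB, "User": "CORP\\bob", "DestinationIp": "198.51.100.7",
       "DestinationPort": 4443, "UtcTime": f"2024-01-01 10:{m:02d}:00"} for m in (1, 2, 3, 4, 5)],
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Each rule is deliberately narrow: the side-load rule ignores Microsoft binaries loading Microsoft-signed DLLs from system directories, so ordinary activity stays quiet, while the beacon rule needs several connections at a stable cadence before firing. In production the same logic maps onto a SIEM query over the equivalent fields; tune `min_conns`, `max_jitter` and `IT_USERS` to the environment.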