[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLllw67xr-gljpgNH-vwCynZ24kT3Xu6EbrtBPQWgils":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":24,"created_at":25,"published_at":26,"article":27,"tags":31,"podcasts":50},"0e2343e8-2dfb-481b-a7ba-0e1867993236","seo-poisoned-fake-software-sites-drop-asyncrat-via-screenconnect-abuse","f8e0c555-996e-429f-9f30-6c70aa5fe731","SEO-Poisoned Fake Software Sites Drop AsyncRAT via ScreenConnect Abuse","Threat actors are exploiting users' trust in popular software brands by creating SEO-optimized spoofed websites that serve malware-laced downloads instead of legitimate applications like OBS Studio and Bandicam. The attack chain is particularly dangerous because it abuses ScreenConnect — a trusted remote access tool — deployed through DLL side-loading alongside legitimate Microsoft binaries, making detection significantly harder. With over 90 localized domains spanning 10 languages, the campaign demonstrates a sophisticated, scalable social engineering operation targeting both individuals and organizations globally. This matters because once AsyncRAT is installed, attackers gain persistent remote access, enabling data theft, lateral movement, and further compromise. 
Users who lack awareness of download source verification are disproportionately at risk.","**Immediate actions:**\n- Verify all software downloads exclusively through official vendor websites or trusted package managers, never through search engine results (sponsored or organic — SEO poisoning targets both) or unfamiliar third-party sites; type the vendor's known domain directly rather than clicking a result.\n- Block or alert on unauthorized installations of remote access tools like ScreenConnect using application control policies; where ScreenConnect is sanctioned, permit only the organization's own instance and treat any other ScreenConnect installation or connection as unauthorized.\n- Scan endpoints for AsyncRAT indicators of compromise (IOCs) and DLL side-loading artifacts published by Kaspersky's research.\n\n**Long-term improvements:**\n- Implement application allowlisting to prevent unapproved executables and rogue DLLs from running on endpoints.\n- Deploy a DNS filtering solution to block known malicious or newly registered domains associated with SEO-poisoning campaigns.\n- Establish a formal software procurement policy that mandates verification of download integrity via cryptographic hashes and code-signing checks before installation, with reference hashes and publisher details taken only from the vendor's official channel — never from the download page itself, since a spoofed site can publish matching hashes for its own malicious installer.\n\n**Detection measures:**\n- Enable detailed endpoint telemetry to detect unusual DLL load sequences, especially a signed, legitimate Microsoft binary loading an unsigned or unexpected DLL from a user-writable location.\n- Monitor network traffic for unexpected ScreenConnect or other RMM tool connections originating from non-IT user endpoints, including connections to ScreenConnect relay hosts that are not the organization's own.\n- Configure SIEM alerting for mass outbound connections or periodic C2 beacon patterns consistent with AsyncRAT behavior.",[12,13,14,15,16,17,18,19,20,21,22,23],"CIS Control 2: Inventory and Control of Software Assets","CIS Control 9: Email and Web Browser Protections","CIS Control 10: Malware Defenses","CIS Control 13: Network Monitoring and Defense","NIST SP 800-53 SI-3: Malicious Code Protection","NIST SP 800-53 CM-7: Least Functionality \u002F Application Allowlisting","NIST SP 800-53 AC-17: Remote Access Control","NIST SP 800-53 RA-5: Vulnerability Monitoring and Scanning","MITRE ATT&CK T1574.002: DLL Side-Loading","MITRE ATT&CK T1219: Remote Access Software","MITRE ATT&CK T1608.006: SEO Poisoning","GDPR Article 32: 
Security of Processing (for organizations handling personal data on affected systems)","published","2026-07-01T20:21:40.769441+00:00","2026-07-01T20:21:40.66+00:00",{"id":7,"url":28,"slug":29,"title":30},"https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fseo-poisoned-software-sites-abuse.html","seo-poisoned-software-sites-abuse-screenconnect-to-deploy-asyncrat-c7215c","SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT",[32,38,44],{"id":33,"name":34,"slug":35,"description":36,"color":37},"1732a005-556e-411c-a9db-5edec3058571","Logging & Monitoring","logging-monitoring","Missing logs, no alerting, blind spots","#a855f7",{"id":39,"name":40,"slug":41,"description":42,"color":43},"7261eb8f-acd4-4d93-a489-7fdd652ec0ea","Security Awareness","security-awareness","Phishing, social engineering, human error","#22c55e",{"id":45,"name":46,"slug":47,"description":48,"color":49},"859cf0ad-a7e9-42bb-a75d-bac6511fa5d5","Configuration Management","configuration-management","Misconfigs, default credentials, exposed services","#eab308",[]]