VYPR Research · Published Jul 1, 2026 · 1 source

ScreenConnect Campaign Masquerades as Freeware to Deploy AsyncRAT

A widespread campaign is distributing malicious installer archives disguised as popular freeware, leading to the deployment of the ScreenConnect remote access tool and the AsyncRAT malware.

A large-scale cybercriminal operation is actively distributing malicious installer archives that masquerade as legitimate, popular freeware applications. These archives, designed to trick unsuspecting users, contain a dual payload: a legitimate, signed ScreenConnect binary and a rogue DLL file. This setup enables a DLL sideloading technique, where the malicious DLL is loaded by the legitimate ScreenConnect executable, granting attackers initial access and control over the compromised system.

The campaign has been observed distributing these malicious installers through spoofed websites that mimic official download pages for well-known software such as OBS Studio, Bandicam, and others. Researchers have identified over 90 domain names across 10 different languages that are part of this operation. The attackers leverage ScreenConnect, a legitimate remote management utility, to deploy further malicious payloads, disable User Account Control (UAC) prompts, and establish persistence on victim machines. This allows them to harvest data, deploy additional malware, and potentially move laterally within an organization's network.

Kaspersky's Managed Detection and Response (MDR) team first identified this threat when an alert flagged suspicious PowerShell and VBScript executions originating from a ScreenConnect process. Upon investigation, it was revealed that ScreenConnect was running as an Access-type service, with its server address passed via the command line. This initial incident served as the catalyst for a broader investigation into the threat actor's command and control (C2) infrastructure.

The infection chain begins when a user downloads a malicious archive, often from a typosquatted domain that closely resembles a legitimate software site. Once executed, the archive drops a legitimate Microsoft install.exe binary alongside a rogue install.res.1033.dll. This DLL is loaded by install.exe, initiating the ScreenConnect service. The service then executes a PowerShell script that configures Microsoft Defender exclusions for critical system objects and processes, including all disks, root directories, and the RegAsm.exe process. It also disables UAC prompts by modifying a registry key, preventing users from being alerted to privilege escalation attempts.

Following the initial setup, a VBScript file is created and executed, which in turn creates several other files in the C:\Users\Public directory. One of these scripts, cap.ps1, reads encrypted data from a secret_bytes.txt file, decrypts it using an XOR key, and then reflectively loads the resulting PE binary into a legitimate RegAsm.exe process. This process hollowing technique allows the RegAsm.exe process to execute the injected code, which in this case is the AsyncRAT remote access Trojan.

To ensure continued access, the malware establishes persistence by scheduling a task named MasterPackager.Updater. This task is configured to run every two minutes, executing the VBScript loader chain even after a system reboot. Once the infection is fully established, the compromised RegAsm.exe process connects to the threat actor's C2 domain, typically mora1987[.]work[.]gd, to receive further instructions.
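The three paragraphs above describe a chain that leaves a small set of host-observable traces: a script host spawned by a ScreenConnect process, a Defender exclusion covering whole drives and RegAsm.exe, a UAC-related registry change, scripts dropped into C:\Users\Public, a scheduled task named MasterPackager.Updater, and an outbound connection from RegAsm.exe. The Python below is an added example written for this summary, not code from Kaspersky or from the original report: a toy detection pass over constructed endpoint telemetry that encodes each of those traces as a rule. The event schema, the ScreenConnect process name, the file name loader.vbs, the Add-MpPreference command line and the exact UAC registry value (the report only says "a registry key"; ConsentPromptBehaviorAdmin and EnableLUA are the standard values that govern prompting) are assumptions; the task name, RegAsm.exe, the C:\Users\Public drop directory and the C2 domain come from the report.

```python
# Added example: toy detection pass over constructed endpoint telemetry for
# the ScreenConnect -> AsyncRAT chain described in the report. Not code from
# the report or from Kaspersky; schema and sample events are constructed.
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process", "registry", "task" or "netconn"
    image: str = ""    # process image name
    parent: str = ""   # parent process image name (process events)
    cmdline: str = ""  # command line (process and task events)
    key: str = ""      # registry value path (registry events)
    value: str = ""    # data written (registry events)
    name: str = ""     # scheduled task name (task events)
    dest: str = ""     # destination host (netconn events)


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# ASSUMPTION: ScreenConnect client binaries carry "screenconnect" in the name;
# the report also describes install.exe starting the service via a sideloaded DLL.
SCREENCONNECT_PARENT = re.compile(r"screenconnect|^install\.exe$", re.I)
# Add-MpPreference is the Defender cmdlet; a drive-root path or the RegAsm.exe
# process as an exclusion is what the report describes the script configuring.
DEFENDER_CMDLET = re.compile(r"Add-MpPreference", re.I)
DRIVE_ROOT_EXCLUSION = re.compile(r"-ExclusionPath\s+['\"]?[A-Za-z]:\\?['\"]?(\s|$)", re.I)
REGASM_EXCLUSION = re.compile(r"-ExclusionProcess\s+['\"]?RegAsm\.exe", re.I)
# ASSUMPTION: the report does not name the registry key; these two values under
# Policies\System are the standard ones that control UAC prompting.
UAC_VALUE = re.compile(r"Policies\\System\\(ConsentPromptBehaviorAdmin|EnableLUA)$", re.I)
# Script files dropped into C:\Users\Public, as the report describes.
PUBLIC_DIR_SCRIPT = re.compile(r"C:\\Users\\Public\\[^\s\"']+\.(vbs|ps1|js|bat|cmd)", re.I)
PERSISTENCE_TASK = "MasterPackager.Updater"
# C2 domain from the report (defanged there as mora1987[.]work[.]gd).
KNOWN_C2 = {"mora1987.work.gd"}


def detect(ev: Event) -> list[str]:
    """Return the names of every rule a single event trips."""
    hits = []
    if ev.kind == "process":
        if ev.image.lower() in SCRIPT_HOSTS and SCREENCONNECT_PARENT.search(ev.parent):
            hits.append("script_host_spawned_by_screenconnect")
        if DEFENDER_CMDLET.search(ev.cmdline) and (
            DRIVE_ROOT_EXCLUSION.search(ev.cmdline) or REGASM_EXCLUSION.search(ev.cmdline)
        ):
            hits.append("broad_defender_exclusion")
        if PUBLIC_DIR_SCRIPT.search(ev.cmdline):
            hits.append("script_from_users_public")
    elif ev.kind == "registry":
        if UAC_VALUE.search(ev.key) and ev.value.strip() == "0":
            hits.append("uac_prompt_disabled")
    elif ev.kind == "task":
        if ev.name == PERSISTENCE_TASK or PUBLIC_DIR_SCRIPT.search(ev.cmdline):
            hits.append("suspicious_scheduled_task")
    elif ev.kind == "netconn":
        # RegAsm.exe is the .NET assembly registration tool; it has no
        # legitimate reason to open outbound connections at all.
        if ev.image.lower() == "regasm.exe":
            hits.append("regasm_network_connection")
            if ev.dest.lower() in KNOWN_C2:
                hits.append("known_c2_contact")
    return hits


def analyze(events: list[Event]) -> list[str]:
    """Run every event through detect() and return the distinct rules fired, sorted."""
    return sorted({rule for ev in events for rule in detect(ev)})


# Constructed telemetry modelled on the reported chain; loader.vbs is a
# made-up file name (the report does not name the VBScript).
SAMPLE_EVENTS = [
    Event("process", image="powershell.exe", parent="ScreenConnect.ClientService.exe",
          cmdline='powershell.exe -ep bypass -c "Add-MpPreference -ExclusionPath C:\\ '
                  '-ExclusionProcess RegAsm.exe"'),
    Event("registry", image="powershell.exe",
          key=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
          value="0"),
    Event("process", image="wscript.exe", parent="ScreenConnect.ClientService.exe",
          cmdline=r"wscript.exe C:\Users\Public\loader.vbs"),
    Event("task", name=PERSISTENCE_TASK, cmdline=r"wscript.exe C:\Users\Public\loader.vbs"),
    Event("netconn", image="RegAsm.exe", dest="mora1987.work.gd"),
    Event("process", image="powershell.exe", parent="explorer.exe",
          cmdline="powershell.exe Get-Date"),                # benign control
    Event("netconn", image="chrome.exe", dest="example.com"),  # benign control
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.kind, ev.image or ev.name, detect(ev))
    print("rules fired:", analyze(SAMPLE_EVENTS))
```

The two benign control events show the intent of the rules: a script host is only interesting when its parent is a ScreenConnect process, and a network connection is only interesting when the image is one that should never talk to the network. In practice each rule would be fed from the corresponding EDR or Sysmon event type (process creation, registry value set, scheduled task creation, network connection) rather than from the single flat Event record used here.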

The scale of this campaign is significant, with attackers employing a sophisticated social engineering approach by distributing malware through seemingly legitimate software installers. The use of ScreenConnect as an initial access vector, combined with AsyncRAT for post-exploitation, highlights a common tactic of abusing legitimate tools for malicious purposes. The broad range of spoofed software and localized domains suggests a well-resourced and organized threat actor targeting a wide audience of individual users and organizations globally.

Synthesized by Vypr AI