
90+ Spoofed Domains in 10 Languages Deliver ScreenConnect as Freeware

securelist.com · @threat_watch · 2 hours ago · Cybersecurity · 2 comments

Kaspersky MDR traces a ScreenConnect incident to a campaign using SEO-poisoned typosquatting sites and DLL sideloading to deploy AsyncRAT.

Tags: kaspersky, screenconnect, asyncrat, dll sideloading, seo poisoning, typosquatting

A single ScreenConnect alert led Kaspersky's MDR team to a sprawling malware distribution campaign built on over 90 domain names localized across 10 languages. What looked like an isolated remote access incident unraveled into a multi-stage attack chain that starts with a user downloading a fake OBS Studio installer and ends with AsyncRAT running inside a hollowed RegAsm.exe process.

The Typosquatting Playbook

Every spoofed site follows the same recipe: a typosquatted domain (studioobs[.]com instead of obsproject.com), a ZIP archive containing a legitimate Microsoft-signed install.exe renamed to match the target software (e.g., OBS-Studio-Installer.exe), and a malicious install.res.1033.dll loaded via DLL sideloading. The archive also includes an Assets folder holding both the real software and a renamed ScreenConnect MSI package (vcredist_x64.dll). Victims land on these sites through search engines; the attackers actively use SEO poisoning to push their fake portals to the top of Google and Bing results for queries like "OBS Studio download" or "DNS Jumper".

DLL Sideloading into a Signed Binary

The signed Microsoft binary loads install.res.1033.dll, which silently runs msiexec.exe /i on the ScreenConnect MSI without a reboot. A new service named "Microsoft Update Service" appears, connecting to r[.]servermanagemen[.]xyz. Meanwhile, the legitimate software installer runs in the foreground—the user gets their freeware, and ScreenConnect gets a permanent foothold. Kaspersky lists over 20 software titles being impersonated, including DS4Windows, Bandicam, Process Hacker, Glary Utilities, and even game launchers like tModLoader and Monster Hunter Wilds.

From ScreenConnect to AsyncRAT via Process Hollowing

Once ScreenConnect is active, it spawns a PowerShell script (Fj5NmEsp9EuKrun.ps1) that disables Windows Defender exclusions and User Account Control. Then a VBS script creates five files in C:\Users\Public—including a secret_bytes.txt containing an XOR-encrypted (key 0xA7) .NET assembly. That assembly uses process hollowing (T1055.012) on RegAsm.exe, injecting AsyncRAT into a trusted Microsoft binary. Persistence comes from a scheduled task named "MasterPackager.Updater" running wscript.exe script.vbs every two minutes. The AsyncRAT C2 domain: mora1987[.]work[.]gd.

Infrastructure Clusters and SEO Poisoning

Kaspersky mapped the campaign to three IP addresses: two in the US (162.216.241[.]242 and 198.23.185[.]81, hosted by Dynu Systems and NOHAVPS LLC) and one in Germany (2.59.134[.]97, dataforest GmbH). The first cluster initially targeted gaming sites before pivoting to freeware in January 2025; the German cluster skipped games entirely and went straight to software lures. Over 90 domain names were registered between August 2025 and March 2026, with the bulk appearing in early 2026. The download file servers are separate from the landing pages, hosted on fileget.loseyourip[.]com and direct-download.giize[.]com.

This campaign enables credential theft at scale and resale of access on dark web markets. Organizations should enforce application allowlisting, block MSI execution from untrusted sources, and monitor for new remote admin services—especially ScreenConnect services with e=Access in the command line. The search engine angle means even security-conscious users can get burned by a top-ranked fake download link.
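As an added example, not code from the report or from this summary, the following Python detector applies the indicators described above (the sideloaded install.res.1033.dll, msiexec installing a non-.msi package from a user directory, a new ScreenConnect service with e=Access in its command line, and a wscript.exe task pointed at C:\Users\Public) to constructed telemetry lines; the pipe-separated log layout and every sample line are assumptions made for the demonstration.

```python
import re

# Constructed telemetry lines (not taken from the report), in a simplified
# "event|image|command_line|detail" layout standing in for Sysmon/EDR output.
SAMPLE_LOGS = [
    "ProcessCreate|C:\\Users\\bob\\Downloads\\OBS-Studio-Installer.exe|OBS-Studio-Installer.exe|",
    "ImageLoad|C:\\Users\\bob\\Downloads\\OBS-Studio-Installer.exe||C:\\Users\\bob\\Downloads\\install.res.1033.dll",
    "ProcessCreate|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i C:\\Users\\bob\\Downloads\\Assets\\vcredist_x64.dll /qn|",
    "ServiceInstall|C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe|"
    "ScreenConnect.ClientService.exe \"?e=Access&y=Guest&h=r.servermanagemen.xyz\"|Microsoft Update Service",
    "ScheduledTask|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\Public\\script.vbs|MasterPackager.Updater;PT2M",
    "ProcessCreate|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i C:\\Windows\\Installer\\1a2b.msi /qn|",
    "ScheduledTask|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs|GoogleUpdateTaskMachine;P1D",
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def untrusted(path: str) -> bool:
    """True when a path is outside the usual OS/program directories (i.e. user-writable)."""
    return not path.lower().startswith(TRUSTED_DIRS)

def classify(line: str) -> list[str]:
    """Return the names of every campaign-specific rule that fires on one log line."""
    event, image, cmd, detail = line.split("|", 3)
    hits = []
    # 1. Installer resource DLL loaded from a user-writable directory: DLL sideloading
    if event == "ImageLoad" and detail.lower().endswith("install.res.1033.dll") and untrusted(detail):
        hits.append("sideload_install_res_dll")
    # 2. msiexec /i with a package that is not a .msi or lives in a user-writable path
    m = re.search(r"/i\s+(\S+)", cmd, re.I)
    if image.lower().endswith("msiexec.exe") and m and (
            not m.group(1).lower().endswith(".msi") or untrusted(m.group(1))):
        hits.append("msiexec_untrusted_package")
    # 3. New service whose command line is a ScreenConnect client in Access mode
    if event == "ServiceInstall" and "screenconnect" in cmd.lower() and "e=access" in cmd.lower():
        hits.append("screenconnect_access_service")
    # 4. Scheduled task running a script host against C:\Users\Public
    if event == "ScheduledTask" and image.lower().endswith(("wscript.exe", "cscript.exe")) \
            and "\\users\\public\\" in cmd.lower():
        hits.append("script_host_task_public_dir")
    return hits

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each rule name to the log lines that triggered it."""
    out: dict[str, list[str]] = {}
    for ln in lines:
        for rule in classify(ln):
            out.setdefault(rule, []).append(ln)
    return out
```

Run `scan(SAMPLE_LOGS)` to see that the four malicious lines each trigger exactly one rule while the two benign lines (a vendor MSI from C:\Windows\Installer and a daily svchost task) trigger none.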


Source: The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign
Domain: securelist.com
