Full Report
Unknown threat actors are leveraging the ScreenConnect remote access tool as a way to deploy and execute AsyncRAT. Kaspersky said the activity is part of a "massive, multi-domain, multi-language" campaign that distributes malicious installer archives hosted on spoofed websites. These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others.
Analysis Summary
# Tool/Technique: SEO Poisoning & ScreenConnect-to-AsyncRAT Delivery
## Overview
This campaign involves a massive, multi-domain SEO poisoning operation where unknown threat actors lure users into downloading malicious installer archives from spoofed websites. The attackers utilize the legitimate remote access tool **ScreenConnect** as an initial access and persistence mechanism to eventually deploy **AsyncRAT** via advanced obfuscation and process injection techniques.
## Technical Details
- **Type:** Malware (AsyncRAT), Potentially Unwanted Tool (ScreenConnect), Technique (SEO Poisoning/DLL Side-loading).
- **Platform:** Windows (Multiple localized versions).
- **Capabilities:** Remote desktop control, data exfiltration, screen recording, credential theft, and disabling security software.
- **First Seen:** Domains registered as early as August 2025; campaign identified active in mid-2026.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.003 - Phishing: Spearphishing Link (via SEO Poisoned search results)
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.005 - Command and Scripting Interpreter: Visual Basic
- **TA0003 - Persistence**
- T1053.005 - Scheduled Task/Job: Scheduled Task
- **TA0004 - Privilege Escalation**
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
- **TA0005 - Defense Evasion**
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
- T1562.001 - Impair Defenses: Disable or Modify Tools (Microsoft Defender Exclusions)
- T1055.001 - Process Injection: Process Hollowing
- **TA0011 - Command and Control**
- T1219 - Remote Access Software (ScreenConnect)
## Functionality
### Core Capabilities
- **SEO Poisoning:** Leveraging search engine optimization to rank spoofed websites (mimicking OBS Studio, Bandicam, etc.) at the top of search results.
- **DLL Side-Loading:** Using a signed Microsoft binary (`install.exe`) to load a rogue library (`install.res.1033.dll`).
- **Remote Access (ScreenConnect):** Deploying a legitimate, signed remote management tool to bypass traditional AV and maintain a "living-off-the-land" presence.
### Advanced Features
- **Multi-Stage Scripting:** Sequential execution of PowerShell and VBScripts to chain the infection.
- **Security Impairment:** Automated scripts specifically designed to add Microsoft Defender exclusions and disable UAC prompts.
- **In-Memory Execution:** Extracting AsyncRAT from a byte file (`secret_bytes.txt`) and injecting it into a legitimate process via process hollowing to avoid disk-based detection.
## Indicators of Compromise
- **File Names:**
- `Fj5NmEsp9EuKrun.ps1`
- `installer_method3_stream.vbs`
- `msgbox.txt`, `secret_bytes.txt`, `1.vb`, `cap.ps1`, `script.vbs`
- `install.res.1033.dll`
- **Network Indicators:**
- `mora1987[.]work[.]gd` (C2 Server)
- **Behavioral Indicators:**
- Creation of scheduled task named `MasterPackager.Updater`.
- Mass termination of PowerShell processes followed by a hidden PowerShell window.
- Files created in `C:\Users\Public\`.
## Associated Threat Actors
- **Unknown:** Currently attributed to unidentified threat actors operating a "massive, multi-domain, multi-language" infrastructure.
## Detection Methods
- **Signature-based detection:** Monitoring for the specific rogue DLL (`install.res.1033.dll`) and the known AsyncRAT payloads.
- **Behavioral detection:**
- Monitoring for unexpected ScreenConnect installations on non-admin workstations.
- Flagging PowerShell scripts that add exclusions to Microsoft Defender (`Add-MpPreference -ExclusionPath`).
- Detection of process hollowing (mismatch between PE header and executed code).
## Mitigation Strategies
- **Application Whitelisting:** Restrict the execution of remote access tools (ScreenConnect, AnyDesk, etc.) to authorized administrative accounts only.
- **Endpoint Protection:** Ensure EDR is configured to alert on DLL side-loading and unauthorized tampering with Defender settings.
- **User Training:** Educate users to download software only from official vendor domains and avoid clicking "sponsored" search results for software utilities.
- **Hardening:** Implement "Constrained Language Mode" for PowerShell to limit the impact of malicious scripts.
## Related Tools/Techniques
- **GootLoader:** Also uses SEO poisoning for initial access.
- **Living-off-the-Land (LotL):** The use of legitimate ScreenConnect binaries follows the trend of abusing trusted software for C2.