AsyncRAT Trojan Hidden in 90+ Fake Software Download Sites via DLL Sideloading and ScreenConnect

dark6 3 July 2026

A stealthy campaign is turning trusted remote access software into a weapon against everyday users and businesses. Attackers have hidden the AsyncRAT trojan inside fake software installers, letting it slip past basic security checks by relying on DLL sideloading and a legitimate remote-access tool called ScreenConnect.

Analysts at Kaspersky’s Securelist first identified the pattern while responding to an incident flagged by the company’s Managed Detection and Response team. What began as a single suspicious alert grew into a much larger picture: investigators traced the activity to more than 90 fake websites, each built to look like a download page for popular free programs, including OBS Studio, DNS Jumper, Bandicam, and DS4Windows.

How the Infection Chain Works

The attack starts when a user downloads what looks like an ordinary installer, such as a file named obs-studio-windows-x64.zip. Inside sits a legitimate, Microsoft-signed executable renamed to look like the real installer, paired with a malicious library called install.res.1033.dll.

  • The renamed, signed executable resolves install.res.1033.dll from its own directory and loads it (DLL sideloading), so the malicious code runs under a trusted signature while the genuine free program installs normally
  • ScreenConnect – a remote access tool often permitted by default under workplace security policies – is silently installed in the background
  • Through the ScreenConnect session, a PowerShell script is dropped that adds Microsoft Defender exclusions and disables User Account Control prompts
  • A dropped VBScript decodes an XOR-encrypted payload and loads it into memory
  • The decoded payload is injected into a legitimate Windows process, RegAsm.exe, via process hollowing, so AsyncRAT runs under the name of a trusted system component
  • A scheduled task named MasterPackager.Updater re-runs the chain every two minutes, so the infection survives reboots

Because remote administration tools like ScreenConnect are frequently allowlisted in corporate environments, attackers can move around a network without raising the alarms a traditional malicious binary would trigger.

Infrastructure and Scale

Researchers mapped the campaign’s backend to two main infrastructure clusters spread across three IP addresses. One cluster initially used gaming-themed lures before pivoting in January 2026 to disguise its sites as freeware; the other focused entirely on fake software portals from the start. The threat actor registered domains in ten languages and used search engine optimization tricks to push fake pages to the top of results, meaning victims find these sites through ordinary searches rather than phishing emails.

Domain records show the operation launched around October 2025 and paused registration activity by the end of March 2026, though many fraudulent pages remain live today, continuing to serve malware to unsuspecting downloaders.

Indicators of Compromise

  • mora1987.work.gd – AsyncRAT C2 domain
  • servermanagemen.xyz – ScreenConnect C2 domain
  • r.manage-server.xyz – ScreenConnect C2 domain
  • winservec.net – ScreenConnect C2 domain
  • manageserver.xyz – ScreenConnect C2 domain
  • cloudsynn.com – ScreenConnect-related infrastructure

Recommendations for Defenders

Once inside a system, AsyncRAT lets operators steal credentials and maintain long-term access to home and business systems, providing a foothold that can later be sold on dark web marketplaces or used to stage bigger attacks. To reduce exposure, security teams should:

  • Enforce strict application allowlisting and block MSI package installations from unknown or unmanaged sources
  • Continuously monitor for newly installed remote administration services and unfamiliar scheduled tasks
  • Filter outbound traffic to unfamiliar domains and IP addresses to disrupt command-and-control communication
  • Train users to verify software sources and avoid unofficial download sites, since search engine rankings alone cannot be trusted to surface legitimate software
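The host artifacts in the infection chain above map directly onto the monitoring advice in this list, so the following triage script, written for this article and not taken from Securelist or the campaign analysis, checks a suspect Windows host for each of them. The scheduled task name, the sideloaded DLL name, the RegAsm.exe host process and the C2 domains are the ones the article reports; the directories searched, the "repeats every 1–5 minutes" heuristic, the assumption that the ScreenConnect client service command line carries its relay host as an `h=` parameter, and the function name `Invoke-AsyncRatTriage` are this script's own assumptions. Run it in an elevated PowerShell session.

```powershell
# Added triage script for the artifacts described in this article (not the
# researchers' code). Run as Administrator on the suspect host.
function Invoke-AsyncRatTriage {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Category, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
    }

    # 1. Persistence: the MasterPackager.Updater task, plus any task whose trigger
    #    repeats every 1-5 minutes (ISO 8601 PT1M..PT5M), which benign software rarely needs.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $fast = $task.Triggers | Where-Object { $_.Repetition.Interval -match '^PT[1-5]M$' }
        if ($task.TaskName -like '*MasterPackager*' -or $fast) {
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $actions"
        }
    }

    # 2. ScreenConnect client service. Assumption: the service command line embeds the
    #    relay host as "h=<host>", so it can be compared against the published C2 domains.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like 'ScreenConnect Client*' -or $_.PathName -match 'ScreenConnect' }
    foreach ($svc in $services) {
        $relay = [regex]::Match([string]$svc.PathName, 'h=([^&"\s]+)').Groups[1].Value
        Add-Finding 'RemoteAccessService' "$($svc.Name) [$($svc.State)] relay=$relay"
    }

    # 3. Defender exclusions added by the PowerShell stage to hide later stages.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        foreach ($x in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
            if ($x) { Add-Finding 'DefenderExclusion' $x }
        }
    }

    # 4. UAC prompts disabled.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($pol.EnableLUA -eq 0) { Add-Finding 'UAC' 'EnableLUA = 0 (UAC off)' }
    if ($pol.ConsentPromptBehaviorAdmin -eq 0) { Add-Finding 'UAC' 'ConsentPromptBehaviorAdmin = 0 (elevate without prompting)' }

    # 5. Sideload pairing: install.res.1033.dll next to an executable in user-writable
    #    locations (current user only; iterate C:\Users\* on shared hosts). The EXE's
    #    signer is reported because a valid signature on the loader is the whole trick.
    $roots = @("$env:USERPROFILE\Downloads", $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)
    foreach ($dll in Get-ChildItem -Path $roots -Recurse -File -Filter 'install.res.1033.dll' -ErrorAction SilentlyContinue) {
        foreach ($exe in Get-ChildItem -Path $dll.DirectoryName -File -Filter '*.exe' -ErrorAction SilentlyContinue) {
            $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
            Add-Finding 'SideloadPair' "$($dll.FullName) beside $($exe.Name) (signer: $($sig.SignerCertificate.Subject); $($sig.Status))"
        }
    }

    # 6. Hollowed host: RegAsm.exe normally runs briefly with no network activity, so an
    #    instance holding an established TCP connection is a strong signal.
    foreach ($proc in Get-Process -Name RegAsm -ErrorAction SilentlyContinue) {
        foreach ($c in Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue) {
            Add-Finding 'HollowedRegAsm' "PID $($proc.Id) -> $($c.RemoteAddress):$($c.RemotePort)"
        }
    }

    # 7. DNS cache entries for the IoC domains listed in the article.
    $ioc = 'mora1987.work.gd', 'servermanagemen.xyz', 'r.manage-server.xyz',
           'winservec.net', 'manageserver.xyz', 'cloudsynn.com'
    foreach ($entry in Get-DnsClientCache -ErrorAction SilentlyContinue) {
        if ($ioc | Where-Object { $entry.Entry -like "*$_" }) {
            Add-Finding 'C2Lookup' "$($entry.Entry) -> $($entry.Data)"
        }
    }

    return $findings
}

$result = Invoke-AsyncRatTriage
$result | Format-Table -AutoSize
# Non-zero exit lets an EDR or remote-execution job flag the host without parsing output.
if ($result.Count -gt 0) { exit 1 } else { exit 0 }
```

A ScreenConnect service by itself is not proof of compromise, since the tool is legitimately deployed in many organisations; the point of pulling out the relay host is to compare it with the domains your IT team actually uses and with the IoC list above. The DNS cache check only catches recent lookups, so pair it with proxy or DNS logs for anything older than the cache TTL.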

Security teams should treat any leaked credentials from potentially compromised endpoints as an early warning sign, since compromised systems in this campaign frequently serve as an entry point for larger, follow-on attacks.
