AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories
Essential information
- Published
- 19/09/2025 16:05
- Modified
- 19/09/2025 18:42
- Tags
- 2025-09-19 CVE-2025-3935 asyncrat c2 infrastructure obfuscation open directories payload staging persistence phishing powershell rat remote access trojan screenconnect
- Related entities
- 8 techniques (mitre), 2 malware, 3 others
Description
This intelligence report details a sophisticated attack campaign leveraging trojanized ConnectWise ScreenConnect installers to deliver AsyncRAT payloads. Attackers use open directories as staging points, blending legitimate remote management software abuse with custom loaders and scripts. The campaign employs modular payload staging, native injection techniques, and extensive port/TLS manipulation to maintain resilient command and control infrastructure. Multiple hosts were identified serving similar malware packages, with evidence of payload repackaging and infrastructure rotation to evade detection. The attackers utilize dual execution pathways, aggressive persistence mechanisms, and multi-stage redirect chains to ensure successful compromise across diverse environments.