216.73.216.86

AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories

· Published 19/09/2025 16:05 · Modified 19/09/2025 18:42

Export JSON

Essential information

Published
19/09/2025 16:05
Modified
19/09/2025 18:42
Tags
2025-09-19 CVE-2025-3935 asyncrat c2 infrastructure obfuscation open directories payload staging persistence phishing powershell rat remote access trojan screenconnect
Related entities
8 techniques (mitre), 2 malware, 3 others

Description

This intelligence report details a sophisticated attack campaign leveraging trojanized ConnectWise installers to deliver payloads. Attackers use as staging points, blending legitimate remote management software abuse with custom loaders and scripts. The campaign employs modular , native injection techniques, and extensive port/TLS manipulation to maintain resilient command and control infrastructure. Multiple hosts were identified serving similar malware packages, with evidence of payload repackaging and infrastructure rotation to evade detection. The attackers utilize dual execution pathways, aggressive mechanisms, and multi-stage redirect chains to ensure successful compromise across diverse environments.

External references