{
  "name": "AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories",
  "slug": "asyncrat-campaigns-uncovered-how-attackers-abuse-screenconnect-and-open-directories",
  "description": "This intelligence report details a sophisticated attack campaign leveraging trojanized ConnectWise ScreenConnect installers to deliver AsyncRAT payloads. Attackers use open directories as staging points, blending legitimate remote management software abuse with custom loaders and scripts. The campaign employs modular payload staging, native injection techniques, and extensive port/TLS manipulation to maintain resilient command and control infrastructure. Multiple hosts were identified serving similar malware packages, with evidence of payload repackaging and infrastructure rotation to evade detection. The attackers utilize dual execution pathways, aggressive persistence mechanisms, and multi-stage redirect chains to ensure successful compromise across diverse environments.",
  "published": "2025-09-19T14:05:22+00:00",
  "created_at": "2025-09-19T14:05:22+00:00",
  "modified_at": "2025-09-19T16:42:43+00:00",
  "created_at_opencti": "2025-09-19T14:05:22+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-09-19",
    "CVE-2025-3935",
    "asyncrat",
    "c2 infrastructure",
    "obfuscation",
    "open directories",
    "payload staging",
    "persistence",
    "phishing",
    "powershell rat",
    "remote access trojan",
    "screenconnect"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "0895af71-140c-47c2-bc98-0abc246edf18",
        "name": "PowerShell RAT",
        "slug": "powershell-rat"
      },
      {
        "id": "f200fb60-5446-493f-9712-9f26d65956cc",
        "name": "AsyncRAT",
        "slug": "asyncrat"
      }
    ],
    "attack_patterns": [
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Telecommunications"
      }
    ]
  },
  "external_refs": [
    "https://hunt.io/blog/asyncrat-screenconnect-open-directory-campaigns#ConnectWise_ScreenConnect_Network_Observables_and_Indicators_of_Compromise_IOCs",
    "https://otx.alienvault.com/pulse/68cd7f421874e12c34532ccf"
  ]
}