216.73.217.172

How a single ScreenConnect incident exposed a massive campaign

· Published 01/07/2026 18:52


Essential information

Published
01/07/2026 18:52
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
asyncrat, c2 infrastructure, dll sideloading, fake software, powershell loader, process hollowing, remote access trojan, screenconnect, seo poisoning, typosquatting
Related entities
108 indicators, 103 observables, 18 techniques (mitre), 2 malware

Description

A massive campaign distributes malicious installer archives hosted on spoofed websites masquerading as popular software such as OBS Studio, DNS Jumper, DS4Windows, and Bandicam. Over 90 domain names, localized across 10 languages, were discovered. Each malicious archive bundles a legitimate Microsoft-signed install.exe binary with a rogue install.res.1033.dll library that is loaded via DLL sideloading. This installs the ScreenConnect remote access service, which then deploys further payloads through PowerShell and VBS scripts. The threat actors use SEO poisoning to place the fraudulent sites at the top of search engine results, targeting both individual users and corporate networks. The infrastructure spans three IP addresses, with domains registered between October 2025 and March 2026, giving the campaign a global, multi-language footprint.

External references