How a single ScreenConnect incident exposed a massive campaign
Essential information
- Published: 01/07/2026 18:52
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: asyncrat, c2 infrastructure, dll sideloading, fake software, powershell loader, process hollowing, remote access trojan, screenconnect, seo poisoning, typosquatting
- Related entities: 108 indicators, 103 observables, 18 techniques (MITRE), 2 malware
Description
A massive campaign distributes malicious installer archives hosted on spoofed websites masquerading as popular software such as OBS Studio, DNS Jumper, DS4Windows, and Bandicam. Over 90 domain names, localized across 10 languages, were discovered. Each malicious archive bundles a legitimate Microsoft-signed install.exe binary with a rogue install.res.1033.dll library that is loaded via DLL sideloading. This installs the ScreenConnect remote access service, which then deploys AsyncRAT payloads through PowerShell and VBS scripts. The threat actors use SEO techniques to place the fraudulent sites at the top of search engine results, targeting both individual users and corporate networks. The infrastructure spans three IP addresses, with domains registered between October 2025 and March 2026, giving the campaign a global, multi-language footprint.