Published on July 1, 2026

SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT
Severity

Medium

Detail

Cybersecurity researchers have uncovered a large-scale malware campaign that abuses the legitimate ScreenConnect remote access tool to deploy AsyncRAT on Windows systems. The campaign relies on spoofed software download websites and search engine optimization (SEO) techniques to trick users into downloading trojanized installers disguised as popular applications such as OBS Studio, DNS Jumper, DS4Windows, and Bandicam.

Researchers identified more than 90 malicious domains across 10 languages, indicating a broad campaign targeting both individual users and organizations.

How?

The attack begins when victims download a fake software installer from a malicious website designed to closely resemble the legitimate vendor’s page. The installer contains a signed Microsoft install.exe binary and a malicious DLL, which is executed through DLL sideloading to silently install the ScreenConnect remote access service.

Once ScreenConnect is established, it executes a PowerShell script that weakens system defenses by adding Microsoft Defender exclusions and disabling User Account Control (UAC). The script then creates several additional PowerShell and VBScript files used to orchestrate the next stages of the attack.

The malware extracts an embedded AsyncRAT payload from a local file and launches it using process hollowing, allowing it to execute while evading detection. AsyncRAT then connects to an attacker-controlled command-and-control (C2) server, enabling remote access, data theft, and screen monitoring on the compromised system.

To maintain persistence, the attackers create a scheduled task named “MasterPackager.Updater”, which executes every two minutes to relaunch the malicious scripts after reboot or interruption.

Conclusion

This campaign demonstrates how threat actors are combining SEO poisoning, DLL sideloading, legitimate remote administration tools, and fileless scripting techniques to compromise Windows systems while minimizing detection.

Organizations should educate users to download software only from official vendor websites, monitor for unauthorized ScreenConnect installations, detect suspicious PowerShell and VBScript execution, and watch for abnormal scheduled task creation. Implementing application control, restricting DLL sideloading opportunities, and monitoring endpoint behavior can significantly reduce the risk of similar attacks.
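As an added illustration of the monitoring advice above (example code written for this summary, not from the original report or any vendor tool), the following Python heuristics run over constructed, normalised Windows event records and flag the four behaviours the campaign description mentions: a ScreenConnect service install, a Defender exclusion being added, UAC being disabled via the EnableLUA registry value, and a scheduled task that fires every few minutes. The record field names and the exact message formats are assumptions of this example; the event IDs (System 7045, Defender 5007, Sysmon 13, Security 4698) are standard Windows sources.

```python
"""Heuristic hunting logic for the behaviours described in the advisory above."""
import re

# Constructed sample events, loosely shaped like normalised Windows log records.
# Field names are an assumption of this example, not a real SIEM schema.
SAMPLE_EVENTS = [
    {"id": 7045, "service_name": "ScreenConnect Client (example1234)",  # System: new service
     "image_path": "C:\\Users\\Public\\install.exe"},
    {"id": 5007, "message": "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                            "\\Exclusions\\Paths\\C:\\Users\\Public = 0x0"},  # Defender config change
    {"id": 13, "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                                "\\Policies\\System\\EnableLUA",
     "details": "DWORD (0x00000000)"},  # Sysmon: registry value set
    {"id": 4698, "task_name": "\\MasterPackager.Updater",  # Security: scheduled task created
     "task_content": "<Repetition><Interval>PT2M</Interval></Repetition>"},
    {"id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",  # benign control
     "task_content": "<Interval>P1W</Interval>"},
]

# Tasks repeating this often or faster are unusual outside of monitoring agents.
MAX_BENIGN_REPEAT_MINUTES = 5


def detect(events):
    """Return (label, evidence) tuples for records matching the campaign's behaviours."""
    findings = []
    for e in events:
        eid = e.get("id")
        if eid == 7045 and "screenconnect" in e.get("service_name", "").lower():
            findings.append(("remote_access_tool_installed", e["service_name"]))
        elif eid == 5007 and "\\Exclusions\\" in e.get("message", ""):
            findings.append(("defender_exclusion_added", e["message"]))
        elif (eid == 13 and e.get("target_object", "").endswith("\\EnableLUA")
              and "0x00000000" in e.get("details", "")):
            findings.append(("uac_disabled", e["target_object"]))
        elif eid == 4698:
            name = e.get("task_name", "")
            # ISO 8601 minute intervals such as PT2M inside the task XML
            m = re.search(r"<Interval>PT(\d+)M</Interval>", e.get("task_content", ""))
            rapid = m is not None and int(m.group(1)) <= MAX_BENIGN_REPEAT_MINUTES
            if "MasterPackager" in name or rapid:
                findings.append(("suspicious_scheduled_task", name))
    return findings


if __name__ == "__main__":
    for label, evidence in detect(SAMPLE_EVENTS):
        print(f"[{label}] {evidence}")
```

The benign weekly defrag task is included to show that the interval check alone does not fire on ordinary maintenance tasks.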

Source

https://thehackernews.com/2026/07/seo-poisoned-software-sites-abuse.html