Published on July 2, 2026

Hackers Abuse ScreenConnect Remote Access Tool to Deploy AsyncRAT Through Fake Installers


Severity

Medium

Detail

A widespread malware campaign has been observed abusing the legitimate remote access tool ScreenConnect to deploy AsyncRAT through fake software installers disguised as popular freeware applications. The attack chain combines trusted signed binaries, DLL sideloading, reflective loading, and process hollowing to establish stealthy persistence and remote access capabilities on infected systems.

The campaign distributes trojanized installers through typosquatted and spoofed websites impersonating widely used applications such as OBS Studio, DNS Jumper, DS4Windows, and Bandicam. These malicious archives are often localized across multiple languages to increase credibility and victim reach.

Each downloaded package typically contains a legitimate Microsoft-signed executable alongside a malicious DLL and additional components, including a repackaged ScreenConnect installer. Execution begins when the signed executable loads the malicious DLL via sideloading, which then deploys ScreenConnect under misleading service names such as “Microsoft Update Service” and connects it to attacker-controlled infrastructure.

Once installed, ScreenConnect is used to execute PowerShell and VBScript commands that weaken system defenses by adding antivirus exclusions, disabling user account control prompts, and dropping additional payloads in public system directories. A multi-stage loader then decrypts and reconstructs a payload in memory using encoded data, XOR operations, and bit manipulation techniques.

The final payload, AsyncRAT, is reflectively loaded into memory and executed through .NET reflection mechanisms rather than written to disk as a standalone executable. In some cases, process hollowing is used instead, injecting the payload into legitimate system processes such as RegAsm.exe so that the malware runs under a trusted process image and evades traditional detection techniques.

Persistence is maintained through scheduled tasks configured to repeatedly re-execute the infection chain after system restarts. Supporting infrastructure analysis indicates multiple clusters of command-and-control servers and download hosts, with operations active between October 2025 and March 2026.

Search engine optimization techniques were also used to increase visibility of malicious download pages, causing them to appear in top search results and increasing the likelihood of user infection.

IOCs

  • Domain: mora1987[.]work[.]gd — AsyncRAT command-and-control server
  • URL: hxxps[:]//fileget.loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaM — Malicious OBS Studio installer download
  • URL: hxxps[:]//direct-download.giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j — Malicious DNS Jumper installer download

Recommendations

Organizations and users are advised to take the following precautions to reduce exposure to this threat:

  • Download software only from official and verified vendor websites and avoid third-party download portals or sponsored search results.
  • Verify digital signatures and file integrity before executing downloaded installers.
  • Monitor for unexpected creation of new services, scheduled tasks, or remote administration tools such as ScreenConnect.
  • Block execution of untrusted MSI and installer files from non-approved sources where possible.
  • Educate users to verify software authenticity before installation, especially when prompted by search engine results or advertisements.
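The monitoring recommendation above, together with the defense-weakening steps described in the Detail section (antivirus exclusions, disabled UAC prompts, payloads dropped in public directories, scheduled-task re-execution, RegAsm.exe used as a hollowing host), can be expressed as a handful of detection rules. The following is an added example, not code from the advisory or from the source article: simple rules run over constructed Windows event records shaped like System 7045 (service installed), Windows Defender 5007 (configuration changed), Sysmon 13 (registry value set), Security 4698 (scheduled task created) and Sysmon 1 (process create). The sample records, the ScreenConnect.ClientService.exe binary name, the directory lists and the field names are assumptions chosen for illustration; only the "Microsoft Update Service" display name comes from the advisory.

```python
import re

# Constructed sample records, normalized to flat dicts. None of these come
# from the advisory; every path, name and value here is made up.
SAMPLE_EVENTS = [
    # System 7045: ScreenConnect registered under a Microsoft-looking display
    # name (assumed client binary name; display name is from the advisory).
    {"event_id": 7045, "service_name": "Microsoft Update Service",
     "image_path": "C:\\Users\\Public\\Bin\\ScreenConnect.ClientService.exe"},
    # Benign 7045 for comparison.
    {"event_id": 7045, "service_name": "Print Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    # Defender 5007: a path exclusion added for a public directory.
    {"event_id": 5007, "new_value":
     "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public = 0x0"},
    # Sysmon 13: UAC disabled via EnableLUA = 0.
    {"event_id": 13, "target_object":
     "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "details": "DWORD (0x00000000)"},
    # Security 4698: scheduled task whose action runs from a public directory.
    {"event_id": 4698, "task_name": "\\Microsoft\\Windows\\UpdateCheck",
     "task_content": "<Exec><Command>C:\\Users\\Public\\run.vbs</Command></Exec>"},
    # Sysmon 1: RegAsm.exe started by a loader outside trusted directories.
    {"event_id": 1, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "parent_image": "C:\\Users\\Public\\loader.exe"},
    # Benign Sysmon 1 for comparison.
    {"event_id": 1, "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
]

# Directory lists are illustrative assumptions; tune them per environment.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PUBLIC_DIRS = ("c:\\users\\public", "c:\\programdata", "c:\\windows\\temp")
UAC_KEYS = ("enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop")


def _lower(value):
    return (value or "").lower()


def in_trusted_dir(path):
    """True when the path sits under a Windows or Program Files directory."""
    return _lower(path).startswith(TRUSTED_DIRS)


def rule_masquerading_service(ev):
    """7045: remote-access tool as a service, or Microsoft-named service
    whose binary lives outside trusted directories."""
    if ev.get("event_id") != 7045:
        return None
    name, path = _lower(ev.get("service_name")), _lower(ev.get("image_path"))
    if "screenconnect" in path:
        return "remote-access tool installed as a service"
    if "microsoft" in name and not in_trusted_dir(path):
        return "Microsoft-named service with untrusted binary path"
    return None


def rule_defender_exclusion(ev):
    """5007: any change under the Defender Exclusions key."""
    if ev.get("event_id") == 5007 and "\\exclusions\\" in _lower(ev.get("new_value")):
        return "Defender exclusion added"
    return None


def rule_uac_weakened(ev):
    """13: a UAC policy value written as zero."""
    if ev.get("event_id") != 13:
        return None
    key = _lower(ev.get("target_object")).rsplit("\\", 1)[-1]
    if key in UAC_KEYS and re.search(r"0x0+\)", _lower(ev.get("details"))):
        return f"UAC setting {key} set to 0"
    return None


def rule_task_from_public_dir(ev):
    """4698: task action points into a world-writable public directory."""
    if ev.get("event_id") != 4698:
        return None
    content = _lower(ev.get("task_content"))
    if any(d in content for d in PUBLIC_DIRS):
        return "scheduled task runs payload from public directory"
    return None


def rule_regasm_untrusted_parent(ev):
    """1: RegAsm.exe launched by a parent outside trusted directories."""
    if ev.get("event_id") != 1:
        return None
    if _lower(ev.get("image")).endswith("\\regasm.exe") and not in_trusted_dir(ev.get("parent_image")):
        return "RegAsm.exe spawned by untrusted parent (possible hollowing host)"
    return None


RULES = [rule_masquerading_service, rule_defender_exclusion, rule_uac_weakened,
         rule_task_from_public_dir, rule_regasm_untrusted_parent]


def scan(events):
    """Return (rule name, reason, event) for every event that matches a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                findings.append((rule.__name__, reason, ev))
    return findings


if __name__ == "__main__":
    for rule_name, reason, ev in scan(SAMPLE_EVENTS):
        print(f"[{rule_name}] event {ev['event_id']}: {reason}")
```

Each rule is deliberately narrow so that a single match is easy to triage; in practice the five would be correlated on the same host within a short window, since the advisory describes them as consecutive stages of one chain rather than independent events.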

Source

https://gbhackers.com/screenconnect-to-deploy-asyncrat/