SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT
What happened
Unknown threat actors are using SEO-poisoned software download sites to distribute malicious installer archives that abuse ScreenConnect and ultimately deploy AsyncRAT.
Kaspersky described the activity as a massive, multi-domain, multi-language campaign built around spoofed software websites. The malicious sites impersonate popular tools such as OBS Studio, DNS Jumper, DS4Windows, Bandicam, and other utilities.
Researchers identified more than 90 domains localized across 10 languages, including English, Russian, Chinese, German, French, Spanish, Portuguese, and Arabic. Some of the domains were created between August 2025 and March 2026.
The attackers use search engine optimization techniques to push the fraudulent sites higher in Google and Bing results. Victims looking for legitimate software may then land on a fake product page and download a malicious installer archive.
The malicious archive includes a legitimate, signed Microsoft install.exe binary alongside a rogue DLL file. The DLL is loaded through DLL side-loading and deploys the ScreenConnect remote access service.
Once ScreenConnect is running, it waits for instructions from the attackers. This gives the threat actor remote access to compromised endpoints, affecting both individual users and organizations.
The ScreenConnect service then creates and executes a PowerShell script that adds Microsoft Defender exclusions, disables User Account Control prompts, and creates a Visual Basic Script file.
The attack chain drops several files into the C:\Users\Public directory. The VBScript then terminates active PowerShell processes and runs another PowerShell script in a hidden window.
That script extracts the AsyncRAT module from a local file and runs it using process hollowing. AsyncRAT then connects to a remote server, giving attackers the ability to control infected Windows systems, steal sensitive data, and monitor user activity by recording screen content.
Persistence is established through a scheduled task named MasterPackager.Updater, which runs every two minutes and re-executes the malicious script after system reboot.
Who is affected
Windows users who download software from spoofed sites are directly affected.
The campaign is especially relevant to users searching for popular utilities through search engines instead of downloading software directly from official vendor websites.
Organizations may also be affected if employees install software from SEO-poisoned pages on work devices. Once compromised, those systems can be remotely controlled through ScreenConnect and later infected with AsyncRAT.
The risk is higher in environments where users have permission to download and install unsigned or unfamiliar software, where remote access tools are not tightly controlled, and where PowerShell or scheduled task activity is not monitored.
Why CISOs should care
This campaign shows how SEO poisoning can turn ordinary software searches into an initial access path. Users may believe they are downloading familiar tools, but the top search results can lead to spoofed pages hosting malicious installers.
For CISOs, the ScreenConnect abuse is important because legitimate remote access tools can blend into enterprise environments. If remote support tools are allowed or already used internally, malicious deployments may not stand out unless teams monitor installation paths, service creation, and unusual remote access behavior.
The use of DLL side-loading and signed Microsoft binaries also complicates detection. The attack chain starts with a legitimate executable and uses trusted Windows scripting components before delivering AsyncRAT.
The persistence mechanism is also a practical detection opportunity. A scheduled task named MasterPackager.Updater running every two minutes should be investigated, especially if it points to scripts staged in public user directories.
3 practical actions
Restrict software downloads to trusted sources: The campaign relies on spoofed software sites pushed through search engine results. CISOs should require users to download software from official vendor sites, internal software portals, or approved package repositories.
Monitor remote access tool deployment: The attackers used ScreenConnect to maintain control before deploying AsyncRAT. Security teams should inventory approved remote access tools, alert on unauthorized ScreenConnect installations, and review new services, remote sessions, and unexpected support-tool activity.
Hunt for the campaign’s script and persistence behavior: The attack uses DLL side-loading, PowerShell, VBScript, files staged in C:\Users\Public, process hollowing, and a scheduled task named MasterPackager.Updater. Defenders should review endpoint telemetry for these behaviors and investigate unusual AsyncRAT or ScreenConnect connections.
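The following host-level hunt script is an added example for the persistence and script behaviour described in this section and under "Why CISOs should care"; it is not part of Kaspersky's report or this article. The task name, the C:\Users\Public staging directory, the two-minute repetition, the Defender exclusions and the UAC changes come from the article; the '*ScreenConnect*' service-name pattern, the 30-day file window and the scripting-host exclusion patterns are assumptions.

```powershell
# Added hunt script (not from the report). Run in an elevated PowerShell session
# on the endpoint under review; compare hits against your approved-software inventory.
$findings   = [System.Collections.Generic.List[string]]::new()
$stagingDir = 'C:\Users\Public'   # staging directory named in the article

# 1. Scheduled tasks: the exact name from the report, plus the behavioural pattern
#    (two-minute repetition with an action that launches from the public directory).
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $cmdLine   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $repeats2m = $task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT2M' }
    if ($task.TaskName -eq 'MasterPackager.Updater') {
        $findings.Add("Task '$($task.TaskName)' matches the campaign persistence name: $cmdLine")
    } elseif ($repeats2m -and $cmdLine -like "*$stagingDir*") {
        $findings.Add("Task '$($task.TaskName)' repeats every 2 min and runs from $stagingDir : $cmdLine")
    }
}

# 2. Defender exclusions: the dropped PowerShell stage adds these. An exclusion covering
#    the staging directory or a scripting host (pattern is an assumption) deserves review.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($ex in @($mp.ExclusionPath) + @($mp.ExclusionProcess)) {
    if ($ex -and ($ex -like "*$stagingDir*" -or $ex -match 'powershell|wscript|cscript')) {
        $findings.Add("Defender exclusion covers a scripting host or staging path: $ex")
    }
}

# 3. UAC: the script disables consent prompts. EnableLUA = 0 turns UAC off entirely;
#    ConsentPromptBehaviorAdmin = 0 elevates administrators without any prompt.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -eq 0) { $findings.Add('UAC is disabled (EnableLUA = 0)') }
if ($uac.ConsentPromptBehaviorAdmin -eq 0) { $findings.Add('UAC elevates silently (ConsentPromptBehaviorAdmin = 0)') }

# 4. ScreenConnect services: the '*ScreenConnect*' name pattern is an assumption.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like '*ScreenConnect*' -or $_.DisplayName -like '*ScreenConnect*' } |
    ForEach-Object { $findings.Add("Remote access service present: $($_.DisplayName) -> $($_.PathName)") }

# 5. Recently written VBS/PS1 files in the staging directory (30-day window is an assumption).
Get-ChildItem -Path $stagingDir -File -Include *.vbs,*.ps1 -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    ForEach-Object { $findings.Add("Script staged in public directory: $($_.FullName) ($($_.LastWriteTime))") }

if ($findings.Count -eq 0) { 'No indicators from this campaign found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on check 1 with the exact task name is a strong indicator; hits on checks 2 to 5 alone are review prompts, since legitimate administration can produce each of them.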