Kaspersky Exposes AsyncRAT Campaign Using ScreenConnect

"The malicious archives bundle a legitimate, signed Microsoft install.exe binary alongside a rogue install.res.1033.dll library," security researcher Denis Kulik said.

How Kaspersky describes the campaign

According to Kaspersky, unknown threat actors are running a "massive, multi-domain, multi-language" operation that uses spoofed software download sites to deliver a multi-stage infection chain. The campaign distributes malicious installer archives that masquerade as popular utilities such as OBS Studio, DNS Jumper, DS4Windows, and Bandicam. Kaspersky identified more than 90 domain names localized across 10 languages, including English, Russian, Chinese, German, French, Spanish, Portuguese, and Arabic. Some of those domains were registered between August 2025 and March 2026.

DLL side‑loading and deployment of ScreenConnect

Kulik and Kaspersky report that the delivered archives combine a legitimate, signed Microsoft install.exe with a rogue install.res.1033.dll. That rogue library is loaded through DLL side‑loading, which in turn deploys the ScreenConnect remote access service on the targeted Windows hosts. "This allowed the attackers to maintain control over compromised endpoints, with victims ranging from individual users to organizations," Kaspersky said.

PowerShell, VBScript, and the extraction of AsyncRAT

Once ScreenConnect is active, the service creates and executes a PowerShell script named "Fj5NmEsp9EuKrun.ps1." Kaspersky says that script configures Microsoft Defender exclusions, disables User Account Control (UAC) prompts, and creates a Visual Basic Script named "installer_method3_stream.vbs." That VBScript then writes five files into the C:\Users\Public directory:

  • msgbox.txt
  • secret_bytes.txt
  • 1.vb
  • cap.ps1
  • script.vbs

The chain continues when "script.vbs" is executed. That script terminates all active PowerShell processes and launches "cap.ps1" in a hidden window. Kaspersky reports the primary task of the PowerShell component is to read the contents of "secret_bytes.txt," extract an AsyncRAT module from it, and load that module into memory using process hollowing.

Remote control, data theft, and persistence

After AsyncRAT is running, the malware reaches back to a remote server at "mora1987.work[.]gd." Kaspersky says that connection gives the threat actor the ability to covertly control infected Windows systems, steal sensitive data, and monitor user activity by recording screen content. Persistence is established through a scheduled task named "MasterPackager.Updater" that is configured to run "script.vbs" every two minutes, ensuring the attack sequence is re‑executed after a reboot.

What this means for technologists, procurement leads, and end users

Technologists and security teams should be aware that this campaign pairs a legitimate, signed install.exe with a rogue DLL to side‑load ScreenConnect, and then drops artifacts with fixed names: the PowerShell script "Fj5NmEsp9EuKrun.ps1," the VBScript "installer_method3_stream.vbs," the file "secret_bytes.txt," and the scheduled task "MasterPackager.Updater." Detection and hunting should include checks for those filenames, unexpected ScreenConnect services, and process hollowing behavior tied to PowerShell-launched payloads.
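As an added defender-side example (not code from Kaspersky's report or its tooling), the following Python classifies constructed Sysmon-style telemetry records against the artifacts named above and reports which hosts show each one. The record schema and the sample events are assumptions; only the file, task and DLL names and the C2 host come from the report.

```python
import re
# Artifact names quoted in the Kaspersky report, lower-cased for matching.
PUBLIC_DROPS = {"msgbox.txt", "secret_bytes.txt", "1.vb", "cap.ps1", "script.vbs"}
NAMED_SCRIPTS = {"fj5nmesp9eukrun.ps1", "installer_method3_stream.vbs"}
SIDELOAD_DLL = "install.res.1033.dll"
TASK_NAME = "masterpackager.updater"
C2_HOST = "mora1987.work.gd"  # defanged in the report as mora1987.work[.]gd

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the artifact tags one telemetry record matches ([] means nothing seen)."""
    hits, kind = [], event.get("type")
    if kind == "image_load":  # signed install.exe loading the rogue resource DLL
        if _basename(event["image"]) == "install.exe" and _basename(event["loaded"]) == SIDELOAD_DLL:
            hits.append("dll_sideload")
    elif kind == "file_create":
        path = event["path"].lower()
        if path.startswith("c:\\users\\public\\") and _basename(path) in PUBLIC_DROPS:
            hits.append("public_drop")
        if _basename(path) in NAMED_SCRIPTS:
            hits.append("named_script")
    elif kind == "process_create":
        cmd = event["cmdline"].lower()
        if "cap.ps1" in cmd and re.search(r"-w(indowstyle)?\s+hidden", cmd):
            hits.append("hidden_loader")  # cap.ps1 launched in a hidden window
        if "schtasks" in cmd and TASK_NAME in cmd:
            hits.append("persistence_task")
    elif kind == "dns_query" and event["query"].lower().rstrip(".") == C2_HOST:
        hits.append("c2_dns")
    return hits

def hunt(events):
    """Map each artifact tag to the sorted list of hosts it was seen on."""
    seen = {}
    for ev in events:
        for tag in classify(ev):
            seen.setdefault(tag, set()).add(ev["host"])
    return {tag: sorted(hosts) for tag, hosts in seen.items()}

# Constructed sample telemetry for the demonstration; not real victim data.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "image_load", "image": r"C:\Users\a\Downloads\OBS-Studio\install.exe", "loaded": r"C:\Users\a\Downloads\OBS-Studio\install.res.1033.dll"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Users\Public\secret_bytes.txt"},
    {"host": "ws01", "type": "process_create", "cmdline": r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\cap.ps1"},
    {"host": "ws01", "type": "process_create", "cmdline": r"schtasks /create /tn MasterPackager.Updater /sc minute /mo 2 /tr C:\Users\Public\script.vbs"},
    {"host": "ws01", "type": "dns_query", "query": "mora1987.work.gd"},
    {"host": "ws02", "type": "file_create", "path": r"C:\Users\b\Documents\notes.txt"},
]
```

Calling `hunt(SAMPLE_EVENTS)` tags only ws01; a clean host such as ws02 produces no entries, and any single tag is already worth triage because every one of these names is specific to this chain.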

Procurement and enterprise leaders should note the attackers' use of fraudulent websites that mimic vendor pages and rely on search engine optimization to appear at the top of results in engines like Google and Bing. Kaspersky calls out the deliberate localization of over 90 domains across multiple languages to widen reach and credibility.

End users are the immediate targets of the spoofed download pages: the campaign impersonates widely used utilities such as OBS Studio, DNS Jumper, DS4Windows, and Bandicam. Users relying on search results for downloads may encounter these poisoned pages and installers that combine legitimate signed binaries with malicious DLLs.

Kaspersky's findings show a carefully composed attack chain: SEO‑pushed spoofed sites deliver archives in which a legitimate, signed setup binary side‑loads a malicious DLL that installs ScreenConnect; named scripts then disable defenses, extract AsyncRAT from an on‑disk blob, and ensure rapid re‑execution via a two‑minute scheduled task. The campaign's breadth — more than 90 localized domains and registration activity across August 2025–March 2026 — underscores the attackers' operational scale and the specific artifacts defenders can look for.

Read the original Kaspersky summary at the source article.