
ScreenConnect Exploited in Large-Scale Campaign Disguised as Freeware


Kaspersky's investigation found more than 90 domain names localized across 10 languages used to distribute a hidden ScreenConnect installer that ultimately delivered an AsyncRAT payload.

How ScreenConnect was delivered and installed

The intrusion began with a user-downloaded archive named obs-studio-windows-x64.zip fetched from a typosquatted site, hxxps://www.studioobs[.]com. The archive bundled a legitimate, Microsoft-signed install.exe (renamed to pose as the OBS installer) together with a malicious library, install.res.1033.dll, and an Assets directory that included both the promised application and the ScreenConnect utility. When the fake OBS-Studio-Installer.exe executed, it sideloaded install.res.1033.dll. That DLL invoked msiexec.exe to silently install a ScreenConnect MSI (renamed in the archive as Assets\x86\Data\vcredist_x64.dll), launching msiexec with /qn /norestart. The ScreenConnect install created a service named Microsoft Update Service whose command line specified a server address of r[.]servermanagemen[.]xyz.

AsyncRAT loader chain, code injection, and persistence

Kaspersky MDR traced the post-install activity to a ScreenConnect process that launched suspicious PowerShell and VBScript files. A PowerShell script named Fj5NmEsp9EuKrun.ps1 configured Microsoft Defender exclusions (all disks, the root directories on C:\, C:\Users\Public and RegAsm.exe) and disabled UAC prompts by setting the ConsentPromptBehaviorAdmin registry value to 0. The install_method3_stream.vbs dropper created multiple files in C:\Users\Public and launched script.vbs, which terminated powershell.exe processes and launched cap.ps1 in a hidden window.

cap.ps1 reads secret_bytes.txt, extracts byte sequences, XORs each byte with 0xA7 and inverts the bit order to reconstruct a PE image. The reconstructed DLL is reflectively loaded into the CLR; the loaded assembly’s ConsoleApp1.Module1.Run method performs process hollowing (T1055.012) by spawning RegAsm.exe suspended, replacing its memory with the deobfuscated PE (the AsyncRAT module), and resuming execution. The chain creates a scheduled task — MasterPackager.Updater — that runs wscript.exe "C:\Users\Public\script.vbs" every two minutes to enforce persistence. The injected RegAsm.exe instance connects to an AsyncRAT C2 at mora1987[.]work[.]gd.
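To show what the cap.ps1 transform looks like in reverse for an analyst recovering the embedded PE, here is an added Python example (not code from the Kaspersky report). The layout of secret_bytes.txt is not described in the article, so the example takes the already-extracted bytes directly and applies the two steps in the order the text states (XOR with 0xA7, then bit reversal); the input blob is constructed from a minimal fake PE header.

```python
# Added example (not from the Kaspersky report): reverses the two-step
# obfuscation the article attributes to cap.ps1 so an analyst can recover
# the embedded PE for offline inspection. The exact layout of
# secret_bytes.txt is not described, so this takes the extracted bytes directly.
import struct

XOR_KEY = 0xA7

def reverse_bits(b: int) -> int:
    """Invert the bit order of one byte (bit 0 <-> bit 7, bit 1 <-> bit 6, ...)."""
    return int(f"{b:08b}"[::-1], 2)

# 256-entry lookup table so large blobs decode quickly
_REV = bytes(reverse_bits(i) for i in range(256))

def deobfuscate(blob: bytes) -> bytes:
    """XOR each byte with 0xA7, then invert its bit order (the order the article states)."""
    return bytes(_REV[b ^ XOR_KEY] for b in blob)

def obfuscate(pe: bytes) -> bytes:
    """Inverse transform; used here only to build the constructed test input."""
    return bytes(_REV[b] ^ XOR_KEY for b in pe)

def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' signature and a 'PE\\0\\0' header at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Constructed stand-in for a PE (not a real sample): 'MZ' stub whose
# e_lfanew field (offset 0x3C) points at a PE signature at offset 0x40.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 16
SAMPLE_SECRET_BYTES = obfuscate(FAKE_PE)

if __name__ == "__main__":
    recovered = deobfuscate(SAMPLE_SECRET_BYTES)
    print("PE recovered:", looks_like_pe(recovered))
```

If a real blob decodes to something without an MZ header, the two steps are probably applied in the other order; swapping them is a one-line change.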

Infrastructure: domains, hosting clusters, and timelines

Kaspersky mapped the campaign to two clusters of hosting infrastructure. Cluster 1 included the IPs 162.216.241[.]242 (Dynu Systems Incorporated) and 198.23.185[.]81 (NOHAVPS LLC); file hosting for the studioobs[.]com lure was served from fileget.loseyourip[.]com, with additional resources on the NOHAVPS host. Cluster 2 centered on 2.59.134[.]97 (dataforest GmbH), which hosted direct-download.giize[.]com and a set of counterfeit freeware portals. The domains in the second cluster were registered between October 2025 and March 2026. Based on the domain registration dates, Kaspersky concludes that the campaign launched in October 2025 and paused at the end of March 2026, although many landing pages remain indexed in search engines.

  • Example C2 and management domains tied to the campaign: servermanagemen[.]xyz, r.manage-server[.]xyz, winservec[.]net, manageserver[.]xyz, cloudsynn[.]com, pingserv[.]pro, edgeserv[.]ru.
  • AsyncRAT C2 observed: mora1987[.]work[.]gd.
  • Sample fake download hosts: fileget.loseyourip[.]com, direct-download.giize[.]com, file-download-crosshairx.giize[.]com.

Search-engine poisoning and multilingual spoofed portals

The threat actor replicated a consistent playbook across many spoofed sites: craft a convincing product page (OBS Studio, DNS Jumper, DS4Windows, Process Hacker, Glary Utilities among others), push it into organic search results using SEO techniques, and host an archive that pairs a signed install.exe with a sideloaded malicious DLL and an Assets folder containing both the requested app and ScreenConnect. Kaspersky observed most fraudulent sites localized into English, Russian, and Chinese, with additional translations in German, French, Spanish, Arabic and other languages. A representative example is a DNS Jumper fake portal whose download button resolves to hxxps://direct-download.giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j, delivering an archive with the identical malicious structure.

What this means for technologists, enterprise users, and individual downloaders

  • Technologists and security teams: monitor for new remote administration services with unusual parameters (EventID 4697), anomalous child processes spawned by ScreenConnect binaries, scheduled tasks created from public directories (schtasks), and suspicious reflective assembly loading in PowerShell. Kaspersky flags these behaviors with detections such as suspicious_assembly_loading_into_powershell_via_reflection_amsi and scheduled_task_create_from_public_directory_via_schtasks.
  • Enterprise users and procurement teams: enforce stricter application allowlisting, block MSI execution from untrusted sources, filter outbound traffic to unknown domains and IPs, and implement credential-monitoring controls — the report highlights credential theft and unauthorized access as likely objectives.
  • Individual downloaders: verify the authenticity of download sites and installers. The campaigns depend on convincing, localized fake portals and a signed Microsoft binary repackaged with a malicious DLL.
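The behaviours listed for security teams above translate into simple telemetry checks. The following Python is an added example, not Kaspersky's detection content: four toy rules (masqueraded service install, ScreenConnect spawning a script interpreter, Defender/UAC tampering, scheduled task created from C:\Users\Public) run over constructed event records that mirror the article's chain. The record field names, file paths and the Add-MpPreference command line are assumptions.

```python
# Added example, not part of the Kaspersky report or its detection rules:
# toy checks over constructed telemetry records that mirror the article's chain.
import re

PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.I)
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe")

def service_masquerade(e):
    """EventID 4697: Microsoft-sounding service name, but the binary is ScreenConnect."""
    return (e.get("event_id") == 4697 and "microsoft" in e.get("service_name", "").lower()
            and "screenconnect" in e.get("binary", "").lower())

def screenconnect_spawns_script(e):
    """A ScreenConnect process starting a script interpreter."""
    return ("screenconnect" in e.get("parent", "").lower()
            and e.get("image", "").lower().endswith(SCRIPT_HOSTS))

def defence_tampering(e):
    """Defender exclusion being added, or the UAC admin prompt value set to 0."""
    c = e.get("cmdline", "").lower()
    return (("add-mppreference" in c and "exclusion" in c)
            or re.search(r"consentpromptbehavioradmin\b.*\b0\b", c) is not None)

def task_from_public_dir(e):
    """schtasks /create whose action runs something out of C:\\Users\\Public."""
    c = e.get("cmdline", "")
    return (e.get("image", "").lower().endswith("schtasks.exe")
            and "/create" in c.lower() and PUBLIC_DIR.search(c) is not None)

RULES = [service_masquerade, screenconnect_spawns_script, defence_tampering, task_from_public_dir]

def scan(events):
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, r.__name__) for i, e in enumerate(events) for r in RULES if r(e)]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"event_id": 4697, "service_name": "Microsoft Update Service",
     "binary": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"parent": "ScreenConnect.WindowsClient.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\Public\Fj5NmEsp9EuKrun.ps1"},
    {"parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"parent": "powershell.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                r"/v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"},
    {"parent": "wscript.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC MINUTE /MO 2 /TN MasterPackager.Updater '
                r'/TR "wscript.exe C:\Users\Public\script.vbs" /F'},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},  # benign
]
```

Calling scan(SAMPLE_EVENTS) flags each of the first five records once and leaves the benign notepad.exe record alone.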

The case began as an alert about ScreenConnect activity and expanded into a broad, multilingual campaign that weaponized DLL sideloading, process hollowing, and persistent scheduled tasks to deliver AsyncRAT. The attack’s reliance on a legitimate signed installer and SEO-driven deception left dozens of live pages and hosting resources that defenders can use as choke points for detection and disruption.

Read the original Kaspersky SOC Files report