Threat actors are abusing the legitimate ScreenConnect remote access tool as a delivery mechanism for AsyncRAT, according to research from Kaspersky. The campaign is described as “massive, multi-domain, multi-language” in scope, targeting users across multiple regions and language groups.

How the Attack Works

Attackers have constructed spoofed websites designed to impersonate legitimate software download portals. These sites are pushed to the top of search results through SEO poisoning, a technique that manipulates search engine rankings to direct victims toward malicious pages instead of official sources.

Visitors who attempt to download software from these fraudulent sites receive malicious installer archives. The installers masquerade as well-known, trusted applications including OBS Studio, DNS Jumper, DS4Windows, and Bandicam. Once executed, the installer chain leverages ScreenConnect to establish remote access, ultimately deploying AsyncRAT on the compromised host.

Why This Combination Is Effective

Using a legitimate remote access tool like ScreenConnect as an intermediary stage helps attackers blend into normal enterprise traffic and evade detection by security controls that may allowlist recognized remote administration software. AsyncRAT, a publicly available remote access trojan, provides attackers with persistent control over infected systems, including capabilities for keylogging, screen capture, and command execution.

Implications for Defenders

The multi-language nature of the campaign suggests broad geographic targeting rather than a narrowly focused operation. Security teams should consider the following defensive measures:

  • Monitor for unsanctioned ScreenConnect instances appearing on endpoints, particularly those not provisioned through internal IT channels.
  • Restrict software installation to approved sources and enforce application allowlisting where feasible.
  • Educate users about the risks of downloading software through search engine results rather than directly from verified vendor sites.
  • Hunt for AsyncRAT indicators in network traffic and endpoint telemetry, including known command-and-control communication patterns.
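The first and last bullets above (spotting ScreenConnect instances that IT did not provision, and hunting in endpoint telemetry) can be combined into one triage pass over process-creation events. The script below is an added example, not code from Kaspersky or from the article; it runs over a small constructed set of events shaped like Sysmon/EDR process-creation records. It assumes that the ScreenConnect client runs as ScreenConnect.ClientService.exe or ScreenConnect.WindowsClient.exe, that the relay host appears as the `h=` query parameter in the client command line, and that the organisation's sanctioned relay hosts are known (the `SANCTIONED_RELAYS` allowlist is a placeholder). The lure application names come from the article; everything else (hostnames, paths, GUID and key values) is constructed.

```python
"""Flag ScreenConnect clients that do not look IT-provisioned.

Added example for the defensive measures above; not part of the original
research. Assumptions: client binary names, the 'h=' relay parameter, and
the SANCTIONED_RELAYS allowlist are placeholders to confirm against your
own deployment.
"""
import re
from pathlib import PureWindowsPath

# Relay hosts provisioned through internal IT (hypothetical allowlist).
SANCTIONED_RELAYS = {"support.example-corp.com"}

# ScreenConnect client process names (assumption; verify against a
# sanctioned install on your own fleet).
SCREENCONNECT_IMAGES = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}

# Applications the campaign impersonated, per the article.
LURE_PATTERN = re.compile(r"\b(obs|dns[ _-]?jumper|ds4windows|bandicam)")

# Paths an ordinary user can write to; an IT rollout normally runs from a
# software-distribution share or an installer service, not from here.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


def relay_host(cmdline: str):
    """Return the relay host from the client's 'h=' parameter, or None."""
    m = re.search(r'[?&]h=([^&"\s]+)', cmdline)
    return m.group(1).lower() if m else None


def analyze_event(ev: dict) -> list:
    """Return a list of reasons this event looks unsanctioned (empty if clean)."""
    image = PureWindowsPath(ev["image"]).name.lower()
    if image not in SCREENCONNECT_IMAGES:
        return []
    reasons = []
    host = relay_host(ev.get("cmdline", ""))
    if host is None:
        reasons.append("no relay host in command line")
    elif host not in SANCTIONED_RELAYS:
        reasons.append(f"unsanctioned relay host {host}")
    parent = ev.get("parent_image", "").lower()
    parent_name = PureWindowsPath(parent).name
    if LURE_PATTERN.search(parent_name):
        reasons.append(f"parent {parent_name} impersonates a lure application")
    if any(d in parent for d in USER_WRITABLE):
        reasons.append("parent launched from user-writable path")
    return reasons


def hunt(events):
    """Return [(event_index, reasons), ...] for every suspicious event."""
    findings = []
    for i, ev in enumerate(events):
        reasons = analyze_event(ev)
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed sample telemetry: one IT-deployed client, one installer-spawned
# client from a Downloads folder, one unrelated process.
SAMPLE_EVENTS = [
    {
        "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
        "parent_image": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe" '
                   r'"?e=Access&y=Guest&h=support.example-corp.com&p=443&s=CONSTRUCTED-GUID&k=CONSTRUCTED-KEY"',
    },
    {
        "image": r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientService.exe",
        "parent_image": r"C:\Users\alice\Downloads\OBS-Studio-Full-Installer.exe",
        "cmdline": r'"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientService.exe" '
                   r'"?e=Access&y=Guest&h=relay.attacker-controlled.invalid&p=443&s=CONSTRUCTED-GUID&k=CONSTRUCTED-KEY"',
    },
    {
        "image": r"C:\Windows\System32\notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": "notepad.exe",
    },
]

if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

The relay-host check is the one that scales: once the allowlist reflects every relay IT actually uses, any client that phones a different relay is worth a ticket regardless of how it arrived on the box. The parent-process heuristics are there to prioritise, not to decide; a legitimate user-initiated support session can also start from a Downloads folder.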

The campaign underscores the continued effectiveness of SEO poisoning as an initial access vector, particularly when combined with legitimate tooling to reduce detection friction during later attack stages.