AsyncRAT Campaign Uses DLL Sideloading and ScreenConnect for Stealthy Remote Access

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A stealthy campaign is turning trusted remote access software into a weapon against everyday users and businesses. Attackers have hidden the AsyncRAT trojan inside fake software installers, letting it slip past basic security checks.

The campaign relies on DLL sideloading and a legitimate remote tool called ScreenConnect, making it hard for victims to notice anything is wrong.

What began as a single suspicious alert grew into a much larger picture. Investigators traced the activity to more than 90 fake websites, each built to look like a download page for popular free programs.

These sites impersonate tools such as OBS Studio, DNS Jumper, Bandicam, and DS4Windows, tricking users into downloading malware instead of real software.

Analysts at Securelist first identified the pattern while responding to an incident flagged by Kaspersky’s Managed Detection and Response team.

ScreenConnect service execution event with suspicious parameters (Source – Securelist)

Kaspersky said in a report shared with Cyber Security News (CSN) that the alert centered on unusual PowerShell and VBS scripts launched by a ScreenConnect process, a detail that led researchers to unravel the campaign’s full scope.

Remote access tools like ScreenConnect are often allowed by default under workplace security policies, so attackers can move around a network without raising alarms.

Once inside, AsyncRAT lets operators steal credentials and maintain long-term access to home and business systems.

The threat actor registered domains in ten languages and used search engine optimization tricks to push fake pages to the top of results, so victims find these sites without any phishing email.

AsyncRAT Campaign Uses DLL Sideloading and ScreenConnect

The attack starts when a user downloads what looks like an ordinary installer, such as a file named obs-studio-windows-x64.zip.

Inside sits a legitimate, Microsoft-signed executable renamed to look like the real installer, paired with a malicious library called install.res.1033.dll.

When the fake installer runs, it loads that rogue library through DLL sideloading, a technique that abuses trusted software to quietly run hidden code.

This silently installs ScreenConnect in the background while the genuine free program installs normally, so the victim sees nothing unusual.

Malicious PowerShell script creation (Source – Securelist)

Once active, ScreenConnect creates a PowerShell script that adds exclusions to Microsoft Defender and disables User Account Control prompts, clearing the way for further attacks. It then drops a VBScript file that decodes a hidden payload using an XOR key before loading it into memory.

That decoded payload is injected into a legitimate Windows process called RegAsm.exe through process hollowing.

This lets AsyncRAT run disguised as a trusted system component, while a scheduled task named MasterPackager.Updater keeps the chain alive every two minutes, even after a reboot.
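As an added example (not code from the article or from Securelist), the following Python scores process-creation events against the observables the chain above produces: a ScreenConnect process launching a script host, a Defender exclusion being added, UAC being disabled through EnableLUA, a scheduled task with a very short repeat interval (or the MasterPackager.Updater name), and RegAsm.exe started by a script host. The event records, file paths and command lines are constructed samples; the ScreenConnect process names and the exact commands used to add exclusions or zero EnableLUA are assumptions about how such activity would look in telemetry, not details taken from the report.

```python
import re
from dataclasses import dataclass

# ScreenConnect client process names are an assumption; the article only says
# "a ScreenConnect process".
SCREENCONNECT_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SHORT_INTERVAL_MINUTES = 5   # a brand-new task repeating this often is rarely legitimate


@dataclass
class ProcEvent:
    """Minimal process-creation record (the shape is constructed for this example)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the rule names that fire for one event (empty list if none)."""
    findings = []
    parent, image, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line
    # Remote-access tool launching PowerShell/VBScript: the alert that started the case.
    if parent in SCREENCONNECT_IMAGES and image in SCRIPT_HOSTS:
        findings.append("script host spawned by ScreenConnect")
    # Defender exclusion added from the command line (real cmdlet; sample usage constructed).
    if re.search(r"\bAdd-MpPreference\b[^|;]*-Exclusion", cmd, re.I):
        findings.append("Defender exclusion added")
    # UAC prompts disabled by zeroing EnableLUA (real registry value; command constructed).
    if re.search(r"\bEnableLUA\b", cmd, re.I) and re.search(r"(?:/d|-Value)\s+0\b", cmd, re.I):
        findings.append("UAC (EnableLUA) disabled")
    # Short-interval scheduled task, the persistence mechanism the article describes.
    m = re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b.*?/sc\s+minute\b.*?/mo\s+(\d+)", cmd, re.I)
    if m and int(m.group(1)) <= SHORT_INTERVAL_MINUTES:
        findings.append(f"scheduled task repeating every {m.group(1)} min")
    if re.search(r"\bMasterPackager\.Updater\b", cmd, re.I):
        findings.append("known task name MasterPackager.Updater")
    # RegAsm.exe started by a script host: the hollowing target named in the article.
    if parent in SCRIPT_HOSTS and image == "regasm.exe":
        findings.append("RegAsm.exe launched by script host")
    return findings


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that fired at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := detect(ev))}


# Constructed sample telemetry. Only the script/task names come from the article;
# every path, parent and command line is invented for the example.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", PS,
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\Fj5NmEsp9EuKrun.ps1"),
    ProcEvent(PS, PS, r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Public"),
    ProcEvent(PS, r"C:\Windows\System32\reg.exe",
              r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(PS, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn MasterPackager.Updater /sc minute /mo 2 /tr "wscript.exe C:\Users\Public\script.vbs" /f'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", r"RegAsm.exe"),
    # Benign control: an interactive shell listing a directory should not fire anything.
    ProcEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe -Command Get-ChildItem C:\Users"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {basename(SAMPLE_EVENTS[idx].image)} -> {', '.join(hits)}")
```

Each rule on its own is noisy (administrators do add exclusions and create tasks); the value is in the combination, so in practice the findings would be correlated per host within a short window before paging anyone.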

Infrastructure Behind the Campaign

Researchers mapped the campaign’s backend to two main infrastructure clusters spread across three IP addresses.

One cluster initially used gaming-themed lures before pivoting in January 2026 to disguise its sites as freeware, while the other focused entirely on fake software portals from the start.

Domain records show the operation launched around October 2025 and paused activity by the end of March 2026, though many fraudulent pages remain live today.

Over that period the attacker built a sprawling network of lookalike domains covering everyday tools, media players, and game titles.

The likely goal is mass credential theft, giving attackers footholds they can later sell on dark web marketplaces.

AsyncRAT infection and persistence chain via ScreenConnect (Source – Securelist)

Compromised systems can serve as an entry point for bigger attacks, so teams are urged to treat leaked credentials as an early warning sign.

To reduce exposure, security teams should enforce strict controls on which applications are allowed to run and block MSI package installations from unknown sources.

Continuous monitoring for new remote administration services and scheduled tasks can catch this activity before it spreads.

Filtering outbound traffic to unfamiliar domains and IP addresses adds another layer of defense against command and control communication.

Training users to verify software sources and avoid unofficial download sites also helps, since search engines cannot always be trusted here.

This single incident opened the door to a much larger, multi-language campaign built around disguised freeware installers.

Indicators of Compromise (IoCs):

Type | Indicator | Description
Domain | mora1987[.]work[.]gd | AsyncRAT C2 domain
Domain | servermanagemen[.]xyz | ScreenConnect C2 domain
Domain | r.manage-server[.]xyz | ScreenConnect C2 domain
Domain | winservec[.]net | ScreenConnect C2 domain
Domain | manageserver[.]xyz | ScreenConnect C2 domain
Domain | cloudsynn[.]com | ScreenConnect C2 domain
Domain | pingserv[.]pro | ScreenConnect C2 domain
Domain | ehostservers[.]xyz | ScreenConnect C2 domain
Domain | serverdnsplan[.]net | ScreenConnect C2 domain
Domain | pingpanl[.]pro | ScreenConnect C2 domain
Domain | managedevice[.]xyz | ScreenConnect C2 domain
Domain | edgeserv[.]ru | ScreenConnect C2 domain
IP Address | 185.254.97[.]249 | Linked to ScreenConnect C2 infrastructure
IP Address | 45.145.41[.]205 | Linked to ScreenConnect C2 infrastructure
IP Address | 162.216.241[.]242 | Fake domain hosting infrastructure (Cluster 1)
IP Address | 198.23.185[.]81 | Fake domain hosting infrastructure (Cluster 1)
IP Address | 2.59.134[.]97 | Fake domain hosting infrastructure (Cluster 2)
URL | hxxps://www.studioobs[.]com/ | Typosquatted site mimicking OBS Studio
URL | hxxps://fileget.loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaM | Download link for malicious archive
URL | hxxps://direct-download.giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j | Download link for malicious DNS Jumper archive
File Name | obs-studio-windows-x64.zip | Malicious archive disguised as OBS Studio installer
File Name | install.res.1033.dll | Malicious sideloaded DLL library
File Name | Fj5NmEsp9EuKrun.ps1 | Malicious PowerShell script for Defender exclusions and UAC bypass
File Name | installer_method3_stream.vbs | VBScript dropper creating multiple malicious files
File Name | script.vbs | VBScript that triggers the execution chain
File Name | cap.ps1 | PowerShell script that decrypts and loads the payload
File Name | secret_bytes.txt | Encrypted payload file
File Name | msgbox.txt | Dropped file used during the infection chain
File Name | 1.vb | Dropped file used during the infection chain
File Name | vcredist_x64.dll | Renamed MSI file for the ScreenConnect installer
File Name | vcredist_x86.dll | Renamed MSI file for the OBS Studio installer
File Hash | 87603EA025623B19954E460ADD532048 | Legitimate Microsoft-signed install.exe reused for sideloading
Scheduled Task | MasterPackager.Updater | Persistence mechanism triggering script.vbs every two minutes

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
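As an added example (not part of the article), this Python loads rows from the IoC table above in the form the article publishes them, splits each into type, indicator and description, re-fangs only the network indicators so they can be validated (an IP must parse, a domain must be well formed, a URL must carry a real scheme), and builds the plain domain/IP blocklist that the egress-filtering recommendation earlier calls for. The row layout and the `[.]`/`hxxp` conventions come from the table; support for `(.)` and `{.}` is a common threat-intel convention, not something the article specifies.

```python
import ipaddress
import re

# A subset of the article's IoC rows, kept defanged exactly as published.
IOC_TABLE = """\
Domain mora1987[.]work[.]gd AsyncRAT C2 domain
Domain servermanagemen[.]xyz ScreenConnect C2 domain
IP Address 185.254.97[.]249 Linked to ScreenConnect C2 infrastructure
IP Address 162.216.241[.]242 Fake domain hosting infrastructure (Cluster 1)
URL hxxps://www.studioobs[.]com/ Typosquatted site mimicking OBS Studio
File Name install.res.1033.dll Malicious sideloaded DLL library
File Hash 87603EA025623B19954E460ADD532048 Legitimate Microsoft signed install.exe reused for sideloading
Scheduled Task MasterPackager.Updater Persistence mechanism triggering script.vbs every two minutes
"""

# Two-word types are listed first so the longest matching prefix wins.
TYPES = ("IP Address", "File Name", "File Hash", "Scheduled Task", "Domain", "URL")
NETWORK_TYPES = {"Domain", "IP Address", "URL"}
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", re.I)
HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.I)  # MD5 / SHA-1 / SHA-256


def refang(value: str) -> str:
    """Undo common defanging: bracketed dots and the hxxp scheme."""
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)


def defang(value: str) -> str:
    """Make a network indicator safe to paste into a ticket or chat."""
    value = re.sub(r"^http(s?)://", r"hxxp\1://", value, flags=re.I)
    return value.replace(".", "[.]")


def parse_row(line: str) -> dict:
    """Split 'Type Indicator Description...' into its three fields."""
    for ioc_type in TYPES:
        if line.startswith(ioc_type + " "):
            indicator, _, description = line[len(ioc_type) + 1:].partition(" ")
            return {"type": ioc_type, "indicator": indicator, "description": description}
    raise ValueError(f"unrecognised IoC row: {line!r}")


def validate(row: dict):
    """Return the re-fanged value for network indicators (None otherwise); raise on bad shape."""
    if row["type"] == "File Hash" and not HASH_RE.fullmatch(row["indicator"]):
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hash: {row['indicator']}")
    if row["type"] not in NETWORK_TYPES:
        return None
    live = refang(row["indicator"])
    if row["type"] == "IP Address":
        ipaddress.ip_address(live)               # raises ValueError if malformed
    elif row["type"] == "Domain" and not DOMAIN_RE.fullmatch(live):
        raise ValueError(f"malformed domain: {live}")
    elif row["type"] == "URL" and not re.match(r"https?://", live, re.I):
        raise ValueError(f"URL without http(s) scheme: {live}")
    return live


def load(table: str) -> list[dict]:
    rows = [parse_row(line) for line in table.splitlines() if line.strip()]
    for row in rows:
        row["live"] = validate(row)
    return rows


def blocklist(rows: list[dict]) -> list[str]:
    """Live domains and IPs for an egress deny-list (URLs are left to a proxy rule)."""
    return sorted(row["live"] for row in rows if row["type"] in ("Domain", "IP Address"))


if __name__ == "__main__":
    loaded = load(IOC_TABLE)
    for entry in blocklist(loaded):
        print("deny", entry, "(defanged:", defang(entry) + ")")
```

Keep the re-fanged values inside the detection platform; anything written back to a report or chat should go through `defang` again, which is why the round trip is part of the example.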
