logo

The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign

ID: 27796bfe-ce5f-5f19-ba64-8b20b315384a

STIX ID: report--27796bfe-ce5f-5f19-ba64-8b20b315384a

Feed Name: Securelist by Kaspersky

Threat Score
78/100

Date Published: 2026-07-01

Date Updated: 2026-07-02

Author: Denis Kulik

...
...

This investigation details a global, multi-language campaign (Oct 2025–Mar 2026) where threat actors used SEO-boosted spoofed download sites to distribute archives that pair a legitimate signed installer with a malicious DLL (install.res.1033.dll); the DLL is used to sideload and silently install ScreenConnect as a remote access backdoor and to deploy AsyncRAT via reflective loading and process hollowing, enabling persistence, credential theft, and remote control. The report includes infrastructure mapping, numerous IoCs (domains, IPs, hashes), detection rules, and practical mitigation recommendations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.