logo

SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT

ID: f53332be-f28d-56d9-bc9e-297eb3314267

STIX ID: report--f53332be-f28d-56d9-bc9e-297eb3314267

Feed Name: The Hacker News

Threat Score
75/100

Date Published: 2026-07-01

Date Updated: 2026-07-02

Author: [email protected] (The Hacker News)

...
...

Kaspersky reported a large, multilingual SEO-poisoning campaign that distributes malicious installer archives mimicking popular utilities; these installers side-load a rogue DLL to deploy the ScreenConnect remote access service which then executes a PowerShell/VBScript chain to extract and run AsyncRAT via process hollowing. The attack disables Defender/UAC, establishes persistence via a scheduled task, and connects to a remote C2 (mora1987.work.gd) to enable remote control, screen capture, and data theft across individual and organizational victims.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.