SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT
ID: f53332be-f28d-56d9-bc9e-297eb3314267
STIX ID: report--f53332be-f28d-56d9-bc9e-297eb3314267
Feed Name: The Hacker News
Kaspersky reported a large, multilingual SEO-poisoning campaign that distributes malicious installer archives mimicking popular utilities; these installers side-load a rogue DLL to deploy the ScreenConnect remote access service which then executes a PowerShell/VBScript chain to extract and run AsyncRAT via process hollowing. The attack disables Defender/UAC, establishes persistence via a scheduled task, and connects to a remote C2 (mora1987.work.gd) to enable remote control, screen capture, and data theft across individual and organizational victims.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
