90-Domain SEO Campaign Abuses ScreenConnect to Deploy AsyncRAT

Kaspersky exposed a 90-domain SEO poisoning campaign that installs AsyncRAT on Windows via a fake ScreenConnect installer, targeting users across 10 languages.

    Kaspersky documented a “massive, multi-domain, multi-language” SEO poisoning campaign that silently installs AsyncRAT on Windows systems by routing victims through fake freeware download sites, a legitimate-looking ScreenConnect installer, and a hidden PowerShell execution chain. The campaign operates across 90 or more spoofed domains targeting popular utilities and has localized content across 10 languages, indicating a global victim pool well beyond any single region.

    How the ScreenConnect Installer Attack Chain Delivers AsyncRAT to Windows Systems

    The infection begins at the point of a web search. Victims searching for freeware tools — OBS Studio, DNS Jumper, DS4Windows, Bandicam, and other common utilities — encounter attacker-controlled domains ranked at the top of search results through SEO poisoning techniques that push the malicious pages ahead of legitimate download sites.

    Clicking through to download delivers a malicious installer archive. The archive contains two components: a legitimate, Microsoft-signed install.exe binary, and a rogue install.res.1033.dll library placed alongside it. When install.exe runs, Windows loads the attacker’s DLL alongside the signed binary — a DLL side-loading technique that allows malicious code to execute within a process carrying a legitimate Microsoft signature.

    The result for the victim is that ScreenConnect installs normally with no visible anomaly. The installer completes, ScreenConnect appears to function as expected, and no malware warning fires at any point. What the victim does not see is that the ScreenConnect service created and executed a PowerShell script in the background during installation.

    PowerShell Chain: Defender Disabled, UAC Suppressed, AsyncRAT Deployed via Process Hollowing

    The hidden PowerShell script takes three preparatory actions before deploying the final payload. It disables Windows Defender real-time protection. It suppresses User Account Control prompts. It then writes and executes a VBScript file that reads AsyncRAT from disk and launches it via process hollowing — injecting the RAT’s code into a legitimate Windows process to hide its execution from process-level monitoring tools.

    By the time AsyncRAT is running, the host’s two primary behavioral defenses have been disabled. Defender real-time protection is off, meaning AsyncRAT’s files and activity will not be scanned. UAC is suppressed, removing the elevation prompt that would otherwise appear for subsequent operations requiring administrative access. The victim’s machine is fully backdoored with no visible indication that the freeware download produced anything other than the expected ScreenConnect installation.

    Ten-Language Targeting Across OBS Studio, DNS Jumper, and Bandicam Fake Sites

    Kaspersky identified more than 90 domain names associated with the campaign, with spoofed download pages for multiple popular freeware tools. The fake sites are localized across 10 languages including English, Russian, Chinese, German, French, Spanish, Portuguese, and Arabic. The scope of language coverage is a meaningful operational indicator: campaigns targeting a single language group typically represent regional criminal enterprises, while campaigns covering 10 languages represent either a sophisticated single actor or a distribution-as-a-service model serving multiple criminal customers.

    The freeware tools chosen for impersonation were selected for their broad appeal and high search volume. OBS Studio is widely used for streaming and recording. DNS Jumper and DS4Windows attract technically minded users who are comfortable downloading tools from search results rather than app stores. Bandicam is popular in gaming communities. Each target tool has a large enough download audience that even a small conversion rate on the SEO-poisoned results yields meaningful victim counts.

    AsyncRAT’s Capabilities After Silently Gaining Full Windows Remote Access

    AsyncRAT is a fully featured remote access trojan capable of keylogging, screen capture, file transfer, shell command execution, and persistent backdoor access. Victims of this campaign have given attackers complete, stealthy remote control of their Windows systems. Unlike spyware or infostealers that perform a single collection and exfiltrate, AsyncRAT provides ongoing interactive access — operators can return to compromised hosts at any time, issue commands, collect new data, or deploy additional tools.

    The persistence mechanisms written during installation mean that AsyncRAT survives reboots. Defender being disabled means that subsequent stages or tools deployed via the backdoor will not be scanned. The combination of disabled security software, suppressed elevation prompts, and persistent remote access places affected machines in a condition that is difficult to fully remediate without a complete rebuild.

    Campaign Infrastructure: 90+ Domains Registered Across Multiple Months

    Kaspersky’s analysis of domain registration data found infrastructure activity spanning from August 2025 through March 2026, indicating that the campaign has maintained an active victim delivery pipeline across an extended period. The multi-month domain registration pattern — rather than a burst of registrations just before campaign launch — suggests deliberate operational security and awareness of domain-age scoring in search engine ranking algorithms, where older domains with established registration histories rank more readily in organic search results.

    Organizations should search Kaspersky’s published indicators of compromise for domain names matching the campaign’s pattern and block known malicious domains at the network layer. Endpoint teams should audit systems for unexpected ScreenConnect installations sourced from domains outside the software vendor’s own distribution channels, and review PowerShell execution logs for scripts that disable Defender real-time protection or write VBScript files during or immediately after software installation events.
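    One way to run the PowerShell log review recommended above, as an added example that is not part of the Kaspersky report or this article: scan exported ScriptBlock logging text (Event ID 4104, ScriptBlockText field) for the three preparatory behaviours the chain exhibits and rate a single block that shows all three as the highest priority. The regex patterns and the sample script blocks are assumptions constructed for illustration; they are not indicators published for this campaign.

```python
import re
from collections import namedtuple

# Patterns for the three preparatory behaviours described above. They are
# assumptions about how such actions commonly appear in PowerShell ScriptBlock
# logging (Event ID 4104), not indicators published for this campaign.
RULES = {
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b"
        r"|DisableRealtimeMonitoring[^\n]*(-Value|/d)\s+1\b", re.IGNORECASE),
    "uac_suppressed": re.compile(
        r"(EnableLUA|ConsentPromptBehaviorAdmin)[^\n]*(-Value|/d)\s+0\b",
        re.IGNORECASE),
    "vbscript_dropped": re.compile(
        r"(Set-Content|Out-File|Add-Content|\[IO\.File\]::Write\w*)\s[^\n]*\.vbs\b",
        re.IGNORECASE),
}

# record_id: identifier of the exported event; excerpt: matched text for triage
Finding = namedtuple("Finding", "record_id rule excerpt")

def scan_script_blocks(records):
    """records: iterable of (record_id, script_block_text) pairs, e.g. the
    ScriptBlockText field of exported 4104 events. Returns every rule hit."""
    findings = []
    for rid, text in records:
        for name, rx in RULES.items():
            m = rx.search(text)
            if m:
                findings.append(Finding(rid, name, m.group(0)[:80]))
    return findings

def triage(records):
    """Map record_id -> (severity, sorted rule names). A single script block
    showing all three behaviours is the full chain and is rated 'high'."""
    hits = {}
    for f in scan_script_blocks(records):
        hits.setdefault(f.record_id, set()).add(f.rule)
    return {rid: ("high" if len(r) == len(RULES) else "medium", sorted(r))
            for rid, r in hits.items()}

# Constructed sample script blocks (not real telemetry): one full chain,
# one benign status query, one lone VBScript write from a build script.
SAMPLE_BLOCKS = [
    ("1001", "Set-MpPreference -DisableRealtimeMonitoring $true\n"
             r"Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 0" "\n"
             r'Set-Content -Path "$env:TEMP\run.vbs" -Value $vbs'),
    ("1002", "Get-MpPreference | Select-Object DisableRealtimeMonitoring"),
    ("1003", r"Set-Content -Path C:\Tools\build.vbs -Value $script"),
]
```

    A lone VBScript write or a status query does not trigger the high rating; only the co-occurrence of all three behaviours in one script block does, which keeps build scripts and administrative checks out of the top of the queue.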
