HackMyIP
2026-07-01 The Hacker News

SEO-Poisoned Sites Drop AsyncRAT via ScreenConnect Side-Load

Tags: Malware, Threat Intel, Phishing

Threat actors are using search engine optimization (SEO) poisoning to push fraudulent software download pages that deliver AsyncRAT through the legitimate ScreenConnect remote access tool, according to Kaspersky researchers. The operation spans more than 90 spoofed domains localized into 10 languages (among them English, Russian, Chinese, German, French, Spanish, Portuguese, and Arabic), many of them registered between August 2025 and March 2026. The pages masquerade as download pages for popular utilities such as OBS Studio, DNS Jumper, DS4Windows, and Bandicam, so a user searching for one of these tools is lured into downloading a malicious archive instead of the real installer.

The infection chain begins with DLL side-loading. The malicious archive bundles a legitimate, signed Microsoft install.exe alongside a rogue install.res.1033.dll. When the victim runs install.exe, the trusted binary loads the attacker's DLL from the same directory; the rogue DLL then drops and installs the ScreenConnect client service, which silently awaits the operator's commands. Security researcher Denis Kulik explained that this stage gives threat actors persistent control over compromised endpoints, with victims ranging from individual users to entire organizations. From there, a PowerShell script (Fj5NmEsp9EuKrun.ps1) adds Microsoft Defender exclusions, disables User Account Control prompts, and writes a chain of supporting files to C:\Users\Public, including script.vbs, cap.ps1, and secret_bytes.txt.

The final payload is extracted from secret_bytes.txt and injected into a legitimate process by process hollowing, ultimately launching AsyncRAT. The RAT beacons to the command-and-control server mora1987.work[.]gd, giving operators covert remote control, data theft, screen recording, and surveillance capabilities. Persistence is maintained by a scheduled task named "MasterPackager.Updater" that runs every two minutes and relaunches script.vbs, so the implant survives reboots. Because ScreenConnect itself is a legitimate, signed product, the service will not trip antivirus on its own; the tell is a ScreenConnect client instance the organization never deployed, sitting next to the Defender exclusions and Public-folder artifacts described above. Kaspersky warned that the actors disguise ScreenConnect as trusted utilities and aggressively promote the fraudulent sites in Google and Bing search results, so anyone searching for a common software download could land on a booby-trapped page.
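The two paragraphs above list host artifacts a responder can check for directly: the side-loading pair, the ScreenConnect client service, the Defender exclusions, the UAC change, the files in C:\Users\Public, the "MasterPackager.Updater" task and the C2 hostname. The script below is an added triage example written for this page; it is not Kaspersky's or The Hacker News' code. Only the literal file, task and domain names come from the report. The function name, the output shape, and the folders swept for the side-loading pair (Downloads, Temp, Public) are this example's own assumptions, and it must be run in an elevated PowerShell on the suspect Windows host.

```powershell
# Added triage example (not from the Kaspersky report or The Hacker News).
# Checks a Windows host for the artifacts the article names. Literal names
# (files, task, domain) are from the report; everything else is assumed here.
#Requires -RunAsAdministrator

function Invoke-AsyncRatScreenConnectTriage {
    [CmdletBinding()]
    param(
        # Assumption: folders worth sweeping for the install.exe + install.res.1033.dll pair.
        [string[]]$SweepRoots = @("$env:USERPROFILE\Downloads", $env:TEMP, 'C:\Users\Public')
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
    }

    # 1. Persistence: the scheduled task that relaunches script.vbs every two minutes.
    $task = Get-ScheduledTask -TaskName 'MasterPackager.Updater' -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Finding 'ScheduledTask' "MasterPackager.Updater present, actions: $actions"
    }

    # 2. Staging files the PowerShell stage writes to C:\Users\Public.
    foreach ($name in 'script.vbs', 'cap.ps1', 'secret_bytes.txt') {
        $p = Join-Path 'C:\Users\Public' $name
        if (Test-Path -LiteralPath $p) { Add-Finding 'DroppedFile' $p }
    }

    # 3. Defender exclusions added by the stage. Any exclusion at all on a host that
    #    should have none is worth listing; paths under Public or Temp especially so.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        foreach ($ex in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
            if ($ex) { Add-Finding 'DefenderExclusion' $ex }
        }
    }

    # 4. UAC: EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates without prompting.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    if ($uac.EnableLUA -eq 0) { Add-Finding 'UAC' 'EnableLUA = 0 (UAC disabled)' }
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) { Add-Finding 'UAC' 'ConsentPromptBehaviorAdmin = 0 (silent elevation)' }

    # 5. ScreenConnect client service. Legitimate installs register a service named
    #    "ScreenConnect Client (<instance id>)"; one the organisation did not deploy is the signal.
    Get-CimInstance Win32_Service -Filter "Name LIKE 'ScreenConnect Client%'" -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'ScreenConnectService' "$($_.Name) [$($_.State)] -> $($_.PathName)" }

    # 6. Side-loading pair: install.res.1033.dll next to install.exe. The genuine resource DLL
    #    carries a valid Microsoft signature, so flag any copy that is unsigned or signed by another party.
    foreach ($root in $SweepRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'install.res.1033.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $exe = Join-Path $_.DirectoryName 'install.exe'
                if (Test-Path -LiteralPath $exe) {
                    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
                        Add-Finding 'SideLoadPair' "$($_.FullName) (status=$($sig.Status), signer=$signer) beside $exe"
                    }
                }
            }
    }

    # 7. C2 hostname from the report, looked for in the local DNS cache only. No live
    #    resolution, so the actor's name server is not tipped off by the investigation.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like '*mora1987.work.gd*' } |
        ForEach-Object { Add-Finding 'DnsCache' "$($_.Entry) -> $($_.Data)" }

    if ($findings.Count -eq 0) { Write-Verbose 'No indicators from the report found on this host.' }
    return $findings
}

Invoke-AsyncRatScreenConnectTriage -Verbose | Format-Table -AutoSize
```

Each check is independent, so an empty result from one does not mean the host is clean: a responder who finds only the Defender exclusion or only an unexpected ScreenConnect instance should still treat the host as compromised and pull the task, service and file details before remediation. The sweep roots and the "Microsoft Corporation" signer test are assumptions for this example; adjust them to the environment.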

Source: The Hacker News
