Home · Briefs · CTI Daily Brief — 2026-07-02
Kaspersky MDR: SEO-poisoned fake-installer sites trojanize ScreenConnect to deploy AsyncRAT
From CTI Daily Brief — 2026-07-02 · published 2026-07-02
Kaspersky's MDR team pivoted from a single flagged incident (suspicious PowerShell/VBS spawned by a ScreenConnect process) into a "massive, multi-domain, multi-language" campaign running since at least August 2025, using 90+ spoofed sites in ten languages — including German and French — impersonating free software such as OBS Studio, DNS Jumper and Bandicam (Kaspersky Securelist, 2026-07-01). Each malicious installer bundles a legitimate Microsoft-signed install.exe alongside a rogue install.res.1033.dll sideloaded via classic DLL search-order abuse; ScreenConnect deploys as an "Access-type" service, then a PowerShell script adds Defender path exclusions for all local drives and C:\Users\Public, disables the UAC consent prompt, and a chained VBScript reconstructs a .NET payload (XOR key 0xA7) that reflectively loads and process-hollows (T1055.012) into a suspended RegAsm.exe acting as the AsyncRAT container, with a two-minute scheduled-task re-trigger for persistence (The Hacker News, 2026-07-01). Detection/hardening: flag ScreenConnect service creation with an explicit relay parameter where the deploying process is a freshly-downloaded installer; alert on Defender exclusions covering full drive roots or C:\Users\Public added via PowerShell rather than GPO/MDM; treat long-lived RegAsm.exe with active network connections as a process-hollowing tell; block DLL sideloading via WDAC/AppLocker on signed binaries' unsigned companion DLLs.