ctipilot.ch

SEO-poisoned fake-installer sites trojanize ScreenConnect to deploy AsyncRAT

campaign · campaign:screenconnect-asyncrat-seo-poisoning

  • Coverage timeline: 1 (first 2026-07-02 → last 2026-07-02)
  • Briefs: 1 (1 distinct)
  • Sources cited: 4 (3 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 6 (see Related entities below)

Story timeline

  1. 2026-07-02: CTI Daily Brief — 2026-07-02
     (research) First coverage: Kaspersky MDR — 90+ domains, DLL sideloading, RegAsm process hollowing, AsyncRAT

Where this entity is cited

  • research (1)

Source distribution

  • thehackernews.com: 2 (50%)
  • microsoft.com: 1 (25%)
  • securelist.com: 1 (25%)

Related entities

Items in briefs about SEO-poisoned fake-installer sites trojanize ScreenConnect to deploy AsyncRAT (2)

Kaspersky MDR: SEO-poisoned fake-installer sites trojanize ScreenConnect to deploy AsyncRAT

From CTI Daily Brief — 2026-07-02 · published 2026-07-02

Kaspersky's MDR team pivoted from a single flagged incident (suspicious PowerShell/VBS spawned by a ScreenConnect process) into a "massive, multi-domain, multi-language" campaign running since at least August 2025, using 90+ spoofed sites in ten languages — including German and French — impersonating free software such as OBS Studio, DNS Jumper and Bandicam (Kaspersky Securelist, 2026-07-01). Each malicious installer bundles a legitimate Microsoft-signed install.exe alongside a rogue install.res.1033.dll sideloaded via classic DLL search-order abuse; ScreenConnect deploys as an "Access-type" service, then a PowerShell script adds Defender path exclusions for all local drives and C:\Users\Public, disables the UAC consent prompt, and a chained VBScript reconstructs a .NET payload (XOR key 0xA7) that reflectively loads and process-hollows (T1055.012) into a suspended RegAsm.exe acting as the AsyncRAT container, with a two-minute scheduled-task re-trigger for persistence (The Hacker News, 2026-07-01).

Detection/hardening: flag ScreenConnect service creation with an explicit relay parameter where the deploying process is a freshly downloaded installer; alert on Defender exclusions covering full drive roots or C:\Users\Public added via PowerShell rather than GPO/MDM; treat long-lived RegAsm.exe with active network connections as a process-hollowing tell; block DLL sideloading via WDAC/AppLocker on signed binaries' unsigned companion DLLs.

Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO-poisoning lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners under signed Microsoft binary

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

Microsoft Defender Experts documented an active cryptojacking campaign dating from March 2026 that uses GPU-utility brand impersonation (CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, PDFgear) as initial delivery via SEO poisoning (Microsoft Security Blog, 2026-05-26; The Hacker News, 2026-05-27). The operationally novel evolution is from April 2026: users querying AI chatbots for software-download recommendations were directed to attacker-controlled domains in generated responses — search-poisoning extended into the LLM-generation layer. Delivery chain: (1) fake utility site hosts a ZIP on a gleeze.com subdomain (DDNS via Dynu); (2) ZIP contains the legitimate executable alongside an autorun.dll; (3) DLL side-loading installs vcredist_x64.dll via msiexec.exe — a ScreenConnect packaged installer named to mimic Visual C++ Redistributable; (4) ScreenConnect establishes persistent remote access; (5) the session delivers SimpleRunPE.exe; (6) SimpleRunPE persists via Registry Run keys and scheduled tasks, configures Microsoft Defender exclusions, and uses process hollowing to inject miner code (gminer, lolMiner, SRBMiner-MULTI) into a Microsoft-signed binary. 150+ malicious domains identified since March 2026.

Defender takeaway: AI-search-result poisoning generalises the SEO-poisoning class to the prompt-response surface; orgs adopting AI coding assistants and chatbots should treat outbound URLs in generated responses as untrusted by default. Detection: Sysmon EID 7 loads of a DLL named autorun.dll from non-standard paths; msiexec.exe spawned as a child of a user-facing utility outside admin intent; ScreenConnect (ConnectWise Control) service installation from an unexpected parent process chain; Microsoft Defender exclusion modifications via command-line. Hardening: WDAC blocking unsigned DLLs; AppLocker scoping msiexec.exe to admin context; enable Defender Tamper Protection.
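The detection points in both items above (command-line Defender exclusions covering drive roots or C:\Users\Public, companion-DLL sideloads such as install.res.1033.dll and autorun.dll from non-system paths, msiexec.exe spawned under a user-run utility, and a long-lived RegAsm.exe with network activity) can be expressed as a small rule set over endpoint telemetry. The block below is an added example written for this page; it is not code from Kaspersky, Microsoft or the cited articles. The Sysmon-like event shape and field names, the RegAsm age threshold and the sample events are all assumptions constructed for illustration; a real pipeline would map its own schema onto these fields.

```python
"""Rule sketch for the ScreenConnect / DLL-sideloading tradecraft on this page.

Added example (not vendor code). Events are constructed dicts in a loose
Sysmon-like shape: eid 1 = process create, 3 = network connect, 7 = image load.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample telemetry (not real logs). Field names are assumed.
SAMPLE_EVENTS = [
    {"eid": 1, "image": r"C:\Users\bob\Downloads\OBS-Setup\install.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "install.exe"},
    {"eid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\bob\Downloads\OBS-Setup\install.exe",
     "cmdline": r'powershell -ep bypass -c "Add-MpPreference -ExclusionPath C:\, D:\, C:\Users\Public"'},
    {"eid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe",  # narrow, admin-style exclusion
     "cmdline": r'powershell Add-MpPreference -ExclusionPath "C:\Program Files\LOB\app"'},
    {"eid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Users\bob\Downloads\CrystalDiskInfo.exe",
     "cmdline": "msiexec.exe /i vcredist_x64.dll /qn"},
    {"eid": 7, "image": r"C:\Users\bob\Downloads\CrystalDiskInfo.exe",
     "loaded": r"C:\Users\bob\Downloads\autorun.dll"},
    {"eid": 7, "image": r"C:\Users\bob\Downloads\OBS-Setup\install.exe",
     "loaded": r"C:\Users\bob\Downloads\OBS-Setup\install.res.1033.dll"},
    {"eid": 3, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest": "203.0.113.10:6606", "process_age_s": 5400},
    {"eid": 3, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest": "203.0.113.10:6606", "process_age_s": 3},  # short-lived: normal RegAsm use
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def exclusion_paths(cmdline: str) -> list[str]:
    """Return the -ExclusionPath list from an Add-MpPreference command line (empty if absent)."""
    if "add-mppreference" not in cmdline.lower():
        return []
    m = re.search(r'-ExclusionPath\s+"?([^"]+)"?', cmdline, re.IGNORECASE)
    if not m:
        return []
    return [p.strip().strip("'") for p in m.group(1).split(",") if p.strip()]


def is_broad_exclusion(path: str) -> bool:
    # Drive roots (C:\, D:\ ...) and C:\Users\Public are the scopes the campaign excludes.
    p = path.strip().rstrip("\\").lower()
    return bool(re.fullmatch(r"[a-z]:", p)) or p == r"c:\users\public"


def rule_defender_exclusion(ev: dict) -> Optional[Finding]:
    """Any command-line exclusion is suspicious; drive roots / Public are high severity."""
    if ev["eid"] != 1:
        return None
    paths = exclusion_paths(ev.get("cmdline", ""))
    if not paths:
        return None
    severity = "high" if any(is_broad_exclusion(p) for p in paths) else "medium"
    return Finding("defender_exclusion_cmdline", severity, f"parent={ev['parent']} paths={paths}")


SIDELOAD_WATCHLIST = {"autorun.dll", "install.res.1033.dll"}  # DLL names named on this page


def rule_companion_dll_load(ev: dict) -> Optional[Finding]:
    """EID 7 load of a watchlisted companion DLL from outside C:\\Windows."""
    if ev["eid"] != 7:
        return None
    dll = ev["loaded"]
    if ntpath.basename(dll).lower() in SIDELOAD_WATCHLIST and not dll.lower().startswith("c:\\windows\\"):
        return Finding("companion_dll_sideload", "high", f"{ntpath.basename(ev['image'])} loaded {dll}")
    return None


def rule_msiexec_from_user_app(ev: dict) -> Optional[Finding]:
    """msiexec.exe whose parent lives under a user profile (assumed proxy for 'user-facing utility')."""
    if ev["eid"] != 1 or ntpath.basename(ev["image"]).lower() != "msiexec.exe":
        return None
    if "\\users\\" in ev["parent"].lower():
        return Finding("msiexec_user_app_child", "medium", f"parent={ev['parent']} cmdline={ev['cmdline']}")
    return None


REGASM_MIN_AGE_S = 600  # assumed threshold: legitimate RegAsm runs finish in seconds


def rule_long_lived_regasm(ev: dict) -> Optional[Finding]:
    """RegAsm.exe making a network connection after living well past a normal run."""
    if ev["eid"] != 3 or ntpath.basename(ev["image"]).lower() != "regasm.exe":
        return None
    if ev.get("process_age_s", 0) >= REGASM_MIN_AGE_S:
        return Finding("regasm_long_lived_network", "high", f"age={ev['process_age_s']}s dest={ev['dest']}")
    return None


RULES: list[Callable[[dict], Optional[Finding]]] = [
    rule_defender_exclusion, rule_companion_dll_load, rule_msiexec_from_user_app, rule_long_lived_regasm,
]


def run_rules(events: list[dict]) -> list[Finding]:
    """Apply every rule to every event and collect the hits."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Against the constructed sample, six findings fire: the broad exclusion (high) and the narrow one (medium), the msiexec.exe child of a user-run utility, both watchlisted DLL loads, and the long-lived RegAsm.exe connection; the three-second RegAsm.exe event stays silent. The RegAsm age field assumes a join between the process-creation and network events, which is the usual way to get process lifetime from Sysmon.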