Threat actors are exploiting the ScreenConnect remote access tool to deliver and execute the AsyncRAT trojan, according to Kaspersky. The operation is described as a "massive, multi-domain, multi-language" campaign that distributes malicious installer archives through spoofed websites.
These fake sites are designed to appear legitimate by impersonating popular software titles such as OBS Studio, DNS Jumper, DS4Windows, and Bandicam. The attackers use search engine optimization (SEO) poisoning techniques to ensure their malicious pages rank highly in search results, increasing the likelihood of victim exposure.
AsyncRAT is an open-source remote access trojan that enables attackers to monitor user activity, steal credentials, and execute additional payloads. The infection chain begins when a victim downloads and runs a malicious installer from one of the spoofed sites, which then uses ScreenConnect—a legitimate remote support tool—to establish persistence and drop the final payload.
Kaspersky did not disclose how many systems have been compromised or provide specific indicators of compromise. The campaign appears to be ongoing, targeting users searching for free or cracked software across multiple languages and regions.
No patches or vendor-specific mitigations are available because the attack abuses legitimate software features. Users are advised to download software only from official sources and scrutinize URLs before installation. Security teams should monitor for unauthorized ScreenConnect connections and unusual network traffic associated with AsyncRAT.
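One way to act on the advice to monitor for unauthorized ScreenConnect connections, as an added example that is not from Kaspersky or the ScreenConnect vendor: flag ScreenConnect client processes whose relay host is not on an allowlist. It assumes process-creation telemetry is available and that the client's arguments carry the relay host in an `h=` parameter; the allowlist, hostnames and events are constructed.

```python
import re
from urllib.parse import parse_qs

# Assumption: relay host(s) of the organisation's own sanctioned instance.
APPROVED_RELAYS = {"support.corp.example"}

CLIENT_RE = re.compile(r"screenconnect\.(clientservice|windowsclient)\.exe$", re.I)
QUERY_RE = re.compile(r'\?([^"\s]+)')

# Constructed process-creation events: (hostname, image path, arguments).
SAMPLE_EVENTS = [
    ("WS-014", r"C:\Program Files (x86)\ScreenConnect Client (aaaa1111)\ScreenConnect.ClientService.exe",
     '"?e=Access&y=Guest&h=support.corp.example&p=443&s=0000&k=PLACEHOLDER"'),
    ("WS-027", r"C:\Users\bob\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     '"?e=Access&y=Guest&h=Relay.Unsanctioned.example&p=8041&s=0000&k=PLACEHOLDER"'),
    ("WS-031", r"C:\Windows\System32\notepad.exe", "notes.txt"),
    ("WS-040", r"C:\ProgramData\sc\ScreenConnect.WindowsClient.exe", ""),
]

def relay_host(arguments):
    """Return the lower-cased relay host from the h= parameter, or None."""
    match = QUERY_RE.search(arguments)
    if not match:
        return None
    hosts = parse_qs(match.group(1)).get("h")
    return hosts[0].lower().rstrip(".") if hosts else None

def triage(events, approved=APPROVED_RELAYS):
    """Flag ScreenConnect client processes whose relay is unknown or unapproved."""
    findings = []
    for hostname, image, arguments in events:
        if not CLIENT_RE.search(image):
            continue  # not a ScreenConnect client binary
        relay = relay_host(arguments)
        if relay is None:
            findings.append((hostname, None, "no relay parameter, inspect manually"))
        elif relay not in approved:
            findings.append((hostname, relay, "relay not on allowlist"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Matching on the image name alone misses renamed binaries, so pair this with network monitoring for the AsyncRAT traffic the advisory mentions.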