Fake software sites are hiding ScreenConnect to drop AsyncRAT

By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM
Published By: Purple Shield Security
Published: July 3, 2026
Last updated: July 3, 2026
Quick answer: Kaspersky uncovered more than 90 fake software download sites that use search engine poisoning to trick people into installing ScreenConnect, a legitimate remote access tool. Once installed, it quietly deploys the AsyncRAT Trojan, giving attackers full control of the machine. The bait includes fake OBS Studio, DNS Jumper, and Bandicam installers.
What did Kaspersky actually find?
Kaspersky's Managed Detection and Response (MDR) team traced a single suspicious alert into a sprawling campaign that hides a real remote access tool inside fake software downloads. According to the Securelist writeup published July 1, 2026, the researchers uncovered more than 90 spoofed domains, localized across 10 languages, that push ScreenConnect (a legitimate ConnectWise remote administration tool) onto victim machines and then deploy AsyncRAT, an open-source Trojan.
The fake installers pose as popular free tools: OBS Studio, DNS Jumper, DS4Windows, Bandicam, Glary Utilities, and Process Hacker, among others. Kaspersky says the operator used search engine optimization tricks so these fraudulent pages surface at the top of Google and Bing results, meaning victims arrive without ever seeing a phishing email. Domain registrations tie the activity to a window between roughly October 2025 and March 2026, and Kaspersky notes that many landing pages remained live at publication.
Why does this matter to your business?
It matters because the attacker's foothold is a signed, allowlisted tool, not obvious malware, so your existing controls may wave it through. ScreenConnect is a real product that IT teams use every day, so it carries valid digital certificates and is often on the approved-software list with elevated privileges. That is exactly what makes this campaign dangerous inside a company rather than just on a home PC.
Kaspersky states the campaign targets both individual users and corporate networks, and frames the likely goal bluntly. In the words of Denis Kulik, lead SOC analyst at Kaspersky: "The campaign targets both users downloading free utilities from the internet and corporate networks, where remote access tools are often allowlisted and granted elevated privileges."
Kulik added that the danger lies in its potential to enable large-scale credential theft and unauthorized access, with stolen data typically resold on dark web forums. For a business, that means an employee grabbing a free screen recorder can hand an attacker a persistent, trusted-looking beachhead. From there, stolen credentials become the entry point for the next stage: fraud, data theft, or ransomware.
How does the attack get in?
The entry point is a booby-trapped download archive that installs the real software you wanted alongside a hidden remote access service. In the incident Kaspersky dissected, a user searched for OBS Studio, landed on a typosquatted site, and downloaded a file named obs-studio-windows-x64.zip. Inside sat a genuine Microsoft-signed executable renamed to look like the installer, paired with a malicious library called install.res.1033.dll.
When the fake installer runs, it loads that rogue library through DLL sideloading, a technique that abuses a trusted program to run hidden code. The real application installs normally so nothing looks wrong, while ScreenConnect is silently installed in the background. ScreenConnect then runs a PowerShell script that adds Microsoft Defender exclusions and disables User Account Control prompts, followed by a VBScript chain that decrypts and injects the AsyncRAT payload into a legitimate Windows process (RegAsm.exe) using process hollowing.
Persistence is handled by a scheduled task named MasterPackager.Updater that fires every two minutes, so the malware survives reboots. The final result is a machine calling out to an attacker-controlled server, fully remote-controllable, while looking to most tools like ordinary remote-management traffic.
Why is a legitimate remote tool the dangerous part?
Because your defenses are built to catch malware, and this campaign mostly does not use any, at least not at the front door. Kaspersky even notes that its own products flag ScreenConnect only as "not-a-virus," the classification reserved for legitimate remote admin utilities. Signature-based antivirus has little reason to block a signed, real tool that thousands of legitimate IT teams deploy.
This is the part mainstream coverage underplays. The story is not really "a new Trojan." It is that remote monitoring and management (RMM) tools have become a preferred initial-access method precisely because they are trusted, signed, and frequently allowlisted. When I walk a client through their allowlist as a fractional CISO, unauthorized ScreenConnect, AnyDesk, or TeamViewer instances are among the first things I look for, because an approved-but-unexpected remote tool is often the quietest sign of compromise on the network. A control that says "allow all signed remote admin software" is not a control. It is an open door with a certificate on it.
What should your business do?
Focus on the three things that break this specific chain: control what installs, watch for unexpected remote tools, and treat leaked credentials as an early warning. These are concrete, and none require a big budget.
Lock down installations. Enforce application allowlisting and block MSI package execution from untrusted sources, which is how these fake installers deploy ScreenConnect silently.
Inventory your remote access tools. Know which RMM products (ScreenConnect, AnyDesk, TeamViewer, and similar) are genuinely approved, and continuously monitor for any new remote administration service or scheduled task you did not authorize.
Filter outbound traffic. Block or alert on connections to unknown domains and IP addresses, which is where the ScreenConnect and AsyncRAT command-and-control servers live.
Treat credential leaks as incidents. Kaspersky flags credential theft as the campaign's likely payoff, so a leaked employee login should trigger a response, not a shrug.
Train the download habit. Because SEO poisoning puts fakes at the top of search results, teach staff to reach software from the vendor's official site directly, not from a search result.
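As an added example, not code from the Kaspersky writeup or from Purple Shield Security, the following PowerShell triage script checks a single Windows host for the indicators described in the attack-chain section and the "How would I know" FAQ below: the MasterPackager.Updater task (or any task repeating every two minutes), remote access services outside your approved list, Defender exclusions, suppressed UAC prompts, and RegAsm.exe holding a network connection. The $ApprovedRemoteTools list is an assumption you replace with your own allowlist; it assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example, not from the Kaspersky writeup or Purple Shield Security.
# Run in an elevated PowerShell 5.1+ session on the host being checked.
$ApprovedRemoteTools = @('TeamViewer')   # assumption: replace with your real allowlist
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Persistence: the task named in the writeup, plus any task repeating every 2 minutes
foreach ($task in Get-ScheduledTask) {
    if ($task.TaskName -eq 'MasterPackager.Updater') {
        $Findings.Add("Scheduled task '$($task.TaskName)' matches the campaign indicator")
    }
    foreach ($trigger in @($task.Triggers)) {
        if ($trigger.Repetition.Interval -eq 'PT2M') {   # ISO 8601 duration: two minutes
            $Findings.Add("Task '$($task.TaskName)' repeats every 2 minutes, runs $($task.Actions.Execute)")
        }
    }
}

# 2. Remote admin services outside the approved list, or using the 'Microsoft Update Service' name from the FAQ
$rmmPattern = 'ScreenConnect|AnyDesk|TeamViewer'
foreach ($svc in Get-CimInstance Win32_Service) {
    $looksLikeRmm = ($svc.DisplayName -match $rmmPattern) -or ($svc.PathName -match $rmmPattern)
    $approved = $ApprovedRemoteTools | Where-Object { $svc.DisplayName -match [regex]::Escape($_) }
    if (($looksLikeRmm -and -not $approved) -or $svc.DisplayName -eq 'Microsoft Update Service') {
        $Findings.Add("Unapproved remote access service '$($svc.DisplayName)' -> $($svc.PathName)")
    }
}

# 3. Defender exclusions (the PowerShell stage in the chain adds these)
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($prefs) {
    foreach ($ex in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess) + @($prefs.ExclusionExtension)) {
        if ($ex) { $Findings.Add("Defender exclusion present: $ex") }
    }
}

# 4. UAC prompts disabled through the two policy values that control them
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -eq 0) { $Findings.Add('UAC is disabled (EnableLUA = 0)') }
if ($uac.ConsentPromptBehaviorAdmin -eq 0) { $Findings.Add('Admin elevation prompts suppressed (ConsentPromptBehaviorAdmin = 0)') }

# 5. RegAsm.exe (the hollowed host process) holding an established network connection
foreach ($conn in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.ProcessName -eq 'RegAsm') {
        $Findings.Add("RegAsm.exe (PID $($conn.OwningProcess)) connected to $($conn.RemoteAddress):$($conn.RemotePort)")
    }
}
if ($Findings.Count -eq 0) { 'No campaign indicators found on this host.' } else { $Findings }
```

Any hit on checks 1, 2 or 5 is worth an immediate incident ticket; checks 3 and 4 also fire on legitimate but poorly governed configurations, so compare them against your baseline before escalating.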
If your team does not have a clear answer to "which remote access tools are allowed here, and how would we know if a new one showed up," that is the gap this campaign is built to exploit. Purple Shield Security helps small and mid-sized firms build that visibility through vCISO services and practical risk assessment work, without selling you a stack of tools you do not need.
Frequently asked questions
Is ScreenConnect itself malware?
No. ScreenConnect is a legitimate ConnectWise remote management tool used by many IT teams. The problem here is abuse: attackers install a rogue copy configured to connect to their own servers, then use it to deploy the AsyncRAT Trojan. That is why antivirus tends to classify it as "not-a-virus" rather than blocking it outright.
How would I know if my computer is affected?
Watch for a ScreenConnect or "Microsoft Update Service" install you did not authorize, and a scheduled task named MasterPackager.Updater that runs every two minutes. Outbound connections to unfamiliar domains are another sign. If you found the software through a search result rather than the vendor's official page, treat that download as suspect and have it investigated.
Does antivirus alone stop this campaign?
Not reliably. The initial foothold uses a signed, legitimate tool that signature-based antivirus has little reason to block. Stopping this chain depends more on application allowlisting, monitoring for unexpected remote access services, and outbound traffic filtering than on antivirus catching a known-bad file.
We are a small company. Are we really a target?
Yes. Kaspersky says the campaign hits both individual users and corporate networks, and small firms are attractive because they often lack installation controls and remote-tool monitoring. The likely goal is credential theft for resale, and a small business login can be the entry point for a much larger attack. Company size does not remove you from the target list.
Not sure whether an unauthorized remote access tool could slip onto your network unnoticed? That is a worthwhile conversation. Purple Shield Security is an independent, vendor-neutral advisory firm, so the guidance you get is about protecting your business, not selling you products. Start at purpleshieldsecurity.com.