← All stories
● Covered by 1 source Β· 1 reportMedium impact

Threat Actors Use SEO-Poisoned Sites to Deploy AsyncRAT via ScreenConnect

Aggregated by BrevFeed security · updated 22h ago

Cybercriminals are using the ScreenConnect remote access tool to deploy AsyncRAT through compromised installer archives hosted on spoofed websites. The campaign targets users in multiple languages and poses a significant security risk, because it lets attackers maintain control over compromised devices and steal sensitive data.

Key points

Deployment of AsyncRAT via ScreenConnect

Unknown threat actors are leveraging the ScreenConnect remote access tool to deploy AsyncRAT on compromised devices. Kaspersky has reported that this activity is part of a widespread campaign that distributes malicious installers masquerading as popular software applications.

Massive SEO-Poisoned Campaign

Kaspersky identified over 90 spoofed domain names localized in 10 different languages, including English, Russian, Chinese, and others. These domains were established between August 2025 and March 2026, suggesting a prolonged effort to deceive users into downloading malicious software.

How the Attack Works

The malicious installer archives bundle a legitimate Microsoft install.exe binary with a rogue DLL. Once executed, the installer deploys the ScreenConnect service, which lets the attackers send further instructions. The attack modifies system settings to disable UAC prompts and creates scripts that facilitate the execution of AsyncRAT.

Risk to Users and Organizations

Victims of this campaign range from individual users to organizations, and their sensitive data is at risk of theft. AsyncRAT allows attackers to covertly access and control infected Windows systems, record user activity, and harvest sensitive information.

Sustained Control and Persistence

The threat actors implement a scheduled task to maintain persistence, executing scripts every two minutes. This ensures that the malware remains active even after a system reboot, posing an ongoing threat to affected users.
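A defender can hunt for the persistence pattern described above by checking Task Scheduler definitions for very short repetition intervals combined with script-launching actions. The following is an added example, not code from Kaspersky or the original reporting: it takes a single task's XML definition (the format `schtasks /query /tn <name> /xml` prints). The interpreter list, the 120-second threshold and both sample tasks are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"powershell", "pwsh", "wscript", "cscript", "mshta", "cmd"}  # assumed list
SCRIPT_EXTS = (".ps1", ".vbs", ".js", ".bat", ".cmd")
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(text):
    """Convert an ISO 8601 duration such as PT2M to seconds (None if unparsable)."""
    m = ISO_DURATION.match(text.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def flag_task(task_xml, max_seconds=120):
    """Return script-launching actions of a task that repeats every max_seconds or less."""
    root = ET.fromstring(task_xml)
    intervals = [duration_seconds(e.text or "")
                 for e in root.findall("t:Triggers/*/t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i]
    if not intervals or min(intervals) > max_seconds:
        return []
    hits = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip().strip('"')
        args = ex.findtext("t:Arguments", "", NS).strip()
        host = PureWindowsPath(cmd).stem.lower()  # e.g. wscript.exe -> wscript
        words = f"{cmd} {args}".lower().replace('"', " ").split()
        if host in SCRIPT_HOSTS or any(w.endswith(SCRIPT_EXTS) for w in words):
            hits.append({"interval_s": min(intervals), "command": cmd, "arguments": args})
    return hits

# Constructed samples (not from the campaign): a benign daily task and a two-minute script task.
BENIGN = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><CalendarTrigger><StartBoundary>2026-01-01T03:00:00</StartBoundary>
<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
<Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions></Task>"""
SUSPECT = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><TimeTrigger><Repetition><Interval>PT2M</Interval></Repetition>
<StartBoundary>2026-01-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
<Actions><Exec><Command>wscript.exe</Command>
<Arguments>"C:\Users\Public\example\run.vbs"</Arguments></Exec></Actions></Task>"""

if __name__ == "__main__":
    for name, xml in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, flag_task(xml))
```

A hit is a lead for review rather than a verdict, since legitimate software also schedules frequent script tasks.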

This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.
