
SEO Poisoning Hits 90+ Domains to Chain ScreenConnect into AsyncRAT via DLL Sideloading
SEO-optimized fake software download sites delivered ScreenConnect through DLL side-loading and ended with AsyncRAT executing on Windows endpoints. Kaspersky documented more than 90 domains and the full script chain that establishes persistence and command-and-control. The operation shows how search-engine placement scales the distribution of a commodity RAT, with direct data-theft risk for anyone who installs from the wrong result.
The campaign spoofs download pages for OBS Studio, DS4Windows, Bandicam and DNS Jumper across English, Russian, Chinese, German, French, Spanish, Portuguese and Arabic domains registered from August 2025 onward. Kaspersky traced the payload to a legitimate install.exe paired with a rogue install.res.1033.dll: the side-loaded DLL delivers ScreenConnect, disables UAC and Microsoft Defender, and then uses process hollowing to inject AsyncRAT. Five files staged in C:\Users\Public keep the chain running.
Technical evidence shows consistent use of living-off-the-land binaries and a scheduled task named MasterPackager.Updater that recurs every two minutes. The C2 domain and the VBScript/PowerShell sequence match prior AsyncRAT deployments, but the scale (multi-domain SEO poisoning rather than a single-site watering hole) marks an operational shift toward search-engine distribution.
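A hunting script for the chain described above, added here as an example and not taken from Kaspersky's report or the original page. It runs three rules over constructed, simplified events shaped like Sysmon Event ID 7 (image load), Sysmon Event ID 1 (process create) and Windows Security Event ID 4698 (scheduled task created): install.exe loading install.res.1033.dll from C:\Users\Public, a script host launching a script staged in that directory, and creation of the MasterPackager.Updater task, whose Task Scheduler XML is checked for a repetition interval. Hosts showing all three stages are reported as a full chain. The field names, host names, the update.vbs file name and the event shapes are assumptions; real log exporters use other keys, so adjust them before wiring this to a SIEM.

```python
"""Hunt for the ScreenConnect -> AsyncRAT chain described above.

Added example, not code from Kaspersky or the original page. The event
shapes (Sysmon 7, Sysmon 1, Security 4698) and field names are simplified
assumptions; the sample telemetry at the bottom is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PUBLIC_DIR = r"c:\users\public"        # staging directory named in the report
SIDELOAD_DLL = "install.res.1033.dll"  # rogue DLL picked up by the legitimate install.exe
TASK_NAME = "masterpackager.updater"   # persistence task named in the report
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}  # LOLBin script hosts
# Script files launched out of C:\Users\Public, where the report says the chain is staged
STAGED_SCRIPT = re.compile(r"c:\\users\\public\\[^\s\"']+\.(?:vbs|ps1|bat|cmd)", re.IGNORECASE)
TASK_INTERVAL = re.compile(r"<Interval>([^<]+)</Interval>")  # Task Scheduler XML repetition


@dataclass
class Event:
    event_id: int
    fields: Dict[str, str]


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_sideload(ev: Event) -> Optional[Finding]:
    """Sysmon 7: install.exe loading install.res.1033.dll from the Public directory."""
    if ev.event_id != 7:
        return None
    image, loaded = ev.fields.get("Image", ""), ev.fields.get("ImageLoaded", "")
    if (_basename(image) == "install.exe" and _basename(loaded) == SIDELOAD_DLL
            and loaded.lower().startswith(PUBLIC_DIR)):
        return Finding("dll_sideload", f"{image} loaded {loaded}")
    return None


def rule_script_from_public(ev: Event) -> Optional[Finding]:
    """Sysmon 1: a script host executing a script staged under C:\\Users\\Public."""
    if ev.event_id != 1:
        return None
    exe = _basename(ev.fields.get("Image", ""))
    match = STAGED_SCRIPT.search(ev.fields.get("CommandLine", ""))
    if exe in SCRIPT_HOSTS and match:
        return Finding("script_from_public", f"{exe} ran {match.group(0)}")
    return None


def rule_sched_task(ev: Event) -> Optional[Finding]:
    """Security 4698: creation of MasterPackager.Updater; records its repetition interval."""
    if ev.event_id != 4698:
        return None
    name = ev.fields.get("TaskName", "").lstrip("\\").lower()
    if name != TASK_NAME:
        return None
    interval = TASK_INTERVAL.search(ev.fields.get("TaskContent", ""))
    detail = f"task {name}" + (f" repeating every {interval.group(1)}" if interval else "")
    return Finding("sched_task", detail)


RULES = [rule_sideload, rule_script_from_public, rule_sched_task]
CHAIN_STAGES = {"dll_sideload", "script_from_public", "sched_task"}


def hunt(events: List[Event]) -> Dict[str, List[Finding]]:
    """Run every rule over every event and group the findings by host."""
    by_host: Dict[str, List[Finding]] = {}
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                by_host.setdefault(ev.fields.get("Host", "unknown"), []).append(finding)
    return by_host


def chain_hosts(findings: Dict[str, List[Finding]]) -> List[str]:
    """Hosts that show every stage: sideload, staged script execution and persistence."""
    return sorted(h for h, fs in findings.items() if {f.rule for f in fs} >= CHAIN_STAGES)


# Constructed sample telemetry (hypothetical hosts, paths and the update.vbs file name).
SAMPLE_EVENTS = [
    Event(7, {"Host": "ws01", "Image": r"C:\Users\Public\install.exe",
              "ImageLoaded": r"C:\Users\Public\install.res.1033.dll"}),
    Event(1, {"Host": "ws01", "Image": r"C:\Windows\System32\wscript.exe",
              "CommandLine": r'wscript.exe "C:\Users\Public\update.vbs"'}),
    Event(4698, {"Host": "ws01", "TaskName": r"\MasterPackager.Updater",
                 "TaskContent": "<Task><Triggers><TimeTrigger><Repetition>"
                                "<Interval>PT2M</Interval></Repetition></TimeTrigger></Triggers></Task>"}),
    # Benign: an installer loading its own resource DLL from its own directory, not from Public.
    Event(7, {"Host": "ws02", "Image": r"C:\Users\bob\AppData\Local\Temp\Setup\install.exe",
              "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\Setup\install.res.1033.dll"}),
    Event(1, {"Host": "ws02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"}),
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host, fs in results.items():
        for f in fs:
            print(f"{host}: [{f.rule}] {f.detail}")
    print("full chain on:", chain_hosts(results))
```

The sideload rule deliberately keys on the DLL being loaded from C:\Users\Public rather than on the DLL name alone: install.res.1033.dll is a plausible resource DLL name for a legitimate installer, and the benign ws02 event shows the same name loaded from the installer's own directory without triggering. Each rule on its own is a lead; the chain verdict is what is worth paging on.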
This pattern echoes documented cases in which a signed remote-access tool becomes the initial access vector rather than the end goal. Victims range from individuals to organizations, with credential exposure and screen capture following within weeks of installation. Independent confirmation of the domains and hashes is so far limited to Kaspersky's telemetry.
Indicators to watch next include new registrations mimicking additional utilities and fresh C2 infrastructure under .work[.]gd or similar domain suffixes. Procurement and licensing records for ScreenConnect can surface enterprise exposure by showing which installs were never authorized.
Kaspersky: New malicious domains in this campaign will exceed 150 within 90 days if current registration velocity holds.
Sources (3)
- [1] Kaspersky Securelist Analysis (https://securelist.com/seo-poisoned-software-asyncrat/)
- [2] The Hacker News Report (https://thehackernews.com/2026/07/seo-poisoned-software-sites-abuse.html)
- [3] MITRE ATT&CK AsyncRAT Profile (https://attack.mitre.org/software/S1087/)