Based on reporting by The Hacker News →
Introduction
A campaign that abuses a legitimate remote-access tool to drop a surveillance-capable trojan shows that threat actors are increasingly turning trusted software into their delivery mechanism. This attack chain, using cloned download portals, demands a fresh look at how organizations validate the software their users install.
The problem
According to a report by The Hacker News, unknown threat actors are running a "massive, multi-domain, multi-language" campaign that leverages the legitimate remote-access tool ScreenConnect to deploy and execute the AsyncRAT trojan. Kaspersky researchers identified that the attackers host malicious installer archives on spoofed websites that impersonate popular software titles — specifically naming OBS Studio, DNS Jumper, DS4Windows, and Bandicam. The victims are lured to these fake portals and download what they believe is a legitimate installer, which instead triggers a chain that installs ScreenConnect and then AsyncRAT.
Consequences
Once AsyncRAT gains a foothold on a victim machine, the attacker can log keystrokes, capture screens, exfiltrate files, and remotely control the system. For a business, this means credential theft, potential lateral movement into internal networks, and data exfiltration that could lead to compliance breaches or ransomware staging. Because the initial vector is a "trusted" tool (ScreenConnect), traditional endpoint controls may not flag it as malicious, extending the dwell time before detection.