Fake software sites hide a remote tool that drops AsyncRAT

A single alert about a suspicious remote-access tool turned out to be the thread that unraveled a sprawling malware operation. Kaspersky's Managed Detection and Response team, writing in its SOC Files series, traced a ScreenConnect infection back to a fake OBS Studio download and then to more than 90 spoofed software sites, localized across 10 languages, all quietly installing hidden remote-control software as the first step of a chain that ends in an AsyncRAT infection.

How victims get infected

The attackers stand up typosquatted sites that impersonate popular free software such as OBS Studio, DNS Jumper, DS4Windows, and Bandicam, and promote them into search results. In the case Kaspersky investigated, a user searching for OBS Studio landed on studioobs[.]com, a look-alike of the real site, and downloaded an archive from fileget[.]loseyourip[.]com. The zip bundles a legitimate, Microsoft-signed install.exe alongside a malicious install.res.1033.dll. When the signed binary runs, Windows resolves the DLL name from the executable's own directory first, so the rogue DLL is sideloaded in place of the expected resource library; it then silently installs ScreenConnect, a legitimate remote-administration tool, as a hidden service under the attacker's control.

How the attack works

Because ScreenConnect is signed and often allowlisted by IT teams, it rarely trips alarms. From there the operators run a chain of PowerShell and VBScript that adds Microsoft Defender exclusions, disables User Account Control prompts, and reflectively loads a payload decrypted with a simple XOR key. The final stage uses process hollowing to inject AsyncRAT into a hollowed-out RegAsm.exe process, which beacons to the attacker's command-and-control server. A scheduled task named MasterPackager.Updater re-runs the loader every two minutes, which both restores the implant if it is killed and brings it back after a reboot.
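The reflective stage decrypts the AsyncRAT payload with a simple XOR key, but the article publishes neither the key nor its length. The following is an added analyst example, not code from Kaspersky, IntelFusions or the campaign: it recovers a repeating XOR key of up to 16 bytes from an encrypted PE by treating the standard DOS header as known plaintext, then confirms the candidate by checking that the decrypted blob carries a PE signature at e_lfanew. The sample blob, the key 5a c3 19 and the header layout are constructed for the demonstration; a real payload might use a longer key or a different scheme, in which case the function returns None rather than guessing.

```python
import struct
from typing import Optional

# First 16 bytes of the DOS header the Microsoft linker emits
# (e_magic "MZ", e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc).
# Assumption: the payload is a conventionally linked PE, so this is known plaintext.
KNOWN_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(ciphertext: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Recover a repeating XOR key of 1..max_key_len bytes from an encrypted PE.

    For each candidate length, derive the key from the known header prefix,
    require that it also reproduces the rest of the prefix, then confirm the
    full decryption parses as a PE. Returns None if no length fits.
    """
    max_key_len = min(max_key_len, len(KNOWN_PREFIX))
    if len(ciphertext) < len(KNOWN_PREFIX):
        return None
    for klen in range(1, max_key_len + 1):
        key = xor_bytes(ciphertext[:klen], KNOWN_PREFIX[:klen])
        if xor_bytes(ciphertext[:len(KNOWN_PREFIX)], key) != KNOWN_PREFIX:
            continue
        if looks_like_pe(xor_bytes(ciphertext, key)):
            return key
    return None


def build_sample_pe() -> bytes:
    """Constructed PE-shaped blob: 64-byte DOS header with e_lfanew=0x40,
    then a PE signature and a stub file header. Not a runnable executable."""
    dos = bytearray(KNOWN_PREFIX + b"\x00" * (0x40 - len(KNOWN_PREFIX)))
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 26


SAMPLE_KEY = b"\x5a\xc3\x19"  # constructed for the demo; not the campaign's key
ENCRYPTED_SAMPLE = xor_bytes(build_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(ENCRYPTED_SAMPLE)
    print("recovered key:", key.hex() if key else None)
    if key:
        print("decrypts to PE:", looks_like_pe(xor_bytes(ENCRYPTED_SAMPLE, key)))
```

The prefix check alone is not enough: a 16-byte candidate derived from 16 known bytes always reproduces them, so the e_lfanew validation is what rejects junk keys.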

Why it matters

Abusing trusted, signed remote tools like ScreenConnect lets attackers hide in plain sight on both home PCs and corporate networks, where the software may already be approved. It is the same playbook used by campaigns that push infostealers through fake app installers, and it works because users trust download sites that rank well in search. The fix is old but effective: download software only from the vendor's official domain, and treat an unexpected ScreenConnect or other remote-admin service as a red flag worth investigating.
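Each stage described above leaves a distinct trace: a signed install.exe loading an unsigned install.res.1033.dll from its own folder, a ScreenConnect service that IT never deployed, Add-MpPreference and UAC registry tampering on the command line, the MasterPackager.Updater task, and RegAsm.exe opening a network connection. The block below is an added example, not Kaspersky's or IntelFusions' detection content, that runs those rules over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 7 image load, plus a 7045-style service install). The paths, TEST-NET IP addresses, ScreenConnect instance ids and the sanctioned-instance allowlist are invented; the allowlist is the piece that turns "ScreenConnect is installed" into "an unexpected ScreenConnect is installed".

```python
import re
from typing import Dict, Iterable, List

# Constructed telemetry mirroring the chain in the article. Field names follow
# Sysmon; every value is made up for the demonstration.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7", "Image": r"C:\Users\alice\Downloads\OBS-Studio\install.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\OBS-Studio\install.res.1033.dll",
     "Signed": "false"},
    {"EventID": "7045", "ServiceName": "ScreenConnect Client (a1b2c3d4e5f6)",
     "ServiceFileName": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -nop -w hidden Add-MpPreference -ExclusionPath C:\ProgramData\mp"},
    {"EventID": "1", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"},
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "MasterPackager.Updater" /sc minute /mo 2 /tr C:\ProgramData\mp\loader.vbs'},
    {"EventID": "3", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "DestinationIp": "198.51.100.23", "DestinationPort": "4449"},
    # Benign noise that must stay silent.
    {"EventID": "3", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": "443"},
    {"EventID": "7", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

# Hypothetical placeholder: instance ids of ScreenConnect deployments your IT
# team actually operates. Anything else is "unexpected" in the article's sense.
SANCTIONED_SCREENCONNECT_INSTANCES = {"c0ffee000001"}

DEFENDER_EXCLUSION = re.compile(r"add-mppreference\s.*-exclusion(path|process|extension)", re.I)
UAC_TAMPER = re.compile(r"policies\\system.*\b(enablelua|consentpromptbehavioradmin)\b.*/d\s+0\b", re.I)
TASK_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b.*masterpackager\.updater", re.I)
SC_INSTANCE = re.compile(r"\(([0-9a-z]+)\)", re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def detect(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return one finding string per event that matches a stage of the chain."""
    hits: List[str] = []
    for ev in events:
        eid, image, cmd = ev.get("EventID"), ev.get("Image", ""), ev.get("CommandLine", "")
        if eid == "7":
            loaded = ev.get("ImageLoaded", "")
            # Sideload shape: the signed EXE resolves a DLL from its own folder
            # and that DLL is unsigned. The file pair is the one Kaspersky observed.
            if (_base(image) == "install.exe" and _base(loaded) == "install.res.1033.dll"
                    and _dir(image) == _dir(loaded) and ev.get("Signed", "").lower() != "true"):
                hits.append("sideload:install.exe->install.res.1033.dll")
        elif eid == "7045":
            name = ev.get("ServiceName", "")
            if "screenconnect" in (name + ev.get("ServiceFileName", "")).lower():
                m = SC_INSTANCE.search(name)
                if not m or m.group(1).lower() not in SANCTIONED_SCREENCONNECT_INSTANCES:
                    hits.append(f"rmm:unexpected ScreenConnect service '{name}'")
        elif eid == "1":
            if DEFENDER_EXCLUSION.search(cmd):
                hits.append("defense-evasion:Defender exclusion added")
            if UAC_TAMPER.search(cmd):
                hits.append("defense-evasion:UAC prompt disabled")
            if TASK_CREATE.search(cmd):
                hits.append("persistence:MasterPackager.Updater task")
        elif eid == "3" and _base(image) == "regasm.exe":
            # RegAsm.exe registers .NET assemblies; it has no reason to talk to the network.
            hits.append(f"c2:RegAsm.exe network connection to "
                        f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}")
    return hits


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The RegAsm.exe rule is the cheapest high-signal check here: the binary is a legitimate .NET tool, so a hollowed copy looks clean on disk and by signature, but a network connection from it is anomalous on almost any host. The sideload rule is deliberately narrow to the file pair from this case; widening it to "signed EXE loads unsigned DLL from a user-writable directory" catches the technique generally at the cost of more triage.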

Indicators of compromise

The indicators named in the case above, defanged; re-arm them only in controlled environments:

- studioobs[.]com: look-alike of the OBS Studio site that served the lure
- fileget[.]loseyourip[.]com: host from which the zip archive was downloaded
- install.res.1033.dll: malicious DLL sideloaded by the signed install.exe from the archive
- Hidden ScreenConnect service installed by the sideloaded DLL
- Scheduled task MasterPackager.Updater, re-running the loader every two minutes
- RegAsm.exe process hollowed to host AsyncRAT and beaconing to the command-and-control server

This briefing is provided by IntelFusions for informational and defensive purposes, based on Kaspersky's published analysis.
