Kaspersky warns of a large-scale campaign using fake free software to deploy a RAT via ScreenConnect

The remote administration tool ScreenConnect is being distributed through fake websites designed to mimic the official pages of well-known software products. In total, researchers identified more than 90 domains spanning 10 languages, including English, Arabic, Spanish, Chinese, German, Portuguese, and Russian, enabling the attackers to reach a wide range of victims worldwide. The campaign targets both individual users and organizations using Windows.

After detecting an incident through its Managed Detection and Response, Kaspersky uncovered a large-scale campaign in which attackers used fake websites to spread installer archives disguised as popular software, including OBS Studio, DNS Jumper, DS4Windows, Glary Utilities and Bandicam. To drive traffic to these pages, the threat actor also used search engine optimization techniques to place them high in search results.

Across more than 90 identified fraudulent software sites, the same tactic was observed: victims who downloaded what appeared to be legitimate software instead received a hidden ScreenConnect remote administration tool, which gave the attackers persistent access to compromised devices and allowed them to deploy AsyncRAT, an open-source trojan capable of giving them full control over infected systems. Domain registrations linked to this campaign peaked in February 2026; in 2025, the same attacker had used fake websites to disguise malicious installers as games.

Example of a website used by attackers to deliver ScreenConnect

Infection occurs through malicious archives containing a legitimate, signed Microsoft file, install.exe, alongside the install.res.1033.dll library. The DLL is loaded by means of a DLL sideloading technique and deploys a ScreenConnect service that awaits further instructions from the attackers.
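As an added defender-side illustration (not part of Kaspersky's report or its detection logic), the script below runs a sideloading check over constructed image-load records modelled on Sysmon Event ID 7 fields: a signed install.exe loading install.res.1033.dll from a user-writable path, or loading it without a valid signature, is flagged. The field names are Sysmon's; the sample values, paths and the pairing table are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed sample records, simplified from Sysmon Event ID 7 (image load)
# fields: Image (loading process), ImageLoaded (DLL), Signed, SignatureStatus.
# Illustrative values only, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\OBS-Studio-Setup\install.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\OBS-Studio-Setup\install.res.1033.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\install.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

# Signed host executable -> DLL name(s) it is known to sideload in this campaign.
SIDELOAD_PAIRS = {"install.exe": {"install.res.1033.dll"}}

# Directories an ordinary user can write to; a signed installer pulling its
# resource DLL from one of these is the pattern described in the article.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|temp)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sideload_reason(event: dict) -> Optional[str]:
    """Return why an image-load event looks like sideloading, or None."""
    host, dll = basename(event["Image"]), basename(event["ImageLoaded"])
    if dll not in SIDELOAD_PAIRS.get(host, set()):
        return None
    reasons = []
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("DLL not validly signed")
    if USER_WRITABLE.match(event["ImageLoaded"]):
        reasons.append("DLL loaded from a user-writable directory")
    if not reasons:
        return None
    return f"{host} -> {dll}: " + "; ".join(reasons)


def scan(events: list) -> list:
    """Run the check over a batch of events and return the findings."""
    return [r for r in (sideload_reason(e) for e in events) if r]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```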

“The campaign targets both users downloading free utilities from the internet and corporate networks, where remote access tools are often allowlisted and granted elevated privileges. Its danger lies in its potential to facilitate large-scale credential theft and unauthorized access to systems, with the stolen data typically later resold on dark web forums,” says Denis Kulik, Lead SOC Analyst at Kaspersky.

The full report is available on Securelist.com.
