Kaspersky reported a large malware campaign that used spoofed, SEO-poisoned software download sites to distribute trojanized installers that silently deployed ScreenConnect and then AsyncRAT. The fake sites impersonated widely used tools including OBS Studio, DNS Jumper, DS4Windows, Bandicam, Glary Utilities, and Process Hacker, targeting both individual users and organizations across localized pages in 10 languages. Researchers identified more than 90 domains tied to the operation and linked the activity to multiple hosting and command-and-control clusters.
The infection chain abused DLL sideloading by pairing a legitimate Microsoft-signed install.exe with a malicious install.res.1033.dll, allowing attackers to covertly install ScreenConnect before launching PowerShell and VBS scripts to weaken defenses and establish persistence. The attackers then injected AsyncRAT into RegAsm.exe using process hollowing, with infrastructure analysis connecting the campaign to ScreenConnect C2 domains and an AsyncRAT controller at mora1987[.]work[.]gd. Kaspersky assessed that the operation began in October 2025, expanded through early 2026, and appeared to pause at the end of March 2026.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
On July 1, 2026, Kaspersky published research describing how investigation of a single ScreenConnect incident exposed a broader malware campaign using DLL sideloading, ScreenConnect, PowerShell and VBS scripts, and AsyncRAT process hollowing.
Kaspersky assessed that the observed campaign activity paused at the end of March 2026 after months of distributing trojanized archives that installed ScreenConnect and delivered AsyncRAT.
Through March 2026, the operation expanded to more than 90 domains localized in 10 languages, impersonating popular software such as OBS Studio, DNS Jumper, DS4Windows, Bandicam, Glary Utilities, and Process Hacker to target both individuals and organizations.
Kaspersky assessed that the malware campaign began in October 2025, using spoofed software download sites and SEO poisoning to distribute trojanized installers that covertly installed ScreenConnect and later deployed AsyncRAT.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcescworld.com
Open sourcethehackernews.com
Open sourcesecurelist.ru
Open sourcesecurelist.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.