The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign

    Introduction

    To access compromised systems, threat actors frequently abuse legitimate remote monitoring tools. At first glance, these utilities rarely raise red flags: they are signed with valid digital certificates, often allowlisted under corporate IT policies, and fully supported by OS vendors. However, they grant attackers the ability to harvest data from target devices, drop malware, and move laterally across the network.

    During a recent investigation engagement, the Kaspersky Managed Detection and Response (MDR) team discovered the ScreenConnect remote access tool being leveraged to deploy and execute an AsyncRAT payload.

    A deep dive into this single incident unraveled a massive campaign distributing malicious installer archives hosted on spoofed websites. These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, Bandicam, and others. In total, we uncovered more than 90 domain names localized across 10 languages. The malicious archives bundle a legitimate, signed Microsoft install.exe binary alongside a rogue install.res.1033.dll library. It is loaded onto the device via DLL sideloading and deploys the ScreenConnect service, which awaits further instructions from the threat actors.

    As a result, what initially appeared to be an isolated ScreenConnect incident served as the starting point for a full investigation into the threat actor’s C2 infrastructure. Every spoofed site we uncovered followed the exact same playbook: dropping a hidden ScreenConnect remote administration service under the guise of a legitimate software installer. This allowed the attackers to maintain control over compromised endpoints, with victims ranging from individual users to organizations.

    We continue to break down complex, multi-stage incidents like this in our ongoing The SOC Files series. In this post, we take a deep dive into the technical execution of the ScreenConnect attack and analyze the broader infrastructure under the threat actor’s control.

    Initial incident investigation

    The investigation was triggered by an alert from Kaspersky MDR, which flagged the creation and execution of suspicious PowerShell and VBS scripts spawned by a ScreenConnect process.

    About ScreenConnect

    ScreenConnect is a legitimate remote management utility. Kaspersky solutions detect it as not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen.

    ScreenConnect was running as an Access-type service — enabling direct remote connectivity — with the server explicitly passed via the command line:

    ScreenConnect service execution event with suspicious parameters

    Once running, ScreenConnect created and executed a PowerShell script named Fj5NmEsp9EuKrun.ps1:

    Malicious PowerShell script creation

    Below is an excerpt from the contents of the script:

    Snippet of Fj5NmEsp9EuKrun.ps1

    This script configures Microsoft Defender exclusions for the following objects:

    • All disks in the system: C:, D:, and others
    • All root directories on the C: drive, as well as the C:\Users\Public directory
    • RegAsm.exe process

    Additionally, the script disables User Account Control (UAC) prompts by setting the ConsentPromptBehaviorAdmin registry parameter to 0.

    Following this setup, the ScreenConnect service goes on to create a VBScript file:

    Malicious VBScript creation

    The installer_method3_stream.vbs script creates five files in the C:\Users\Public directory (msgbox.txt, secret_bytes.txt, 1.vb, cap.ps1, and script.vbs) and immediately triggers their execution by launching script.vbs.

    Contents of script.vbs

    This script terminates all active powershell.exe processes to cover its tracks and executes cap.ps1 in a hidden window.

    Contents of cap.ps1

    cap.ps1 reads the contents of the secret_bytes.txt file, extracts sequences matching the [SXX- pattern, and converts XX from hexadecimal representation to a byte. It then uses a 0xA7 XOR key to decrypt each byte and inverts the bit order. The resulting byte array yields a fully formed PE binary, which is then reflectively loaded into the CLR.
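    The decoding routine described above, as an added Python example rather than the script from the incident: it assumes the `[SXX-` token format and the operation order given in the text (XOR with 0xA7, then bit reversal), and builds its own sample input from a minimal PE-like header so it runs offline.

```python
import re

XOR_KEY = 0xA7
# Token format from the analysis: "[S" + two hex digits + "-"; anything else in the file is ignored.
TOKEN_RE = re.compile(r"\[S([0-9A-Fa-f]{2})-")


def reverse_bits(b: int) -> int:
    """Invert the bit order of one byte (bit 0 becomes bit 7, and so on)."""
    return int(f"{b:08b}"[::-1], 2)


def decode_secret_bytes(text: str, key: int = XOR_KEY) -> bytes:
    """Recover the embedded image: hex -> byte, XOR with the key, then reverse the bit order."""
    out = bytearray()
    for hex_byte in TOKEN_RE.findall(text):
        out.append(reverse_bits(int(hex_byte, 16) ^ key))
    return bytes(out)


def encode_for_test(data: bytes, key: int = XOR_KEY) -> str:
    """Inverse transform, used only to construct sample input here (not the malware's encoder)."""
    return "".join(f"[S{reverse_bits(b) ^ key:02X}-" for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on the decoded blob: MZ signature plus an in-bounds PE\\0\\0 header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed sample: a 0x44-byte stub with an MZ header whose e_lfanew points at "PE\0\0".
SAMPLE_PE = bytes(b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0")
SAMPLE_TEXT = "noise " + encode_for_test(SAMPLE_PE) + " trailing text"

if __name__ == "__main__":
    payload = decode_secret_bytes(SAMPLE_TEXT)
    print(len(payload), "bytes decoded, PE header valid:", looks_like_pe(payload))
```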

    Within the loaded assembly, the ConsoleApp1.Module1 type contains a static method named Run. The script uses reflection (Reflection.BindingFlags) to resolve a reference to this method and invoke it.

    The Run method executes a process hollowing technique (T1055.012), spawning a new RegAsm.exe process with the CREATE_SUSPENDED flag. The deobfuscated and decrypted PE image from secret_bytes.txt is then copied into its address space. As a result, the RegAsm.exe process no longer executes its original code, instead serving as a container for the injected .NET module — which, in this case, is the AsyncRAT remote access Trojan.

    To establish persistence, the malware schedules a task named MasterPackager.Updater:

    "schtasks" /Create /TN "MasterPackager.Updater" /TR "wscript.exe "C:\Users\Public\script.vbs" " /SC MINUTE /MO 2 /F

    This task triggers every two minutes, ensuring that script.vbs — and consequently the entire loader chain — executes even after a system reboot.

    Once the entire infection chain successfully executes, the RegAsm.exe process establishes a connection to the C2 domain mora1987[.]work[.]gd.

    AsyncRAT infection and persistence chain via ScreenConnect

    How ScreenConnect entered the system

    A retrospective analysis of the incident allowed us to pinpoint the source of the ScreenConnect installation: a user-downloaded archive named obs-studio-windows-x64.zip.

    The archive was downloaded from hxxps://www.studioobs[.]com/, a typosquatted domain mimicking the official site for OBS Studio, a popular open-source screen recording app. This site is present in search engine results; in this specific incident, the user landed on the malicious domain directly from a search query, a vector we analyze in more detail below.

    Clicking the download button for the supposedly legitimate software triggers a request to the following URL, from which the archive is fetched:

    hxxps://fileget.loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaM

    Site used to deliver ScreenConnect

    The archive contains a legitimate, Microsoft-signed executable named install.exe (87603EA025623B19954E460ADD532048), renamed to masquerade as the OBS Studio installer, along with a malicious library named install.res.1033.dll. Additionally, the archive includes an Assets folder containing both a copy of the actual software being impersonated and the ScreenConnect utility.

    Contents of obs-studio-windows-x64.zip

    The complete file structure of the archive is organized as follows:

    Detailed directory tree of obs-studio-windows-x64.zip

    When OBS-Studio-Installer.exe is executed, it loads install.res.1033.dll via DLL sideloading. This library contains the instructions required to install both ScreenConnect and OBS Studio. The deployment relies on native Windows utilities (msiexec.exe), but the attackers renamed the standard MSI packages to look like DLL files:

    • Assets\x86\Data\vcredist_x64.dll: ScreenConnect installer
    • Assets\x86\Data\vcredist_x86.dll: OBS Studio installer

    The contents of the vcredist_x64.dll MSI package are shown below:

    ScreenConnect installation files

    The Windows Installer is launched to install ScreenConnect silently in the background without requiring a system reboot:

    msiexec.exe /i "C:\Temp\OBS-Studio-Windows-x64\Assets\x86\vcredist_x64.dll" /qn /norestart
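    An added Python example, not part of the original analysis, for the renamed-MSI trick just described: it classifies each archive member by its file header instead of its extension and flags .dll entries that are really Windows Installer (compound file) packages. The archive layout and member contents are constructed to mirror the post's description; the real samples are not used.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Compound File Binary header: what an MSI package starts with, whatever its extension says.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
PE_MAGIC = b"MZ"

# What the extension claims the content should be.
EXPECTED_BY_EXT = {".dll": "pe", ".exe": "pe", ".msi": "msi"}


def classify(header: bytes) -> str:
    """Classify a file by its first bytes: 'msi' (OLE/CFB), 'pe' (MZ) or 'other'."""
    if header.startswith(OLE_MAGIC):
        return "msi"
    if header.startswith(PE_MAGIC):
        return "pe"
    return "other"


def scan_archive(zip_bytes: bytes) -> list:
    """Return (member, declared_by_extension, actual_by_header) for every mismatch, without extracting."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            declared = EXPECTED_BY_EXT.get(PurePosixPath(info.filename).suffix.lower())
            if declared is None:
                continue
            with zf.open(info) as fh:
                actual = classify(fh.read(len(OLE_MAGIC)))
            if actual != declared:
                findings.append((info.filename, declared, actual))
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive with the layout the post describes; bodies are dummy bytes, not real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("OBS-Studio-Windows-x64/OBS-Studio-Installer.exe", PE_MAGIC + b"\0" * 62)
        zf.writestr("OBS-Studio-Windows-x64/install.res.1033.dll", PE_MAGIC + b"\0" * 62)
        zf.writestr("OBS-Studio-Windows-x64/Assets/x86/vcredist_x64.dll", OLE_MAGIC + b"\0" * 56)
        zf.writestr("OBS-Studio-Windows-x64/Assets/x86/vcredist_x86.dll", OLE_MAGIC + b"\0" * 56)
        zf.writestr("OBS-Studio-Windows-x64/README.txt", b"not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for member, declared, actual in scan_archive(build_sample_archive()):
        print(f"{member}: extension says {declared}, header says {actual}")
```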

    Once the installation wraps up, a new service named Microsoft Update Service is created. The command line for this service explicitly defines the connection server as r[.]servermanagemen[.]xyz.

    Meanwhile, the MSI package for the actual OBS Studio software runs using a standard graphical user interface.

    ScreenConnect and OBS Studio installation workflow

    Expanding the investigation

    The attackers’ reliance on the legitimate install.exe binary provided a crucial pivot point for our broader investigation. We discovered that this specific file was being deployed in the wild under a variety of suspicious aliases, including:

    • ds4windows.exe
    • crosshairx_installer.exe
    • obs-studio-installer.exe
    • dns jumper.exe
    • glary utilities pro.exe
    • processhacker-2.39-setup.exe

    These file names indicate that the threat actor was disguising their ScreenConnect archives as popular utilities beyond OBS Studio. Among the fakes, we identified counterfeit installers for DS4Windows, DNS Jumper, Glary Utilities, and Process Hacker. Crucially, when these utilities are searched for on major search engines, the fraudulent sites frequently appear at the very top of the organic results. This indicates that the threat actor is actively leveraging SEO techniques to boost traffic to their landing pages.

    Spoofed software portals appearing in search engine results

    For example, here is how the fraudulent download portal for DNS Jumper looks:

    Fake website mimicking the official DNS Jumper resource

    On this page, the download button directs users to the following address:

    hxxps://direct-download.giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j

    Just like the OBS Studio variant, this drops an archive onto the victim’s device with an identical structure: a renamed legitimate install.exe file, a sideloaded library, and an Assets directory containing the promised software packaged alongside ScreenConnect.

    Contents of the DNS Jumper and ScreenConnect archive

    Other fraudulent websites that appear in search engine results when querying the corresponding software are designed in a similar fashion.

    Spoofed websites used to distribute ScreenConnect

    Notably, the vast majority of the fraudulent sites we uncovered are localized into English, Russian, and Chinese. In several instances, the pages were also translated into German, French, Spanish, Arabic, and other languages. This multi-language support underscores the global footprint of the campaign, targeting a broad user base across multiple regions.

    Language localization options on a ScreenConnect delivery site

    Fake domain infrastructure

    To distribute ScreenConnect disguised as freeware, the threat actor spun up an extensive network of domain names mapped across three IP addresses. We have categorized these into two distinct infrastructure clusters.

    Cluster 1: 162.216.241[.]242 and 198.23.185[.]81

    ```
    162.216.241[.]242
    Country: United States
    Org name: Dynu Systems Incorporated
    ```

    The connection graph below illustrates the campaign websites tied to IP address 162.216.241[.]242, which hosts the previously mentioned www[.]studioobs[.]com domain.

    URL connection graph for IP 162.216.241[.]242

    Looking into the registration dates for the domains on this IP, we found that the threat actor initially attempted to disguise their sites as various gaming portals:

    Subsequently, starting in January 2026, they shifted strategy and began registering fake domains designed to mimic popular freeware:

    In this specific branch of the ScreenConnect campaign, the malicious archives are hosted on fileget.loseyourip[.]com. Notably, the download resource is hosted on a completely separate provider:

    ```
    198.23.185[.]81
    Country: United States
    Org name: NOHAVPS LLC
    ```

    Our analysis of this second IP address revealed that it also hosts additional resources tied to the campaign, including fake gaming sites and supplementary download links:

    URL connection graph for IP 198.23.185[.]81

    Cluster 2: 2.59.134[.]97

    ```
    2.59.134[.]97
    Country: Germany
    Org name: dataforest GmbH
    ```

    Below is an infrastructure graph showing this IP address and its hosted domains. Notably, unlike the previous case, this address also hosts direct-download.giize[.]com, a resource used to store distributed malicious archives.

    URL connection graph for IP 2.59.134[.]97

    In this branch of the campaign, the threat actor skipped game-themed lures entirely, focusing exclusively on creating fraudulent freeware sites that bundled ScreenConnect with the requested application. The domains hosted on IP address 2.59.134[.]97 were registered between October 2025 and March 2026.

    The chart below shows the volume of fraudulent websites created month by month:

    Breakdown of ScreenConnect delivery sites by theme, August 2025 through March 2026

    C2 infrastructure analysis

    In total, we identified dozens of different archives distributed across this campaign. All of them share a uniform file structure, containing the malicious install.res.1033.dll library and the ScreenConnect MSI package located at Assets\x86\vcredist_x64.dll.

    In some instances, the ScreenConnect installation package also bundles a CAB archive.

    Contents of the CAB archive

    This archive contains a system.config XML file, which defines the connection address for the ScreenConnect C2 server:

    Contents of system.config

    By analyzing these ScreenConnect installations, we uncovered additional C2 addresses, which are mapped out in the following graph:

    Connection graph of ScreenConnect C2 domains

    The next graph illustrates the AsyncRAT command-and-control infrastructure:

    AsyncRAT C2 server infrastructure

    Based on the registration dates of the C2 domains, we can determine that the campaign was launched in October 2025 and paused at the end of March. However, at the time of publication, many of the landing pages remain accessible via search engine results.

    Takeaways

    Investigating a single case of AsyncRAT delivered via ScreenConnect allowed us to uncover a massive, multi-domain, multi-language infrastructure designed to distribute a hidden installer for this software and further advance the attack. The threat actor disguises ScreenConnect as popular utilities and distributes it through fraudulent websites that mimic official product pages. The attackers leverage search engine optimization techniques to push these sites to the top of search results in engines like Google and Bing.

    This attack chain targets both everyday consumers downloading free software from the internet and corporate networks, where remote access tools are frequently allowlisted and granted elevated privileges.

    The potential objective of the campaign is to steal credentials en masse and gain unauthorized access to systems for subsequent resale on dark web marketplaces.

    To mitigate the risks associated with this threat, we recommend implementing the following security measures:

    • Enforce strict software installation controls: application allowlisting and blocking MSI package execution from untrusted sources
    • Continuously monitor for the creation of new remote administration services and scheduler tasks
    • Filter outbound traffic to unknown domains and IP addresses
    • Regularly train users on safe downloading practices
    • Verify the authenticity of all software sources

    For enterprise users, credential monitoring is a critical mitigation strategy against the risks detailed in this article, as a leaked account or compromised system access frequently serves as a vector for subsequent attacks on the organization. Kaspersky Digital Footprint Intelligence provides continuous data monitoring across open and dark web sources, enabling security teams to respond proactively to potential threats.

    Detection by Kaspersky solutions

    Kaspersky Managed Detection and Response detects the malicious activity described in this post using the following indicators of attack:

    1. ScreenConnect service creation with suspicious parameters

    ```
    logsource:
        product: windows
        category: security
    detection:
        selection_access:
            EventID: 4697
            Service File Name|contains:
                - 'e=Access'
                - 'ClientService.exe'
        selection_support:
            EventID: 4697
            Service File Name|contains:
                - 'e=Support'
                - 'ClientService.exe'
        condition: selection_access or selection_support
    ```

    2. Anomalous child processes being spawned by the ScreenConnect service

    ```
    logsource:
        product: windows
        category: process_creation
    detection:
        selection:
            ParentImage|endswith:
                - '\ScreenConnect.ClientService.exe'
                - '\ScreenConnect.WindowsClient.exe'
                - '\ScreenConnect.WindowsBackstageShell.exe'
                - '\ScreenConnect.WindowsFileManager.exe'
            Image|endswith:
                - '\powershell.exe'
                - '\cmd.exe'
                - '\net.exe'
                - '\schtasks.exe'
                - '\sc.exe'
                - '\msiexec.exe'
                - '\mshta.exe'
                - '\rundll32.exe'
        condition: selection
    ```
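    An added Python example, not Kaspersky's code, that evaluates the two rules above with Sigma list semantics (several values under one field are OR-ed, fields within a selection are AND-ed) over constructed events. Field names are normalized to ServiceFileName, ParentImage and Image, which is an assumption about how the telemetry is mapped; the service path and process paths are made up for the test, only the ScreenConnect host comes from the post.

```python
RULE_SERVICE = {
    "selection_access": {"EventID": 4697,
                         "ServiceFileName|contains": ["e=Access", "ClientService.exe"]},
    "selection_support": {"EventID": 4697,
                          "ServiceFileName|contains": ["e=Support", "ClientService.exe"]},
    "condition": "selection_access or selection_support",
}
RULE_CHILD = {
    "selection": {
        "ParentImage|endswith": ["\\ScreenConnect.ClientService.exe",
                                 "\\ScreenConnect.WindowsClient.exe",
                                 "\\ScreenConnect.WindowsBackstageShell.exe",
                                 "\\ScreenConnect.WindowsFileManager.exe"],
        "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\net.exe", "\\schtasks.exe",
                           "\\sc.exe", "\\msiexec.exe", "\\mshta.exe", "\\rundll32.exe"],
    },
    "condition": "selection",
}


def _field_matches(event, key, expected):
    """Match one field spec ('Name', 'Name|contains' or 'Name|endswith'); list values are OR-ed."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    value = event[field]
    wanted = expected if isinstance(expected, list) else [expected]
    if modifier == "":
        return value in wanted
    text = str(value)
    if modifier == "contains":
        return any(w in text for w in wanted)
    if modifier == "endswith":
        return any(text.endswith(w) for w in wanted)
    raise ValueError("unsupported modifier: " + modifier)


def evaluate(rule, event):
    """Every field of a selection must match; the condition joins selection names with 'or'."""
    names = [tok for tok in rule["condition"].split() if tok != "or"]
    return any(all(_field_matches(event, k, v) for k, v in rule[n].items()) for n in names)


# Constructed events (not incident telemetry); the host name is the one named in the post.
SC_DIR = "C:\\Program Files (x86)\\ScreenConnect Client (ab12)\\"
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"EventID": 4697, "ServiceFileName": '"' + SC_DIR + 'ScreenConnect.ClientService.exe" '
                                         '"?e=Access&h=r.servermanagemen[.]xyz"'},
    {"EventID": 4697, "ServiceFileName": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"ParentImage": SC_DIR + "ScreenConnect.ClientService.exe", "Image": PS_EXE},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS_EXE},
]


def alerts(events=EVENTS):
    """Indexes of the events that trigger rule 1 or rule 2."""
    return [i for i, ev in enumerate(events) if evaluate(RULE_SERVICE, ev) or evaluate(RULE_CHILD, ev)]


if __name__ == "__main__":
    print("alerting events:", alerts())
```

Because list values are OR-ed, each selection in rule 1 also fires on any 4697 event whose service path merely contains ClientService.exe; if that is too broad for an environment, `|contains|all` makes both substrings required.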

    Additionally, Kaspersky products detect the malware covered in this post under the following verdicts:

    • Trojan.Win64.DLLhijack.*
    • Trojan.VBS.Agent.*
    • Trojan.PowerShell.Agent.bav
    • Trojan.JS.SAgent.sb

    Endpoint malicious activity can be monitored using Kaspersky EDR Expert. Specifically, security teams should look for the execution of commands and scripts containing suspicious patterns, such as XOR operations used for command and data obfuscation by malware operating on the host. This activity is flagged by the suspicious_assembly_loading_into_powershell_via_reflection_amsi and xored_powershell_command_amsi rules.

    Additionally, persistence mechanisms involving the creation, modification, or utilization of scheduled tasks via the schtasks.exe utility are caught by the scheduled_task_create_from_public_directory_via_schtasks rule.

    Malicious code injection into the RegAsm.exe process — leveraged by attackers to masquerade execution behind a trusted system component — is detected via the code_injection_to_unusual_process rule.

    To visualize the stages of the attack, security teams can utilize Kaspersky Cloud Sandbox on the Threat Intelligence portal. For instance, this tool allows defenders to map out the entire deployment and payload execution chain originating from the initial VBS dropper.

    Furthermore, the Kaspersky Threat Intelligence portal supports searching and graphing the connections between malicious domains and files involved in this campaign, as demonstrated in our adversary infrastructure analysis section.

    Finally, the Similarity engine within Kaspersky Threat Analysis profiles file contents to hunt down samples resembling the original threat, helping organizations identify new or previously undetected malicious objects.

    Indicators of compromise

    Loaders

    Malicious library: install.res.1033.dll

    AsyncRAT C2

    mora1987[.]work[.]gd

    Fake website addresses

    Fake domain infrastructure

    ScreenConnect C2
