{"id":3959,"date":"2026-07-01T13:03:58","date_gmt":"2026-07-01T13:03:58","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/07\/01\/the-soc-files-screenconnect-masked-as-freeware-an-inside-look-at-a-large-scale-campaign\/"},"modified":"2026-07-01T13:03:58","modified_gmt":"2026-07-01T13:03:58","slug":"the-soc-files-screenconnect-masked-as-freeware-an-inside-look-at-a-large-scale-campaign","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/07\/01\/the-soc-files-screenconnect-masked-as-freeware-an-inside-look-at-a-large-scale-campaign\/","title":{"rendered":"The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/01082525\/soc-files-screenconnect-featured-image-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<h2 id=\"introduction\">Introduction<\/h2>\n<p>To access compromised systems, threat actors <a href=\"https:\/\/securelist.com\/global-report-security-services-2026\/119233\/\" target=\"_blank\" rel=\"noopener\">frequently abuse<\/a> legitimate remote monitoring tools. At first glance, these utilities rarely raise red flags: they are signed with valid digital certificates, often allowlisted under corporate IT policies, and fully supported by OS vendors. 
However, they grant attackers the ability to harvest data from target devices, drop malware, and move laterally across the network.<\/p>\n<p>During a recent investigation engagement, the <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/managed-detection-and-response?icid=gl_sl_mdr-lnk_sm-team_195a10e9872df951\" target=\"_blank\" rel=\"noopener\">Kaspersky Managed Detection and Response<\/a> (MDR) team discovered the ScreenConnect remote access tool being leveraged to deploy and execute an AsyncRAT payload.<\/p>\n<p>A deep dive into this single incident unraveled a massive campaign distributing malicious installer archives hosted on spoofed websites. These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, Bandicam, and others. In total, we uncovered more than 90 domain names localized across 10 languages. The malicious archives bundle a legitimate, signed Microsoft <code>install.exe<\/code> binary alongside a rogue <code>install.res.1033.dll<\/code> library. It is loaded onto the device via DLL sideloading and deploys the ScreenConnect service, which awaits further instructions from the threat actors.<\/p>\n<p>As a result, what initially appeared to be an isolated ScreenConnect incident served as the starting point for a full investigation into the threat actor\u2019s C2 infrastructure. Every spoofed site we uncovered followed the exact same playbook: dropping a hidden ScreenConnect remote administration service under the guise of a legitimate software installer. This allowed the attackers to maintain control over compromised endpoints, with victims ranging from individual users to organizations.<\/p>\n<p>We continue to break down complex, multi-stage incidents like this in our ongoing <a href=\"https:\/\/securelist.com\/tag\/the-soc-files\/\" target=\"_blank\" rel=\"noopener\">The SOC Files series<\/a>. 
In this post, we take a deep dive into the technical execution of the ScreenConnect attack and analyze the broader infrastructure under the threat actor\u2019s control.<\/p>\n<h2 id=\"initial-incident-investigation\">Initial incident investigation<\/h2>\n<p>The investigation was triggered by an alert from Kaspersky MDR, which flagged the creation and execution of suspicious PowerShell and VBS scripts spawned by a ScreenConnect process.<\/p>\n<details>\n<summary>About ScreenConnect<\/summary>\n<p><em>ScreenConnect is a legitimate remote management utility. Kaspersky solutions detect it as not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen.<\/em><\/p>\n<\/details>\n<p>ScreenConnect was running as an Access-type service\u00a0\u2014 enabling direct remote connectivity\u00a0\u2014 with the server explicitly passed via the command line:<\/p>\n<div id=\"attachment_120489\" style=\"width: 1379px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211446\/soc-files-screenconnect1.png\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" aria-describedby=\"caption-attachment-120489\" class=\"size-full wp-image-120489\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211446\/soc-files-screenconnect1.png\" alt=\"ScreenConnect service execution event with suspicious parameters\" width=\"1369\" height=\"766\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211446\/soc-files-screenconnect1.png 1369w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211446\/soc-files-screenconnect1-300x168.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211446\/soc-files-screenconnect1-1024x573.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211446\/soc-files-screenconnect1-768x430.png 
768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211446\/soc-files-screenconnect1-270x150.png 270w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211446\/soc-files-screenconnect1-626x350.png 626w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211446\/soc-files-screenconnect1-740x414.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211446\/soc-files-screenconnect1-500x280.png 500w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211446\/soc-files-screenconnect1-800x448.png 800w\" sizes=\"(max-width: 1369px) 100vw, 1369px\"><\/a><\/p>\n<p id=\"caption-attachment-120489\" class=\"wp-caption-text\">ScreenConnect service execution event with suspicious parameters<\/p>\n<\/div>\n<p>Once running, ScreenConnect created and executed a PowerShell script named <code>Fj5NmEsp9EuKrun.ps1<\/code>:<\/p>\n<div id=\"attachment_120490\" style=\"width: 1378px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211520\/soc-files-screenconnect2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120490\" class=\"size-full wp-image-120490\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211520\/soc-files-screenconnect2.png\" alt=\"Malicious PowerShell script creation\" width=\"1368\" height=\"165\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211520\/soc-files-screenconnect2.png 1368w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211520\/soc-files-screenconnect2-300x36.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211520\/soc-files-screenconnect2-1024x124.png 1024w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211520\/soc-files-screenconnect2-768x93.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211520\/soc-files-screenconnect2-740x89.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211520\/soc-files-screenconnect2-800x96.png 800w\" sizes=\"auto, (max-width: 1368px) 100vw, 1368px\"><\/a><\/p>\n<p id=\"caption-attachment-120490\" class=\"wp-caption-text\">Malicious PowerShell script creation<\/p>\n<\/div>\n<p>Below is an excerpt from the contents of the script:<\/p>\n<div id=\"attachment_120491\" style=\"width: 1265px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211554\/soc-files-screenconnect3.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120491\" class=\"size-full wp-image-120491\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211554\/soc-files-screenconnect3.png\" alt=\"Snippet of Fj5NmEsp9EuKrun.ps1\" width=\"1255\" height=\"658\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211554\/soc-files-screenconnect3.png 1255w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211554\/soc-files-screenconnect3-300x157.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211554\/soc-files-screenconnect3-1024x537.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211554\/soc-files-screenconnect3-768x403.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211554\/soc-files-screenconnect3-668x350.png 668w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211554\/soc-files-screenconnect3-740x388.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211554\/soc-files-screenconnect3-534x280.png 534w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211554\/soc-files-screenconnect3-800x419.png 800w\" sizes=\"auto, (max-width: 1255px) 100vw, 1255px\"><\/a><\/p>\n<p id=\"caption-attachment-120491\" class=\"wp-caption-text\">Snippet of Fj5NmEsp9EuKrun.ps1<\/p>\n<\/div>\n<p>This script configures Microsoft Defender exclusions for the following objects:<\/p>\n<ul>\n<li>All disks in the system: C:, D:, and others<\/li>\n<li>All root directories on the C: drive, as well as the <code>C:\\Users\\Public<\/code> directory<\/li>\n<li><code>RegAsm.exe<\/code> process<\/li>\n<\/ul>\n<p>Additionally, the script disables User Account Control (UAC) prompts by setting the <code>ConsentPromptBehaviorAdmin<\/code> registry parameter to 0.<\/p>\n<p>Following this setup, the ScreenConnect service goes on to create a VBScript file:<\/p>\n<div id=\"attachment_120492\" style=\"width: 1378px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211632\/soc-files-screenconnect4.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120492\" class=\"size-full wp-image-120492\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211632\/soc-files-screenconnect4.png\" alt=\"Malicious VBScript creation\" width=\"1368\" height=\"201\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211632\/soc-files-screenconnect4.png 1368w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211632\/soc-files-screenconnect4-300x44.png 300w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211632\/soc-files-screenconnect4-1024x150.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211632\/soc-files-screenconnect4-768x113.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211632\/soc-files-screenconnect4-740x109.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211632\/soc-files-screenconnect4-800x118.png 800w\" sizes=\"auto, (max-width: 1368px) 100vw, 1368px\"><\/a><\/p>\n<p id=\"caption-attachment-120492\" class=\"wp-caption-text\">Malicious VBScript creation<\/p>\n<\/div>\n<p>The <code>installer_method3_stream.vbs<\/code> script creates five files in the <code>C:\\Users\\Public<\/code> directory (<code>msgbox.txt<\/code>, <code>secret_bytes.txt<\/code>, <code>1.vb<\/code>, <code>cap.ps1<\/code>, and <code>script.vbs<\/code>) and immediately triggers their execution by launching <code>script.vbs<\/code>.<\/p>\n<div id=\"attachment_120493\" style=\"width: 649px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211705\/soc-files-screenconnect5.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120493\" class=\"size-full wp-image-120493\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211705\/soc-files-screenconnect5.png\" alt=\"Contents of script.vbs\" width=\"639\" height=\"146\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211705\/soc-files-screenconnect5.png 639w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211705\/soc-files-screenconnect5-300x69.png 300w\" sizes=\"auto, (max-width: 639px) 100vw, 639px\"><\/a><\/p>\n<p id=\"caption-attachment-120493\" 
class=\"wp-caption-text\">Contents of script.vbs<\/p>\n<\/div>\n<p>This script terminates all active <code>powershell.exe<\/code> processes to cover its tracks and executes <code>cap.ps1<\/code> in a hidden window.<\/p>\n<div id=\"attachment_120494\" style=\"width: 1099px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211738\/soc-files-screenconnect6.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120494\" class=\"size-full wp-image-120494\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211738\/soc-files-screenconnect6.png\" alt=\"Contents of cap.ps1\" width=\"1089\" height=\"325\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211738\/soc-files-screenconnect6.png 1089w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211738\/soc-files-screenconnect6-300x90.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211738\/soc-files-screenconnect6-1024x306.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211738\/soc-files-screenconnect6-768x229.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211738\/soc-files-screenconnect6-740x221.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211738\/soc-files-screenconnect6-938x280.png 938w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211738\/soc-files-screenconnect6-800x239.png 800w\" sizes=\"auto, (max-width: 1089px) 100vw, 1089px\"><\/a><\/p>\n<p id=\"caption-attachment-120494\" class=\"wp-caption-text\">Contents of cap.ps1<\/p>\n<\/div>\n<p><code>cap.ps1<\/code> reads the contents of the <code>secret_bytes.txt<\/code> file, extracts sequences 
matching the <code>[SXX-<\/code> pattern, and converts XX from hexadecimal representation to a byte. It then uses a <code>0xA7<\/code> XOR key to decrypt each byte and inverts the bit order. The resulting byte array yields a fully formed PE binary, which is then reflectively loaded into the CLR.<\/p>\n<p>Within the loaded assembly, the <code>ConsoleApp1.Module1<\/code> type contains a static method named <code>Run<\/code>. The script uses reflection (<code>Reflection.BindingFlags<\/code>) to resolve a reference to this method and invoke it.<\/p>\n<p>The <code>Run<\/code> method executes a process hollowing technique (<a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/012\/\" target=\"_blank\" rel=\"noopener\">T1055.012<\/a>), spawning a new <code>RegAsm.exe<\/code> process with the <code>CREATE_SUSPENDED<\/code> flag. The deobfuscated and decrypted PE image from <code>secret_bytes.txt<\/code> is then copied into its address space. As a result, the <code>RegAsm.exe<\/code> process no longer executes its original code, instead serving as a container for the injected .NET module\u00a0\u2014 which, in this case, is the AsyncRAT remote access Trojan.<\/p>\n<p>To establish persistence, the malware schedules a task named <code>MasterPackager.Updater<\/code>:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">\"schtasks\" \/Create \/TN \"MasterPackager.Updater\" \/TR \"wscript.exe \"C:\\Users\\Public\\script.vbs\" \" \/SC MINUTE \/MO 2 \/F<\/pre>\n<p>This task triggers every two minutes, ensuring that <code>script.vbs<\/code>\u00a0\u2014 and consequently the entire loader chain\u00a0\u2014 executes even after a system reboot.<\/p>\n<p>Once the entire infection chain successfully executes, the <code>RegAsm.exe<\/code> process establishes a connection to the C2 domain <code>mora1987[.]work[.]gd<\/code>.<\/p>\n<div id=\"attachment_120495\" style=\"width: 1518px\" class=\"wp-caption aligncenter\"><a 
href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211926\/soc-files-screenconnect7.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120495\" class=\"size-full wp-image-120495\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211926\/soc-files-screenconnect7.png\" alt=\"AsyncRAT infection and persistence chain via ScreenConnect\" width=\"1508\" height=\"1534\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211926\/soc-files-screenconnect7.png 1508w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211926\/soc-files-screenconnect7-295x300.png 295w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211926\/soc-files-screenconnect7-1007x1024.png 1007w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211926\/soc-files-screenconnect7-768x781.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211926\/soc-files-screenconnect7-344x350.png 344w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211926\/soc-files-screenconnect7-740x753.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211926\/soc-files-screenconnect7-275x280.png 275w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211926\/soc-files-screenconnect7-800x814.png 800w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30211926\/soc-files-screenconnect7-50x50.png 50w\" sizes=\"auto, (max-width: 1508px) 100vw, 1508px\"><\/a><\/p>\n<p id=\"caption-attachment-120495\" class=\"wp-caption-text\">AsyncRAT infection and persistence chain via ScreenConnect<\/p>\n<\/div>\n<h2 id=\"how-screenconnect-entered-the-system\">How ScreenConnect 
entered the system<\/h2>\n<p>A retrospective analysis of the incident allowed us to pinpoint the source of the ScreenConnect installation: a user-downloaded archive named <code>obs-studio-windows-x64.zip<\/code>.<\/p>\n<p>The archive was downloaded from <code>hxxps:\/\/www.studioobs[.]com\/<\/code>, a typosquatted domain mimicking the official site for OBS Studio, a popular open-source screen recording app. This site is present in search engine results; in this specific incident, the user landed on the malicious domain directly from a search query, a vector we analyze in more detail below.<\/p>\n<p>Clicking the download button for the supposedly legitimate software triggers a request to the following URL, from which the archive is fetched:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">hxxps:\/\/fileget.loseyourip[.]com\/obs-studio-windows-full\/gVOMs5VZ9BtlcaM<\/pre>\n<div id=\"attachment_120496\" style=\"width: 1926px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212025\/soc-files-screenconnect8.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120496\" class=\"size-full wp-image-120496\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212025\/soc-files-screenconnect8.png\" alt=\"Site used to deliver ScreenConnect\" width=\"1916\" height=\"887\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212025\/soc-files-screenconnect8.png 1916w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212025\/soc-files-screenconnect8-300x139.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212025\/soc-files-screenconnect8-1024x474.png 1024w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212025\/soc-files-screenconnect8-768x356.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212025\/soc-files-screenconnect8-1536x711.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212025\/soc-files-screenconnect8-756x350.png 756w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212025\/soc-files-screenconnect8-740x343.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212025\/soc-files-screenconnect8-605x280.png 605w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212025\/soc-files-screenconnect8-800x370.png 800w\" sizes=\"auto, (max-width: 1916px) 100vw, 1916px\"><\/a><\/p>\n<p id=\"caption-attachment-120496\" class=\"wp-caption-text\">Site used to deliver ScreenConnect<\/p>\n<\/div>\n<p>The archive contains a legitimate, Microsoft-signed executable named <code>install.exe<\/code> (87603EA025623B19954E460ADD532048), renamed to masquerade as the OBS Studio installer, along with a malicious library named <code>install.res.1033.dll<\/code>. 
Additionally, the archive includes an Assets folder containing both a copy of the actual software being impersonated and the ScreenConnect utility.<\/p>\n<div id=\"attachment_120497\" style=\"width: 245px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212216\/soc-files-screenconnect9.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120497\" class=\"size-full wp-image-120497\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212216\/soc-files-screenconnect9.png\" alt=\"Contents of obs-studio-windows-x64.zip\" width=\"235\" height=\"161\"><\/a><\/p>\n<p id=\"caption-attachment-120497\" class=\"wp-caption-text\">Contents of obs-studio-windows-x64.zip<\/p>\n<\/div>\n<p>The complete file structure of the archive is organized as follows:<\/p>\n<div id=\"attachment_120498\" style=\"width: 455px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212255\/soc-files-screenconnect10.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120498\" class=\"size-full wp-image-120498\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212255\/soc-files-screenconnect10.png\" alt=\"Detailed directory tree of obs-studio-windows-x64.zip\" width=\"445\" height=\"635\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212255\/soc-files-screenconnect10.png 445w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212255\/soc-files-screenconnect10-210x300.png 210w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212255\/soc-files-screenconnect10-245x350.png 245w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212255\/soc-files-screenconnect10-196x280.png 196w\" sizes=\"auto, (max-width: 445px) 100vw, 445px\"><\/a><\/p>\n<p id=\"caption-attachment-120498\" class=\"wp-caption-text\">Detailed directory tree of obs-studio-windows-x64.zip<\/p>\n<\/div>\n<p>When <code>OBS-Studio-Installer.exe<\/code> is executed, it loads <code>install.res.1033.dll<\/code> via DLL sideloading. This library contains the instructions required to install both ScreenConnect and OBS Studio. The deployment relies on native Windows utilities (<code>msiexec.exe<\/code>), but the attackers renamed the standard MSI packages to look like DLL files:<\/p>\n<ul>\n<li><code>Assets\\x86\\Data\\vcredist_x64.dll<\/code>: ScreenConnect installer<\/li>\n<li><code>Assets\\x86\\Data\\vcredist_x86.dll<\/code>: OBS Studio installer<\/li>\n<\/ul>\n<p>The contents of the <code>vcredist_x64.dll<\/code> MSI package are shown below:<\/p>\n<div id=\"attachment_120499\" style=\"width: 984px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212338\/soc-files-screenconnect11.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120499\" class=\"size-full wp-image-120499\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212338\/soc-files-screenconnect11.png\" alt=\"ScreenConnect installation files\" width=\"974\" height=\"325\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212338\/soc-files-screenconnect11.png 974w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212338\/soc-files-screenconnect11-300x100.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212338\/soc-files-screenconnect11-768x256.png 768w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212338\/soc-files-screenconnect11-740x247.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212338\/soc-files-screenconnect11-839x280.png 839w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212338\/soc-files-screenconnect11-800x267.png 800w\" sizes=\"auto, (max-width: 974px) 100vw, 974px\"><\/a><\/p>\n<p id=\"caption-attachment-120499\" class=\"wp-caption-text\">ScreenConnect installation files<\/p>\n<\/div>\n<p>The Windows Installer is launched to install ScreenConnect silently in the background without requiring a system reboot:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">msiexec.exe \/i \"C:\\Temp\\OBS-Studio-Windows-x64\\Assets\\x86\\vcredist_x64.dll\" \/qn \/norestart<\/pre>\n<p>Once the installation wraps up, a new service named Microsoft Update Service is created. The command line for this service explicitly defines the connection server as <code>r[.]servermanagemen[.]xyz<\/code>.<\/p>\n<p>Meanwhile, the MSI package for the actual OBS Studio software runs using a standard graphical user interface.<\/p>\n<div id=\"attachment_120500\" style=\"width: 1516px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212440\/soc-files-screenconnect12.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120500\" class=\"size-full wp-image-120500\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212440\/soc-files-screenconnect12.png\" alt=\"ScreenConnect and OBS Studio installation workflow\" width=\"1506\" height=\"534\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212440\/soc-files-screenconnect12.png 1506w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212440\/soc-files-screenconnect12-300x106.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212440\/soc-files-screenconnect12-1024x363.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212440\/soc-files-screenconnect12-768x272.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212440\/soc-files-screenconnect12-987x350.png 987w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212440\/soc-files-screenconnect12-740x262.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212440\/soc-files-screenconnect12-790x280.png 790w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212440\/soc-files-screenconnect12-800x284.png 800w\" sizes=\"auto, (max-width: 1506px) 100vw, 1506px\"><\/a><\/p>\n<p id=\"caption-attachment-120500\" class=\"wp-caption-text\">ScreenConnect and OBS Studio installation workflow<\/p>\n<\/div>\n<h2 id=\"expanding-the-investigation\">Expanding the investigation<\/h2>\n<p>The attackers\u2019 reliance on the legitimate <code>install.exe<\/code> binary provided a crucial pivot point for our broader investigation. We discovered that this specific file was being deployed in the wild under a variety of suspicious aliases, including:<\/p>\n<ul>\n<li><code>ds4windows.exe<\/code><\/li>\n<li><code>crosshairx_installer.exe<\/code><\/li>\n<li><code>obs-studio-installer.exe<\/code><\/li>\n<li><code>dns jumper.exe<\/code><\/li>\n<li><code>glary utilities pro.exe<\/code><\/li>\n<li><code>processhacker-2.39-setup.exe<\/code><\/li>\n<\/ul>\n<p>These file names indicate that the threat actor was disguising their ScreenConnect archives as popular utilities beyond OBS Studio. 
Among the fakes, we identified counterfeit installers for DS4Windows, DNS Jumper, Glary Utilities, and Process Hacker. Crucially, when we search for these utilities on major search engines, these fraudulent sites frequently appear at the very top of the organic search results. This indicates that the threat actor is actively leveraging SEO techniques to boost traffic to their landing pages.\n<\/p>\n<div class=\"post-gallery-wrapper _post _post-5867\" data-id=\"5867\">\n<div class=\"post-gallery\">\n<div class=\"post-gallery__item\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"357\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212551\/soc-files-screenconnect13-1024x357.png\" class=\"attachment-large size-large\" alt=\"\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212551\/soc-files-screenconnect13-1024x357.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212551\/soc-files-screenconnect13-300x104.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212551\/soc-files-screenconnect13-768x267.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212551\/soc-files-screenconnect13-1536x535.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212551\/soc-files-screenconnect13-1005x350.png 1005w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212551\/soc-files-screenconnect13-740x258.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212551\/soc-files-screenconnect13-804x280.png 804w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212551\/soc-files-screenconnect13-800x279.png 800w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212551\/soc-files-screenconnect13.png 1976w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/div>\n<div class=\"post-gallery__item\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"333\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212622\/soc-files-screenconnect15-1024x333.png\" class=\"attachment-large size-large\" alt=\"\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212622\/soc-files-screenconnect15-1024x333.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212622\/soc-files-screenconnect15-300x98.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212622\/soc-files-screenconnect15-768x250.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212622\/soc-files-screenconnect15-1536x499.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212622\/soc-files-screenconnect15-2048x666.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212622\/soc-files-screenconnect15-1077x350.png 1077w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212622\/soc-files-screenconnect15-740x241.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212622\/soc-files-screenconnect15-861x280.png 861w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212622\/soc-files-screenconnect15-800x260.png 800w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/div>\n<div class=\"post-gallery__item\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"374\" 
src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212654\/soc-files-screenconnect17-1024x374.png\" class=\"attachment-large size-large\" alt=\"\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212654\/soc-files-screenconnect17-1024x374.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212654\/soc-files-screenconnect17-300x109.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212654\/soc-files-screenconnect17-768x280.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212654\/soc-files-screenconnect17-1536x560.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212654\/soc-files-screenconnect17-2048x747.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212654\/soc-files-screenconnect17-959x350.png 959w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212654\/soc-files-screenconnect17-740x270.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212654\/soc-files-screenconnect17-767x280.png 767w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212654\/soc-files-screenconnect17-800x292.png 800w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/div>\n<div class=\"post-gallery__item\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"282\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212737\/soc-files-screenconnect19-1024x282.png\" class=\"attachment-large size-large\" alt=\"Spoofed software portals appearing in search engine results\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212737\/soc-files-screenconnect19-1024x282.png 1024w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212737\/soc-files-screenconnect19-300x83.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212737\/soc-files-screenconnect19-768x212.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212737\/soc-files-screenconnect19-1536x423.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212737\/soc-files-screenconnect19-1270x350.png 1270w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212737\/soc-files-screenconnect19-740x204.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212737\/soc-files-screenconnect19-1016x280.png 1016w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212737\/soc-files-screenconnect19-800x220.png 800w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212737\/soc-files-screenconnect19.png 2032w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/div>\n<\/div>\n<\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: normal;margin-top: -10px\"><em>Spoofed software portals appearing in search engine results<\/em><\/p>\n<p>For example, here is how the fraudulent download portal for DNS Jumper looks:<\/p>\n<div id=\"attachment_120505\" style=\"width: 1910px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212816\/soc-files-screenconnect21.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120505\" class=\"size-full wp-image-120505\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212816\/soc-files-screenconnect21.png\" alt=\"Fake website mimicking the official DNS Jumper resource\" 
width=\"1900\" height=\"882\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212816\/soc-files-screenconnect21.png 1900w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212816\/soc-files-screenconnect21-300x139.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212816\/soc-files-screenconnect21-1024x475.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212816\/soc-files-screenconnect21-768x357.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212816\/soc-files-screenconnect21-1536x713.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212816\/soc-files-screenconnect21-754x350.png 754w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212816\/soc-files-screenconnect21-740x344.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212816\/soc-files-screenconnect21-603x280.png 603w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212816\/soc-files-screenconnect21-800x371.png 800w\" sizes=\"auto, (max-width: 1900px) 100vw, 1900px\"><\/a><\/p>\n<p id=\"caption-attachment-120505\" class=\"wp-caption-text\">Fake website mimicking the official DNS Jumper resource<\/p>\n<\/div>\n<p>On this page, the download button directs users to the following address:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">hxxps:\/\/direct-download.giize[.]com\/dns-jumper\/iopbsr4hymbo7nfa1q7j<\/pre>\n<p>Just like the OBS Studio variant, this link delivers an archive with an identical structure: a renamed, legitimately signed <code>install.exe<\/code>, the rogue <code>install.res.1033.dll<\/code> library that it sideloads, and an Assets directory containing the promised software packaged alongside ScreenConnect.<\/p>\n<div 
id=\"attachment_120506\" style=\"width: 260px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212856\/soc-files-screenconnect22.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120506\" class=\"size-full wp-image-120506\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212856\/soc-files-screenconnect22.png\" alt=\"Contents of the DNS Jumper and ScreenConnect archive\" width=\"250\" height=\"174\"><\/a><\/p>\n<p id=\"caption-attachment-120506\" class=\"wp-caption-text\">Contents of the DNS Jumper and ScreenConnect archive<\/p>\n<\/div>\n<p>Other fraudulent websites that appear in search engine results when querying the corresponding software are designed in a similar fashion.\n<\/p>\n<div class=\"post-gallery-wrapper _post _post-5598\" data-id=\"5598\">\n<div class=\"post-gallery\">\n<div class=\"post-gallery__item\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"519\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212933\/soc-files-screenconnect23-1024x519.png\" class=\"attachment-large size-large\" alt=\"\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212933\/soc-files-screenconnect23-1024x519.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212933\/soc-files-screenconnect23-300x152.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212933\/soc-files-screenconnect23-768x390.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212933\/soc-files-screenconnect23-1536x779.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212933\/soc-files-screenconnect23-2048x1039.png 2048w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212933\/soc-files-screenconnect23-690x350.png 690w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212933\/soc-files-screenconnect23-740x375.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212933\/soc-files-screenconnect23-552x280.png 552w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30212933\/soc-files-screenconnect23-800x406.png 800w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/div>\n<div class=\"post-gallery__item\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"503\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213014\/soc-files-screenconnect25-1024x503.png\" class=\"attachment-large size-large\" alt=\"\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213014\/soc-files-screenconnect25-1024x503.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213014\/soc-files-screenconnect25-300x147.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213014\/soc-files-screenconnect25-768x377.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213014\/soc-files-screenconnect25-1536x754.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213014\/soc-files-screenconnect25-2048x1006.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213014\/soc-files-screenconnect25-713x350.png 713w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213014\/soc-files-screenconnect25-740x363.png 740w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213014\/soc-files-screenconnect25-570x280.png 570w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213014\/soc-files-screenconnect25-800x393.png 800w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/div>\n<div class=\"post-gallery__item\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"535\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213045\/soc-files-screenconnect27-1024x535.png\" class=\"attachment-large size-large\" alt=\"\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213045\/soc-files-screenconnect27-1024x535.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213045\/soc-files-screenconnect27-300x157.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213045\/soc-files-screenconnect27-768x402.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213045\/soc-files-screenconnect27-1536x803.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213045\/soc-files-screenconnect27-2048x1071.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213045\/soc-files-screenconnect27-669x350.png 669w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213045\/soc-files-screenconnect27-740x387.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213045\/soc-files-screenconnect27-536x280.png 536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213045\/soc-files-screenconnect27-800x418.png 800w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/div>\n<div class=\"post-gallery__item\"><img loading=\"lazy\" 
decoding=\"async\" width=\"1024\" height=\"521\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213117\/soc-files-screenconnect29-1024x521.png\" class=\"attachment-large size-large\" alt=\"Spoofed websites used to distribute ScreenConnect\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213117\/soc-files-screenconnect29-1024x521.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213117\/soc-files-screenconnect29-300x153.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213117\/soc-files-screenconnect29-768x391.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213117\/soc-files-screenconnect29-1536x782.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213117\/soc-files-screenconnect29-2048x1043.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213117\/soc-files-screenconnect29-687x350.png 687w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213117\/soc-files-screenconnect29-740x377.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213117\/soc-files-screenconnect29-550x280.png 550w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213117\/soc-files-screenconnect29-800x407.png 800w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/div>\n<\/div>\n<\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: normal;margin-top: -10px\"><em>Spoofed websites used to distribute ScreenConnect<\/em><\/p>\n<p>Notably, the vast majority of the fraudulent sites we uncovered are localized into English, Russian, and Chinese. In several instances, the pages were also translated into German, French, Spanish, Arabic, and other languages. 
This multi-language support underscores the global footprint of the campaign, targeting a broad user base across multiple regions.<\/p>\n<div id=\"attachment_120511\" style=\"width: 252px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213151\/soc-files-screenconnect31.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120511\" class=\"size-full wp-image-120511\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213151\/soc-files-screenconnect31.png\" alt=\"Language localization options on a ScreenConnect delivery site\" width=\"242\" height=\"478\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213151\/soc-files-screenconnect31.png 242w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213151\/soc-files-screenconnect31-152x300.png 152w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213151\/soc-files-screenconnect31-177x350.png 177w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213151\/soc-files-screenconnect31-142x280.png 142w\" sizes=\"auto, (max-width: 242px) 100vw, 242px\"><\/a><\/p>\n<p id=\"caption-attachment-120511\" class=\"wp-caption-text\">Language localization options on a ScreenConnect delivery site<\/p>\n<\/div>\n<h2 id=\"fake-domain-infrastructure\">Fake domain infrastructure<\/h2>\n<p>To distribute ScreenConnect disguised as freeware, the threat actor spun up an extensive network of domain names mapped across three IP addresses. 
We have categorized these into two distinct infrastructure clusters.<\/p>\n<h3 id=\"cluster-1-162-216-241-242-and-198-23-185-81\">Cluster 1: 162.216.241[.]242 and 198.23.185[.]81<\/h3>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">162.216.241[.]242\r\nCountry: United States\r\nOrg name: Dynu Systems Incorporated<\/pre>\n<p>The connection graph below illustrates the campaign websites tied to IP address <code>162.216.241[.]242<\/code>, which hosts the previously mentioned <code>www[.]studioobs[.]com<\/code> domain.<\/p>\n<div id=\"attachment_120512\" style=\"width: 2510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213303\/soc-files-screenconnect32.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120512\" class=\"size-full wp-image-120512\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213303\/soc-files-screenconnect32.png\" alt=\"URL connection graph for IP 162.216.241[.]242\" width=\"2500\" height=\"1488\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213303\/soc-files-screenconnect32.png 2500w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213303\/soc-files-screenconnect32-300x179.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213303\/soc-files-screenconnect32-1024x609.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213303\/soc-files-screenconnect32-768x457.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213303\/soc-files-screenconnect32-1536x914.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213303\/soc-files-screenconnect32-2048x1219.png 2048w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213303\/soc-files-screenconnect32-588x350.png 588w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213303\/soc-files-screenconnect32-740x440.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213303\/soc-files-screenconnect32-470x280.png 470w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213303\/soc-files-screenconnect32-800x476.png 800w\" sizes=\"auto, (max-width: 2500px) 100vw, 2500px\"><\/a><\/p>\n<p id=\"caption-attachment-120512\" class=\"wp-caption-text\">URL connection graph for IP 162.216.241[.]242<\/p>\n<\/div>\n<p>\nLooking into the registration dates for the domains on this IP, we found that the threat actor initially attempted to disguise their sites as various gaming portals:<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213347\/soc-files-screenconnect34.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-120513\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213347\/soc-files-screenconnect34.png\" alt=\"\" width=\"1300\" height=\"450\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213347\/soc-files-screenconnect34.png 1300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213347\/soc-files-screenconnect34-300x104.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213347\/soc-files-screenconnect34-1024x354.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213347\/soc-files-screenconnect34-768x266.png 768w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213347\/soc-files-screenconnect34-1011x350.png 1011w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213347\/soc-files-screenconnect34-740x256.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213347\/soc-files-screenconnect34-809x280.png 809w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213347\/soc-files-screenconnect34-800x277.png 800w\" sizes=\"auto, (max-width: 1300px) 100vw, 1300px\"><\/a><\/p>\n<p>Subsequently, starting in January 2026, they shifted strategy and began registering fake domains designed to mimic popular freeware:<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213416\/soc-files-screenconnect35.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-120514\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213416\/soc-files-screenconnect35.png\" alt=\"\" width=\"1300\" height=\"594\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213416\/soc-files-screenconnect35.png 1300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213416\/soc-files-screenconnect35-300x137.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213416\/soc-files-screenconnect35-1024x468.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213416\/soc-files-screenconnect35-768x351.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213416\/soc-files-screenconnect35-766x350.png 766w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213416\/soc-files-screenconnect35-740x338.png 
740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213416\/soc-files-screenconnect35-613x280.png 613w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213416\/soc-files-screenconnect35-800x366.png 800w\" sizes=\"auto, (max-width: 1300px) 100vw, 1300px\"><\/a><\/p>\n<p>In this branch of the campaign, the landing pages and the malicious archives are split across providers: the archives are served from <code>fileget.loseyourip[.]com<\/code>, which resolves to a second IP address at a different hosting provider:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">198.23.185[.]81\r\nCountry: United States\r\nOrg name: NOHAVPS LLC<\/pre>\n<p>Our analysis of this second IP address revealed that it also hosts additional resources tied to the campaign, including fake gaming sites and supplementary download links:<\/p>\n<div id=\"attachment_120515\" style=\"width: 1391px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213516\/soc-files-screenconnect36.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120515\" class=\"size-full wp-image-120515\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213516\/soc-files-screenconnect36.png\" alt=\"URL connection graph for IP 198.23.185[.]81\" width=\"1381\" height=\"748\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213516\/soc-files-screenconnect36.png 1381w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213516\/soc-files-screenconnect36-300x162.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213516\/soc-files-screenconnect36-1024x555.png 1024w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213516\/soc-files-screenconnect36-768x416.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213516\/soc-files-screenconnect36-646x350.png 646w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213516\/soc-files-screenconnect36-740x401.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213516\/soc-files-screenconnect36-517x280.png 517w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213516\/soc-files-screenconnect36-800x433.png 800w\" sizes=\"auto, (max-width: 1381px) 100vw, 1381px\"><\/a><\/p>\n<p id=\"caption-attachment-120515\" class=\"wp-caption-text\">URL connection graph for IP 198.23.185[.]81<\/p>\n<\/div>\n<h3 id=\"cluster-2-2-59-134-97\">Cluster 2: 2.59.134[.]97<\/h3>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">2.59.134[.]97\r\nCountry: Germany\r\nOrg name: dataforest GmbH<\/pre>\n<p>Below is an infrastructure graph showing this IP address and its hosted domains. 
Notably, unlike Cluster 1, where the archives were served from a separate provider, this address also hosts <code>direct-download.giize[.]com<\/code>, the resource that stores the malicious archives distributed through its landing pages.<\/p>\n<div id=\"attachment_120516\" style=\"width: 2510px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213623\/soc-files-screenconnect37.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120516\" class=\"size-full wp-image-120516\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213623\/soc-files-screenconnect37.png\" alt=\"URL connection graph for IP 2.59.134[.]97\" width=\"2500\" height=\"1294\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213623\/soc-files-screenconnect37.png 2500w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213623\/soc-files-screenconnect37-300x155.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213623\/soc-files-screenconnect37-1024x530.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213623\/soc-files-screenconnect37-768x398.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213623\/soc-files-screenconnect37-1536x795.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213623\/soc-files-screenconnect37-2048x1060.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213623\/soc-files-screenconnect37-676x350.png 676w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213623\/soc-files-screenconnect37-740x383.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213623\/soc-files-screenconnect37-541x280.png 541w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213623\/soc-files-screenconnect37-800x414.png 800w\" sizes=\"auto, (max-width: 2500px) 100vw, 2500px\"><\/a><\/p>\n<p id=\"caption-attachment-120516\" class=\"wp-caption-text\">URL connection graph for IP 2.59.134[.]97<\/p>\n<\/div>\n<p>In this branch of the campaign, the threat actor skipped game-themed lures entirely, focusing exclusively on creating fraudulent freeware sites that bundled ScreenConnect with the requested application. The domains hosted on IP address <code>2.59.134[.]97<\/code> were registered between October 2025 and March 2026.<\/p>\n<p>The chart below shows the volume of fraudulent websites created month by month:<\/p>\n<div class=\"js-infogram-embed\" data-id=\"_\/SRWjBBluQbz4nBdzNXwk\" data-type=\"interactive\" data-title=\"01 EN ScreenConnect graphics\" style=\"min-height:;\"><\/div>\n<p style=\"text-align: center;font-style: italic;font-weight: normal;margin-top: -10px\"><em>Breakdown of ScreenConnect delivery sites by theme, August 2025 through March 2026 (<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213710\/soc-files-screenconnect39.png\" target=\"_blank\" rel=\"noopener\">download<\/a>)<\/em><\/p>\n<h2 id=\"c2-infrastructure-analysis\">C2 infrastructure analysis<\/h2>\n<p>In total, we identified dozens of different archives distributed across this campaign. 
All of them share a uniform file structure: the legitimate, signed <code>install.exe<\/code>, the malicious <code>install.res.1033.dll<\/code> library it sideloads, and the ScreenConnect MSI package stored at <code>Assets\\x86\\vcredist_x64.dll<\/code>, an MSI hidden behind a Visual C++ redistributable file name.<\/p>\n<p>In some instances, the ScreenConnect installation package also bundles a CAB archive.<\/p>\n<div id=\"attachment_120518\" style=\"width: 854px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213903\/soc-files-screenconnect40.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120518\" class=\"size-full wp-image-120518\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213903\/soc-files-screenconnect40.png\" alt=\"Contents of the CAB archive\" width=\"844\" height=\"542\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213903\/soc-files-screenconnect40.png 844w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213903\/soc-files-screenconnect40-300x193.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213903\/soc-files-screenconnect40-768x493.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213903\/soc-files-screenconnect40-545x350.png 545w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213903\/soc-files-screenconnect40-740x475.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213903\/soc-files-screenconnect40-436x280.png 436w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30213903\/soc-files-screenconnect40-800x514.png 800w\" sizes=\"auto, (max-width: 844px) 100vw, 844px\"><\/a><\/p>\n<p id=\"caption-attachment-120518\" class=\"wp-caption-text\">Contents of the CAB archive<\/p>\n<\/div>\n<p>This 
archive contains a <code>system.config<\/code> XML file, which defines the connection address for the ScreenConnect C2 server:<\/p>\n<div id=\"attachment_120519\" style=\"width: 854px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214021\/soc-files-screenconnect41.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120519\" class=\"size-full wp-image-120519\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214021\/soc-files-screenconnect41.png\" alt=\"Contents of system.config\" width=\"844\" height=\"223\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214021\/soc-files-screenconnect41.png 844w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214021\/soc-files-screenconnect41-300x79.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214021\/soc-files-screenconnect41-768x203.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214021\/soc-files-screenconnect41-740x196.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214021\/soc-files-screenconnect41-800x211.png 800w\" sizes=\"auto, (max-width: 844px) 100vw, 844px\"><\/a><\/p>\n<p id=\"caption-attachment-120519\" class=\"wp-caption-text\">Contents of system.config<\/p>\n<\/div>\n<p>By analyzing these ScreenConnect installations, we uncovered additional C2 addresses, which are mapped out in the following graph:<\/p>\n<div id=\"attachment_120520\" style=\"width: 1433px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214120\/soc-files-screenconnect42.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" 
aria-describedby=\"caption-attachment-120520\" class=\"size-full wp-image-120520\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214120\/soc-files-screenconnect42.png\" alt=\"Connection graph of ScreenConnect C2 domains\" width=\"1423\" height=\"637\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214120\/soc-files-screenconnect42.png 1423w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214120\/soc-files-screenconnect42-300x134.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214120\/soc-files-screenconnect42-1024x458.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214120\/soc-files-screenconnect42-768x344.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214120\/soc-files-screenconnect42-782x350.png 782w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214120\/soc-files-screenconnect42-740x331.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214120\/soc-files-screenconnect42-625x280.png 625w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214120\/soc-files-screenconnect42-800x358.png 800w\" sizes=\"auto, (max-width: 1423px) 100vw, 1423px\"><\/a><\/p>\n<p id=\"caption-attachment-120520\" class=\"wp-caption-text\">Connection graph of ScreenConnect C2 domains<\/p>\n<\/div>\n<p>The next graph illustrates the AsyncRAT command-and-control infrastructure:<\/p>\n<div id=\"attachment_120521\" style=\"width: 1520px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214220\/soc-files-screenconnect43.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" 
aria-describedby=\"caption-attachment-120521\" class=\"size-full wp-image-120521\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214220\/soc-files-screenconnect43.png\" alt=\"AsyncRAT C2 server infrastructure\" width=\"1510\" height=\"643\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214220\/soc-files-screenconnect43.png 1510w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214220\/soc-files-screenconnect43-300x128.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214220\/soc-files-screenconnect43-1024x436.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214220\/soc-files-screenconnect43-768x327.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214220\/soc-files-screenconnect43-822x350.png 822w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214220\/soc-files-screenconnect43-740x315.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214220\/soc-files-screenconnect43-658x280.png 658w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214220\/soc-files-screenconnect43-800x341.png 800w\" sizes=\"auto, (max-width: 1510px) 100vw, 1510px\"><\/a><\/p>\n<p id=\"caption-attachment-120521\" class=\"wp-caption-text\">AsyncRAT C2 server infrastructure<\/p>\n<\/div>\n<p>Based on the registration dates of the C2 domains, we can determine that the campaign was launched in October 2025 and paused at the end of March. 
However, at the time of publication, many of the landing pages remain accessible via search engine results.<\/p>\n<h2 id=\"takeaways\">Takeaways<\/h2>\n<p>Investigating a single case of AsyncRAT delivered via ScreenConnect allowed us to uncover a massive, multi-domain, multi-language infrastructure designed to distribute a hidden installer for this software and further advance the attack. The threat actor disguises ScreenConnect as popular utilities and distributes it through fraudulent websites that mimic official product pages. The attackers leverage search engine optimization techniques to push these sites to the top of search results in engines like Google and Bing.<\/p>\n<p>This attack chain targets both everyday consumers downloading free software from the internet and corporate networks, where remote access tools are frequently allowlisted and granted elevated privileges.<\/p>\n<p>The potential objective of the campaign is to steal credentials en masse and gain unauthorized access to systems for subsequent resale on dark web marketplaces.<\/p>\n<p>To mitigate the risks associated with this threat, we recommend implementing the following security measures:<\/p>\n<ul>\n<li>Enforce strict software installation controls: application allowlisting and blocking MSI package execution from untrusted sources<\/li>\n<li>Continuously monitor for the creation of new remote administration services and scheduled tasks<\/li>\n<li>Filter outbound traffic to unknown domains and IP addresses<\/li>\n<li>Regularly <a href=\"https:\/\/www.kaspersky.com\/go\/kasap-en?icid=gl_sl_post-kasap-lnk_sm-team_31941f6708a4db08\" target=\"_blank\" rel=\"noopener\">train users<\/a> on safe downloading practices<\/li>\n<li>Verify the authenticity of all software sources<\/li>\n<\/ul>\n<p>For enterprise users, credential monitoring is a critical mitigation strategy against the risks detailed in this article, as a leaked account or compromised system access frequently serves as a vector for 
subsequent attacks on the organization. <a href=\"https:\/\/dfi.kaspersky.com\/?icid=gl_sl_dfi-lnk_sm-team_99639c2452ebbd18\" target=\"_blank\" rel=\"noopener\">Kaspersky Digital Footprint Intelligence<\/a> provides continuous data monitoring across open and dark web sources, enabling security teams to respond proactively to potential threats.<\/p>\n<h2 id=\"detection-by-kaspersky-solutions\">Detection by Kaspersky solutions<\/h2>\n<p><a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/managed-detection-and-response?icid=gl_sl_mdr-lnk_sm-team_195a10e9872df951\" target=\"_blank\" rel=\"noopener\">Kaspersky Managed Detection and Response<\/a> detects the malicious activity described in this post using the following indicators of attack:<\/p>\n<ol>\n<li>ScreenConnect service creation with suspicious parameters\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">logsource:\r\n    product: windows\r\n    category: security\r\ndetection:\r\n    selection_access:\r\n        EventID: 4697\r\n        # the 'all' modifier ANDs the listed substrings; a plain 'contains' list is ORed in Sigma\r\n        Service File Name|contains|all:\r\n            - 'e=Access'\r\n            - 'ClientService.exe'\r\n    selection_support:\r\n        EventID: 4697\r\n        Service File Name|contains|all:\r\n            - 'e=Support'\r\n            - 'ClientService.exe'\r\n    condition: selection_access or selection_support<\/pre>\n<\/li>\n<li>Anomalous child processes being spawned by the ScreenConnect service\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">logsource:\r\n    product: windows\r\n    category: process_creation\r\ndetection:\r\n    selection:\r\n        ParentImage|endswith:\r\n            - '\\ScreenConnect.ClientService.exe'\r\n            - '\\ScreenConnect.WindowsClient.exe'\r\n            - '\\ScreenConnect.WindowsBackstageShell.exe'\r\n            - '\\ScreenConnect.WindowsFileManager.exe'\r\n        Image|endswith:\r\n            - '\\powershell.exe'\r\n            - '\\cmd.exe'\r\n            - '\\net.exe'\r\n            - 
'\\schtasks.exe'\r\n            - '\\sc.exe'\r\n            - '\\msiexec.exe'\r\n            - '\\mshta.exe'\r\n            - '\\rundll32.exe'\r\n    condition: selection<\/pre>\n<\/li>\n<\/ol>\n<p>Additionally, Kaspersky products detect the malware covered in this post under the following verdicts:<\/p>\n<ul>\n<li>Trojan.Win64.DLLhijack.*<\/li>\n<li>Trojan.VBS.Agent.*<\/li>\n<li>Trojan.PowerShell.Agent.bav<\/li>\n<li>Trojan.JS.SAgent.sb<\/li>\n<\/ul>\n<p>Endpoint malicious activity can be monitored using <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/endpoint-detection-response-edr?icid=gl_sl_post-kedr-expert_sm-team_29dc1130f3f612f2\" target=\"_blank\" rel=\"noopener\">Kaspersky EDR Expert<\/a>. Specifically, security teams should look for the execution of commands and scripts containing suspicious patterns, such as XOR operations used for command and data obfuscation by malware operating on the host. This activity is flagged by the <a href=\"https:\/\/tip.kaspersky.com\/landscape\/hunts\/386240d5-9795-4b74-82fa-48c91c4332d6?icid=gl_sl_tip-rule-lnk_sm-team_ee84a77d9cb2a726\" target=\"_blank\" rel=\"noopener\">suspicious_assembly_loading_into_powershell_via_reflection_amsi<\/a> and <a href=\"https:\/\/tip.kaspersky.com\/landscape\/hunts\/65014132-dd3b-4a2e-abbf-9d26c4357e7c?icid=gl_sl_tip-rule-lnk_sm-team_9061a1c6dc8ec18e\" target=\"_blank\" rel=\"noopener\">xored_powershell_command_amsi<\/a> rules.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214642\/soc-files-screenconnect44.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-120522\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214642\/soc-files-screenconnect44.png\" alt=\"\" width=\"1654\" height=\"782\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214642\/soc-files-screenconnect44.png 
1654w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214642\/soc-files-screenconnect44-300x142.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214642\/soc-files-screenconnect44-1024x484.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214642\/soc-files-screenconnect44-768x363.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214642\/soc-files-screenconnect44-1536x726.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214642\/soc-files-screenconnect44-740x350.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214642\/soc-files-screenconnect44-592x280.png 592w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214642\/soc-files-screenconnect44-800x378.png 800w\" sizes=\"auto, (max-width: 1654px) 100vw, 1654px\"><\/a><\/p>\n<p>Additionally, persistence mechanisms involving the creation, modification, or utilization of scheduled tasks via the <code>schtasks.exe<\/code> utility are caught by the <a href=\"https:\/\/tip.kaspersky.com\/landscape\/hunts\/86888af0-8f7f-4537-a3c8-45fa235ff11c?icid=gl_sl_tip-rule-lnk_sm-team_73520d105fc2c87e\" target=\"_blank\" rel=\"noopener\">scheduled_task_create_from_public_directory_via_schtasks<\/a> rule.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214714\/soc-files-screenconnect45.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-120523\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214714\/soc-files-screenconnect45.png\" alt=\"\" width=\"1652\" height=\"853\" 
srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214714\/soc-files-screenconnect45.png 1652w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214714\/soc-files-screenconnect45-300x155.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214714\/soc-files-screenconnect45-1024x529.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214714\/soc-files-screenconnect45-768x397.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214714\/soc-files-screenconnect45-1536x793.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214714\/soc-files-screenconnect45-678x350.png 678w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214714\/soc-files-screenconnect45-740x382.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214714\/soc-files-screenconnect45-542x280.png 542w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214714\/soc-files-screenconnect45-800x413.png 800w\" sizes=\"auto, (max-width: 1652px) 100vw, 1652px\"><\/a><\/p>\n<p>Malicious code injection into the <code>RegAsm.exe<\/code> process\u00a0\u2014 leveraged by attackers to masquerade execution behind a trusted system component\u00a0\u2014 is detected via the <a href=\"https:\/\/tip.kaspersky.com\/landscape\/hunts\/f6798e4d-b911-3754-f7aa-b4f5af4b3d18?icid=gl_sl_tip-rule-lnk_sm-team_af0738664cd6b4cd\" target=\"_blank\" rel=\"noopener\">code_injection_to_unusual_process<\/a> rule.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214752\/soc-files-screenconnect46.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-120524\" 
src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214752\/soc-files-screenconnect46.png\" alt=\"\" width=\"1654\" height=\"738\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214752\/soc-files-screenconnect46.png 1654w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214752\/soc-files-screenconnect46-300x134.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214752\/soc-files-screenconnect46-1024x457.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214752\/soc-files-screenconnect46-768x343.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214752\/soc-files-screenconnect46-1536x685.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214752\/soc-files-screenconnect46-784x350.png 784w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214752\/soc-files-screenconnect46-740x330.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214752\/soc-files-screenconnect46-628x280.png 628w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214752\/soc-files-screenconnect46-800x357.png 800w\" sizes=\"auto, (max-width: 1654px) 100vw, 1654px\"><\/a><\/p>\n<p>To visualize the stages of the attack, security teams can utilize <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-analysis?icid=gl_sl_threat-analysis-lnk_sm-team_ac4d6b2bf27709dd\" target=\"_blank\" rel=\"noopener\">Kaspersky Cloud Sandbox<\/a> on the <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/threat-intelligence?icid=gl_sl_post-ti_sm-team_338ad9481e2ccc25\" target=\"_blank\" rel=\"noopener\">Threat Intelligence<\/a> portal. 
For instance, this tool allows defenders to map out the entire deployment and payload execution chain originating from the initial VBS dropper.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214830\/soc-files-screenconnect47.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-120525\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214830\/soc-files-screenconnect47.png\" alt=\"\" width=\"1167\" height=\"616\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214830\/soc-files-screenconnect47.png 1167w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214830\/soc-files-screenconnect47-300x158.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214830\/soc-files-screenconnect47-1024x541.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214830\/soc-files-screenconnect47-768x405.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214830\/soc-files-screenconnect47-663x350.png 663w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214830\/soc-files-screenconnect47-740x391.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214830\/soc-files-screenconnect47-530x280.png 530w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214830\/soc-files-screenconnect47-800x422.png 800w\" sizes=\"auto, (max-width: 1167px) 100vw, 1167px\"><\/a><\/p>\n<p>Furthermore, the Kaspersky Threat Intelligence portal supports searching and graphing the connections between malicious domains and files involved in this campaign, as demonstrated in our <a 
href=\"https:\/\/securelist.com\/tr\/the-soc-files-screenconnect-campaign-with-asyncrat\/120472\/#fake-domain-infrastructure\">adversary infrastructure analysis section<\/a>.<\/p>\n<p>Finally, the Similarity engine within Kaspersky Threat Analysis profiles file contents to hunt down samples resembling the original threat, helping organizations identify new or previously undetected malicious objects.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214905\/soc-files-screenconnect48.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-120526\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214905\/soc-files-screenconnect48.png\" alt=\"\" width=\"1657\" height=\"832\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214905\/soc-files-screenconnect48.png 1657w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214905\/soc-files-screenconnect48-300x151.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214905\/soc-files-screenconnect48-1024x514.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214905\/soc-files-screenconnect48-768x386.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214905\/soc-files-screenconnect48-1536x771.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214905\/soc-files-screenconnect48-697x350.png 697w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214905\/soc-files-screenconnect48-740x372.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214905\/soc-files-screenconnect48-558x280.png 558w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/30214905\/soc-files-screenconnect48-800x402.png 800w\" sizes=\"auto, (max-width: 1657px) 100vw, 1657px\"><\/a><\/p>\n<h2 id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<h3 id=\"loaders\">Loaders<\/h3>\n<p><a href=\"https:\/\/opentip.kaspersky.com\/b32810973132d11afd61ccee222bbb79\/results?icid=gl_sl_tr-post-opentip_sm-team_3c257a3056392811&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">B32810973132D11AFD61CCEE222BBB79<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/5b7e1fe55bd7b5ea54bd4ed1677e5a26\/results?icid=gl_sl_tr-post-opentip_sm-team_9fb1d1d79cd06c80&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">5B7E1FE55BD7B5EA54BD4ED1677E5A26<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/9a9ccd8b0e5d05f4ee77667b024844db\/results?icid=gl_sl_tr-post-opentip_sm-team_b14c2f659639c05a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">9A9CCD8B0E5D05F4EE77667B024844DB<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/0eee9bad07e22415439e854657fa1366\/results?icid=gl_sl_tr-post-opentip_sm-team_3c86c79b0aa7c325&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">0EEE9BAD07E22415439E854657FA1366<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/8f4e8b680d3e8d3f5ac39bd72882f713\/results?icid=gl_sl_tr-post-opentip_sm-team_7b8adf9251c64f62&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">8F4E8B680D3E8D3F5AC39BD72882F713<\/a><\/p>\n<h3 id=\"malicious-library-install-res-1033-dll\">Malicious library: install.res.1033.dll<\/h3>\n<p><a href=\"https:\/\/opentip.kaspersky.com\/5f96c04e3afae97017b201be112284d2\/results?icid=gl_sl_tr-post-opentip_sm-team_97c7468083a06f9a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" 
rel=\"noopener\">5F96C04E3AFAE97017B201BE112284D2<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/73bead922109a61e5f9f85771a7812c5\/results?icid=gl_sl_tr-post-opentip_sm-team_074da6550f6015fc&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">73BEAD922109A61E5F9F85771A7812C5<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/edff4f58722c93d7c09ed71899416396\/results?icid=gl_sl_tr-post-opentip_sm-team_c67ae8ee14507b90&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">EDFF4F58722C93D7C09ED71899416396<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/83601c3d4ed28e8d2be1b99beb8ec18c\/results?icid=gl_sl_tr-post-opentip_sm-team_6a8a74ef0604fa08&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">83601C3D4ED28E8D2BE1B99BEB8EC18C<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/695e794631ef130583368770e7b81e98\/results?icid=gl_sl_tr-post-opentip_sm-team_136782e7502f1c7d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">695E794631EF130583368770E7B81E98<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/83601c3d4ed28e8d2be1b99beb8ec18c\/results?icid=gl_sl_tr-post-opentip_sm-team_6a8a74ef0604fa08&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">83601C3D4ED28E8D2BE1B99BEB8EC18C<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/1e6a5c7b620d487d0cfc6874c3b77c90\/results?icid=gl_sl_tr-post-opentip_sm-team_862c89151b82267f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">1E6A5C7B620D487D0CFC6874C3B77C90<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/54025ce2a9405039899fe99a1d77e0bb\/results?icid=gl_sl_tr-post-opentip_sm-team_30c245554658c595&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">54025CE2A9405039899FE99A1D77E0BB<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/bd05fcf80e493cf9aa71ec510319469d\/results?icid=gl_sl_tr-post-opentip_sm-team_956d4e4bd6d2d31c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">BD05FCF80E493CF9AA71EC510319469D<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/999a63730c9634481d1d76955a2e76a8\/results?icid=gl_sl_tr-post-opentip_sm-team_3c7408c8b55d5627&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">999A63730C9634481D1D76955A2E76A8<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/479bd3bb617b39cd4a46d0768a2592d4\/results?icid=gl_sl_tr-post-opentip_sm-team_d75aac414d2735be&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">479BD3BB617B39CD4A46D0768A2592D4<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/776dfd3df9c04bb9fcdd6c1880c3761a\/results?icid=gl_sl_tr-post-opentip_sm-team_928909375d7d6498&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">776DFD3DF9C04BB9FCDD6C1880C3761A<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/8e4c57358a66eb14d31abb614ddc68de\/results?icid=gl_sl_tr-post-opentip_sm-team_0177def2c3f5255a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">8E4C57358A66EB14D31ABB614DDC68DE<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/a40d3aeb0dae5b00bdb3a517f3135bbb\/results?icid=gl_sl_tr-post-opentip_sm-team_a496314b855b055d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">A40D3AEB0DAE5B00BDB3A517F3135BBB<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/a85a5bfdcb7c65ab93043b8cf9e20065\/results?icid=gl_sl_tr-post-opentip_sm-team_92ae4c8439f4f2d4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">A85A5BFDCB7C65AB93043B8CF9E20065<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/01325880efffec546f59490089a3b415\/results?icid=gl_sl_tr-post-opentip_sm-team_1f69fb8a7c53840f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">01325880EFFFEC546F59490089A3B415<\/a><\/p>\n<h3 id=\"asyncrat-c2\">AsyncRAT C2<\/h3>\n<p><a href=\"https:\/\/opentip.kaspersky.com\/mora1987.work.gd\/?icid=gl_sl_tr-post-opentip_sm-team_3ae4ab8169284a33&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">mora1987[.]work[.]gd<\/a><\/p>\n<h3 id=\"fake-websites-addresses\">Fake websites addresses<\/h3>\n<p><a href=\"https:\/\/opentip.kaspersky.com\/ds4windows.io\/?icid=gl_sl_tr-post-opentip_sm-team_2482ea0948e5da85&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ds4windows[.]io<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/direct-download.giize.com\/?icid=gl_sl_tr-post-opentip_sm-team_d5c6d16517e5cf03&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">direct-download[.]giize[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/tmodloader.org\/?icid=gl_sl_tr-post-opentip_sm-team_cc9e7ee658478810&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">tmodloader[.]org<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/tmodloader.app\/?icid=gl_sl_tr-post-opentip_sm-team_04e42edc06a2ae56&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">tmodloader[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ds4windows.net\/?icid=gl_sl_tr-post-opentip_sm-team_385b8054c717bfac&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ds4windows[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/losslessscaling.app\/?icid=gl_sl_tr-post-opentip_sm-team_614d51a60becb019&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" 
target=\"_blank\" rel=\"noopener\">losslessscaling[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/processhacker.dev\/?icid=gl_sl_tr-post-opentip_sm-team_e6d7323988eb883f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">processhacker[.]dev<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/steamtools.pro\/?icid=gl_sl_tr-post-opentip_sm-team_1d3e18c517519b9a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">steamtools[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/dnsjumper.app\/?icid=gl_sl_tr-post-opentip_sm-team_287b7a9d6cb97832&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">dnsjumper[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/free-download.camdvr.org\/?icid=gl_sl_tr-post-opentip_sm-team_2ea26375a4cfefa0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">free-download[.]camdvr[.]org<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/defendercontrol.org\/?icid=gl_sl_tr-post-opentip_sm-team_286af1add519e4b0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">defendercontrol[.]org<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/dns-jumper.com\/?icid=gl_sl_tr-post-opentip_sm-team_afbb4f2bda79e3bf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">dns-jumper[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/cpuz.app\/?icid=gl_sl_tr-post-opentip_sm-team_7a063975b5df93b7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">cpuz[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/processhacker.org\/?icid=gl_sl_tr-post-opentip_sm-team_3bce954c2908c669&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">processhacker[.]org<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/processhacker.app\/?icid=gl_sl_tr-post-opentip_sm-team_d5b12fa47266feeb&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">processhacker[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/steamtools.cc\/?icid=gl_sl_tr-post-opentip_sm-team_2841b9c67ffafe4e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">steamtools[.]cc<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/cpuz.pro\/?icid=gl_sl_tr-post-opentip_sm-team_6b4680c3ed737856&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">cpuz[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/wallpaper-engine.app\/?icid=gl_sl_tr-post-opentip_sm-team_60d8256c12fdf0f9&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">wallpaper-engine[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/processhacker.net\/?icid=gl_sl_tr-post-opentip_sm-team_fe90a122d91c60c2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">processhacker[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/antimicrox.net\/?icid=gl_sl_tr-post-opentip_sm-team_91a191808ba451c9&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">antimicrox[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/defendercontrol.app\/?icid=gl_sl_tr-post-opentip_sm-team_643e9d40f1aa6e98&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">defendercontrol[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/tmodloader.pro\/?icid=gl_sl_tr-post-opentip_sm-team_811ba9f950849449&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">tmodloader[.]pro<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/dnsjumper.io\/?icid=gl_sl_tr-post-opentip_sm-team_b9c69dee13de3f96&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">dnsjumper[.]io<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/bandicam.app\/?icid=gl_sl_tr-post-opentip_sm-team_e7048b2f58f5c94f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">bandicam[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/mgba.app\/?icid=gl_sl_tr-post-opentip_sm-team_c86ad3d8a2cacf3e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">mgba[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/dnsjumper.pro\/?icid=gl_sl_tr-post-opentip_sm-team_402fe70935efbefc&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">dnsjumper[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ferdium.app\/?icid=gl_sl_tr-post-opentip_sm-team_aade73444e350c12&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ferdium[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ds4windows.pro\/?icid=gl_sl_tr-post-opentip_sm-team_8d005553a6cd4fcb&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ds4windows[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/lossless-scaling.online\/?icid=gl_sl_tr-post-opentip_sm-team_5f82ea3919f9547c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">lossless-scaling[.]online<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/defender-control.com\/?icid=gl_sl_tr-post-opentip_sm-team_071e1a44d9a6fa67&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">defender-control[.]com<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/gom-player.app\/?icid=gl_sl_tr-post-opentip_sm-team_6d78411ee4e90800&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">gom-player[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/defendercontrol.pro\/?icid=gl_sl_tr-post-opentip_sm-team_dc1a9835a2e7aca5&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">defendercontrol[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/lossless-scaling.download\/?icid=gl_sl_tr-post-opentip_sm-team_9050bafc7dc87775&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">lossless-scaling[.]download<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/antimicrox.pro\/?icid=gl_sl_tr-post-opentip_sm-team_5c8beb0fcd8f19f9&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">antimicrox[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/mgba.pro\/?icid=gl_sl_tr-post-opentip_sm-team_bfda58659d6362db&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">mgba[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/lossless-scaling.app\/?icid=gl_sl_tr-post-opentip_sm-team_426ffb065dc7aff4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">lossless-scaling[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/losslessscaling.pro\/?icid=gl_sl_tr-post-opentip_sm-team_99d1aaffc95abbf6&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">losslessscaling[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/mgba.dev\/?icid=gl_sl_tr-post-opentip_sm-team_59aad0b77d49395d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">mgba[.]dev<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/tmodloader.download\/?icid=gl_sl_tr-post-opentip_sm-team_191c71f454da7f9b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">tmodloader[.]download<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/tmod-loader.com\/?icid=gl_sl_tr-post-opentip_sm-team_c94d122cea36bfe3&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">tmod-loader[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/defendercontrol.download\/?icid=gl_sl_tr-post-opentip_sm-team_2dc0769b57345f39&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">defendercontrol[.]download<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ferdium.pro\/?icid=gl_sl_tr-post-opentip_sm-team_a3e9664000552b98&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ferdium[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/deadreset.com\/?icid=gl_sl_tr-post-opentip_sm-team_f8887a4224b6ce9d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">deadreset[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/gom-player.net\/?icid=gl_sl_tr-post-opentip_sm-team_c435eebb6c128fbf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">gom-player[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/crosshairx.pro\/?icid=gl_sl_tr-post-opentip_sm-team_5f646cb4c353efaa&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">crosshairx[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/libreoffice.pro\/?icid=gl_sl_tr-post-opentip_sm-team_dd61f2fc23c2f0e4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">libreoffice[.]pro<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/studioobs.com\/?icid=gl_sl_tr-post-opentip_sm-team_e29f23f5e0391e2c&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">studioobs[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/studio-obs.net\/?icid=gl_sl_tr-post-opentip_sm-team_26e0fdf787de6885&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">studio-obs[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/crosshairxv2.com\/?icid=gl_sl_tr-post-opentip_sm-team_ec09717f866ad55e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">crosshairxv2[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/km-player.com\/?icid=gl_sl_tr-post-opentip_sm-team_c9c376bde054d0de&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">km-player[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/corel-draw.net\/?icid=gl_sl_tr-post-opentip_sm-team_88a47fd16c65d229&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">corel-draw[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/glary-utilities.com\/?icid=gl_sl_tr-post-opentip_sm-team_dc40e0995e0f9b35&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">glary-utilities[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/download-full-version.ooguy.com\/?icid=gl_sl_tr-post-opentip_sm-team_a24c39d99ed34da7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">download-full-version[.]ooguy[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/crosshair-x.com\/?icid=gl_sl_tr-post-opentip_sm-team_97dab36368364227&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">crosshair-x[.]com<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/kms-tools.com\/?icid=gl_sl_tr-post-opentip_sm-team_046ba1d3eef072e0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">kms-tools[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/studio-obs.com\/?icid=gl_sl_tr-post-opentip_sm-team_8f317dc6fbbbbc55&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">studio-obs[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/crosshairx.net\/?icid=gl_sl_tr-post-opentip_sm-team_2c4fb3a899afde0d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">crosshairx[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/clair-obscur-33.com\/?icid=gl_sl_tr-post-opentip_sm-team_6f4638d25ed6be5a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">clair-obscur-33[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/vlc-player.net\/?icid=gl_sl_tr-post-opentip_sm-team_02bcdeec2f728ccf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">vlc-player[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/arksurvival-ascended.com\/?icid=gl_sl_tr-post-opentip_sm-team_327918c0f73935a0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">arksurvival-ascended[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/elden-ringnightreign.com\/?icid=gl_sl_tr-post-opentip_sm-team_da0afebcb6c8202a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">elden-ringnightreign[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ready-ornot.com\/?icid=gl_sl_tr-post-opentip_sm-team_6e3479b14a28275d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ready-ornot[.]com<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/arma-reforger.com\/?icid=gl_sl_tr-post-opentip_sm-team_c1516815a3f12f64&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">arma-reforger[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/crusader-kings.com\/?icid=gl_sl_tr-post-opentip_sm-team_007cd7c4dd7d03a8&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">crusader-kings[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/crosshairx2.com\/?icid=gl_sl_tr-post-opentip_sm-team_5f20ca9a7f42ced9&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">crosshairx2[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/mediaplayerclassic.net\/?icid=gl_sl_tr-post-opentip_sm-team_f5e21827d8507734&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">mediaplayerclassic[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/bandizip.pro\/?icid=gl_sl_tr-post-opentip_sm-team_d2b5238cbd786c92&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">bandizip[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/obs-studio.site\/?icid=gl_sl_tr-post-opentip_sm-team_13c1b72ada2aa10a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">obs-studio[.]site<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ovr-advanced-settings.com\/?icid=gl_sl_tr-post-opentip_sm-team_64aea0b58153c566&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ovr-advanced-settings[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/studio-obs.pro\/?icid=gl_sl_tr-post-opentip_sm-team_3d8316d20c9da06f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">studio-obs[.]pro<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/vlc-media.com\/?icid=gl_sl_tr-post-opentip_sm-team_4130502b8abd8415&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">vlc-media[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/clair-obscur-33.town\/?icid=gl_sl_tr-post-opentip_sm-team_42e80eba3cf18e9e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">clair-obscur-33[.]town<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ovr-toolkit.com\/?icid=gl_sl_tr-post-opentip_sm-team_e93c1259d2ae6113&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ovr-toolkit[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/crusader-kings.church\/?icid=gl_sl_tr-post-opentip_sm-team_537000860efca310&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">crusader-kings[.]church<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/bandizip.net\/?icid=gl_sl_tr-post-opentip_sm-team_eb41e55160807056&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">bandizip[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/apexlegends.org\/?icid=gl_sl_tr-post-opentip_sm-team_f055c1e02597bf87&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">apexlegends[.]org<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/obs-studio.pro\/?icid=gl_sl_tr-post-opentip_sm-team_b106566d1cf10215&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">obs-studio[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/vlc-media.net\/?icid=gl_sl_tr-post-opentip_sm-team_b7eb086aafcbb263&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">vlc-media[.]net<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/crosshairx.site\/?icid=gl_sl_tr-post-opentip_sm-team_607b1658b7fc077a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">crosshairx[.]site<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/monster-hunterwilds.com\/?icid=gl_sl_tr-post-opentip_sm-team_2e636bebaba9d26f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">monster-hunterwilds[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/km-player.pro\/?icid=gl_sl_tr-post-opentip_sm-team_3205f7e609525a6b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">km-player[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/mediaplayerclassic.pro\/?icid=gl_sl_tr-post-opentip_sm-team_bcc5fd664bf3a812&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">mediaplayerclassic[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/kms-tools.net\/?icid=gl_sl_tr-post-opentip_sm-team_af35ed8381748026&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">kms-tools[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/fernbus-simulator.com\/?icid=gl_sl_tr-post-opentip_sm-team_62b56c257a896aeb&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">fernbus-simulator[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/studioobs.pro\/?icid=gl_sl_tr-post-opentip_sm-team_4c4b88bf98e92c40&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">studioobs[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/bandicam.cc\/?icid=gl_sl_tr-post-opentip_sm-team_b92642e402d9f5ad&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">bandicam[.]cc<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/crystaldiskmark.cc\/?icid=gl_sl_tr-post-opentip_sm-team_9ca57f367099ca4f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campa\" target=\"_blank\" rel=\"noopener\">crystaldiskmark[.]cc<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/crystaldiskmark.io\/?icid=gl_sl_tr-post-opentip_sm-team_b65fdc87f87f1a46&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">crystaldiskmark[.]io<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/crystaldiskmark.dev\/?icid=gl_sl_tr-post-opentip_sm-team_a5d3c5eb2846dbec&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">crystaldiskmark[.]dev<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/crystaldiskmark.app\/?icid=gl_sl_tr-post-opentip_sm-team_dff3a1271a860dfc&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">crystaldiskmark[.]app<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/crystaldiskmark.pro\/?icid=gl_sl_tr-post-opentip_sm-team_37493daa000d9089&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">crystaldiskmark[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/bandicam.io\/?icid=gl_sl_tr-post-opentip_sm-team_c7993ee8edad5326&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">bandicam[.]io<\/a><\/p>\n<h3 id=\"fake-domain-infrastructure\">Fake domain infrastructure<\/h3>\n<p><a href=\"https:\/\/opentip.kaspersky.com\/fileget.loseyourip.com\/?icid=gl_sl_tr-post-opentip_sm-team_bf626893b782eed1&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">fileget.loseyourip[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/file-download-crosshairx.giize.com\/?icid=gl_sl_tr-post-opentip_sm-team_8890322ab60c306a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" 
rel=\"noopener\">file-download-crosshairx.giize[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/all-toll-free.loseyourip.com\/?icid=gl_sl_tr-post-opentip_sm-team_1ac0b576e8e7c567&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">all-toll-free.loseyourip[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/mpc-update.giize.com\/?icid=gl_sl_tr-post-opentip_sm-team_c9c223fd28d5b177&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">mpc-update.giize[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/all-toll-free.publicvm.com\/?icid=gl_sl_tr-post-opentip_sm-team_678c75c07becebfa&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">all-toll-free.publicvm[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/198.23.185.81\/?icid=gl_sl_tr-post-opentip_sm-team_5e408e0e47eab0a3&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">198.23.185[.]81<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/direct-download.giize.com\/?icid=gl_sl_tr-post-opentip_sm-team_d5c6d16517e5cf03&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">direct-download.giize[.]com<\/a><\/p>\n<h3 id=\"screenconnect-c2\">ScreenConnect C2<\/h3>\n<p><a href=\"https:\/\/opentip.kaspersky.com\/servermanagemen.xyz\/?icid=gl_sl_tr-post-opentip_sm-team_c423040a5d0cfaf5&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">servermanagemen[.]xyz<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/185.254.97.249\/?icid=gl_sl_tr-post-opentip_sm-team_552156f0dcd8cb6f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">185.254.97[.]249<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/r.manage-server.xyz\/?icid=gl_sl_tr-post-opentip_sm-team_025629f07cbdd85e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">r.manage-server[.]xyz<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/45.145.41.205\/?icid=gl_sl_tr-post-opentip_sm-team_16620168189b3d2e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">45.145.41[.]205<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/winservec.net\/?icid=gl_sl_tr-post-opentip_sm-team_9d9c3cf404ea3637&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">winservec[.]net<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/manageserver.xyz\/?icid=gl_sl_tr-post-opentip_sm-team_8c2ddb59956c32e7&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">manageserver[.]xyz<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/cloudsynn.com\/?icid=gl_sl_tr-post-opentip_sm-team_109af70c418a8b7d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">cloudsynn[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/pingserv.pro\/?icid=gl_sl_tr-post-opentip_sm-team_fc14e0c92a839c8d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">pingserv[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ehostservers.xyz\/?icid=gl_sl_tr-post-opentip_sm-team_ebc7f35a1ff7f510&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ehostservers[.]xyz<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/serverdnsplan.net\/?icid=gl_sl_tr-post-opentip_sm-team_c0724f7fe656ddb0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">serverdnsplan[.]net<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/pingpanl.pro\/?icid=gl_sl_tr-post-opentip_sm-team_69dc608629e88d31&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">pingpanl[.]pro<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/managedevice.xyz\/?icid=gl_sl_tr-post-opentip_sm-team_846d981188e38f71\" target=\"_blank\" rel=\"noopener\">managedevice[.]xyz<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/edgeserv.ru\/?icid=gl_sl_tr-post-opentip_sm-team_28a1579c65d14a4c\" target=\"_blank\" rel=\"noopener\">edgeserv[.]ru<\/a><\/p>\n<\/div>\n","protected":false}
post=3959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=3959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}