The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign
A large-scale campaign abuses the legitimate ScreenConnect remote management tool, distributed via 90+ spoofed freeware download sites using SEO poisoning, to silently deploy AsyncRAT. The attack uses DLL sideloading via a Microsoft-signed install.exe binary, followed by a multi-stage loader chain involving PowerShell and VBScript scripts that disable Defender, bypass UAC, and ultimately inject AsyncRAT into RegAsm.exe via process hollowing. The campaign targets both consumers and corporate networks across multiple languages and regions.
- domainall-toll-free[.]loseyourip[.]comCampaign download infrastructure domain
- domainall-toll-free[.]publicvm[.]comCampaign download infrastructure domain
- domainbandicam[.]appSpoofed Bandicam download site
- domaincloudsynn[.]comScreenConnect C2 domain
- domaincrystaldiskmark[.]appSpoofed CrystalDiskMark download site
- domaindirect-download[.]giize[.]comMalicious archive download host serving ScreenConnect-bundled fake installers from spoofed sites in Cluster 2
- domaindnsjumper[.]appSpoofed DNS Jumper download site
- domainds4windows[.]ioSpoofed DS4Windows download site
- domainedgeserv[.]ruScreenConnect C2 domain
- domainehostservers[.]xyzScreenConnect C2 domain
- domainfileget[.]loseyourip[.]comMalicious archive download host serving ScreenConnect-bundled fake installers from spoofed sites in Cluster 1
- domainmanagedevice[.]xyzScreenConnect C2 domain
- domainmanageserver[.]xyzScreenConnect C2 domain
- domainmora1987[.]work[.]gdAsyncRAT C2 domain contacted by the hollowed RegAsm.exe process after successful infection
- domainmpc-update[.]giize[.]comCampaign download infrastructure domain
- domainobs-studio[.]siteSpoofed OBS Studio download site
- domainpingpanl[.]proScreenConnect C2 domain
- domainpingserv[.]proScreenConnect C2 domain
- domainprocesshacker[.]devSpoofed Process Hacker download site
- domainr[.]manage-server[.]xyzScreenConnect C2 domain
- domainr[.]servermanagemen[.]xyzScreenConnect C2 server domain passed via command line when the service is created as an Access-type connection
- domainserverdnsplan[.]netScreenConnect C2 domain
- domainservermanagemen[.]xyzScreenConnect C2 domain
- domainstudioobs[.]comTyposquatted domain mimicking OBS Studio official site, used as initial landing page for the campaign
- domaintmodloader[.]orgSpoofed tModLoader download site
- domainvlc-player[.]netSpoofed VLC Player download site
- domainwinservec[.]netScreenConnect C2 domain
- filenameinstall.res.1033.dllMalicious sideloaded DLL loaded by the legitimate Microsoft-signed install.exe, responsible for deploying ScreenConnect and the impersonated software
- ip162[.]216[.]241[.]242Cluster 1 hosting IP (Dynu Systems Inc, US) serving spoofed freeware domains including studioobs.com
- ip185[.]254[.]97[.]249IP address associated with ScreenConnect C2 infrastructure
- ip198[.]23[.]185[.]81Cluster 1 download hosting IP (NOHAVPS LLC, US) serving malicious archives via fileget.loseyourip.com
- ip2[.]59[.]134[.]97Cluster 2 hosting IP (dataforest GmbH, Germany) serving spoofed freeware domains and direct-download.giize.com
- ip45[.]145[.]41[.]205IP address associated with ScreenConnect C2 infrastructure
- md501325880efffec546f59490089a3b415Malicious install.res.1033.dll variant
- md50eee9bad07e22415439e854657fa1366Loader hash used in the campaign
- md51e6a5c7b620d487d0cfc6874c3b77c90Malicious install.res.1033.dll variant
- md5479bd3bb617b39cd4a46d0768a2592d4Malicious install.res.1033.dll variant
- md554025ce2a9405039899fe99a1d77e0bbMalicious install.res.1033.dll variant
- md55b7e1fe55bd7b5ea54bd4ed1677e5a26Loader hash used in the campaign
- md55f96c04e3afae97017b201be112284d2MD5 hash of malicious install.res.1033.dll sideloading library
- md5695e794631ef130583368770e7b81e98Malicious install.res.1033.dll variant
- md573bead922109a61e5f9f85771a7812c5Malicious install.res.1033.dll variant
- md5776dfd3df9c04bb9fcdd6c1880c3761aMalicious install.res.1033.dll variant
- md583601c3d4ed28e8d2be1b99beb8ec18cMalicious install.res.1033.dll variant
- md587603ea025623b19954e460add532048MD5 hash of the legitimate Microsoft-signed install.exe binary abused for DLL sideloading across all campaign variants
- md58e4c57358a66eb14d31abb614ddc68deMalicious install.res.1033.dll variant
- md58f4e8b680d3e8d3f5ac39bd72882f713Loader hash used in the campaign
- md5999a63730c9634481d1d76955a2e76a8Malicious install.res.1033.dll variant
- md59a9ccd8b0e5d05f4ee77667b024844dbLoader hash used in the campaign
- md5a40d3aeb0dae5b00bdb3a517f3135bbbMalicious install.res.1033.dll variant
- md5a85a5bfdcb7c65ab93043b8cf9e20065Malicious install.res.1033.dll variant
- md5b32810973132d11afd61ccee222bbb79Loader hash used in the campaign
- md5bd05fcf80e493cf9aa71ec510319469dMalicious install.res.1033.dll variant
- md5edff4f58722c93d7c09ed71899416396Malicious install.res.1033.dll variant
- urlhxxps://direct-download[.]giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7jDirect download URL for malicious DNS Jumper archive containing ScreenConnect
- urlhxxps://fileget[.]loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaMDirect download URL for malicious OBS Studio archive containing ScreenConnect
Detection / Hunteropenrouter
What Happened
Attackers created over 90 fake websites that look like official download pages for popular free software like OBS Studio, DNS Jumper, and Bandicam. These fake sites appear at the top of Google and Bing search results, tricking users into downloading what they think is legitimate software. The downloaded files actually contain a hidden remote access tool called ScreenConnect, which lets attackers silently control the victim's computer. Once installed, the attackers use scripts to disable antivirus protection, then install a malicious program called AsyncRAT that can steal data and credentials. This affects anyone who downloads free software from search results, including both home users and company networks. Users should verify they are downloading software from official vendor websites only, and organizations should monitor for unexpected remote administration services and scheduled tasks on their systems.
Key Takeaways
- Large-scale campaign abusing legitimate ScreenConnect remote access tool to deploy AsyncRAT via DLL sideloading using a Microsoft-signed install.exe binary
- Over 90 spoofed domains across 10 languages distributing fake installers for popular freeware (OBS Studio, DNS Jumper, DS4Windows, Bandicam, etc.) using SEO poisoning to appear at top of search results
- Multi-stage infection chain: malicious ZIP → DLL sideloading → ScreenConnect silent install → PowerShell/VBS scripts → process hollowing into RegAsm.exe → AsyncRAT payload
- Persistence achieved via scheduled task 'MasterPackager.Updater' running every 2 minutes and Defender exclusions added for all drives and key directories
- Campaign active from October 2025 through March 2026, targeting both individual users and corporate networks where remote admin tools are often allowlisted
Affected Systems
- Windows endpoints (all versions supporting ScreenConnect and .NET Framework)
- Users searching for and downloading freeware utilities (OBS Studio, DNS Jumper, DS4Windows, Bandicam, Glary Utilities, Process Hacker, etc.)
- Corporate networks where remote administration tools are allowlisted with elevated privileges
Attack Chain
The attack begins with a user downloading a fake software installer (e.g., obs-studio-windows-x64.zip) from a typosquatted domain promoted via SEO poisoning. The archive contains a legitimate Microsoft-signed install.exe and a malicious install.res.1033.dll loaded via DLL sideloading. The sideloaded DLL silently installs ScreenConnect (renamed MSI package) and the impersonated software. ScreenConnect then creates and executes a PowerShell script (Fj5NmEsp9EuKrun.ps1) that adds Defender exclusions and disables UAC, followed by a VBScript (installer_method3_stream.vbs) that drops five files into C:\Users\Public. script.vbs terminates PowerShell processes and launches cap.ps1, which reads and decrypts an XOR-encrypted PE binary from secret_bytes.txt using XOR key 0xA7, then reflectively loads it and performs process hollowing into a suspended RegAsm.exe process. The injected AsyncRAT payload connects to its C2 (mora1987.work.gd). Persistence is maintained via a scheduled task 'MasterPackager.Updater' running every 2 minutes.
Detection Availability
- YARA Rules: No
- Sigma Rules: Yes
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Kaspersky MDR Sigma-like rules, Kaspersky EDR Expert rules
The article provides Sigma-like detection rules for ScreenConnect service creation with suspicious parameters (EventID 4697) and anomalous child processes spawned by ScreenConnect. Kaspersky EDR Expert rules are also referenced including suspicious_assembly_loading_into_powershell_via_reflection_amsi, xored_powershell_command_amsi, scheduled_task_create_from_public_directory_via_schtasks, and code_injection_to_unusual_process. See the 'Detection by Kaspersky solutions' section of the article.
Detection Engineering Assessment
EDR Visibility: High — The attack chain involves multiple endpoint behaviors visible to EDR: DLL sideloading, service creation, PowerShell/VBS script execution, process hollowing into RegAsm.exe, scheduled task creation, and Defender exclusion modifications. All stages produce detectable telemetry. Network Visibility: Medium — C2 connections to mora1987.work.gd and ScreenConnect C2 servers are observable, but ScreenConnect uses legitimate protocols and the initial download occurs over HTTPS, limiting deep packet inspection. DNS queries to spoofed domains are a viable detection vector. Detection Difficulty: Moderate — The use of legitimate, signed binaries and ScreenConnect as a living-off-the-land technique increases difficulty. However, the behavioral indicators — ScreenConnect spawning PowerShell/VBS, files dropped to C:\Users\Public, Defender exclusion modifications, scheduled tasks pointing to Public directory, and process hollowing into RegAsm.exe — are all detectable with properly configured EDR and SIEM rules.
Required Log Sources
- Windows Security Event ID 4697 (Service installation)
- Windows Sysmon Event ID 1 (Process Creation) with parent-child relationships
- Windows Sysmon Event ID 7 (Image Loaded) for DLL sideloading detection
- Windows Sysmon Event ID 11 (File Creation) for scripts dropped to C:\Users\Public
- Windows Task Scheduler logs (Event ID 4698)
- PowerShell Script Block Logging (Event ID 4104)
- DNS query logs for C2 and spoofed domain resolution
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for ScreenConnect service processes spawning child processes such as powershell.exe, cmd.exe, schtasks.exe, or msiexec.exe, as this indicates post-exploitation activity using the legitimate remote admin tool as a launch platform. | Process creation events with parent image matching ScreenConnect executables (Event ID 4688 or Sysmon Event ID 1) | Execution | Medium — legitimate IT administrators may use ScreenConnect to run scripts, so context around the child process arguments and target directories is needed. |
| Consider hunting for scheduled tasks created that reference scripts in the C:\Users\Public directory, as this is an atypical location for legitimate scheduled tasks and was used for persistence in this campaign. | Windows Task Scheduler operational log, Sysmon Event ID 11 (File Creation) combined with Event ID 1 for schtasks.exe execution | Persistence | Low — scheduled tasks pointing to C:\Users\Public are rare in enterprise environments. |
| Consider hunting for RegAsm.exe process making outbound network connections, as the legitimate RegAsm assembly registration tool should not initiate network traffic; this indicates process hollowing with AsyncRAT or similar payloads. | Network connection events (Sysmon Event ID 3) filtered for processes named RegAsm.exe | Defense Evasion / C2 | Low — RegAsm.exe making outbound connections is highly anomalous in most environments. |
| Consider hunting for rapid, bulk addition of Microsoft Defender exclusion paths covering entire drives or root directories, especially when performed via PowerShell scripts spawned by non-IT-admin processes. | PowerShell Script Block Logging (Event ID 4104), Windows Defender operational log for exclusion additions | Defense Evasion | Medium — IT teams may add exclusions during software deployment, but broad exclusions for all drives are unusual. |
| Consider hunting for DLL sideloading patterns where install.exe or similar Microsoft-signed binaries load DLLs from non-standard directories, particularly install.res.1033.dll, as this indicates DLL sideloading used to bootstrap malicious payloads. | Sysmon Event ID 7 (Image Loaded) with focus on signed binaries loading DLLs from writable or user-accessible directories | Initial Access / Execution | Low-Medium — legitimate installers load DLLs, but the combination of non-standard path and specific DLL name is suspicious. |
Control Gaps
- Application allowlisting that permits all signed Microsoft binaries without path verification would not catch the DLL sideloading technique using install.exe
- Network firewalls allowing outbound connections on non-standard ports may miss ScreenConnect and AsyncRAT C2 traffic if not configured with domain-based egress filtering
- Antivirus solutions relying primarily on signature-based detection may miss the campaign's use of legitimate signed binaries and obfuscated/encrypted payloads
- UAC bypass via registry modification would not be caught by controls that do not monitor ConsentPromptBehaviorAdmin changes
Key Behavioral Indicators
- ScreenConnect.ClientService.exe spawning powershell.exe, cmd.exe, or wscript.exe as child processes
- Scheduled task named 'MasterPackager.Updater' pointing to C:\Users\Public\script.vbs
- Files created in C:\Users\Public\ matching names: cap.ps1, secret_bytes.txt, script.vbs, installer_method3_stream.vbs, msgbox.txt, 1.vb
- RegAsm.exe process with CREATE_SUSPENDED flag followed by memory region modifications (process hollowing indicator)
- Windows service named 'Microsoft Update Service' with ScreenConnect ClientService.exe binary path
- PowerShell scripts adding Defender exclusions for C:, D:, C:\Users\Public, and RegAsm.exe
- MSI package renamed to vcredist_x64.dll or vcredist_x86.dll executed via msiexec.exe
- ScreenConnect service command line containing 'e=Access' or 'e=Support' parameters with external server domains
False Positive Assessment
- Medium — ScreenConnect is a legitimate remote administration tool used by IT teams, so its presence alone is not malicious. However, the specific behaviors described — ScreenConnect spawning PowerShell/VBS scripts, files dropped to C:\Users\Public, process hollowing into RegAsm.exe, and scheduled tasks referencing Public directory scripts — are highly suspicious and should rarely occur in legitimate administrative activity. False positives are most likely in environments where IT staff use ScreenConnect for remote scripting.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider searching endpoint telemetry for the listed C2 domains (mora1987.work.gd, servermanagemen.xyz, r.manage-server.xyz, winservec.net, manageserver.xyz, etc.) and associated IPs (185.254.97.249, 45.145.41.205) to identify potential compromises.
- Consider blocking the listed spoofed domains and download infrastructure domains at your DNS resolver or web filtering layer, if applicable.
- If your EDR supports it, consider hunting for ScreenConnect service processes spawning child processes (powershell.exe, cmd.exe, wscript.exe, schtasks.exe) and for the scheduled task 'MasterPackager.Updater' across your fleet.
- Consider searching for the MD5 hashes of install.res.1033.dll variants and loader binaries across endpoint telemetry to identify systems that may have executed the sideloading payload.
Infrastructure Hardening
- Evaluate implementing application allowlisting that validates DLL load paths for signed binaries, not just the signing certificate of the main executable, to prevent DLL sideloading attacks.
- Consider blocking or alerting on outbound connections to unknown or newly registered domains, particularly from processes like RegAsm.exe that should not initiate network connections.
- If supported by your tooling, consider alerting on Windows service creation events (Event ID 4697) where the service name or binary path references ScreenConnect, especially when the command line contains external server addresses.
- Evaluate whether MSI execution from user-writable directories or temp locations can be restricted where supported by your endpoint controls.
User Protection
- Consider educating users to only download software from official vendor websites and to verify URLs before downloading, rather than relying on search engine results alone.
- If applicable, consider deploying browser security controls that flag or block downloads from newly registered domains or domains not associated with known software vendors.
- Evaluate whether your organization's endpoint protection can detect and alert on the creation of files in C:\Users\Public\ that match the script names used in this campaign.
Security Awareness
- Consider incorporating this campaign into existing security awareness training as an example of SEO poisoning — where attackers push fake download sites to the top of search results.
- Encourage users to verify the URL of download pages and compare them against official vendor URLs before downloading software.
- Remind users that legitimate software vendors typically do not bundle remote administration tools silently within their installers.
- Consider training help desk and IT staff to be suspicious of unexpected ScreenConnect or similar remote administration service installations on endpoints.
MITRE ATT&CK Mapping
- T1574.001 - DLL Sideloading
- T1059.001 - PowerShell
- T1059.005 - VBScript
- T1055.012 - Process Hollowing
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
- T1027.009 - Obfuscated Files or Information: Embedded Payloads
- T1218.007 - System Binary Proxy Execution: Msiexec
- T1543.003 - Create or Modify System Process: Windows Service
Additional IOCs
- Ips:
162[.]216[.]241[.]242- Cluster 1 hosting IP (Dynu Systems Inc, US) serving spoofed freeware domains including studioobs.com198[.]23[.]185[.]81- Cluster 1 download hosting IP (NOHAVPS LLC, US) serving malicious archives via fileget.loseyourip.com2[.]59[.]134[.]97- Cluster 2 hosting IP (dataforest GmbH, Germany) serving spoofed freeware domains and direct-download.giize.com
- Domains:
servermanagemen[.]xyz- ScreenConnect C2 domainr[.]manage-server[.]xyz- ScreenConnect C2 domainwinservec[.]net- ScreenConnect C2 domainmanageserver[.]xyz- ScreenConnect C2 domaincloudsynn[.]com- ScreenConnect C2 domainpingserv[.]pro- ScreenConnect C2 domainehostservers[.]xyz- ScreenConnect C2 domainserverdnsplan[.]net- ScreenConnect C2 domainpingpanl[.]pro- ScreenConnect C2 domainmanagedevice[.]xyz- ScreenConnect C2 domainedgeserv[.]ru- ScreenConnect C2 domainds4windows[.]io- Spoofed DS4Windows download sitednsjumper[.]app- Spoofed DNS Jumper download siteprocesshacker[.]dev- Spoofed Process Hacker download sitebandicam[.]app- Spoofed Bandicam download siteobs-studio[.]site- Spoofed OBS Studio download sitevlc-player[.]net- Spoofed VLC Player download sitecrystaldiskmark[.]app- Spoofed CrystalDiskMark download sitetmodloader[.]org- Spoofed tModLoader download siteall-toll-free[.]loseyourip[.]com- Campaign download infrastructure domainall-toll-free[.]publicvm[.]com- Campaign download infrastructure domainmpc-update[.]giize[.]com- Campaign download infrastructure domain
- Urls:
hxxps://fileget[.]loseyourip[.]com/obs-studio-windows-full/gVOMs5VZ9BtlcaM- Direct download URL for malicious OBS Studio archive containing ScreenConnecthxxps://direct-download[.]giize[.]com/dns-jumper/iopbsr4hymbo7nfa1q7j- Direct download URL for malicious DNS Jumper archive containing ScreenConnect
- File Hashes:
B32810973132D11AFD61CCEE222BBB79(MD5) - Loader hash used in the campaign5B7E1FE55BD7B5EA54BD4ED1677E5A26(MD5) - Loader hash used in the campaign9A9CCD8B0E5D05F4EE77667B024844DB(MD5) - Loader hash used in the campaign0EEE9BAD07E22415439E854657FA1366(MD5) - Loader hash used in the campaign8F4E8B680D3E8D3F5AC39BD72882F713(MD5) - Loader hash used in the campaign73BEAD922109A61E5F9F85771A7812C5(MD5) - Malicious install.res.1033.dll variantEDFF4F58722C93D7C09ED71899416396(MD5) - Malicious install.res.1033.dll variant83601C3D4ED28E8D2BE1B99BEB8EC18C(MD5) - Malicious install.res.1033.dll variant695E794631EF130583368770E7B81E98(MD5) - Malicious install.res.1033.dll variant1E6A5C7B620D487D0CFC6874C3B77C90(MD5) - Malicious install.res.1033.dll variant54025CE2A9405039899FE99A1D77E0BB(MD5) - Malicious install.res.1033.dll variantBD05FCF80E493CF9AA71EC510319469D(MD5) - Malicious install.res.1033.dll variant999A63730C9634481D1D76955A2E76A8(MD5) - Malicious install.res.1033.dll variant479BD3BB617B39CD4A46D0768A2592D4(MD5) - Malicious install.res.1033.dll variant776DFD3DF9C04BB9FCDD6C1880C3761A(MD5) - Malicious install.res.1033.dll variant8E4C57358A66EB14D31ABB614DDC68DE(MD5) - Malicious install.res.1033.dll variantA40D3AEB0DAE5B00BDB3A517F3135BBB(MD5) - Malicious install.res.1033.dll variantA85A5BFDCB7C65AB93043B8CF9E20065(MD5) - Malicious install.res.1033.dll variant01325880EFFFEC546F59490089A3B415(MD5) - Malicious install.res.1033.dll variant
- Registry Keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin- Registry key set to 0 by the PowerShell script to disable UAC prompts for admin operations
- File Paths:
C:\Users\Public\script.vbs- VBScript file created by installer_method3_stream.vbs, terminates PowerShell and launches cap.ps1; used in persistence via scheduled taskC:\Users\Public\cap.ps1- PowerShell script that reads secret_bytes.txt, decrypts a PE binary using XOR 0xA7, and reflectively loads AsyncRAT via process hollowingC:\Users\Public\secret_bytes.txt- File containing hex-encoded, XOR-encrypted PE binary (AsyncRAT) that is read and decrypted by cap.ps1C:\Users\Public\installer_method3_stream.vbs- VBScript created by ScreenConnect that drops five files into C:\Users\Public and triggers execution via script.vbsC:\Users\Public\Fj5NmEsp9EuKrun.ps1- PowerShell script created by ScreenConnect that adds Defender exclusions and disables UAC
- Command Lines:
- Purpose: Persistence via scheduled task running every 2 minutes to re-execute the VBS loader chain | Tools:
schtasks.exe,wscript.exe| Stage: Persistence |schtasks /Create /TN "MasterPackager.Updater" /TR "wscript.exe - Purpose: Silent MSI installation of ScreenConnect disguised as vcredist DLL | Tools:
msiexec.exe| Stage: Initial Access / Installation |msiexec.exe /i <path> /qn /norestart
- Purpose: Persistence via scheduled task running every 2 minutes to re-execute the VBS loader chain | Tools:
- Other:
MasterPackager.Updater- Scheduled task name used for persistence, triggering script.vbs every 2 minutesMicrosoft Update Service- Service name created by the ScreenConnect MSI installer to masquerade as a legitimate Windows update service