ScreenConnect Turned Loader: Trojanized Installers Push AsyncRAT via Spoofed Software Sites

A sprawling campaign is abusing a legitimate RMM binary to sideload AsyncRAT onto victims chasing free copies of OBS Studio, Bandicam, and other utilities.

ThreatVectr Newsdesk· 2 min read
ScreenConnect Turned Loader: Trojanized Installers Push AsyncRAT via Spoofed Software Sites
Share

Attackers are bundling a signed ScreenConnect (ConnectWise Control) client inside fake software installers to plant AsyncRAT on victim machines, according to research tracking a multi-region distribution operation.

The hook is old. The plumbing is new-ish.

Operators are standing up spoofed download pages impersonating OBS Studio, DNS Jumper, DS4Windows, Bandicam and a rotating cast of freeware brands. Victims arrive via SEO poisoning and malvertising, pull down an installer archive, and get a working copy of the advertised app alongside a preconfigured ScreenConnect agent that phones home to attacker-controlled relay infrastructure.

Once the RMM client checks in, the operator has an interactive foothold — file transfer, command execution, persistence — without dropping a custom implant on disk during initial access. AsyncRAT is deployed in a follow-on stage, giving the crew a more traditional remote access trojan with keylogging, credential theft, and plugin support.

The technique is not novel. Abuse of ConnectWise ScreenConnect for initial access has been a recurring theme since at least 2022, and CISA has flagged similar RMM misuse in prior joint advisories. What is notable here is scale: the campaign spans multiple languages, multiple lure brands, and dozens of lookalike domains, suggesting an affiliate-style operation rather than a one-off phishing kit.

A few operational notes for defenders.

Because the ScreenConnect binary is legitimately signed by ConnectWise, code-signing checks and most reputation-based AV will pass it. Detection has to happen at the behavioral layer: unexpected ScreenConnect.ClientService.exe execution on endpoints that were never enrolled in a sanctioned RMM tenant, outbound TLS to non-corporate ScreenConnect relay hostnames, and instance GUIDs that don't match your MSP's known deployment.

Blocking is messier. Outright denylisting the binary breaks legitimate MSP workflows. Application allowlisting scoped to your sanctioned RMM tenant ID — enforced through WDAC, AppLocker, or an EDR policy — is the cleaner control. ConnectWise publishes guidance on locking down client configuration in its trust center.

AsyncRAT itself is open-source (the original repo has been forked to death), so signature-based IOCs age out quickly. Hunt on parent-child chains where an installer MSI or NSIS package spawns ScreenConnect.ClientSetup.exe from %TEMP% or %APPDATA%, followed by outbound traffic to *.screenconnect.com subdomains you don't own.

Users pulling installers from search-ad results remain the reliable weak link. If your endpoint policy still permits arbitrary MSI execution from user-writable directories, this campaign is a fair reminder to revisit that.

No CVE here. Just a signed binary, a search engine, and a patient adversary.

© 2026 Threat Vectr