
Kaspersky warns of a large-scale campaign using fake free software to deploy a RAT via ScreenConnect

The remote administration tool ScreenConnect is being distributed through fake websites designed to mimic the official pages of well-known software products. In total, researchers identified more than 90 domains spanning 10 languages, including English, Arabic, Spanish, Chinese, German, Portuguese and Russian, enabling the attackers to reach a wide range of victims worldwide. The campaign targets both individual users and organisations running Windows.

After detecting an incident through its Managed Detection and Response, Kaspersky uncovered a large-scale campaign in which attackers used fake websites to spread installer archives disguised as popular software, including OBS Studio, DNS Jumper, DS4Windows, Glary Utilities and Bandicam. To drive traffic to these pages, the threat actor also used search engine optimisation techniques to place them high in search results.

Across more than 90 identified fraudulent software sites, the same tactic was observed: victims who downloaded what appeared to be legitimate software instead received a hidden ScreenConnect remote administration tool, which gave the attackers persistent access to compromised devices and allowed them to deploy AsyncRAT, an open-source trojan capable of giving them full control over infected systems. Domain registrations linked to this campaign peaked in February 2026; in 2025, the same attacker had used fake websites to disguise malicious installers as games.

Example of a website used by attackers to deliver ScreenConnect

Infection occurs through malicious archives containing a legitimate, signed Microsoft file, install.exe, alongside the install.res.1033.dll library. The DLL is loaded onto the device via a DLL sideloading technique and deploys a ScreenConnect service that awaits further instructions from the attackers.

“The campaign targets both users downloading free utilities from the Internet and corporate networks, where remote access tools are often allowlisted and granted elevated privileges. Its danger lies in its potential to facilitate large-scale credential theft and unauthorised access to systems, with the stolen data typically later resold on dark web forums,” says Denis Kulik, lead SOC Analyst at Kaspersky.

To mitigate the risks associated with this threat, Kaspersky experts recommend that businesses:

  • Enforce strict software installation controls (application allowlisting, blocking MSI package installations from untrusted sources).
  • Continuously monitor for new remote administration services and scheduled tasks.
  • Filter outbound traffic to unknown domains and IP addresses.
  • Keep your employees informed about relevant threats. Kaspersky Automated Security Awareness Platform helps cultivate cyber-savvy behaviour, including safe downloading practices.
  • Verify the authenticity of software sources.
  • Augment existing security controls with human-led detection and global threat intelligence through solutions like Kaspersky Managed Detection and Response (MDR), which offers 24/7 monitoring, detection, investigation and rapid response to sophisticated cyberattacks.
  • Monitor credentials for signs of compromise to mitigate risks, as a compromised account or system access can serve as a vector for further attacks on the organisation. Kaspersky Digital Footprint Intelligence provides continuous monitoring across open and dark web sources, enabling timely response to potential threats.
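Added example, not Kaspersky's code: a small detection check over constructed Windows telemetry that covers both the install.exe / install.res.1033.dll sideloading pairing described above and the recommendation to watch for newly installed remote administration services. The Sysmon image-load fields (Image, ImageLoaded) and the System log 7045 fields (ServiceName, ImagePath) are assumptions about the log source, and every sample event is constructed.

```python
import ntpath
from dataclasses import dataclass
# Windows' own library folders; install.res.1033.dll loaded from anywhere
# else, next to a signed install.exe, is the sideloading pairing described above.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

@dataclass
class Event:
    event_id: int   # Sysmon 7 = image load; Windows System log 7045 = new service
    fields: dict

def is_sideload(ev: Event) -> bool:
    """Sysmon 7: the named DLL loaded from the process image's own non-system folder."""
    if ev.event_id != 7:
        return False
    image = ev.fields.get("Image", "").lower()
    loaded = ev.fields.get("ImageLoaded", "").lower()
    if ntpath.basename(loaded) != "install.res.1033.dll":
        return False
    return ntpath.dirname(image) == ntpath.dirname(loaded) and not loaded.startswith(SYSTEM_DIRS)

def is_new_remote_admin_service(ev: Event) -> bool:
    """System 7045: new service naming ScreenConnect. Sanctioned deployments match too,
    so review hits against the allowlist of approved installs rather than blocking blindly."""
    if ev.event_id != 7045:
        return False
    text = " ".join(ev.fields.get(k, "") for k in ("ServiceName", "ImagePath")).lower()
    return "screenconnect" in text

def triage(events):
    """Return (event_id, reason) for every event that matches either rule."""
    hits = []
    for ev in events:
        if is_sideload(ev):
            hits.append((ev.event_id, "dll-sideload:" + ev.fields["Image"]))
        elif is_new_remote_admin_service(ev):
            hits.append((ev.event_id, "remote-admin-service:" + ev.fields["ServiceName"]))
    return hits

# Constructed sample telemetry (not real log data); the service id is a placeholder.
SAMPLE_EVENTS = [
    Event(7, {"Image": r"C:\Users\alice\Downloads\OBS-Studio\install.exe",
              "ImageLoaded": r"C:\Users\alice\Downloads\OBS-Studio\install.res.1033.dll"}),
    Event(7, {"Image": r"C:\Windows\System32\svchost.exe",
              "ImageLoaded": r"C:\Windows\System32\kernel32.dll"}),
    Event(7045, {"ServiceName": "ScreenConnect Client (PLACEHOLDER-ID)",
                 "ImagePath": r"C:\Program Files (x86)\ScreenConnect Client (PLACEHOLDER-ID)\ScreenConnect.ClientService.exe"}),
    Event(7045, {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"}),
]
```

Because both files in the archive are legitimate and signed, hash-based blocking will not catch this pairing; the location and co-location of the DLL, and the service that appears afterwards, are the signals worth alerting on.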

Kaspersky experts also recommend that users follow this advice:

  • Be cautious with downloads. Only download software and media from reputable sources. Malicious software can be bundled with legitimate software, especially if downloaded from dubious websites.
  • Use a strong security solution on all devices, such as Kaspersky Premium. It will warn you about potential threats and prevent infection.
  • Enable multi-factor authentication and monitor accounts: Activate two-factor authentication on IDs and financial apps and regularly review statements for unauthorised activity.
  • Check the authenticity of websites. Double-check URL formats and the spelling of organisation names.