A 2022 investigation by the Kaspersky Managed Detection and Response team revealed a malware distribution campaign that turns legitimate remote-access tools into silent compromise infrastructure. Threat actors built more than 90 spoofed domains in 10 languages to impersonate popular freeware — OBS Studio, DNS Jumper, DS4Windows, Bandicam — and use ScreenConnect as a bridge to the AsyncRAT payload. The mechanism exploits the implicit trust that users and perimeter defenses place in whitelisted remote-administration software.
- Malicious installers bundle a signed Microsoft executable and a rogue library loaded via DLL sideloading to install the ScreenConnect service
- The execution chain proceeds through PowerShell, VBS, XOR 0xA7 steganography in .txt files, and reflective .NET loading to process hollowing in RegAsm.exe
- Over 90 localized spoofed domains across 10 languages indicate a planned, scalable operation, not an amateur scheme
- ScreenConnect is not vulnerable; it is abused as a legitimate tool, bypassing reputation-based defenses
The Attack Chain: From Spoofed Freeware to Hidden Service
Entry occurs through installer archives distributed on sites that replicate the interface and branding of widely used freeware. According to the Kaspersky report, "the malicious archives bundle a legitimate, signed Microsoft install.exe binary alongside a rogue install.res.1033.dll library. It is loaded onto the device via DLL sideloading and deploys the ScreenConnect service." The legitimate executable's digital signature provides reputational cover: security solutions that rely solely on vendor trust do not detect the anomaly.
DLL sideloading is the pivot point. The rogue library, loaded by the signed installer, installs ScreenConnect as an Access-type service with the C2 server passed via command line. At this stage the system is already compromised, but the presence of a legitimate RMM tool does not trigger alerts in conventional monitoring systems. It is the "trust paradox" described in the dossier: tools designed for remote administration unwittingly become the first link in a persistence chain.
From PowerShell to RegAsm.exe: The Multi-Stage Pipeline
Once the service is active, ScreenConnect generates and executes the PowerShell script named Fj5NmEsp9EuKrun.ps1. This script configures Microsoft Defender exclusions for all drives and root directories, and disables User Account Control. The neutralization of endpoint defenses occurs programmatically and silently, without user interaction.
Next, the VBS script installer_method3_stream.vbs is created, which generates five files in C:\Users\Public: msgbox.txt, secret_bytes.txt, 1.vb, cap.ps1, and script.vbs. The script cap.ps1 reads secret_bytes.txt, extracts patterns marked by [SXX-, decodes from hexadecimal, applies XOR with key 0xA7, and reverses the bit order. As the Kaspersky report documents, "the resulting byte array yields a fully formed PE binary, which is then reflectively loaded into the CLR."
The deobfuscated PE is reflectively loaded into the Common Language Runtime, and the method ConsoleApp1.Module1.Run executes process hollowing on RegAsm.exe with the CREATE_SUSPENDED flag. The report specifies that "the Run method executes a process hollowing technique (T1055.012), spawning a new RegAsm.exe process with the CREATE_SUSPENDED flag." In this final stage, AsyncRAT — a .NET remote access Trojan — is injected, providing persistence and remote control over the compromised machine.
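As an added example (not code from the Kaspersky report or from the campaign's own scripts), here is an analyst-side decoder in Python for the secret_bytes.txt stage described above: it collects the marked chunks, hex-decodes them, XORs with 0xA7, reverses the bits of each byte and checks for the PE "MZ" header. It assumes the chunk syntax `[S<nn>-<hex>]` and per-byte bit reversal, neither of which the report spells out; the input is a constructed sample, and a result that does not start with "MZ" means one of those assumptions is wrong for the sample at hand.

```python
import re

XOR_KEY = 0xA7
# Assumed chunk syntax "[S<nn>-<hex>]"; the report only gives the "[SXX-" marker prefix.
CHUNK = re.compile(r"\[S(\d{2})-([0-9A-Fa-f]+)\]")


def reverse_bits(b: int) -> int:
    """Reverse the eight bits of one byte (0b10010000 -> 0b00001001)."""
    return int(f"{b:08b}"[::-1], 2)


def decode_secret_bytes(text: str) -> bytes:
    """Recover the embedded binary from the carrier text.

    Steps as described for cap.ps1: collect the marked chunks (here ordered by
    their two-digit index, an assumption), hex-decode, XOR with 0xA7, then
    reverse the bit order of every byte.
    """
    chunks = sorted(CHUNK.findall(text), key=lambda m: int(m[0]))
    raw = bytes.fromhex("".join(h for _, h in chunks))
    return bytes(reverse_bits(b ^ XOR_KEY) for b in raw)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check: a correctly decoded stage should start with the DOS 'MZ' header."""
    return blob[:2] == b"MZ"


# Constructed carrier text in the assumed format; the two chunks are out of order on purpose.
SAMPLE = ("Lorem ipsum [S02-a767a7] dolor sit\n"
          "amet [S01-15fdae] consectetur\n")

if __name__ == "__main__":
    blob = decode_secret_bytes(SAMPLE)
    print(blob[:6].hex(), "PE header:", looks_like_pe(blob))
```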
"During a recent investigation engagement, the Kaspersky Managed Detection and Response (MDR) team discovered the ScreenConnect remote access tool being leveraged to deploy and execute an AsyncRAT payload"
C2 Infrastructure: Scale and Localization as Maturity Indicators
The campaign's distribution surface far exceeds the single opportunistic actor model. The Kaspersky team identified "more than 90 domain names localized across 10 languages" as part of the command-and-control infrastructure. This scale requires systematic registration, distributed hosting, and ongoing maintenance of the spoofed domains. Localization into ten languages also indicates deliberate geographic targeting, although the dossier does not specify which languages or regions are involved.
Documented C2 indicators of compromise include the IP addresses 162.216.241[.]242 and 198.23.185[.]81. The source does not specify whether the identified domains were still active at the time of the report's publication, nor how many victims — individuals or organizations — were actually compromised. Attribution to a specific threat actor is not provided.
What to Do Now
Organizations must treat RMM tool installation as a monitorable security event, not a routine administrative operation. Specific actions for the documented case:
Verify the provenance of freeware installers. The campaign delivered payloads via sites impersonating OBS Studio, DNS Jumper, DS4Windows, and Bandicam across more than 90 spoofed domains in 10 languages. Downloads must come exclusively from verified official domains, not from uncontrolled search-engine results.
Monitor execution of install.exe with DLL sideloading. The malicious archive bundles a signed Microsoft install.exe with a rogue install.res.1033.dll. Endpoint defenses should flag loading of libraries from non-standard paths or the coexistence of signed executables with suspicious DLLs in the same directory.
Watch for PowerShell scripts that configure Defender exclusions across all drives. The campaign's Fj5NmEsp9EuKrun.ps1 script disabled UAC and set root-level exclusions. This pattern is detectable via PowerShell logging and behavioral analytics rules on security-policy modifications.
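As an added example (not from the report), a Python scan over constructed PowerShell script-block log text (Event ID 4104 style) that flags the two behaviours described above: a Defender exclusion whose path is a bare drive root, and EnableLUA being set to 0. The command syntax it matches is an assumption about how such changes appear in logs, not the campaign's own script.

```python
import re

# Argument list after -ExclusionPath: quoted strings or bare tokens, comma-separated,
# ending at the next "-Parameter". Assumed syntax, not taken from the campaign script.
EXCL_ARGS = re.compile(
    r"-ExclusionPath\s+((?:(?:'[^']*'|\"[^\"]*\"|[^\s,'\"-][^\s,'\"]*)\s*,?\s*)+)",
    re.IGNORECASE,
)
TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|([^\s,'\"]+)")
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# EnableLUA set to 0 via Set-ItemProperty (-Value 0), assignment (=0) or reg.exe (/d 0).
UAC_OFF = re.compile(
    r"EnableLUA['\"]?\s*(?:-Value\s+|=\s*|/t\s+\S+\s+/d\s+)['\"]?0['\"]?(?!\d)",
    re.IGNORECASE,
)


def root_exclusions(block: str) -> list:
    """Drive roots (normalised to 'X:\\') passed to -ExclusionPath in one script block."""
    roots = []
    for args in EXCL_ARGS.findall(block):
        for groups in TOKEN.findall(args):
            path = "".join(groups).strip()
            if DRIVE_ROOT.match(path):
                roots.append(path[:2].upper() + "\\")
    return roots


def disables_uac(block: str) -> bool:
    return UAC_OFF.search(block) is not None


def assess(block: str) -> dict:
    """Findings for one script block; an empty dict means nothing suspicious."""
    findings = {}
    roots = root_exclusions(block)
    if roots:
        findings["root_exclusions"] = roots
    if disables_uac(block):
        findings["uac_disabled"] = True
    return findings


def flag_blocks(blocks: list) -> list:
    """Return (index, findings) for every block that trips at least one rule."""
    return [(i, f) for i, b in enumerate(blocks) if (f := assess(b))]


# Constructed 4104-style script-block texts; not taken from the report.
SAMPLE_BLOCKS = [
    "Add-MpPreference -ExclusionPath 'C:\\','D:\\' -Force",
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\build'",
    "Set-ItemProperty -Path $policyKey -Name EnableLUA -Value 0",
    "Get-ChildItem -Path C:\\Users\\Public",
]
```

Only the first and third samples are reported; the second is a narrow exclusion and the fourth touches no security policy.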
Analyze RegAsm.exe processes with the CREATE_SUSPENDED flag. The documented process hollowing uses RegAsm.exe as a container. Monitoring creation of .NET processes with anomalous suspension flags, followed by memory writes into the process, intercepts this final stage of the chain.
Questions and Answers
Is ScreenConnect itself vulnerable or compromised?
No. ScreenConnect is a legitimate RMM tool abused as an access vehicle. The dossier reveals no product vulnerability or supply-chain compromise.
Why does the process hollowing occur in RegAsm.exe?
RegAsm.exe is a signed Microsoft .NET component, so its execution raises no alarms. Process hollowing replaces the suspended process's address space with the injected payload, achieving persistence behind the appearance of a trusted process.
Is the campaign still active?
The Kaspersky report does not specify the current status of the spoofed domains or the total duration of the C2 operation. The investigation data refers to an incident detected in 2022.
Information is based on the cited source and current as of publication.