How a single ScreenConnect incident exposed a massive campaign
A massive campaign distributes malicious installer archives hosted on spoofed websites masquerading as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam. Over 90 domain names localized across 10 languages were discovered. The malicious archives bundle a legitimate Microsoft-signed install.exe binary with a rogue install.res.1033.dll library deployed via DLL sideloading. This installs the ScreenConnect remote access service, which then deploys AsyncRAT payloads through PowerShell and VBS scripts. The threat actors leverage SEO techniques to position fraudulent sites at the top of search engine results, targeting both individual users and corporate networks. The infrastructure spans three IP addresses with domains registered between October 2025 and March 2026, creating a global footprint with multi-language support.
AI Analysis
Technical Summary
This campaign leverages malicious installer archives hosted on spoofed websites that mimic legitimate software to trick users into installation. The installers bundle a genuine Microsoft-signed install.exe with a malicious install.res.1033.dll, enabling DLL sideloading to install the ScreenConnect remote access service. This service is then used to deploy AsyncRAT remote access trojans via PowerShell and VBS scripts. The attackers use SEO poisoning and typosquatting to increase visibility of their fake sites in search engine results, facilitating widespread distribution. The campaign infrastructure spans multiple IP addresses and over 90 domains localized in 10 languages, indicating a broad, global targeting effort.
Potential Impact
Successful infection results in installation of a remote access service (ScreenConnect) that enables attackers to deploy AsyncRAT payloads, potentially allowing unauthorized remote control of affected systems. This can lead to data compromise, lateral movement within networks, and further malicious activity. The use of DLL sideloading with a signed binary may bypass some security detections, increasing the risk of stealthy persistence.
Mitigation Recommendations
No official patch or fix applies, because this is a malware distribution campaign built on social engineering and DLL sideloading rather than a vulnerability in a product. Defenders should educate users to avoid downloading software from untrusted or spoofed websites, verify software authenticity, and monitor for unexpected ScreenConnect service installations and AsyncRAT activity. Endpoint detection solutions should be tuned to detect DLL sideloading and suspicious PowerShell or VBS script executions. Remediation therefore focuses on user awareness and detection rather than patching.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472/
- Adversary: null
- Pulse Id: 6a4545dbc77aff75fe16cee7
- Threat Score: null
Threat ID: 6a460e0327e9c7971954d6c2
Added to database: 07/02/2026, 07:06:43 UTC
Last enriched: 07/02/2026, 07:21:38 UTC
Last updated: 07/02/2026, 23:46:30 UTC
Views: 31