
How a single ScreenConnect incident exposed a massive campaign

Severity: Medium
Published: 07/01/2026 (07/01/2026, 16:52:43 UTC)
Source: AlienVault OTX General

Description

A massive campaign distributes malicious installer archives hosted on spoofed websites posing as download pages for popular software such as OBS Studio, DNS Jumper, DS4Windows, and Bandicam. Over 90 domain names, localized across 10 languages, were discovered. Each archive bundles a legitimate Microsoft-signed install.exe binary with a rogue install.res.1033.dll library that is loaded via DLL sideloading. The sideloaded DLL installs the ScreenConnect remote access service, which is then used to deploy AsyncRAT payloads through PowerShell and VBS scripts. The threat actors use SEO techniques to place the fraudulent sites at the top of search engine results, targeting both individual users and corporate networks. The infrastructure spans three IP addresses, with domains registered between October 2025 and March 2026, giving the campaign a global, multi-language footprint.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/02/2026, 07:21:38 UTC

Technical Analysis

This campaign relies on malicious installer archives hosted on spoofed websites that mimic legitimate software download pages, tricking users into running the installer themselves. Each installer bundles a genuine Microsoft-signed install.exe with a malicious install.res.1033.dll; because the signed executable resolves the DLL from its own directory, the rogue library is executed (DLL sideloading) and installs the ScreenConnect remote access service. That service is then used to deploy AsyncRAT remote access trojans via PowerShell and VBS scripts. The attackers use SEO poisoning and typosquatted domains to push their fake sites up in search engine results, giving the campaign wide reach. The infrastructure spans multiple IP addresses and over 90 domains localized in 10 languages, indicating broad, global targeting.

Potential Impact

A successful infection installs the ScreenConnect remote access service, which the attackers use to push AsyncRAT payloads and thereby gain unauthorized remote control of the affected system. From there the compromise can progress to data theft, lateral movement within the network, and further malicious activity. Because the loader is a legitimately signed Microsoft binary and only the sideloaded DLL is malicious, signature- and reputation-based controls may miss the initial execution, raising the risk of stealthy persistence.

Mitigation Recommendations

No patch applies: this is a malware distribution campaign built on social engineering and DLL sideloading, not a vulnerability in a product. Defenders should train users to download software only from vendors' official sites, verify installer authenticity, and monitor for unexpected ScreenConnect service installations and for AsyncRAT activity. Endpoint detection should be tuned for DLL sideloading (a signed executable loading an unexpected DLL from its own directory) and for suspicious PowerShell or VBS script execution. Remediation therefore centres on user awareness and detection rather than patching.
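As an added example (not code from the Securelist report, the OTX pulse, or this page), the Python triage helpers below check for the two observables the Technical Analysis and Mitigation sections describe: a signed install.exe sitting beside a rogue install.res.1033.dll in an extracted archive, and a ScreenConnect client being registered as a Windows service. The flat "key=value;" log layout, the sample file names and the ScreenConnect instance id are constructed for the example.

```python
"""Added triage helpers for the sideloading chain described above (constructed example)."""
import re
from pathlib import PurePosixPath

# The pairing the campaign abuses: the signed install.exe loads this rogue resource DLL.
SIDELOAD_PAIR = {"install.exe", "install.res.1033.dll"}

def archive_sideload_hits(paths):
    """Return directories (from an extracted archive's file list) holding both halves of the pair."""
    by_dir = {}
    for p in paths:
        pp = PurePosixPath(p.replace("\\", "/"))
        by_dir.setdefault(str(pp.parent), set()).add(pp.name.lower())
    return sorted(d for d, names in by_dir.items() if SIDELOAD_PAIR <= names)

# Flat "key=value;" rendering of a System log "service installed" (Event ID 7045) entry.
# This layout is constructed for the example; production code would parse the native XML.
SERVICE_RE = re.compile(
    r"EventID=(?P<id>\d+);.*?ServiceName=(?P<name>[^;]+);.*?ImagePath=(?P<path>[^;]+)"
)

def screenconnect_service_installs(lines):
    """Return (service name, image path) for 7045 entries that register a ScreenConnect client."""
    hits = []
    for line in lines:
        m = SERVICE_RE.search(line)
        if not m or m.group("id") != "7045":
            continue
        if "screenconnect" in (m.group("name") + m.group("path")).lower():
            hits.append((m.group("name").strip(), m.group("path").strip()))
    return hits

# Constructed sample inputs (file names and the instance id are made up for the example).
SAMPLE_ARCHIVE = [
    "OBS-Studio-Full/install.exe",
    "OBS-Studio-Full/install.res.1033.dll",
    "OBS-Studio-Full/readme.txt",
    "Other/setup.exe",
]
SAMPLE_LOG = [
    "EventID=7045; ServiceName=ScreenConnect Client (abc123); "
    "ImagePath=C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe",
    "EventID=7045; ServiceName=Spooler; ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "EventID=7036; ServiceName=ScreenConnect Client (abc123); ImagePath=n/a",
]

if __name__ == "__main__":
    print(archive_sideload_hits(SAMPLE_ARCHIVE))       # ['OBS-Studio-Full']
    print(screenconnect_service_installs(SAMPLE_LOG))  # the single 7045 ScreenConnect entry
```

The 7036 (service state change) entry is deliberately ignored so that only new service registrations are reported.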


Technical Details

Author: AlienVault
TLP: white
References: https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472/
Adversary: null
Pulse Id: 6a4545dbc77aff75fe16cee7
Threat Score: null

Indicators of Compromise


Threat ID: 6a460e0327e9c7971954d6c2

Added to database: 07/02/2026, 07:06:43 UTC

Last enriched: 07/02/2026, 07:21:38 UTC

Last updated: 07/02/2026, 23:46:30 UTC
