Fake Download Sites in Ten Languages
Kaspersky has detailed what it calls a massive, multi-domain, multi-language campaign that abuses the legitimate ScreenConnect remote-access tool to plant AsyncRAT on victim machines. The operation is notable less for any single clever trick than for its industrial breadth. Researchers identified more than 90 domain names localized across 10 languages, including English, Russian, Chinese, German, French, Spanish, Portuguese, and Arabic, with some of the sites registered between August 2025 and March 2026. This is not a smash-and-grab. It is a durable distribution network built to catch users in whatever language they search in and whatever popular utility they happen to want.
The lures are ordinary software people download every day. The fake installers masquerade as OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others, the kind of free tools an employee might grab without filing a ticket. "The threat actor disguises ScreenConnect as popular utilities and distributes it through fraudulent websites that mimic official product pages," Kaspersky wrote, describing sites polished enough to pass a casual glance. For enterprises, the uncomfortable part is that the initial mistake looks entirely routine. Someone needs a screen recorder, searches for it, clicks the top result, and installs what appears to be exactly what they wanted.
How the Infection Chain Works
The technical chain is a clinic in living-off-trusted-components. "The malicious archives bundle a legitimate, signed Microsoft install.exe binary alongside a rogue install.res.1033.dll library," said Kaspersky researcher Denis Kulik. That signed binary is the key to the deception: it is genuinely Microsoft's, so it sails past naive trust checks, and when it runs it loads the attacker's DLL through side-loading. The rogue library quietly deploys the ScreenConnect service and waits, giving the operators a legitimate remote-management agent as their foothold rather than a piece of obvious malware that endpoint tools are trained to flag.
From there the chain deepens. A PowerShell script reads a file named secret_bytes.txt, extracts the AsyncRAT module, and runs it using process hollowing, injecting the payload into the memory of a legitimate process to stay hidden. Persistence comes from a scheduled task, reportedly named MasterPackager.Updater, that fires every couple of minutes, and the operators layer in UAC bypass and Microsoft Defender exclusions to smooth the path. "This allowed the attackers to maintain control over compromised endpoints, with victims ranging from individual users to organizations," Kaspersky noted, underscoring that this is not purely a consumer nuisance.
Living Off a Legitimate RMM Tool
Using ScreenConnect as the beachhead is a deliberate evasion choice. Remote monitoring and management tools are legitimate software that thousands of IT departments run intentionally, which means their presence on a machine and their network traffic are frequently allowlisted, tolerated, or simply invisible to defenders. An attacker who installs a real RMM agent inherits all of that trust. The connection back to the operator looks like remote support, the process is signed and reputable, and the malicious behavior hides inside a category of tooling that security teams are reluctant to block outright because doing so breaks their own workflows.
That is why RMM abuse has become such a durable technique across the criminal ecosystem, from initial-access brokers to full ransomware crews. In this campaign the RMM agent is the patient, stealthy layer, and AsyncRAT is the flexible remote-access trojan that gives hands-on control for credential theft, further payload delivery, or staging. The pairing lets the operators keep a quiet, trusted presence for the long game while retaining a noisier tool for active operations. Enterprises that only hunt for classic malware signatures will miss the part of this chain that matters most, because the most powerful component is a product they might legitimately license themselves.
The SEO Poisoning Playbook
Delivery is where the campaign's scale pays off. Rather than relying on email lures, the operators leverage search engine optimization to push their fraudulent sites to the top of results in engines like Google and Bing. When a user searches for a common utility, the poisoned page is waiting at the top of the list, wearing the branding of the real product. Ninety-plus domains across ten languages is precisely the footprint required to dominate search intent globally, and registering many of the sites months in advance let the operators build the ranking and reputation that search algorithms reward before the campaign was widely noticed.
SEO poisoning is quietly one of the most effective delivery mechanisms in circulation because it inverts the usual defensive assumption. Security awareness training conditions users to distrust unexpected emails and unsolicited links, but a top search result for software they deliberately went looking for triggers none of those instincts. The user initiated the interaction, the site looks authoritative, and the download feels earned. Defeating this requires controls that do not depend on user suspicion: application allowlisting, curated software portals, and blocking the installation of unsanctioned tools, so that a poisoned search result never becomes an executed installer in the first place.
Detection, Defense, and Why RMM Abuse Keeps Winning
Kaspersky's write-up gives responders concrete artifacts to work from: the rogue install.res.1033.dll side-loaded by a signed Microsoft binary, the secret_bytes.txt payload file, the MasterPackager.Updater scheduled task, and a command server at mora1987.work.gd. Beyond those specific indicators, the durable defense is behavioral. Alert when a signed binary side-loads an unexpected DLL, when an RMM agent appears outside a sanctioned deployment, when Defender exclusions are added programmatically, or when scheduled tasks are created that beacon on a tight interval. Those patterns catch the technique even as the domains and file names rotate, which they inevitably will.
The strategic point is that this campaign wins by hiding inside legitimacy at every layer: a real Microsoft binary, a real remote-management tool, and real search engines doing exactly what they are designed to do. Signature-based defense and user vigilance both assume the malicious thing looks malicious, and here almost nothing does until process hollowing fires deep in the chain. Enterprises that want to blunt this class of attack should govern which software can be installed, monitor for unauthorized RMM agents as a standing detection, and treat the top of a search page with the same skepticism they already apply to the inbox. The lure has simply moved from email to the search bar.



