Skip to content
Auto-CTI
Back to all deep dives
SECURELIST

The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign

HIGH RAT freeware-masquerading legitimate-tool-abuse Windows

Strategic summary

The report reveals a large-scale campaign where attackers abuse the legitimate remote access tool ScreenConnect to distribute AsyncRAT malware. Malicious installers are disguised as popular freeware applications like OBS Studio and Bandicam, hosted on over 90 spoofed websites across 10 languages. These installers bundle a signed Microsoft executable to bypass security and deploy the remote access trojan. The campaign highlights how trusted tools can be weaponized for stealthy system compromise and data theft.

Key findings

  • Threat actors exploit the legitimate remote monitoring tool ScreenConnect to drop AsyncRAT payloads, blending into normal IT environments.
  • The campaign leverages over 90 spoofed domains across 10 languages, distributing fake installers for well-known software like OBS Studio, DNS Jumper, and Bandicam.
  • Malicious archives contain a valid, digitally signed Microsoft executable (install.exe) alongside the malware, evading detection by security software.
  • The attack chain involves disguised freeware downloads that ultimately install AsyncRAT, enabling unauthorized remote access, data exfiltration, and lateral movement.
  • This campaign demonstrates a growing trend of abusing legitimate tools and software distribution channels to proliferate remote access trojans.

Relevance for you

Threat actors distribute manipulated ScreenConnect archives disguised as legitimate freeware utilities (OBS Studio, DS4Windows, DNS Jumper, Glary Utilities) to gain access to enterprise-wide systems.

Risk score

20
cvss base
0.00
kev bonus
0.00
epss bonus
0.00
poc bonus
15.00
raw before weight
15.00
industry weight
1.10
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00

Path: operational

MITRE ATT&CK mapping

2 TTPs
Recon
Resource Dev
Initial Access
Execution
Persistence
Priv. Escal.
Def. Evasion
Cred. Access
Discovery
Lateral Mov.
Collection
C2
Exfiltration
Impact
Conf.: high medium low

Procedure details

Technique Tactic Procedure Conf. Source
T1055.012
Technique T1055.012 explicitly referenced in source: Securelist high primary
T1055
Technique T1055 explicitly referenced in source: Securelist high primary
ESC