SECURELIST
The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign
HIGH RAT freeware-masquerading legitimate-tool-abuse Windows
Strategic summary
The report reveals a large-scale campaign where attackers abuse the legitimate remote access tool ScreenConnect to distribute AsyncRAT malware. Malicious installers are disguised as popular freeware applications like OBS Studio and Bandicam, hosted on over 90 spoofed websites across 10 languages. These installers bundle a signed Microsoft executable to bypass security and deploy the remote access trojan. The campaign highlights how trusted tools can be weaponized for stealthy system compromise and data theft.
Key findings
- Threat actors exploit the legitimate remote monitoring tool ScreenConnect to drop AsyncRAT payloads, blending into normal IT environments.
- The campaign leverages over 90 spoofed domains across 10 languages, distributing fake installers for well-known software like OBS Studio, DNS Jumper, and Bandicam.
- Malicious archives contain a valid, digitally signed Microsoft executable (install.exe) alongside the malware, evading detection by security software.
- The attack chain involves disguised freeware downloads that ultimately install AsyncRAT, enabling unauthorized remote access, data exfiltration, and lateral movement.
- This campaign demonstrates a growing trend of abusing legitimate tools and software distribution channels to proliferate remote access trojans.
Relevance for you
Threat actors distribute manipulated ScreenConnect archives disguised as legitimate freeware utilities (OBS Studio, DS4Windows, DNS Jumper, Glary Utilities) to gain access to enterprise-wide systems.
Risk score
20
- cvss base
- 0.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 15.00
- raw before weight
- 15.00
- industry weight
- 1.10
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
Path: operational
MITRE ATT&CK mapping
2 TTPsProcedure details
| Technique | Tactic | Procedure | Conf. | Source |
|---|---|---|---|---|
| T1055.012 | Technique T1055.012 explicitly referenced in source: Securelist | high | primary | |
| T1055 | Technique T1055 explicitly referenced in source: Securelist | high | primary |