Kaspersky warns of a large-scale campaign using fake free software to deploy a RAT via ScreenConnect

July 1, 2026

The remote administration tool ScreenConnect is being distributed through fake websites designed to mimic the official pages of well-known software products. In total, researchers identified more than 90 domains spanning 10 languages, including English, Arabic, Spanish, Chinese, German, Portuguese, and Russian, enabling the attackers to reach a wide range of victims worldwide. The campaign targets both individual users and organizations using Windows.

After detecting an incident through its Managed Detection and Response, Kaspersky uncovered a large-scale campaign in which attackers used fake websites to spread installer archives disguised as popular software, including OBS Studio, DNS Jumper, DS4Windows, Glary Utilities and Bandicam. To drive traffic to these pages, the threat actor also used search engine optimization techniques to place them high in search results. 

Across more than 90 identified fraudulent software sites, the same tactic was observed: victims who downloaded what appeared to be legitimate software instead received a hidden ScreenConnect remote administration tool, which gave the attackers persistent access to compromised devices and allowed them to deploy AsyncRAT, an open-source trojan capable of giving them full control over infected systems. Domain registrations linked to this campaign peaked in February 2026; in 2025, the same attacker had used fake websites to disguise malicious installers as games.

[Image: Example of a website used by attackers to deliver ScreenConnect]

Infection occurs through malicious archives containing a legitimate, signed Microsoft file, install.exe, alongside the install.res.1033.dll library. The DLL is loaded onto the device via a DLL sideloading technique and deploys a ScreenConnect service that awaits further instructions from the attackers.
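As an added illustration (not code from Kaspersky's report), the following Python sketch triages a downloaded ZIP archive for the file pair described above: `install.exe` sitting in the same directory as `install.res.1033.dll`. The sample archives are constructed in memory with placeholder bytes, and the directory names are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File pair named in the report: a signed Microsoft host and the DLL it sideloads.
HOST_EXE = "install.exe"
SIDELOADED_DLL = "install.res.1033.dll"


def find_sideload_pairs(archive_bytes: bytes) -> list[str]:
    """Return archive directories holding both files of the pair (case-insensitive)."""
    by_dir: dict[str, set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Member names normally use "/", but some tools write "\"; accept both.
            path = PurePosixPath(info.filename.replace("\\", "/"))
            by_dir.setdefault(str(path.parent), set()).add(path.name.lower())
    # Sideloading needs the DLL next to the host EXE, so match per directory.
    return sorted(d for d, names in by_dir.items()
                  if HOST_EXE in names and SIDELOADED_DLL in names)


def build_sample(members: list[str]) -> bytes:
    """Build a constructed test archive: placeholder bytes only, no real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed samples; layouts are illustrative, not taken from the campaign.
SUSPECT = build_sample(["Setup/Install.exe", "Setup/install.res.1033.dll", "readme.txt"])
SPLIT = build_sample(["app/install.exe", "docs/install.res.1033.dll"])

if __name__ == "__main__":
    print(find_sideload_pairs(SUSPECT))  # pair in one directory: flagged
    print(find_sideload_pairs(SPLIT))    # files in different directories: not flagged
```

A hit is a reason to check the DLL's signature and hash before anything is run, not a verdict on its own, since the host executable is a genuine signed file.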

“The campaign targets both users downloading free utilities from the internet and corporate networks, where remote access tools are often allowlisted and granted elevated privileges. Its danger lies in its potential to facilitate large-scale credential theft and unauthorized access to systems, with the stolen data typically later resold on dark web forums,” says Denis Kulik, lead SOC Analyst at Kaspersky.

The full report is available on Securelist.com

To mitigate the risks associated with this threat, Kaspersky experts recommend that businesses:

  • Enforce strict software installation controls (application allowlisting, blocking MSI package installations from untrusted sources).

  • Continuously monitor for new remote administration services and scheduled tasks.

  • Filter outbound traffic to unknown domains and IP addresses.

  • Keep your employees informed about relevant threats. Kaspersky Automated Security Awareness Platform helps cultivate cyber-savvy behavior, including safe downloading practices.

  • Verify the authenticity of software sources.

  • Augment existing security controls with human-led detection and global threat intelligence through solutions like Kaspersky Managed Detection and Response (MDR), which offers 24/7 monitoring, detection, investigation and rapid response to sophisticated cyberattacks.

  • Monitor credentials for signs of compromise to mitigate risks, as a compromised account or system access can serve as a vector for further attacks on the organization. Kaspersky Digital Footprint Intelligence provides continuous monitoring across open and dark web sources, enabling timely response to potential threats.
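One way to act on the recommendation to monitor for new remote administration services, shown as an added example rather than Kaspersky's own tooling: the Python sketch below filters Windows service-installation events (Service Control Manager event ID 7045) for ScreenConnect on hosts that are not approved to run it. The event records, host names and approved-host inventory are constructed, and the dictionary layout is an assumed export format.

```python
import re

# Service Control Manager event 7045: "A service was installed in the system".
SERVICE_INSTALLED = 7045

# Tool to watch for. ScreenConnect comes from the report; extend the pattern
# with other remote administration tools relevant to your estate.
RMM_PATTERN = re.compile(r"screenconnect", re.IGNORECASE)


def flag_unapproved_rmm(events, approved_hosts):
    """Return (host, service name) for RMM service installs on unapproved hosts."""
    approved = {h.lower() for h in approved_hosts}
    hits = []
    for ev in events:
        if ev.get("EventID") != SERVICE_INSTALLED:
            continue
        host = ev.get("Computer", "")
        name = ev.get("ServiceName", "")
        # Check the binary path too, so a renamed service is still caught.
        if RMM_PATTERN.search(f'{name} {ev.get("ImagePath", "")}') \
                and host.lower() not in approved:
            hits.append((host, name))
    return hits


# Constructed inventory and events (assumed field names from a log export).
APPROVED_HOSTS = ["HELPDESK-01"]
SC_PATH = (r"C:\Program Files (x86)\ScreenConnect Client (0000000000000000)"
           r"\ScreenConnect.ClientService.exe")
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS-014",
     "ServiceName": "ScreenConnect Client (0000000000000000)", "ImagePath": SC_PATH},
    {"EventID": 7045, "Computer": "HELPDESK-01",
     "ServiceName": "ScreenConnect Client (0000000000000000)", "ImagePath": SC_PATH},
    {"EventID": 7045, "Computer": "WS-014",
     "ServiceName": "Printer Helper", "ImagePath": r"C:\Tools\helper.exe"},
    {"EventID": 7036, "Computer": "WS-020",
     "ServiceName": "ScreenConnect Client (0000000000000000)", "ImagePath": ""},
    {"EventID": 7045, "Computer": "WS-031", "ServiceName": "Updater",
     "ImagePath": r"C:\Users\Public\svc\ScreenConnect.ClientService.exe"},
]

if __name__ == "__main__":
    for host, name in flag_unapproved_rmm(SAMPLE_EVENTS, APPROVED_HOSTS):
        print(f"unapproved remote administration service on {host}: {name}")
```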

Kaspersky experts also recommend that users follow this advice:

  • Be cautious with downloads. Only download software and media from reputable sources. Malicious software can be bundled with legitimate software, especially if downloaded from dubious websites. 

  • Use a strong security solution on all devices, such as Kaspersky Premium. It will warn you about potential threats and prevent infection.

  • Enable multi-factor authentication and monitor accounts: Activate 2FA on IDs and financial apps and regularly review statements for unauthorized activity.

  • Check the authenticity of websites. Double-check URL formats and the spelling of organization names.



About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Innovating the industry with a Cyber Immunity approach, Kaspersky safeguards consumers, businesses, critical infrastructure, and governments from cyberthreats, with over a billion devices protected to date.

Kaspersky ensures Cybersecurity True to Business, focusing on providing clear outcomes, protecting revenue, easing workloads and preventing downtime. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services for organizations of every size, from small businesses to large enterprises, combining proven AI-driven protection technologies with simple management and expert support.

Recognized in independent tests and trusted by millions of individuals worldwide and nearly 200,000 organizations, Kaspersky helps detect threats earlier, respond faster and operate with greater confidence and freedom, protecting what matters most to our clients. Learn more at www.kaspersky.com.
