Fake Software Downloads Push ScreenConnect and AsyncRAT

Brendan Smith - Cybersecurity Analyst
Fake download sites can turn a routine Windows installer search into a ScreenConnect and AsyncRAT infection chain.

Kaspersky researchers have tied a fake software download campaign to more than 90 spoofed domains that imitate popular utilities such as OBS Studio, DNS Jumper, DS4Windows, Bandicam and other freeware. The sites deliver archives that appear to contain normal installers, but the chain can install ScreenConnect and then deploy AsyncRAT on the Windows device.

The important point is not that ScreenConnect itself is malware. It is a legitimate remote support tool. The risk comes from a fake download workflow that turns a trusted remote access product into a foothold, then follows it with a remote access trojan. If you recently installed software from a search result instead of the vendor’s official site, this is the kind of chain worth checking for.

Who is affected

The campaign targets people looking for Windows downloads through search. Kaspersky says the spoofed pages were localized across multiple languages, including English, Russian and Chinese, with some pages also translated into German, French, Spanish, Arabic and other languages. That makes the campaign broader than a single brand impersonation or one regional lure.

Observed item | Why it matters
Fake download pages for OBS Studio, DNS Jumper, DS4Windows, Bandicam and other utilities | The lure matches normal user searches for free Windows tools.
Bundled install.exe and rogue install.res.1033.dll | The archive pairs a legitimate signed Microsoft binary with a malicious DLL that the binary loads from its own directory.
ScreenConnect remote session | A legitimate support tool becomes attacker-controlled when it arrives through a fake installer.
AsyncRAT payload | The final malware gives attackers remote control, data access and persistence options.

How the fake download chain works

The attack starts with search visibility. A user searches for a common tool, opens a convincing download page and receives an archive. Inside, a legitimate signed executable (install.exe) sits next to a rogue DLL (install.res.1033.dll). When the user runs the executable from the extracted folder, it resolves the DLL from its own directory first, so the rogue copy is loaded instead of the genuine resource library. That sideloaded DLL starts the malicious chain, which leads to a ScreenConnect session and then AsyncRAT delivery.

This matters because the visible installation may not look like a classic malicious program. A remote support client can seem administrative or harmless, and security prompts may name a legitimate vendor. The better question is how it arrived: if ScreenConnect appeared after a freeware download, cracked tool, driver utility, codec, game controller helper or screen recorder installer, treat it as suspicious until proven otherwise.

What to check on a Windows PC

  1. Review the exact download source. Check browser history and the downloaded archive name. If the page was not the official vendor domain, do not run the file again.
  2. Look for ScreenConnect or unfamiliar remote support clients. Check installed apps, services, startup entries and recent program folders. Do not assume a remote access tool is safe just because it is signed.
  3. Inspect the archive contents. Kaspersky highlights the combination of install.exe with install.res.1033.dll. A DLL next to a generic installer is a strong reason to stop and scan.
  4. Disconnect suspicious remote access. If a remote session is active or an unknown support client keeps reconnecting, disconnect the network and remove the client through a controlled cleanup process.
  5. Scan for follow-on malware. AsyncRAT is the final payload, so check for persistence (Run keys, scheduled tasks, startup folder entries), new files under the user profile, browser and session token theft risk, and unexplained outbound connections.
  6. Change passwords from a clean device. If the fake installer ran, rotate important passwords and revoke active sessions, especially for email, banking, cloud storage, gaming and work accounts.
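The archive inspection and the host checks above can be scripted. The following is an added PowerShell triage script written for this page; it is not code from the article, from Kaspersky or from ConnectWise. It assumes a .zip archive (the file name below is made up), that the ScreenConnect client registers services and processes whose names contain "ScreenConnect", and that AsyncRAT-style persistence points into the user profile. Run it from an elevated PowerShell prompt and never execute anything it extracts.

```powershell
# Added example: triage a suspicious installer archive and look for the ScreenConnect /
# AsyncRAT footprint described in the article. Not the page's or Kaspersky's code.
# Assumptions: .zip archive, made-up default name; adjust to what was actually downloaded.
param(
    [string]$ArchivePath = "$env:USERPROFILE\Downloads\OBS-Studio-Setup.zip"   # assumed name
)

# 1) Inspect the archive WITHOUT running anything in it. The reported lure is a signed
#    install.exe beside a rogue install.res.1033.dll: Windows resolves a DLL from the
#    executable's own directory first, so the unsigned copy next to it wins.
function Test-SideloadArchive {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "archive not found: $Path"; return $null }
    $stage = Join-Path $env:TEMP ("triage-" + [guid]::NewGuid())
    Expand-Archive -LiteralPath $Path -DestinationPath $stage -Force
    $exes = Get-ChildItem -LiteralPath $stage -Recurse -Filter 'install.exe'
    $rows = foreach ($exe in $exes) {
        # DLLs in the SAME directory as the exe are the sideloading candidates.
        $dlls = Get-ChildItem -LiteralPath $exe.DirectoryName -Filter '*.dll'
        foreach ($f in @($exe) + @($dlls)) {
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            [pscustomobject]@{
                File     = $f.Name
                Sha256   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                SigState = $sig.Status            # Valid / NotSigned / HashMismatch ...
                Signer   = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
                Flag     = $(if ($f.Name -like 'install.res.*.dll') { 'resource DLL beside installer' } else { '' })
            }
        }
    }
    Write-Host "Extracted copy left for analysis in $stage (do not run it)"
    return $rows
}

# 2) ScreenConnect footprint and AsyncRAT-style persistence on this host.
function Get-RemoteToolFootprint {
    $rx = 'ScreenConnect|ConnectWise Control'
    $profileRx = 'AppData|\\Users\\|\\Temp\\'       # autostarts pointing into a user profile
    $svc = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match $rx -or $_.PathName -match $rx } |
        Select-Object Name, State, StartMode, PathName
    $proc = Get-Process | Where-Object { $_.ProcessName -match $rx } |
        Select-Object Id, ProcessName, Path
    $apps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $rx } |
        Select-Object DisplayName, InstallDate, InstallLocation
    $run = foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                          'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p) {
            $p.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match "$rx|$profileRx" } |
                ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
        }
    }
    $tasks = Get-ScheduledTask | Where-Object {
        @($_.Actions | Where-Object { $_.Execute -match "$rx|$profileRx" }).Count -gt 0
    } | Select-Object TaskName, TaskPath, State
    $net = if ($proc) {
        Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
            Where-Object { $proc.Id -contains $_.OwningProcess } |
            Select-Object RemoteAddress, RemotePort, OwningProcess
    }
    [pscustomobject]@{
        Services = $svc; Processes = $proc; InstalledApps = $apps
        RunEntries = $run; ScheduledTasks = $tasks; Connections = $net
    }
}

Test-SideloadArchive -Path $ArchivePath | Format-Table -AutoSize
$fp = Get-RemoteToolFootprint
foreach ($section in 'Services', 'Processes', 'InstalledApps', 'RunEntries', 'ScheduledTasks', 'Connections') {
    "== $section =="
    $fp.$section | Format-Table -AutoSize | Out-String
}
```

Read the output the way the checklist suggests: a Valid signature on install.exe next to a NotSigned install.res.1033.dll is the sideloading shape the article describes, and the SHA-256 column gives you something to look up before deleting the file. Any "ScreenConnect Client (…)" service, Run entry or scheduled task you did not knowingly install, especially one whose command points under AppData or Temp, is the signal to disconnect the network and remove the client through a controlled cleanup rather than a single uninstall click.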

If the file already ran, removing only the visible installer is not enough. A loader, service, scheduled task, remote support client or RAT component may remain after the first cleanup pass. Run a full Gridinsoft Anti-Malware scan, remove detections, reboot and scan again if remote-access alerts, unknown startup entries or outbound traffic return.


How to avoid this specific trap

For popular Windows utilities, use the vendor’s official domain or a trusted store link rather than an ad, mirror, reupload site or “free download center.” Be extra cautious when the page offers a single archive for unrelated tools, promises a faster installer, or uses generic copy such as “safe and easy downloads” without a clear publisher identity.

Security teams should also watch for remote support tools installed outside approved channels. A legitimate ScreenConnect deployment should have a known owner, ticket, installer source and management policy. A one-off ScreenConnect client installed from a user’s Downloads folder is a different signal.
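Turning "known owner, installer source and management policy" into a check is mostly a matter of reading what the ScreenConnect access agent registers on the host. The following is an added example written for this page, not code from the article, Kaspersky or ConnectWise. It assumes that the agent's service name starts with "ScreenConnect Client" and that the service ImagePath carries the executable followed by a parameter string of the form "?e=Access&y=Guest&h=<relay host>&p=<port>&s=<guid>…" (this matches sanctioned installs I have seen, but confirm it against one of your own before trusting the regex). The approved relay host and the sample ImagePath are placeholders.

```powershell
# Added example: flag ScreenConnect access agents whose relay host or install path does
# not match your own deployment. Not the page's, Kaspersky's or ConnectWise's code.
# Assumptions: approved host is a placeholder; ImagePath layout is as described in the lead-in.

$ApprovedRelayHosts = @('control.corp.example')          # placeholder: your instance's relay host(s)

function ConvertFrom-ScreenConnectImagePath {
    param([Parameter(Mandatory)][string]$ImagePath)
    $exe   = if ($ImagePath -match '^"?(?<exe>[^"]+?\.exe)"?') { $Matches['exe'] } else { $ImagePath }
    $relay = if ($ImagePath -match '[?&]h=(?<h>[^&"\s]+)')    { $Matches['h'].ToLowerInvariant() } else { $null }
    $port  = if ($ImagePath -match '[?&]p=(?<p>\d+)')         { [int]$Matches['p'] } else { $null }
    [pscustomobject]@{ Executable = $exe; RelayHost = $relay; RelayPort = $port }
}

function Get-ScreenConnectVerdict {
    param([Parameter(Mandatory)]$Parsed, [string[]]$Approved = $ApprovedRelayHosts)
    $reasons = @()
    if (-not $Parsed.RelayHost) {
        $reasons += 'no relay host in ImagePath'
    } elseif ($Approved -notcontains $Parsed.RelayHost) {
        $reasons += "unapproved relay $($Parsed.RelayHost)"
    }
    # A sanctioned agent lives under Program Files; a one-off from Downloads/Temp does not.
    if ($Parsed.Executable -match '\\Users\\|AppData|\\Temp\\') { $reasons += 'binary under a user profile' }
    if ($reasons.Count -eq 0) { 'ok' } else { $reasons -join '; ' }
}

function Get-ScreenConnectAgents {
    Get-CimInstance Win32_Service | Where-Object { $_.Name -like 'ScreenConnect Client*' } | ForEach-Object {
        $p = ConvertFrom-ScreenConnectImagePath -ImagePath $_.PathName
        [pscustomobject]@{
            Service    = $_.Name; State = $_.State; StartMode = $_.StartMode
            RelayHost  = $p.RelayHost; Executable = $p.Executable
            Verdict    = Get-ScreenConnectVerdict -Parsed $p
        }
    }
}

# Constructed sample ImagePath (made up for this example) so the parser runs on any machine:
$sample = '"C:\Users\alice\AppData\Local\Temp\ScreenConnect Client (0123456789abcdef)\ScreenConnect.ClientService.exe" ' +
          '"?e=Access&y=Guest&h=instance-xxxx-relay.screenconnect.com&p=443&s=00000000-0000-0000-0000-000000000000&k=..."'
$parsed = ConvertFrom-ScreenConnectImagePath -ImagePath $sample
$parsed | Format-List
Get-ScreenConnectVerdict -Parsed $parsed   # "unapproved relay ...; binary under a user profile"

# Live check on this host (run elevated so every service is readable):
Get-ScreenConnectAgents | Format-Table -AutoSize
```

Run this from your endpoint management tooling or alongside the service-creation telemetry your EDR already collects. Anything with a verdict other than "ok" should be matched against a ticket and an installer source; if there is neither, treat it as the one-off client the paragraph above warns about and remove it through the ConnectWise uninstall procedure rather than by killing the process.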

FAQ

Is ScreenConnect malware?

No. ScreenConnect is legitimate remote support software. In this campaign, attackers abuse the installation path by delivering it from spoofed software download sites and then using it as part of an AsyncRAT infection chain.

What should I do if I installed OBS, DNS Jumper, DS4Windows or Bandicam from a search result?

Verify the domain you used, uninstall anything suspicious, scan the archive and the device, and change passwords from a clean device if the installer ran. Reinstall the tool only from the official vendor source.

Why does a signed installer still matter?

A signed executable can be abused when it loads a malicious file placed next to it. The signature covers only the executable itself, not the DLLs it pulls in from its own directory, so a valid signer name on install.exe says nothing about the install.res.1033.dll beside it and does not make the whole archive trustworthy.

References

  1. Kaspersky Global Research and Analysis Team. “How a single ScreenConnect incident exposed a massive campaign.” Securelist, published July 1, 2026, accessed July 1, 2026. https://securelist.com/the-soc-files-screenconnect-campaign-with-asyncrat/120472/
  2. ConnectWise. “Uninstall an access agent.” ConnectWise ScreenConnect documentation, accessed July 1, 2026. https://docs.connectwise.com/ConnectWise_ScreenConnect_Documentation/Get_started/Host_client/View_menu/Uninstall_an_access_agent