At a glance: Cybercriminals operate over 90 fake domains mimicking popular Windows software and use DLL sideloading, with ScreenConnect as a bridge, to deliver the AsyncRAT trojan, gain remote access and steal credentials.
Kaspersky has documented a campaign involving over 90 fraudulent domains that mimic legitimate software download pages. Through manipulated installation files, the attackers use DLL sideloading and a ScreenConnect deployment to deliver the AsyncRAT trojan and thus gain complete control of the system.
Kaspersky has identified a large-scale infection campaign in which attackers operate websites that mimic the official download pages of well-known software products. The spoofed programs include OBS Studio, DNS Jumper, DS4Windows, Glary Utilities and Bandicam. In total, more than 90 fraudulent domains in ten languages have been identified, including German, English, Spanish and Chinese. The actors use search engine optimization to place these sites prominently in search results. Domain registrations have so far peaked in February 2026.
The infection mechanism uses manipulated archive files containing two components: a legitimate, digitally signed Microsoft file named install.exe and a prepared library named install.res.1033.dll. When the fake installer is executed, the malicious library is loaded in the background via DLL sideloading. This triggers the installation of the ScreenConnect remote management tool, which is commonly allow-listed and runs with elevated privileges. The attackers then download the open-source AsyncRAT trojan, which gives them complete control of the system. The same approach was already in use in 2025, at that time delivered through game installer archives.
After a successful compromise, the attackers pursue credential theft and unauthorized system access. The stolen data is typically resold on darknet forums. The attack model targets both private users who download free software from the internet and corporate networks in which remote access tools are considered trustworthy.
To mitigate the risk, Kaspersky recommends that organizations control software installation via allow-lists, block MSI packages from unknown sources, continuously monitor remote management services and automated system tasks, filter outbound network traffic to unknown domains on the server side, train employees on cybersecurity risks and scan systems for compromised credentials. Private users should obtain software exclusively from official manufacturer websites, enable two-factor authentication, verify URLs before downloading, and use an active security solution.
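As an added defender-side example (not code from Kaspersky's report), the following Python hunts constructed Sysmon-style events for the chain described in the infection mechanism and the monitoring recommendation above: a host executable loading an unsigned DLL from the same user-writable folder (the install.exe / install.res.1033.dll sideload), followed by a ScreenConnect installer spawned by that process. Field names mirror Sysmon Event IDs 1 and 7; the sample events, paths and GUIDs are constructed.

```python
"""Hunt Sysmon-style telemetry for the DLL sideloading -> ScreenConnect chain.
Event ID 7 = image load, Event ID 1 = process creation. Sample data is constructed."""
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry); field names mirror Sysmon's.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\OBS-Setup\install.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\OBS-Setup\install.res.1033.dll",
     "Signed": "false", "ProcessGuid": "{A1}"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "ProcessGuid": "{B2}"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
     "ParentImage": r"C:\Users\alice\Downloads\OBS-Setup\install.exe",
     "ProcessGuid": "{C3}", "ParentProcessGuid": "{A1}"},
]

# Locations an unprivileged user can write to; a DLL loaded from here next to
# its host EXE is the classic sideloading shape. Assumed list, extend as needed.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_ROOTS)


def find_sideload_candidates(events):
    """Event ID 7 where an unsigned DLL is loaded from the same user-writable
    directory as the loading executable. Returns (process_guid, exe, dll)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
        if (is_user_writable(str(dll)) and exe.parent == dll.parent
                and ev.get("Signed", "").lower() != "true"):
            hits.append((ev["ProcessGuid"], str(exe), str(dll)))
    return hits


def find_rmm_spawned_by(events, parent_guids, marker="screenconnect"):
    """Event ID 1 where a remote-management installer is started by one of the
    flagged sideloading hosts (parent GUID match plus image-name marker)."""
    return [ev["Image"] for ev in events
            if ev.get("EventID") == 1
            and ev.get("ParentProcessGuid") in parent_guids
            and marker in PureWindowsPath(ev["Image"]).name.lower()]


def hunt(events):
    """Correlate both stages; a non-empty rmm_launches list is the high-confidence hit."""
    sideloads = find_sideload_candidates(events)
    rmm = find_rmm_spawned_by(events, {guid for guid, _, _ in sideloads})
    return {"sideloads": sideloads, "rmm_launches": rmm}
```

A sideload hit alone is a lead worth triaging; the same host process then launching a remote-management installer is the pattern this campaign uses and should page an analyst.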
Source: www.it-daily.net · Published July 2, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.