HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Threat Actors Abuse ScreenConnect Remote Tool in Large‑Scale Spoofed‑Installer Campaign

Kaspersky uncovered a campaign that distributes malicious installers masquerading as popular freeware, using DLL sideloading to deploy the signed ScreenConnect remote‑admin service and an AsyncRAT payload. The abuse highlights gaps in SOC 2 access‑control policies for third‑party utilities.

LiveThreat™ Intelligence · 📅 July 02, 2026· 📰 securelist.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
securelist.com

Threat Actors Abuse ScreenConnect Remote Tool in Large‑Scale Spoofed‑Installer Campaign

What Happened — Kaspersky’s MDR team uncovered a coordinated campaign that distributes malicious installer archives masquerading as popular freeware (e.g., OBS Studio, Bandicam). The archives contain a legitimate Microsoft install.exe bundled with a rogue install.res.1033.dll that sideloads the ScreenConnect remote‑administration service, which then receives commands from an AsyncRAT C2 infrastructure. Over 90 domain names in 10 languages were used to host the payloads.

Why It Matters for Compliance & Audit Readiness

  • The abuse of a signed, allow‑listed remote‑access tool illustrates why SOC 2 Access Control policies must cover both privileged and “utility” applications, not just traditional admin accounts.
  • Continuous monitoring of endpoint and network activity (e.g., unexpected ScreenConnect service launches) provides audit‑ready evidence that controls are operating as intended.
  • Demonstrating a documented process for vetting third‑party software and restricting its execution aligns with the SOC 2 CC6.1 (Logical Access) and CC6.2 (User Access Management) criteria.

Who Is Affected — Enterprises of any size that permit remote‑support utilities, especially those in technology/SaaS, professional services, and media/creative sectors where tools like OBS are common.

Recommended Actions

  • Inventory all remote‑administration utilities and enforce a “least‑privilege” execution policy (e.g., require MFA for service start‑up).
  • Deploy endpoint detection that flags unsigned DLL sideloading and unexpected ScreenConnect processes.
  • Incorporate the detection of spoofed installer domains into your threat‑intelligence feeds and SOC 2 evidence collection.

Source: SecureList – The SOC Files: ScreenConnect masked as freeware

Technical Notes

  • Attack vector: Third‑party dependency abuse → legitimate remote‑admin tool signed with a valid certificate, delivered via spoofed freeware installers.
  • Payload: AsyncRAT (remote access trojan) delivered through DLL sideloading (install.res.1033.dll).
  • Infrastructure: >90 domains, multi‑regional C2 servers (e.g., 162.216.241.242, 198.23.185.81).
  • Indicators of Compromise: Creation of PowerShell/VBS scripts by ScreenConnect, presence of install.res.1033.dll, outbound traffic to known AsyncRAT C2 hosts.
📰 Original Source
https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →