Key Summary
- Since October 2025, an unknown threat actor has been running an active SEO poisoning campaign, using impersonation sites for over 25 popular applications, including VLC Media Player, OBS Studio, KMS Tools, and CrosshairX, to direct victims to malicious installers.
- The campaign uses ScreenConnect, a legitimate remote management tool, to establish initial access and to deliver the eventual AsyncRAT payload.
- The AsyncRAT payload is configured with a cryptocurrency clipper and dynamic plugin system, with a geo-fencing mechanism that deliberately excludes targets across the Middle East, North Africa, and Central Asia.
- Over the campaign’s duration, the operator has continuously refined their infrastructure and transitioned from the use of static download URLs to a randomised token-based delivery mechanism.
Introduction
The Security Operations Centres (SOC) at FOX-IT and NCC Group continuously monitor our clients' networks for signs of potential threats. In March 2026, the SOC flagged an increase in ScreenConnect-related alerts across multiple client environments, prompting a joint investigation by the SOC and NCC Group’s Cyber Intelligence and Response (CIR) team, which incorporates Digital Forensics and Incident Response (DFIR), Threat Intelligence, Threat Hunting and Detection Engineering. What was first suspected to be a cluster of alerts linked only by the common deployment of ScreenConnect turned out to be an active, multistage campaign that had been operating undetected for at least 5 months.
Operated by an unknown threat actor, the campaign uses SEO poisoning to direct victims to fake download sites that impersonate popular free software. At the time of this analysis, impersonations of at least 25 software titles were identified across the operator’s infrastructure, including productivity tools, system utilities and video games. The full list of software has been provided in the Appendix. Alongside the expected software, victims unknowingly downloaded a ScreenConnect client, thereby granting the operator remote access to their devices. In the cases examined, this access was subsequently used to deploy AsyncRAT, an open-source remote administration tool turned remote access trojan. Most notable in this campaign is the RAT’s added cryptocurrency clipper, dynamic plugin system capable of loading arbitrary capabilities at runtime, and a geo-fencing mechanism that deliberately excludes targets across the Middle East, North Africa, and Central Asia.
The infrastructure supporting this campaign spans at least three ScreenConnect relay hosts and two payload delivery backends, with over 100 malicious files associated with them identified on VirusTotal at the time of investigation. The earliest registration of this infrastructure was in October 2025, with the first payload associated with it being submitted to VirusTotal a month later in November. From the initial registration to now, the operator has continuously refined their delivery infrastructure, evolving from static download URLs to a randomised, token-based delivery mechanism.
This blog documents the full attack chain, from the initial SEO lure through to the deployment of AsyncRAT and provides indicators of compromise for each stage.
Attack Chain Overview
Figure 1: Attack chain overview
In the case documented in this blog, the attack chain, as shown in figure 1, begins with SEO poisoning: the victim searches for a VLC Media Player download and is directed to vlc-media[.]com, an impersonation site positioned to appear among the top search results. The unsuspecting victim clicks the download button, which retrieves a malicious ZIP archive from the file host fileget[.]loseyourip[.]com, containing what appears to the victim to be a legitimate VLC package.
The victim’s execution of the VLC executable sideloads a malicious DLL which extracts and silently executes a hidden MSI installer. This MSI installer installs and executes ScreenConnect, a legitimate remote management tool, giving the attacker a foothold on the victim’s machine.
The attacker then leverages ScreenConnect to introduce a VBScript onto the machine, which drops a collection of files and executes a PowerShell script. This script ultimately results in the deployment of an AsyncRAT executable injected within a legitimate Windows process, establishing a covert remote access channel for the attacker.
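The chain described above leaves a recognisable process lineage on the endpoint: an MSI install started silently by a media player rather than by the shell, and later PowerShell launched by a script host that itself descends from the ScreenConnect client. The following is an added detection example written for this post, not code from the original investigation; the ScreenConnect client binary names, the sample paths and the telemetry rows are assumptions constructed for illustration, modelled on the fields a Sysmon Event ID 1 record carries.

```python
import ntpath
from collections import namedtuple

# A minimal process-creation record, modelled on the fields a Sysmon
# Event ID 1 or EDR telemetry row would carry.
Event = namedtuple("Event", "pid ppid image cmdline")

# The report names ScreenConnect but not its binaries; these client
# process names are an assumption for this example.
SCREENCONNECT_IMAGES = {"screenconnect.clientservice.exe",
                        "screenconnect.windowsclient.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Parents from which msiexec is routinely and legitimately started.
EXPECTED_MSI_PARENTS = {"explorer.exe", "services.exe", "msiexec.exe"}
# msiexec switches that suppress any visible installer UI.
SILENT_MSI_SWITCHES = ("/qn", "/quiet", "/qb")


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def ancestors(event: Event, by_pid: dict) -> list:
    """Walk the parent chain (nearest parent first), stopping at unknown or repeated pids."""
    chain, seen = [], set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: list) -> list:
    """Apply both lineage rules to a batch of events and return the alerts raised."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        lineage = [image_name(a.image) for a in ancestors(e, by_pid)]

        # Rule 1: a silent MSI install spawned by an ordinary application
        # (here the sideloaded VLC binary) rather than by the shell or the
        # installer service.
        if (name == "msiexec.exe" and parent is not None
                and image_name(parent.image) not in EXPECTED_MSI_PARENTS
                and any(s in e.cmdline.lower().split() for s in SILENT_MSI_SWITCHES)):
            alerts.append({"rule": "silent-msi-from-application",
                           "pid": e.pid, "lineage": lineage})

        # Rule 2: PowerShell started by a script host that itself descends
        # from the ScreenConnect client, matching the VBScript stage.
        if (name in POWERSHELL_IMAGES
                and any(n in SCRIPT_HOSTS for n in lineage)
                and any(n in SCREENCONNECT_IMAGES for n in lineage)):
            alerts.append({"rule": "powershell-via-script-host-under-screenconnect",
                           "pid": e.pid, "lineage": lineage})
    return alerts


# Constructed telemetry reproducing the chain in the text, plus two benign events.
SAMPLE_EVENTS = [
    Event(1, 0, r"C:\Windows\System32\wininit.exe", "wininit.exe"),
    Event(4, 1, r"C:\Windows\System32\services.exe", "services.exe"),
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Users\victim\Downloads\vlc-3.0.23-win64-setup\vlc.exe", "vlc.exe"),
    Event(300, 200, r"C:\Windows\System32\msiexec.exe",
          r"msiexec.exe /i C:\Users\victim\AppData\Local\Temp\setup.msi /qn"),
    Event(400, 4, r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
          "ScreenConnect.ClientService.exe"),
    Event(500, 400, r"C:\Windows\System32\wscript.exe",
          r"wscript.exe C:\Users\victim\AppData\Local\Temp\update.vbs"),
    Event(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -File C:\Users\victim\AppData\Local\Temp\stage.ps1"),
    # Benign: an interactive PowerShell and a user-driven MSI install from Explorer.
    Event(700, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    Event(800, 100, r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Users\victim\Downloads\app.msi"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed batch, the two malicious events (pids 300 and 600) are flagged and the two benign ones are not. Both rules key on ancestry rather than on file names or hashes, so they survive the operator swapping payload names or delivery tokens; in production the parent allow-list for msiexec would need tuning to the software deployment tooling in use.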
Initial Access: SEO Lure Infrastructure
In the observed cases, initial access was achieved through SEO poisoning (T1608.006), a technique where attackers manipulate search engine rankings so that their own sites appear as top results, attracting victims searching for legitimate software. The sites are designed to present as legitimate web pages and in most cases deliver a genuine copy of the impersonated software alongside a malicious payload, ensuring that the victim’s suspicions are not raised once the file is downloaded. In the case examined below, the victim was directed to vlc-media[.]com, a fake software site impersonating VLC Media Player, shown in figure 2 below.
Figure 2: vlc-media[.]com, the fake download site impersonating VLC Media Player
After clicking the download button, vlc-3.0.23-win64-setup.zip was silently retrieved from hxxps[://]fileget[.]loseyourip[.]com/vlc/xfY0zYTXeQHXmxU, a URL that remained active at the time of our investigation and reporting. The archive contained both a legitimate VLC installer and additional malicious components that are documented in detail in subsequent sections.
Both vlc-media[.]com and fileget[.]loseyourip[.]com form part of a broader infrastructure network that we mapped in detail through case analysis and infrastructure pivoting. In addition to vlc-media[.]com, confirmed lure sites include studio-obs[.]net, kms-tools[.]com, and crosshairx[.]pro, collectively impersonating VLC Media Player, OBS Studio, KMS Tools, and CrosshairX. The following analysis covers the lure sites, delivery mechanism, and relay infrastructure that collectively form this operation.
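The lure domains and the file host above are the indicators most SOCs can act on immediately by sweeping web proxy logs. The script below is an added example for this post, not tooling from the investigation: it refangs the published indicators, matches proxy entries against the known hosts, and separately flags the token-style download path (a product directory followed by a single long alphanumeric token, as in /vlc/xfY0zYTXeQHXmxU). The log format, the 12-character token floor and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the report, kept defanged as published.
DEFANGED_IOCS = [
    "vlc-media[.]com",
    "studio-obs[.]net",
    "kms-tools[.]com",
    "crosshairx[.]pro",
    "fileget[.]loseyourip[.]com",
]

# Token-style download path as seen on the file host (/vlc/xfY0zYTXeQHXmxU):
# a product directory followed by one alphanumeric token of 12 or more
# characters with no file extension. The 12-character floor is an assumption.
TOKEN_PATH_RE = re.compile(r"^/[a-z0-9-]+/[A-Za-z0-9]{12,}$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable host or URL."""
    return (indicator.replace("[.]", ".")
                     .replace("[://]", "://")
                     .replace("hxxp", "http"))


def defang(indicator: str) -> str:
    """Defang a host or URL so it cannot be clicked when written to a report."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


KNOWN_HOSTS = {refang(i) for i in DEFANGED_IOCS}


def classify_url(url: str) -> list:
    """Return the reasons a URL is suspicious; an empty list means no match.
    The token-path rule alone is a weak signal and is meant to be combined
    with the host match or a binary download."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    reasons = []
    if host in KNOWN_HOSTS:
        reasons.append("known-lure-or-delivery-host")
    if TOKEN_PATH_RE.match(parsed.path):
        reasons.append("token-style-download-path")
    return reasons


def scan_proxy_log(lines: list) -> list:
    """Scan constructed proxy log lines of the form
    '<epoch> <client-ip> <method> <url> <status> <content-type>' and
    return one finding per line that trips at least one rule."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line, skip it
        _ts, client, _method, url, _status, content_type = fields[:6]
        reasons = classify_url(url)
        if reasons and content_type in ("application/zip", "application/octet-stream"):
            reasons.append("archive-or-binary-download")
        if reasons:
            findings.append({"line": lineno, "client": client,
                             "url": defang(url), "reasons": reasons})
    return findings


# Constructed proxy entries: a legitimate VLC page, the lure site, the
# token-based ZIP download, and an unrelated archive download.
SAMPLE_LOG = [
    "1773000000.101 10.0.0.12 GET https://www.videolan.org/vlc/download-windows.html 200 text/html",
    "1773000000.204 10.0.0.12 GET https://vlc-media.com/ 200 text/html",
    "1773000000.305 10.0.0.12 GET https://fileget.loseyourip.com/vlc/xfY0zYTXeQHXmxU 200 application/zip",
    "1773000000.410 10.0.0.31 GET https://example.com/downloads/setup.zip 200 application/zip",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

On the sample, the lure-site visit and the token-based download are reported (the latter with all three reasons) while the genuine videolan.org page and the unrelated ZIP are not. Findings are written back in defanged form so they can be pasted straight into a ticket.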
Analysis of the lure sites showed that they were all optimised for search engine visibility; however, the specific tools and techniques employed varied from site to site. The sites were built with hreflang tags targeting multiple language regions and embedded fake Schema.org aggregate ratings designed to be displayed directly on a search results page to appear more credible, examples of which are shown in figure 3 below.
Figure 3: hreflang tags and fake Schema.org aggregate ratings embedded in the lure sites
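The two SEO features described above can be pulled out of a saved lure page mechanically, which is useful when triaging a new impersonation domain. The following is an added example for this post, not code from the investigation: it walks the HTML for hreflang alternates, parses every JSON-LD block for Schema.org AggregateRating nodes, and lists anchor targets pointing off the page's own host (the pattern of the download button fetching from a separate file host). The hostnames, the sample HTML and the combined "suspicious" heuristic are constructed assumptions.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse


class LurePageParser(HTMLParser):
    """Collect the SEO-relevant parts of a page: hreflang alternates,
    JSON-LD blocks and anchor targets."""

    def __init__(self):
        super().__init__()
        self.hreflangs = []
        self.jsonld_blocks = []
        self.links = []
        self._in_jsonld = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "alternate" and a.get("hreflang"):
            self.hreflangs.append(a["hreflang"])
        elif tag == "script" and (a.get("type") or "").lower() == "application/ld+json":
            self._in_jsonld = True
            self._buf = []
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_data(self, data):
        if self._in_jsonld:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_jsonld:
            self._in_jsonld = False
            self.jsonld_blocks.append("".join(self._buf))


def find_aggregate_ratings(obj, found=None) -> list:
    """Recursively collect every AggregateRating node in parsed JSON-LD,
    whether it sits at the top level or nested under another type."""
    if found is None:
        found = []
    if isinstance(obj, dict):
        if obj.get("@type") == "AggregateRating":
            found.append(obj)
        for value in obj.values():
            find_aggregate_ratings(value, found)
    elif isinstance(obj, list):
        for value in obj:
            find_aggregate_ratings(value, found)
    return found


def analyse_lure_page(html_text: str, page_host: str) -> dict:
    """Summarise the SEO features of a saved page and apply a simple heuristic:
    several hreflang regions, an embedded aggregate rating and a download link
    to a different host together mark the page as worth a closer look."""
    parser = LurePageParser()
    parser.feed(html_text)
    ratings = []
    for block in parser.jsonld_blocks:
        try:
            ratings.extend(find_aggregate_ratings(json.loads(block)))
        except json.JSONDecodeError:
            continue  # malformed structured data, ignore the block
    hosts = {urlparse(href).hostname for href in parser.links}
    external = sorted(h for h in hosts if h and h != page_host)
    return {
        "hreflang_regions": parser.hreflangs,
        "aggregate_ratings": [(r.get("ratingValue"), r.get("ratingCount") or r.get("reviewCount"))
                              for r in ratings],
        "external_download_hosts": external,
        "suspicious": bool(ratings) and bool(external) and len(parser.hreflangs) >= 3,
    }


# Constructed page mimicking the features described in the text; the hosts are placeholders.
SAMPLE_HTML = """<!doctype html>
<html lang="en"><head>
<title>Download VLC Media Player</title>
<link rel="alternate" hreflang="en" href="https://lure-site.example/">
<link rel="alternate" hreflang="de" href="https://lure-site.example/de/">
<link rel="alternate" hreflang="fr" href="https://lure-site.example/fr/">
<link rel="alternate" hreflang="x-default" href="https://lure-site.example/">
<script type="application/ld+json">
{"@context": "https://schema.org", "@type": "SoftwareApplication",
 "name": "VLC Media Player",
 "aggregateRating": {"@type": "AggregateRating", "ratingValue": "4.8", "ratingCount": "12034"}}
</script>
</head><body>
<a href="https://filehost.example.net/vlc/aB3dE5fG7hJ9kL1">Download</a>
<a href="/about">About</a>
</body></html>"""

if __name__ == "__main__":
    print(analyse_lure_page(SAMPLE_HTML, "lure-site.example"))
```

For the constructed page the summary lists four hreflang regions, one 4.8-star rating with 12,034 votes, and filehost.example.net as the only off-site link target, so the heuristic fires. None of these features is malicious on its own; a genuine vendor site may carry all three, which is why the output is a triage summary rather than a verdict.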