Kaspersky MDR investigated an alert flagging suspicious PowerShell and VBS scripts spawned by a ScreenConnect process, which turned into a large-scale campaign. securelist
![]()
Infection chain:
- Victim downloads a fake "OBS Studio" installer from a typosquatted site (studioobs[.]com), reached via search engine results.
- Archive contains a legit MS-signed install.exe + malicious install.res.1033.dll, loaded via DLL sideloading.
- DLL silently installs ScreenConnect (disguised as vcredist_x64.dll MSI) alongside the real requested software, so the user isn't suspicious.
- PowerShell script sets Defender exclusions on all drives + RegAsm.exe, disables UAC prompts.
- VBS/PS chain decodes an XOR-obfuscated (0xA7 key, bit-reversed) payload from secret_bytes.txt, reflectively loads it, and process-hollows into RegAsm.exe (T1055.012) — deploying AsyncRAT.
- Persistence via a scheduled task (MasterPackager.Updater) re-running the VBS every 2 minutes.
Scale: Pivoting off the shared install.exe, Kaspersky found the same technique impersonating DS4Windows, DNS Jumper, Glary Utilities, Process Hacker, Bandicam and others — over 90 domains across ~10 languages, heavily SEO-boosted to rank at the top of search results. Two IP clusters identified: 162.216.241[.]242/198.23.185[.]81 (US, Dynu/NOHAVPS) and 2.59.134[.]97 (Germany, dataforest GmbH). Campaign appears active Oct 2025–Mar 2026, though landing pages are still live. securelist
Goal assessed: mass credential theft / initial access for resale.
Detections/hunts mentioned: Sigma rules for ScreenConnect service creation (EventID 4697) and anomalous child processes from ScreenConnect binaries; Kaspersky TIP hunting rules suspicious_assembly_loading_into_powershell_via_reflection_amsi, xored_powershell_command_amsi, scheduled_task_create_from_public_directory_via_schtasks, code_injection_to_unusual_process.
Full IOC list (loader/DLL hashes, C2 domains, 90+ fake domains) is in the original post — worth pulling directly into your OpenTIP checker given the volume: How a single ScreenConnect incident exposed a massive campaign