
SEO Poisoning Campaign Impersonates 25+ Apps to Deliver AsyncRAT

A long-running SEO poisoning campaign has been targeting Windows users by impersonating popular software downloads and distributing AsyncRAT malware. Active since October 2025, the operation quietly pushed trojanized installers for more than 25 well-known applications.

The campaign remained undetected for months before researchers uncovered its multi-stage infection chain in March 2026.


How the Campaign Works

Attackers manipulate search engine rankings to place fake download sites above legitimate results. Victims searching for software unknowingly download malicious packages.

Targeted Applications

The campaign impersonates tools such as:

  • VLC Media Player
  • OBS Studio
  • KMS Tools
  • CrosshairX

Each download archive contains:

  • Legitimate installer
  • Malicious DLL component
  • Hidden payload

Because the real application launches normally, users rarely suspect compromise.


Research Discovery

Investigators from NCC Group and Fox-IT uncovered the campaign after detecting unusual remote tool activity across multiple environments.

Their analysis revealed:

  • Three relay hosts
  • Two payload delivery servers
  • Over 100 malicious files
  • Multi-language SEO lure pages

Final Payload: AsyncRAT

The campaign delivers a customized build of AsyncRAT with expanded capabilities.

Malware Features

  • Keylogging
  • Clipboard monitoring
  • Cryptocurrency clipper (16 currencies)
  • Plugin-based modular extensions
  • Remote command execution
  • Data exfiltration

The build includes geo-fencing that disables crypto theft in specific regions.


Multi-Stage Infection Chain

Step-by-Step Execution

  1. User downloads ZIP archive
  2. Runs legitimate installer
  3. Malicious DLL sideloaded
  4. Hidden MSI executed silently
  5. Remote access tool installed
  6. PowerShell loader deployed
  7. AsyncRAT injected in memory

This layered approach helps evade detection.


DLL Sideloading Technique

The infection relies on DLL sideloading using a malicious libvlc.dll. When the legitimate application starts, Windows loads the attacker-controlled DLL.

This allows:

  • Execution under trusted process
  • Security tool evasion
  • Silent payload delivery

Remote Access Deployment

The MSI installer deploys ScreenConnect disguised as a system service.

The service connects to attacker-controlled infrastructure and enables:

  • Remote command execution
  • File deployment
  • Persistence setup

Fileless Payload Execution

The malware avoids disk detection by:

  • Writing encrypted payloads
  • Decrypting in memory
  • Compiling injector dynamically
  • Using process hollowing

AsyncRAT is injected into RegAsm.exe, a trusted Windows binary.


Persistence Mechanisms

The campaign establishes multiple persistence methods.

Persistence Techniques

  • Auto-start Windows service
  • LSASS authentication package
  • Scheduled task every two minutes

These mechanisms ensure survival across reboots.


Infrastructure Evolution

Attackers updated delivery infrastructure over time.

Changes Observed

  • Static URLs replaced
  • Token-based download links
  • File-sharing disguise backend
  • Randomized payload distribution

These improvements made blocking more difficult.


Risk Impact Analysis

Risk Area            Impact
Endpoint Security    RAT installation
Credentials          Keylogging
Crypto Assets        Clipboard hijacking
Persistence          Multi-layer survival
Detection            Fileless execution

Indicators of Compromise

Security teams should watch for:

  • Unauthorized ScreenConnect services
  • DLL sideloading behavior
  • RegAsm.exe process injection
  • Suspicious scheduled tasks
  • Unknown authentication packages
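A host-level hunting script for the indicators listed above, written as an added example for this post (it is not tooling from NCC Group or Fox-IT). It assumes the scheduled task's trigger repeats on a two-minute interval (PT2M), that the sideloaded libvlc.dll is loaded from outside VLC's normal install directory, and that msv1_0 is the only LSA authentication package expected on the audited host; adjust that allowlist for your environment.

```powershell
# Added hunting example; assumptions (not from the write-up): allowlisted LSA
# package is msv1_0 only, task interval is PT2M, VLC lives under Program Files.
$findings = @()

# 1. Unknown LSASS authentication packages (REG_MULTI_SZ, default "msv1_0")
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($pkg in @($lsa.'Authentication Packages')) {
    if ($pkg.ToLower() -ne 'msv1_0') {
        $findings += "LSA authentication package outside allowlist: $pkg"
    }
}

# 2. Scheduled tasks whose trigger repeats every two minutes
foreach ($task in Get-ScheduledTask) {
    foreach ($trigger in $task.Triggers) {
        if ($trigger.Repetition.Interval -eq 'PT2M') {
            $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ' '
            $findings += "Task '$($task.TaskName)' repeats every 2 min: $exe"
        }
    }
}

# 3. ScreenConnect registered as a Windows service
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.Name -like '*ScreenConnect*' -or $svc.PathName -like '*ScreenConnect*') {
        $findings += "Remote-access service: $($svc.Name) -> $($svc.PathName)"
    }
}

# 4. libvlc.dll loaded from anywhere other than the VLC install directory
$vlcDir = Join-Path $env:ProgramFiles 'VideoLAN\VLC'
foreach ($proc in Get-Process) {
    try { $modules = $proc.Modules } catch { continue }   # protected/system processes
    foreach ($m in $modules) {
        if ($m.ModuleName -ieq 'libvlc.dll' -and -not $m.FileName.StartsWith($vlcDir, 'OrdinalIgnoreCase')) {
            $findings += "libvlc.dll sideload candidate in $($proc.ProcessName) (PID $($proc.Id)): $($m.FileName)"
        }
    }
}

# 5. RegAsm.exe resident in memory (normally short-lived, used only for .NET assembly registration)
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'RegAsm.exe'") {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $findings += "RegAsm.exe PID $($p.ProcessId) running, parent: $($parent.Name), cmd: $($p.CommandLine)"
}

if ($findings.Count -eq 0) { 'No campaign indicators found on this host.' } else { $findings }
```

Run from an elevated PowerShell session so that module lists of other users' processes and the LSA registry key are readable.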

Mitigation Recommendations

User Protection

  • Download software only from official sites
  • Verify domain authenticity
  • Avoid search-result downloads
  • Check digital signatures

Enterprise Controls

  • Monitor DLL sideloading
  • Block unauthorized remote tools
  • Detect process hollowing
  • Inspect scheduled tasks
  • Monitor LSASS modifications

Key Takeaways

  • SEO poisoning used for malware delivery
  • 25+ apps impersonated
  • DLL sideloading execution
  • AsyncRAT deployed filelessly
  • Multiple persistence mechanisms

Conclusion

This campaign demonstrates how attackers weaponize search engine optimization to distribute malware at scale. By combining trusted software impersonation, DLL sideloading, and fileless execution, the operation evades traditional defenses and maintains long-term access.

Organizations should strengthen:

  • Software download policies
  • Endpoint monitoring
  • Remote tool detection
  • Behavioral analytics

Search-based downloads remain a major attack vector for supply chain-style malware campaigns. 
