🟠 High  |  Source: The Hacker News


Attackers are using SEO poisoning to push fake software download sites that serve malicious installers disguised as legitimate tools such as OBS Studio and Bandicam. Once a victim runs the installer, ScreenConnect is used to establish remote access before deploying AsyncRAT, a remote access trojan capable of data theft and persistent control. The campaign is described as large-scale and multilingual, significantly widening the potential victim pool.

Security Architect’s Take: Review endpoint and cloud workstation policies to block unauthorised remote access tools such as ScreenConnect, and ensure application allowlisting prevents execution of unsigned or unexpected installer binaries. Additionally, audit DNS and web filtering controls to detect and block traffic to known SEO-poisoned domains distributing malicious software.
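One way to act on the remote-access-tool recommendation above, as an added example that is not part of the original advisory: flag ScreenConnect client launches whose relay host is not on the organisation's approved list. The events, host names and approved relay are constructed, and reading the relay from the `h=` field of the client's command line is an assumption to verify against your own telemetry.

```python
import re
from urllib.parse import parse_qs

# Assumption: the organisation's sanctioned ScreenConnect relay(s); placeholder value.
APPROVED_RELAYS = {"support.corp.example"}

# ScreenConnect client binaries as they appear in process-creation telemetry.
CLIENT_IMAGE = re.compile(r"screenconnect\.(clientservice|windowsclient)\.exe$", re.I)

# Constructed process-creation events (shape loosely modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
     "cmdline": '"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.corp.example&p=443&s=1111"'},
    {"host": "WS-027", "image": r"C:\Users\kim\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     "cmdline": '"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.unknown.example&p=8041&s=2222"'},
    {"host": "WS-031", "image": r"C:\Program Files\obs-studio\bin\64bit\obs64.exe", "cmdline": "obs64.exe"},
    {"host": "WS-040", "image": r"C:\ProgramData\sc\ScreenConnect.WindowsClient.exe",
     "cmdline": "ScreenConnect.WindowsClient.exe"},
]

def relay_host(cmdline):
    """Return the lower-cased relay host from the client's query-style argument, or None."""
    match = re.search(r'\?([^\s"]+)', cmdline)
    if not match:
        return None
    hosts = parse_qs(match.group(1)).get("h")
    return hosts[0].lower().rstrip(".") if hosts else None

def find_unapproved_clients(events, approved=APPROVED_RELAYS):
    """Flag ScreenConnect client launches whose relay is unapproved or cannot be determined."""
    findings = []
    for ev in events:
        if not CLIENT_IMAGE.search(ev["image"]):
            continue  # not a ScreenConnect client process
        relay = relay_host(ev["cmdline"])
        if relay is None:
            findings.append((ev["host"], None, "relay not visible; review manually"))
        elif relay not in approved:
            findings.append((ev["host"], relay, "relay not on approved list"))
    return findings

if __name__ == "__main__":
    for host, relay, reason in find_unapproved_clients(SAMPLE_EVENTS):
        print(f"{host}: {reason} ({relay})")
```

A launch with no visible relay is reported rather than skipped, so a client started without the expected argument still reaches an analyst.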

Original advisory: SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT