Weaponized ScreenConnect App Spreads AsyncRAT and PowerShell RAT
Remote Monitoring and Management tools such as ConnectWise ScreenConnect have earned a reputation for simplifying IT administration, but they have also drawn the attention of sophisticated attackers.
By abusing ScreenConnect’s trusted installation footprint and deep system privileges, adversaries are now trojanizing installers to deploy dual Remote Access Trojans (RATs)—AsyncRAT and a custom PowerShell RAT—against U.S. organizations.
This emerging threat demonstrates how commodity RATs can be masked within legitimate software channels to achieve stealthy, long-term access.
Recent investigations reveal a reusable infrastructure pattern in which trojanized ScreenConnect installers are hosted in open directories and fetch payloads via dynamic /Bin/ paths.
At least eight infrastructure hosts (for example, 176.65.139[.]119, 45.74.16[.]71, and 164.68.120[.]30) expose installers named logs.ldk, logs.idr and variations thereof, ranging from 60 KB to 3 MB in size.
When executed, these installers launch a multi-stage sequence: a VBScript or JavaScript dropper invokes a shortcut that executes a PowerShell loader (Skype.ps1), which then reconstructs or decodes embedded payload blobs and loads them in memory or via native injection using libPK.dll.
The first stage often uses a ClickOnce-style installer retrieved from a /Bin/ directory, blending social engineering lures—such as fake IRS or Zoom update pages—with trusted ScreenConnect branding.
Collectively, these incidents underscore ScreenConnect’s role as both a malware delivery vector and a high-value supply chain target.

This two-pronged RAT delivery strategy ensures attackers maintain a foothold even if one payload is neutralized.
Evasive Tradecraft
The dual-RAT approach observed across multiple hosts leverages execution pathways that adapt to host defenses.
On systems with script-based scanning, Skype.ps1 will load downstream modules directly into memory via .NET’s Assembly.Load, bypassing on-disk artifacts.

On unprotected or AV-absent endpoints, the loader instead invokes libPK.dll’s Execute export to inject into native Windows binaries such as AppLaunch.exe, embedding the RAT in a trusted process.
Persistence is achieved through scheduled tasks—named SystemInstallTask or 3losh—configured to run as frequently as every two minutes.

Network communications for AsyncRAT span both standard ports (21, 80, 443) and ephemeral high ports (30,000–60,000), often wrapped in TLS to evade inspection.
Frequent repacking of ScreenConnect client executables and dynamic domain rotation further obscure static detection, while the recurring /Bin/ URL pattern has been observed in at least eight related phishing campaigns since 2024.
Mitigations
Defenders must shift from hash-based detections toward behavior and tradecraft-focused controls.
Strict allowlisting of RMM installers—validating signer metadata and using out-of-band vendor checks—can prevent trojanized binaries from executing.
Proxy and IDS systems should flag unusual Content-Type responses for /Bin/ downloads and ClickOnce URLs. Endpoint security platforms need custom rules for Add-Type runtime compilation, in-memory Assembly.Load, and native injection via DLL exports.
Execution from publicly writable locations such as C:\Users\Public should be blocked or tightly monitored, and AppLocker or Device Guard policies enforced to restrict legacy scripting hosts.
Proactive hunting should focus on indicators like Ab.vbs/Ab.js droppers, Skype.ps1 loaders, libPK.dll exports, and logs.* payload containers.
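As an added example (not code from the article or from the researchers it summarizes), the following Python hunt applies the tradecraft indicators from the Evasive Tradecraft section and the hunting guidance above to constructed sample telemetry: process creations, scheduled tasks and proxy records. The file names, task names, two-minute interval, C:\Users\Public staging path and /Bin/ URL pattern come from the write-up; the event schema, field names, sample values and the Content-Type allowlist are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the write-up. Everything else below (event shape,
# field names, sample records, the Content-Type allowlist) is constructed
# for this example and is not the article's own data.
LOADER_NAMES = ("ab.vbs", "ab.js", "skype.ps1", "libpk.dll")
TASK_NAMES = {"systeminstalltask", "3losh"}
MAX_TASK_INTERVAL_MIN = 2          # tasks seen firing as often as every two minutes
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.I)
PAYLOAD_CONTAINER = re.compile(r'(^|[\\/" ])logs\.[a-z0-9]+(?=[" ]|$)', re.I)
BIN_PATH = re.compile(r"/Bin/", re.I)
# PowerShell spells it [Reflection.Assembly]::Load, C# spells it Assembly.Load.
INJECTION_MARKERS = ("add-type", "assembly.load", "assembly]::load")
# Assumed allowlist of body types a genuine installer download returns.
EXPECTED_BIN_TYPES = {"application/octet-stream", "application/x-msdownload",
                      "application/x-ms-application"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_process(ev):
    """Process-creation record: image path plus command line."""
    out = []
    text = f"{ev.get('image', '')} {ev.get('command_line', '')}".strip()
    low = text.lower()
    if any(n in low for n in LOADER_NAMES):
        out.append(Finding("known_loader_name", text))
    if PUBLIC_DIR.search(text):
        out.append(Finding("public_dir_execution", text))
    if PAYLOAD_CONTAINER.search(text):
        out.append(Finding("payload_container", text))
    if any(m in low for m in INJECTION_MARKERS):
        out.append(Finding("runtime_compile_or_injection", text))
    return out


def check_task(ev):
    """Scheduled-task record: name, repeat interval and the action it runs."""
    out = []
    name = ev.get("name", "")
    if name.lower() in TASK_NAMES:
        out.append(Finding("known_task_name", name))
    interval = ev.get("interval_minutes")
    if interval is not None and interval <= MAX_TASK_INTERVAL_MIN:
        out.append(Finding("high_frequency_task", f"{name} every {interval} min"))
    # The task's action is just another command line; reuse the process rules.
    out.extend(check_process({"command_line": ev.get("action", "")}))
    return out


def check_http(ev):
    """Proxy record: requested URL and the Content-Type the server returned."""
    out = []
    url = ev.get("url", "")
    ctype = ev.get("content_type", "").split(";")[0].strip().lower()
    if BIN_PATH.search(url):
        out.append(Finding("bin_path_download", url))
        if ctype not in EXPECTED_BIN_TYPES:
            out.append(Finding("unexpected_content_type", f"{ctype} for {url}"))
    return out


HANDLERS = {"process": check_process, "task": check_task, "http": check_http}


def hunt(events):
    """Run every record through the handler for its type; collect findings."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev.get("type"))
        if handler:
            findings.extend(handler(ev))
    return findings


# Constructed sample telemetry (hosts and paths are invented, .invalid TLD).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\Public\Ab.vbs"},
    {"type": "process", "image": PS,
     "command_line": r"powershell -ep bypass -w hidden -f C:\Users\Public\Skype.ps1"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\Public\libPK.dll,Execute"},
    {"type": "process", "image": PS,
     "command_line": "powershell.exe -nop -c [System.Reflection.Assembly]::Load($bytes)"},
    {"type": "process", "image": r"C:\Users\Public\logs.ldk",
     "command_line": r'"C:\Users\Public\logs.ldk"'},
    {"type": "task", "name": "SystemInstallTask", "interval_minutes": 2,
     "action": r"powershell -w hidden -f C:\Users\Public\Skype.ps1"},
    {"type": "task", "name": "Adobe Acrobat Update Task", "interval_minutes": 1440,
     "action": r"C:\Program Files\Adobe\AdobeUpdate.exe"},
    {"type": "http", "url": "http://staging.example.invalid/Bin/ScreenConnect.ClientSetup.exe",
     "content_type": "text/html; charset=utf-8"},
    {"type": "http", "url": "https://updates.example.invalid/patch.msi",
     "content_type": "application/octet-stream"},
    {"type": "process", "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "command_line": "notepad++.exe readme.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.detail}")
```

The rules are deliberately behavioural rather than hash-based, matching the article's recommendation: a repacked installer or a rotated domain changes every hash, but the staging directory, the loader file names, the two-minute task cadence and the /Bin/ download path survive repacking and are what the hunt keys on. In production the same functions would be fed from EDR process events, `schtasks` exports and proxy logs instead of the inline sample list.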

Additionally, coordinating takedowns of open directories and phishing domains with hosting providers and CERTs can disrupt attacker infrastructure.
In summary, weaponized ScreenConnect installers now serve as a dual-RAT delivery mechanism, combining trusted RMM software abuse with adaptive payload staging and evasive network tradecraft.
Organizations must adopt layered defenses—behavioral EDR, TLS inspection, stringent RMM installer controls, and proactive hunting—to outmaneuver this supply-chain risk and prevent stealthy intrusions. Continuous monitoring of /Bin/ patterns and modular payload containers will be essential to detect and disrupt these evolving campaigns.