

Ethical Hacking News

A Slew of Stealthy Threats: How AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto


Threat actors have been discovered using ConnectWise ScreenConnect in a new campaign to deploy an advanced remote access trojan called AsyncRAT, designed to steal sensitive data from compromised hosts. The attack chain leverages legitimate software and uses PowerShell logic to execute a malicious payload. As fileless malware continues to pose a challenge, cybersecurity experts emphasize the importance of vigilance and proactive measures to prevent similar attacks.

  • THN reported a new campaign in which cyber threat actors exploit ConnectWise ScreenConnect to deploy AsyncRAT.
  • The attackers used ScreenConnect to gain remote access, then executed a layered VBScript and PowerShell loader to fetch and run obfuscated components from external URLs.
  • The malware collected sensitive data (keystrokes, browser credentials, system fingerprint) and exfiltrated it to a C2 server over a TCP socket.
  • Fileless malware poses a significant challenge due to its stealthy nature and reliance on legitimate system tools for execution.
  • Cybersecurity researchers emphasize the importance of vigilance and proactive measures to prevent similar attacks.



    THN has reported a new campaign in which cyber threat actors exploit legitimate software, ConnectWise ScreenConnect, to deploy an advanced remote access trojan called AsyncRAT. The malicious payload was designed specifically to steal sensitive data from compromised hosts. According to LevelBlue, a cybersecurity company that documented the attack chain, the attackers used ScreenConnect to gain remote access and then executed a layered VBScript and PowerShell loader that fetched and ran obfuscated components from external URLs.

    These components included encoded .NET assemblies that ultimately unpacked into AsyncRAT, with persistence maintained via a fake "Skype Updater" scheduled task. The script was designed to retrieve two external payloads ("logs.ldk" and "logs.ldr") from an attacker-controlled server using PowerShell logic, which led to the execution of a binary called "AsyncClient.exe". This payload included capabilities to log keystrokes, steal browser credentials, fingerprint the system, and scan for installed cryptocurrency wallet desktop apps and browser extensions in Google Chrome, Brave, Microsoft Edge, Opera, and Mozilla Firefox.

    The collected information was eventually exfiltrated to a command-and-control (C2) server ("3osch20.duckdns[.]org") over a TCP socket; the malware beaconed to this server in order to execute payloads and receive post-exploitation commands. The C2 connection settings were either hard-coded or pulled from a remote Pastebin URL. This new threat highlights the evolving tactics used by cybercriminals to bypass modern security defenses.
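Detection logic for the chain described above, as an added example that is not from the article, LevelBlue or THN: it checks Sysmon-style events (Event ID 1 process creation, Event ID 22 DNS query) for the indicators the article names. The simplified field layout, the constructed sample events and the assumption that the task name and payload names appear in a command line are illustrative.

```python
import re

# Indicators named in the article; the C2 host stays defanged and is refanged at runtime.
C2_HOST = "3osch20.duckdns[.]org".replace("[.]", ".")
PAYLOAD_NAMES = ("logs.ldk", "logs.ldr")
FAKE_TASK = "skype updater"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe")

def base(path):  # lower-cased file name of a Windows or POSIX style path
    return re.split(r"[\\/]", path or "")[-1].lower()

def triage(event):
    """Return the reasons one event matches the chain described above."""
    hits = []
    cmd = (event.get("CommandLine") or "").lower()
    if event.get("EventID") == 1:  # process creation
        parent = (event.get("ParentImage") or "").lower()
        if "screenconnect" in parent and base(event.get("Image")) in SCRIPT_HOSTS:
            hits.append("script host spawned by ScreenConnect")
        if any(name in cmd for name in PAYLOAD_NAMES):
            hits.append("loader payload name in command line")
        if FAKE_TASK in cmd:
            hits.append("fake 'Skype Updater' task referenced")
        if base(event.get("Image")) == "asyncclient.exe":
            hits.append("AsyncClient.exe executed")
    elif event.get("EventID") == 22:  # DNS query
        if (event.get("QueryName") or "").lower().rstrip(".") == C2_HOST:
            hits.append("DNS lookup of reported C2 host")
    return hits

def hunt(events):  # (index, reason) pairs for every matching event
    return [(i, reason) for i, e in enumerate(events) for reason in triage(e)]

# Constructed sample events (assumed field layout, not taken from a real host).
SYS32 = "C:\\Windows\\System32\\"
SAMPLE = [
    {"EventID": 1, "ParentImage": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
     "Image": SYS32 + "wscript.exe", "CommandLine": "wscript.exe C:\\Users\\Public\\update.vbs"},
    {"EventID": 1, "ParentImage": SYS32 + "wscript.exe", "Image": SYS32 + "powershell.exe",
     "CommandLine": "powershell.exe -File stage.ps1 http://example.invalid/logs.ldk"},
    {"EventID": 1, "ParentImage": SYS32 + "powershell.exe", "Image": SYS32 + "schtasks.exe",
     "CommandLine": "schtasks /create /tn \"Skype Updater\" /tr C:\\Users\\Public\\update.vbs"},
    {"EventID": 22, "Image": "C:\\Users\\Public\\AsyncClient.exe", "QueryName": C2_HOST},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": SYS32 + "powershell.exe",
     "CommandLine": "powershell.exe Get-Date"},
]
if __name__ == "__main__":
    for index, reason in hunt(SAMPLE):
        print(index, reason)
```

Because the article notes that C2 settings may also be pulled from a remote Pastebin URL, the domain match alone is not sufficient; the parent-child and task-name checks cover hosts that beacon elsewhere.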

    The use of fileless malware continues to pose a significant challenge to cybersecurity defenses due to its stealthy nature and reliance on legitimate system tools for execution, as noted by LevelBlue. Unlike traditional malware that writes payloads to disk, fileless threats operate in memory, making them harder to detect, analyze, and eradicate. As the threat landscape evolves, it is essential to stay informed about emerging threats and their tactics.

    In light of this new campaign, cybersecurity researchers emphasize the importance of vigilance and proactive measures to prevent such attacks. By understanding how threat actors exploit legitimate software, individuals and organizations can take steps to protect themselves from similar attacks in the future.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Slew-of-Stealthy-Threats-How-AsyncRAT-Exploits-ConnectWise-ScreenConnect-to-Steal-Credentials-and-Crypto-ehn.shtml

  • https://thehackernews.com/2025/09/asyncrat-exploits-connectwise.html

  • https://cybermaterial.com/asyncrat-uses-screenconnect-exploit/

  • https://cybersecuritynews.com/hackers-weaponizing-screenconnect/


  • Published: Thu Sep 11 01:39:28 2025 by llama3.2 3B Q4_K_M












