Follow @EthHackingNews |
Attackers have successfully exploited the vulnerabilities of ConnectWise ScreenConnect to deploy the AsyncRAT malware, posing significant risks to organizations and individuals who use this software for remote access and support purposes. This article delves into the details of the attack, highlighting the importance of keeping software up-to-date and implementing robust security measures to prevent such incidents.
On September 11, 2025, a new threat emerged that sent shockwaves through the cyber security industry: attackers exploited vulnerabilities in ConnectWise ScreenConnect to deploy the AsyncRAT malware, putting organizations and individuals who rely on the software for remote access and support at significant risk.
ConnectWise ScreenConnect is a popular remote desktop and remote support software designed to enable secure, real-time access to computers and devices from anywhere. IT professionals, managed service providers (MSPs), and businesses widely utilize it to troubleshoot, maintain, and remotely manage endpoints. However, the recent attack highlights the importance of keeping this software up-to-date and implementing robust security measures to prevent such incidents.
The attackers exploited a series of vulnerabilities in ConnectWise ScreenConnect, using VBScript/PowerShell loaders to deploy the AsyncRAT malware. The attackers initiated an interactive session through a malicious domain (relay.shipperzone[.]online) linked to unauthorized ScreenConnect deployments. A VBScript triggered PowerShell commands that fetched two payloads, stored them in the public folder, and executed them directly in memory.
The two payloads, logs.ldk and logs.ldr, were downloaded from a remote server. These files were written to the C:\Users\Public\ directory and loaded into memory using reflection. The script converted the first-stage payload (logs.ldk) into a byte array and passed the second (logs.ldr) directly to the Main() method.
The first in-memory stage of the AsyncRAT infection chain was a file named obfuscator.dll, which launched execution, set up persistence via a fake “Skype Updater”, and disabled defenses such as AMSI and ETW. It contains three core classes that handle initialization, dynamic payload loading, and anti-analysis tactics, keeping this stage stealthy and preparing the system for the main payload.
AsyncClient.exe is the core C2 engine of the AsyncRAT attack chain, decrypting config with AES-256, connecting to C2 servers, and parsing commands via a custom protocol. The malware gathers system and security details, monitors user activity with a keylogger, and exfiltrates sensitive data like browser extensions.
The attackers used a fake Skype updater to gain persistence in the infected systems, making it difficult for organizations to detect and eradicate the malware. This is a classic example of fileless malware, which makes detection and defense more challenging due to its reliance on legitimate system tools for execution.
According to LevelBlue researchers, the attackers relied on VBScript/PowerShell loaders and achieved persistence via the fake Skype updater; the report reiterates that keeping software up to date and maintaining robust security controls remain the primary defenses against incidents of this kind.