AsyncRAT Malware Campaign Exploits ConnectWise ScreenConnect

📰 1 unique sources, 1 articles

Summary

A new malware campaign uses ConnectWise ScreenConnect, a legitimate remote monitoring and management (RMM) tool, to deliver AsyncRAT, a remote access trojan (RAT). The attackers distribute trojanized ScreenConnect installers via phishing emails. The attack chain involves a layered VBScript and PowerShell loader that fetches and runs obfuscated components from external URLs. To maintain persistence, the payloads are executed through a scheduled task disguised as a 'Skype Updater'. The malware steals sensitive data from compromised hosts, including keystrokes, browser credentials, and cryptocurrency wallet information, and exfiltrates it to a command-and-control (C2) server over a TCP socket.
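
A defender's check for the persistence step described above, as an added example that is not from the original report: it parses the CSV produced by `schtasks /query /fo csv /v` and flags tasks whose name imitates a Skype updater while the action launches a script host or script file. The name pattern, the interpreter and extension lists, and the sample rows are assumptions constructed for illustration; the page does not give the exact task name or command line.

```python
import csv
import io
import re

# Script hosts a genuine Skype updater has no reason to launch (assumed list).
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|powershell|pwsh|mshta|cmd)(\.exe)?\b", re.I)
# Script files used directly as the task target (assumed extension list).
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|ps1|bat|cmd)\b", re.I)
# Task names imitating a Skype updater; the exact name is not given on the page.
SKYPE_NAME = re.compile(r"skype.*updat", re.I)


def suspicious_tasks(csv_text):
    """Return (task name, command) pairs where a Skype-updater-style name
    is paired with a script host or script file as the task action."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName") or ""
        action = row.get("Task To Run") or ""
        if name == "TaskName":
            # schtasks repeats the header row for each task folder; skip it.
            continue
        runs_script = SCRIPT_HOSTS.search(action) or SCRIPT_EXT.search(action)
        if SKYPE_NAME.search(name) and runs_script:
            hits.append((name, action))
    return hits


# Constructed sample rows (not from a real host), reduced to three columns.
SAMPLE = r'''"HostName","TaskName","Task To Run"
"WS01","\Skype Updater","wscript.exe C:\Users\Public\update.vbs"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h"
"WS01","\SkypeUpdate","C:\Program Files\Skype\Updater\Updater.exe"
"HostName","TaskName","Task To Run"
"WS01","\Adobe Update","powershell.exe -File C:\Temp\a.ps1"
'''

if __name__ == "__main__":
    for task_name, command in suspicious_tasks(SAMPLE):
        print(f"review: {task_name} -> {command}")
```

A hit is a lead for review rather than a verdict: confirm the task's author, creation time and the referenced file before acting on it.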

Timeline

  1. 11.09.2025 09:02 📰 1 articles

    AsyncRAT Campaign Exploits ConnectWise ScreenConnect

    A new malware campaign uses ConnectWise ScreenConnect to deliver AsyncRAT, a remote access trojan. The attack chain involves a layered VBScript and PowerShell loader that fetches and runs obfuscated components from external URLs. The malware steals sensitive data, including keystrokes, browser credentials, and cryptocurrency wallet information, from compromised hosts. The attackers use trojanized ScreenConnect installers distributed via phishing emails. The payloads are executed through a scheduled task disguised as a 'Skype Updater' to maintain persistence. The stolen data is exfiltrated to a command-and-control (C2) server over a TCP socket.

Information Snippets