AsyncRAT rides ScreenConnect: what’s going on?

Researchers detail a campaign abusing ConnectWise ScreenConnect to deploy AsyncRAT and pinch credentials and crypto. Attackers either hijack a ScreenConnect session or lure victims with trojanised installers in phishing emails. Once in, they run a layered VBScript + PowerShell loader that fetches two payloads (“logs.ldk” and “logs.ldr”), sets up persistence via a fake “Skype Updater” scheduled task, and ultimately launches AsyncRAT (“AsyncClient.exe”) in memory. AsyncRAT logs keystrokes, steals browser passwords, fingerprints the system, and hunts for desktop and extension-based cryptocurrency wallets across Chrome, Edge, Brave, Opera and Firefox. Stolen data is sent over TCP to a command-and-control server on a DuckDNS domain, with configuration sometimes pulled from Pastebin. The piece frames this as another reminder that fileless techniques and living-off-the-land tooling make detection harder—and urges rapid hardening of remote access tools, phishing defences, and endpoint controls. (Published 11 September 2025.)

Cybercriminals have found a cheeky new trick: use ConnectWise ScreenConnect—the remote support tool many firms trust—to sneak in AsyncRAT, then help themselves to passwords and even crypto. Not ideal.

How the attack works
It starts with a dodgy ScreenConnect installer (usually sent via a “very important finance document” email). Once run, a scripted loader pulls extra bits from the internet, sets a pretend “Skype Updater” task to stay put, and spins up AsyncRAT largely in memory—so there’s little on disk for traditional AV to spot.

Why AsyncRAT is a pain
It can record keystrokes, nick saved browser credentials, profile your device, and rummage for wallet apps and extensions. It talks to a remote server for commands and exfiltration, keeping the whole caper tidy for the attackers.

What organisations should do now
• Lock down ScreenConnect (patch, strong auth, restrict who can log in, monitor sessions).
• Block the phish (email security, user training, sandbox risky attachments).
• Harden endpoints (EDR with script/PowerShell monitoring; watch for suspicious scheduled tasks).
• Protect browsers and wallets (disable needless extensions, enforce password managers, consider hardware wallets).
Bottom line: Treat remote support tools like crown-jewel assets. If you must open the door, at least keep the chain on.
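To make the “watch for suspicious scheduled tasks” advice concrete, here is an added hunting script (not from the article or from ConnectWise) that lists scheduled tasks whose action launches a script host such as PowerShell or wscript, carries encoded or download-style arguments, runs from a user-writable path, or carries the lure name quoted above. It assumes it is run elevated on a Windows endpoint with the ScheduledTasks module; the name list and path patterns are illustrative and should be extended with your own baseline.

```powershell
# Added example: hunt for persistence that looks like the fake "Skype Updater" task
# described in the article (a scheduled task that runs a VBScript/PowerShell loader).
# Assumption: run as Administrator; Get-ScheduledTask needs the ScheduledTasks module.

$scriptHosts     = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe')
$lureNames       = @('Skype Updater')          # name from the article; add your own
$userWritablePath = '(?i)\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\'
$loaderArgPattern = '(?i)-enc|-e\s|-w\s*hidden|bypass|downloadstring|downloadfile|iex|\.vbs|\.ps1'

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute property; only command actions are of interest here
        if (-not $action.Execute) { continue }

        $exeName = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLowerInvariant()
        $argText = [string]$action.Arguments
        $reasons = @()

        if ($scriptHosts -contains $exeName)            { $reasons += "runs script host $exeName" }
        if ($argText -match $loaderArgPattern)         { $reasons += 'encoded/hidden/download arguments' }
        if ($action.Execute -match $userWritablePath)  { $reasons += 'binary in user-writable path' }
        if ($lureNames -contains $task.TaskName)       { $reasons += 'matches known lure name' }

        if ($reasons.Count -gt 0) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                RunAs      = $task.Principal.UserId
                State      = $task.State
                LastRun    = $info.LastRunTime
                Execute    = $action.Execute
                Arguments  = $argText
                Reasons    = ($reasons -join '; ')
            }
        }
    }
} | Sort-Object TaskName | Format-Table -AutoSize -Wrap
```

Expect some legitimate hits (vendor updaters often live under ProgramData and call cmd.exe); the value is in comparing the output against a known-good baseline and triaging tasks whose RunAs, path and arguments do not fit the software you actually deploy.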