AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories
Sept. 19, 2025, 6:42 p.m.
Description
This intelligence report details a sophisticated attack campaign leveraging trojanized ConnectWise ScreenConnect installers to deliver AsyncRAT payloads. Attackers use open directories as staging points, blending legitimate remote management software abuse with custom loaders and scripts. The campaign employs modular payload staging, native injection techniques, and extensive port/TLS manipulation to maintain resilient command and control infrastructure. Multiple hosts were identified serving similar malware packages, with evidence of payload repackaging and infrastructure rotation to evade detection. The attackers utilize dual execution pathways, aggressive persistence mechanisms, and multi-stage redirect chains to ensure successful compromise across diverse environments.
Tags
Date
- Created: Sept. 19, 2025, 4:05 p.m.
- Published: Sept. 19, 2025, 4:05 p.m.
- Modified: Sept. 19, 2025, 6:42 p.m.
Additional Information
- Technology
- Telecommunications
- United States of America