A sophisticated SEO poisoning campaign has been targeting Windows users since at least October 2025, tricking them into downloading malware disguised as legitimate applications. The operation went largely undetected for roughly five months before researchers documented it in March 2026, describing a multi-stage infection chain built to take over victims' systems and steal sensitive data. The campaign manipulates search engine results to promote fake software download pages, leading unsuspecting users to install trojanized versions of more than 25 popular programs, including VLC Media Player, OBS Studio, and various KMS Tools.
The lure sites were built to rank well and to look credible: they carried fake Schema.org aggregate ratings (the structured data search engines turn into star ratings in results) and hreflang tags for multiple languages, so the same page surfaced for searchers in many regions. Users searching for common utilities were shown what looked like ordinary download links and had no indication that the installers behind them were bundled with malware.
Unraveling the AsyncRAT SEO Poisoning Campaign
The full scope of the operation came to light in March 2026 during a joint investigation triggered by a noticeable rise in ScreenConnect-related alerts across several client environments. What first looked like isolated incidents involving a remote management tool turned out to be a coordinated attack that had been running for months. The operators maintained a supporting infrastructure of three ScreenConnect relay hosts and two distinct payload delivery backends, and more than 100 malicious files tied to that infrastructure were identified on VirusTotal during the investigation, underscoring the scale of the operation.
The final payload is AsyncRAT, an open-source remote access trojan that has been publicly available since 2019. The build used here, internally designated “FlowProxy Monitor V3,” goes well beyond the stock RAT: it includes a keylogger, a clipboard monitor, and a cryptocurrency clipper covering 16 different currencies (a clipper watches the clipboard for wallet addresses and silently replaces them with the attacker's). A dynamic plugin system also lets the operator load additional functionality straight into the compromised process's memory at runtime. Notably, the malware geo-fences its clipper, deliberately leaving cryptocurrency activity alone for users located in the Middle East, North Africa, and Central Asia, which suggests a calculated choice about where the operators want to profit and where they would rather not draw attention.
The distribution infrastructure evolved over the course of the campaign. In its early stages payloads were hosted at predictable, static URLs. By late January 2026 the operator had switched to randomized, token-based download links: each link is generated uniquely, so blocklists built on exact URLs no longer work and defenders must block at the domain or host level instead. The primary delivery backend, fileget[.]loseyourip[.]com, is dressed up as a legitimate file-sharing site, but its only purpose is to serve the malicious installers.
Multi-Stage Infection Mechanism Explained
The infection begins the moment the victim runs the downloaded package. The ZIP archive contains a legitimate VLC installer alongside a malicious file named `libvlc.dll`. VLC loads `libvlc.dll` by name as a core dependency, and Windows resolves a DLL name against the application's own directory before the system directories, so the attacker's copy is loaded in place of the genuine one. This is DLL sideloading: the attacker's code runs inside a trusted, signed application process, and tooling that trusts the parent program sees nothing unusual at first because the activity appears to originate from VLC itself.
Once active, the malicious DLL extracts a hidden MSI installer and runs it silently, with no prompt or notification to the user. The MSI deploys ScreenConnect, a legitimate remote access tool, as a Windows service; to camouflage it, the service carries the display name “Microsoft Update Service.” As soon as installation completes, the host connects to the attacker's relay server, and from there the operator uses ScreenConnect to push a VBScript to the machine.

That script writes a PowerShell loader and encoded payload files into `C:\Users\Public`. The loader decodes the files with a combination of XOR operations and bit reflection, compiles a .NET injector entirely in memory, and uses process hollowing to place AsyncRAT inside `RegAsm.exe`, a legitimate .NET Framework binary that ships with Windows. The decoded injector and the AsyncRAT payload therefore never exist as files on disk, which is what defeats file-scanning security tools; only the encoded blobs and the scripts in `C:\Users\Public` are ever written.
To survive reboots and locked sessions, the campaign uses three distinct persistence mechanisms. The first is the Windows service, configured to start automatically at boot. The second is an LSA Authentication Package: a DLL registered in the Authentication Packages value under the `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` key, which LSASS loads before any user logs in, so the code runs with SYSTEM privileges inside the Local Security Authority Subsystem Service. The third is a scheduled task named “MasterPackager.Updater” that re-runs the malicious VBScript every two minutes, so the backdoor is restarted almost immediately if it is killed.

Users should download software only from official vendor websites and treat any unexpected elevation prompt during installation as a significant warning sign. Security teams should watch for unauthorized ScreenConnect deployments, for process hollowing involving `RegAsm.exe` (a long-running `RegAsm.exe` with outbound network connections is anomalous in itself, since the legitimate tool is a short-lived build utility), for non-default entries in the Authentication Packages value, and for the mutex named “confing_me_s” as critical host-based indicators. The lure domains, relay hosts, and AsyncRAT command-and-control (C2) addresses listed in the researchers' published indicators of compromise should be blocked.
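As an added example that is not part of the original research write-up, the following read-only PowerShell triage script checks a single host for the artefacts the chain leaves behind: the disguised ScreenConnect service, a non-default LSA Authentication Package, the MasterPackager.Updater task (or any task re-running a script from the public profile every two minutes), a RegAsm.exe with a parent and open connections worth explaining, the confing_me_s mutex, loose files in C:\Users\Public, and a libvlc.dll sitting in a Downloads folder instead of a VLC install directory. The artefact names come from the article; the msv1_0 baseline, the location heuristics and the choice of checks are assumptions, and the script only reports, it changes nothing. Run it in an elevated session.

```powershell
# Added triage example, not the researchers' code. Artefact names are from the write-up;
# the LSA baseline and the heuristics are assumptions. Read-only; run elevated.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. ScreenConnect client installed as a service, masquerading as "Microsoft Update Service".
#    Every ScreenConnect service is reported; where the organisation does not use it, one is a finding.
Get-CimInstance Win32_Service | Where-Object {
    $_.DisplayName -eq 'Microsoft Update Service' -or $_.PathName -match 'ScreenConnect'
} | ForEach-Object {
    $findings.Add("Service '$($_.Name)' ($($_.DisplayName)) StartMode=$($_.StartMode) Path=$($_.PathName)")
}

# 2. LSA Authentication Packages are loaded into LSASS at boot. The stock value is msv1_0 only
#    (assumed baseline; confirm against a known-good host). Each name maps to System32\<name>.dll.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$baseline = @('msv1_0')
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Authentication Packages').'Authentication Packages'
foreach ($pkg in $packages) {
    if ($baseline -notcontains $pkg) {
        $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
        $sigStatus = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'DLL not found' }
        $findings.Add("Non-default LSA Authentication Package '$pkg' (signature: $sigStatus)")
    }
}

# 3. The two-minute re-launch task. Match on the known name, or on any task that runs
#    wscript/cscript against C:\Users\Public with a PT2M (two-minute) repetition interval.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $runsPublicScript = $task.Actions | Where-Object {
        "$($_.Execute)" -match '(?i)[wc]script' -and "$($_.Arguments)" -match '(?i)Users\\Public'
    }
    $everyTwoMinutes = $task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT2M' }
    if ($task.TaskName -eq 'MasterPackager.Updater' -or ($runsPublicScript -and $everyTwoMinutes)) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Scheduled task '$($task.TaskPath)$($task.TaskName)' state=$($task.State) actions=[$actions]")
    }
}

# 4. RegAsm.exe is a short-lived build tool. Record parent, start time and established
#    connections; a long-lived instance talking to the internet is the hollowing indicator.
Get-CimInstance Win32_Process -Filter "Name = 'RegAsm.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $conns  = Get-NetTCPConnection -OwningProcess $_.ProcessId -State Established -ErrorAction SilentlyContinue
    $remote = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
    $findings.Add("RegAsm.exe PID $($_.ProcessId) parent=$($parent.Name) started=$($_.CreationDate) connections=[$remote]")
}

# 5. The AsyncRAT mutex. OpenMutex with SYNCHRONIZE returns a handle only if it already exists.
#    Mutexes created without a "Global\" prefix live in the creating session's namespace, so
#    both forms are tried; a mutex in another user's session will not be visible from here.
if (-not ('Triage.Kernel32' -as [type])) {
    Add-Type -Namespace Triage -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenMutex(uint dwDesiredAccess, bool bInheritHandle, string lpName);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr hObject);
'@
}
foreach ($name in 'confing_me_s', 'Global\confing_me_s') {
    $h = [Triage.Kernel32]::OpenMutex(0x00100000, $false, $name)   # 0x00100000 = SYNCHRONIZE
    if ($h -ne [IntPtr]::Zero) {
        $findings.Add("Mutex '$name' is present")
        [void][Triage.Kernel32]::CloseHandle($h)
    }
}

# 6. Drop directory: the top level of C:\Users\Public normally holds only subfolders and a
#    hidden desktop.ini, so any loose file there is worth a look.
Get-ChildItem -Path 'C:\Users\Public' -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne 'desktop.ini' } |
    ForEach-Object { $findings.Add("Loose file in C:\Users\Public: $($_.Name) ($($_.Length) bytes, modified $($_.LastWriteTime))") }

# 7. A libvlc.dll in a Downloads folder is the sideloading artefact (it belongs in the VLC
#    install directory). Report its Authenticode status and signer for the analyst to judge.
Get-ChildItem -Path 'C:\Users\*\Downloads' -Recurse -Filter 'libvlc.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.FullName
        $findings.Add("libvlc.dll outside an install dir: $($_.FullName) status=$($sig.Status) signer=$($sig.SignerCertificate.Subject)")
    }

if ($findings.Count -eq 0) { 'No indicators from this chain were found on this host.' } else { $findings }
```

Every line the script emits is a lead, not a verdict: ScreenConnect is legitimately deployed in many organisations, some third-party software registers its own authentication package, and a build server may genuinely run RegAsm.exe. Treat the combination (a ScreenConnect service under a Microsoft-sounding name, a non-Microsoft LSA package and a two-minute task pointing at the public profile) as the signal, and pivot from any hit to the published network indicators.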