- Certain threat actors are misusing ConnectWise ScreenConnect, a legitimate remote monitoring tool, to access target systems and deploy Malware.
- Cybersecurity researchers observed attackers delivering AsyncRAT, a remote access trojan, using fileless malware techniques to steal sensitive data.
- Initial access was achieved by sending fraudulent ScreenConnect installers disguised as business documents in phishing emails.
- The campaign uses complex scripts and scheduled tasks to maintain presence on infected machines and evade detection.
- Stolen data, including credentials and information on crypto wallets, is sent to a remote server controlled by the attackers.
Attackers are exploiting ConnectWise ScreenConnect to gain unauthorized access to computers as part of a new campaign, according to findings published by cybersecurity researchers on September 11, 2025. The goal is to deliver a remote access trojan called AsyncRAT in order to steal data from compromised devices.
Analysts at LevelBlue reported that the attackers use phishing emails containing malicious ScreenConnect installers that appear to be financial or business-related files. After establishing remote access, the attackers manually deploy a series of scripts and software components without leaving obvious files on the system’s disk, making detection much more difficult.
According to an official report from LevelBlue, the attackers run a layered Visual Basic Script and PowerShell loader. “The attacker used ScreenConnect to gain remote access, then executed a layered VBScript and PowerShell loader that fetched and ran obfuscated components from external URLs,” the researchers said. The process ultimately unpacks AsyncRAT and maintains ongoing access by setting up a fake “Skype Updater” task.
The malware retrieves two main files—“logs.ldk” and “logs.ldr”—from an attacker-controlled server. The first file writes a new script for persistent access, while the second is used to launch AsyncRAT. This trojan sends user keystrokes, browser logins, and details of installed cryptocurrency wallet applications (like those used in Chrome, Brave, Edge, Opera, and Firefox) back to a command-and-control server.
All communication and stolen data are sent over a direct internet connection to the attackers’ remote server, with configuration details either built into the code or loaded from a remote Pastebin page. The researchers explained that fileless malware, which operates in a computer’s memory instead of saving files on disk, is especially difficult to detect and remove.
The technique relies on trusted system tools and remote access programs, highlighting the challenges that organizations face in defending against fileless malware attacks.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Texas Crypto Ponzi Operator Denied Bankruptcy Discharge in Court
- Fat App Thesis Goes Mainstream as Hyperliquid Surges Widely.
- Stripe-backed Native Markets Leads in Hyperliquid USDH Vote.
- EasyGroup Founder Enters Crypto with EasyBitcoin Platform Launch
- Jim O’Neill’s Doubts Clash With BRICS 2026 Currency Launch Plans
