Techno Time

Kaspersky Uncovers Massive Cyberattack Campaign Using Fake Software Websites to Distribute Malware

Saturday 4 July 2026 13:56

Kaspersky has revealed a large-scale cyberattack campaign in which threat actors used fraudulent websites mimicking official software pages to distribute the ScreenConnect remote control tool, targeting Windows users in both the consumer and enterprise sectors worldwide.

According to a report issued by the company after detecting the incident via its Managed Detection and Response service, Kaspersky researchers identified over 90 fake domains available in ten languages, including English, Arabic, Spanish, Chinese, German, Portuguese, and Russian. This multilingual approach significantly expanded the campaign's global reach and increased the likelihood of users falling victim.

Fake Websites Mimicking Official Pages

In this campaign, attackers created deceptive websites that closely resemble the official pages of popular software, such as OBS Studio, DNS Jumper, DS4Windows, Glary Utilities, and Bandicam. Victims are tricked into downloading installation archives that appear to be legitimate, safe versions of these applications.

To maximize the campaign's spread, the attackers employed Search Engine Optimization (SEO) techniques to boost the ranking of these fraudulent sites in search results, thereby increasing the chances of users landing on them when searching for popular free software or online tools.

According to Kaspersky, users who downloaded what they believed to be genuine software actually received the ScreenConnect remote control tool, granting attackers persistent access to the infected devices. Subsequently, AsyncRAT—an open-source Remote Access Trojan (RAT)—is deployed, allowing the attackers full control over the compromised systems.

Domain Registrations

Data indicates that domain registrations associated with this campaign peaked in February 2026. Notably, the same threat actor used fake websites during 2025 to disguise malicious installers as games, reflecting a continuous evolution in their deception tactics.

The infection chain runs through malicious archives containing a genuine, Microsoft-signed executable named install.exe alongside a library named install.res.1033.dll. When the signed executable runs, it loads the DLL from the same directory (DLL sideloading), and the DLL in turn installs the ScreenConnect service. That service remains active on the machine, awaiting further commands from the attackers. Because the loader itself carries a valid Microsoft signature, the malicious activity hides behind a trusted process, which is what makes this technique effective against signature-based allowlisting.

Denis Kulik, a Security Operations Center (SOC) Analyst at Kaspersky, stated that this campaign targets users of free online tools, as well as corporate environments where remote access tools are commonly permitted and granted extensive privileges within authorized software lists.

He added that the danger of this campaign lies in its potential to execute widespread operations for credential theft and unauthorized system access. The stolen data is subsequently traded and sold on dark web markets and forums.

Implementing Strict Policies

Kaspersky urged enterprises to implement strict policies to control software installation by adopting application whitelisting and blocking the installation of MSI packages from untrusted sources. Organizations should also monitor any newly introduced remote control services or scheduled tasks added to their systems.
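The following is an added example, not Kaspersky's code, that turns the two hunting recommendations above (and the sideloading chain described earlier) into detection logic run over constructed event records. The records use a simplified schema of my own, loosely modelled on Sysmon Event ID 7 (image load), System Event ID 7045 (new service) and Security Event ID 4698 (new scheduled task); the field names, the sample paths and the ScreenConnect service name are assumptions made for illustration.

```python
"""
Hunt for the chain described in the article: a signed loader that sideloads an
unsigned DLL from a user-writable folder, a newly registered remote-control
service, and a new scheduled task pointing outside protected directories.

Added example, not Kaspersky's code. Field names are a simplified schema of my
own; the sample records below are constructed by hand.
"""
import ntpath

# Directories normally protected by Windows ACLs. A loader and a DLL living
# together outside these is the classic sideloading layout.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Remote-control products to flag when they show up as a new service. Only
# ScreenConnect (also sold as ConnectWise Control) is named in the article;
# extend this for your environment.
REMOTE_CONTROL_HINTS = ("screenconnect", "connectwise")

# Specific file name from the article; a match raises the severity.
KNOWN_SIDELOAD_DLLS = {"install.res.1033.dll"}


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def same_dir(a, b):
    return ntpath.dirname(a.lower()) == ntpath.dirname(b.lower())


def first_exe(cmdline):
    """Return the executable from a service ImagePath or task action,
    handling a quoted path that contains spaces."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def check_image_load(ev):
    """Sideloading heuristic: a signed loader pulling an unsigned DLL from
    its own directory, outside the protected system locations."""
    loader, dll = ev["image"], ev["image_loaded"]
    if in_trusted_dir(dll) or not same_dir(loader, dll):
        return None
    if ev.get("loader_signed") and not ev.get("dll_signed"):
        sev = "high" if ntpath.basename(dll).lower() in KNOWN_SIDELOAD_DLLS else "medium"
        return {"rule": "dll_sideload", "severity": sev, "loader": loader, "dll": dll}
    return None


def check_service_install(ev):
    """New service: flag known remote-control products by name/path, and any
    service whose binary lives in a user-writable location."""
    text = (ev["service_name"] + " " + ev["image_path"]).lower()
    if any(h in text for h in REMOTE_CONTROL_HINTS):
        return {"rule": "new_remote_control_service", "severity": "high",
                "service": ev["service_name"], "image": ev["image_path"]}
    if not in_trusted_dir(first_exe(ev["image_path"])):
        return {"rule": "service_from_user_dir", "severity": "medium",
                "service": ev["service_name"], "image": ev["image_path"]}
    return None


def check_task_create(ev):
    """New scheduled task whose action runs from a user-writable location."""
    exe = first_exe(ev["command"])
    if not in_trusted_dir(exe):
        return {"rule": "task_from_user_dir", "severity": "medium",
                "task": ev["task_name"], "image": exe}
    return None


CHECKS = {7: check_image_load, 7045: check_service_install, 4698: check_task_create}


def hunt(events):
    """Run every event through the check for its event ID; return findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["event_id"])
        result = check(ev) if check else None
        if result:
            findings.append(result)
    return findings


# Constructed sample records (not real telemetry). Paths and service names are
# illustrative; the ScreenConnect install folder format is an assumption.
SAMPLE_EVENTS = [
    {"event_id": 7, "image": r"C:\Users\alice\Downloads\OBS-Studio-Setup\install.exe",
     "image_loaded": r"C:\Users\alice\Downloads\OBS-Studio-Setup\install.res.1033.dll",
     "loader_signed": True, "dll_signed": False},
    {"event_id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll",
     "loader_signed": True, "dll_signed": True},
    {"event_id": 7045, "service_name": "ScreenConnect Client (7f3a2c1d)",
     "image_path": r'"C:\Program Files (x86)\ScreenConnect Client (7f3a2c1d)\ScreenConnect.ClientService.exe"'},
    {"event_id": 7045, "service_name": "Print Spooler helper",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 4698, "task_name": r"\Updater",
     "command": r"C:\Users\alice\AppData\Roaming\Updater\client.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], f)
```

Note that the ScreenConnect service in the sample sits under Program Files, so the path heuristic alone would miss it; the product-name hint is what catches it. Conversely the sideload rule needs no product knowledge at all, only the signed-loader plus unsigned-DLL-in-the-same-user-writable-folder pattern, which is why it generalises beyond this campaign.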

The company further recommended controlling outbound network traffic, blocking unknown connections to suspicious domains or IP addresses, and enhancing employee awareness regarding the latest cyber threats and safe downloading practices, emphasizing the need to verify software sources before downloading or using them.

Kaspersky highlighted the importance of bolstering existing security measures with detection solutions reliant on human experts and global threat intelligence, such as Kaspersky Managed Detection and Response, which provides continuous monitoring, incident analysis, and a rapid, integrated response to advanced cyberattacks.

Monitoring Login Credentials

The company also stressed the necessity of regularly monitoring login credentials to detect any signs of compromise, as any breached account or access privilege could become a vector for further attacks on the organization. It noted that the Kaspersky Digital Footprint Intelligence solution offers continuous monitoring across open-source and dark web sources, aiding in the rapid mitigation of threats before they escalate.

Kaspersky experts advised users to exercise caution when downloading files, relying solely on trusted sources for software and media, as some downloads from unverified sites may contain malware embedded within seemingly legitimate programs.

They also recommended using comprehensive protection solutions across all devices, such as Kaspersky Premium, for the early detection of potential threats and the prevention of malware installation or execution. Furthermore, enabling Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is crucial to protect accounts, along with regularly monitoring financial accounts to spot any suspicious activities early on.

Kaspersky emphasized the need to verify the authenticity of websites before entering any data by carefully reviewing the URL and paying close attention to any discrepancies in organization names or spelling.