An active SEO poisoning campaign is impersonating more than 25 popular applications in order to spread the AsyncRAT malware. The campaign, observed by NCC Group, has been running since October 2025, and the unknown threat actor tricks people into visiting fake websites that rank highly in search results.
These sites appear to offer genuine software downloads, but what they actually install are tools that give someone else access to the victim's computer.

Campaign Overview and Attack Chain

The attackers use search engine optimization to push their malicious websites up the search rankings. These sites pose as popular software such as VLC Media Player, OBS Studio, KMS Tools, and CrosshairX. The websites carry fake reviews and are localized for different languages so that they look legitimate.
When someone clicks the download button, they get a ZIP file from a random download link.
The archive contains the genuine software alongside hidden malicious files. When the victim runs the software, DLL sideloading takes place: the legitimate program unknowingly loads one of the hidden malicious files.
That file quietly extracts and runs an MSI (Microsoft Installer) package. The MSI installs ScreenConnect, a legitimate remote management tool. The attackers configure ScreenConnect to run as a hidden background service, which gives them full remote access to the machine.

[Figure: Attack chain (Source: nccgroup)]

Once inside, the attackers use ScreenConnect to drop a series of scripts.
The final PowerShell script uses a technique called process hollowing to inject malicious code into a legitimate Windows process.
In this case, the script writes the AsyncRAT payload directly into memory, so the final executable is never saved to disk. This makes the infection very hard for conventional antivirus software to detect.

[Figure: Home page for vlc-media[.]com (Source: nccgroup)]

Indicators and Features of AsyncRAT

AsyncRAT is a dangerous remote-access trojan that gives attackers full control of a compromised computer. This campaign uses a heavily customized variant. It includes a cryptocurrency clipper that monitors the user's clipboard: if the user copies a cryptocurrency wallet address, the malware immediately replaces it with the attacker's address. This makes it easy for the attackers to steal digital funds.

[Figure: Screenshot of the SEO optimization on studio-obs[.]net (Source: nccgroup)]
Interestingly, the clipper has a geo-fencing feature that disables it if the victim is located in the Middle East, North Africa, or Central Asia.

Category | Technical Details
Impersonated Apps | VLC Media Player, OBS Studio, KMS Tools, CrosshairX, LibreOffice
Initial Access Mechanisms | SEO Poisoning, DLL Sideloading, ScreenConnect
Payload Delivery | Process hollowing into RegAsm.exe, PowerShell memory injection

In addition, this AsyncRAT variant has a dynamic plugin system: the attackers can push new malicious modules over an encrypted connection and run them directly in the computer's memory.
This means that new capabilities, such as ransomware or data stealers, can be added to the malware at any time. The campaign also keeps rotating its download servers so that defenders cannot simply block them.
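Detection logic for the chain described above, written here as an added example rather than code from NCC Group or from the campaign: it runs a few hunt rules over constructed Sysmon-style image-load and process-creation events, flagging the unsigned DLL loaded from a download folder, msiexec launched from that folder, a ScreenConnect client on a host not approved for it, and PowerShell spawning RegAsm.exe. The host names, paths and the RMM allowlist are assumptions.

```python
"""Hunt rules for the chain described above: sideloaded DLL -> MSI installs
ScreenConnect -> PowerShell hollows AsyncRAT into RegAsm.exe. Added example,
not NCC Group's code; events are constructed with Sysmon-style field names."""
import re

# Folders where an extracted "download" would sit (assumption about the environment).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.I)
APPROVED_RMM_HOSTS = {"helpdesk-01"}  # hosts licensed to run ScreenConnect (constructed)

def hunt(events):
    """Return (rule, detail) tuples for events matching a stage of the chain."""
    hits = []
    for ev in events:
        name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if ev["EventID"] == 7:  # image load
            # Stage 1: the bundled legitimate app loads an unsigned DLL from the
            # folder the ZIP was extracted to (DLL sideloading).
            loaded = ev.get("ImageLoaded", "")
            if USER_WRITABLE.search(loaded) and not ev.get("Signed", False):
                hits.append(("dll_sideload", f"{name} loaded unsigned {loaded}"))
        elif ev["EventID"] == 1:  # process create
            # Stage 2: the sideloaded code runs msiexec from the download folder, and
            # the ScreenConnect client it installs shows up on a host not approved for it.
            if name == "msiexec.exe" and USER_WRITABLE.search(ev.get("ParentImage", "")):
                hits.append(("msi_from_download", f"{parent} -> {name}"))
            if name.startswith("screenconnect") and ev.get("Host") not in APPROVED_RMM_HOSTS:
                hits.append(("unexpected_rmm", f"{name} on {ev.get('Host')}"))
            # Stage 3: PowerShell starting RegAsm.exe (the .NET registration tool) with
            # no arguments: the hollowing target launched suspended for injection.
            if name == "regasm.exe" and parent == "powershell.exe":
                hits.append(("regasm_hollowing", f"{parent} -> {name} args={ev.get('CommandLine', '')!r}"))
    return hits

SAMPLE_EVENTS = [  # constructed for illustration, not real telemetry
    {"EventID": 7, "Host": "ws-17", "Image": r"C:\Users\ana\Downloads\vlc\vlc.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\vlc\helper.dll", "Signed": False},
    {"EventID": 1, "Host": "ws-17", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Users\ana\Downloads\vlc\vlc.exe", "CommandLine": "msiexec /i setup.msi /qn"},
    {"EventID": 1, "Host": "ws-17", "Image": r"C:\Program Files (x86)\ScreenConnect Client (x)\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": ""},
    {"EventID": 1, "Host": "ws-17", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": ""},
    {"EventID": 1, "Host": "helpdesk-01", "Image": r"C:\Program Files (x86)\ScreenConnect Client (x)\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": ""},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(rule, "|", detail)
```

The last sample event shows the allowlist in action: the same ScreenConnect client on an approved host produces no hit, so the rule surfaces only unexpected RMM installs.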