{
	"id": "be7b1473-2f60-4601-a62d-4c766ad6b9c1",
	"created_at": "2026-04-06T00:11:42.719841Z",
	"updated_at": "2026-04-10T13:12:16.802236Z",
	"deleted_at": null,
	"sha1_hash": "c2a345765403019988611c5c40b71cfe07550c61",
	"title": "AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect and Open Directories",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2998420,
	"plain_text": "AsyncRAT Campaigns Uncovered: How Attackers Abuse ScreenConnect\r\nand Open Directories\r\nPublished: 2025-09-18 · Archived: 2026-04-02 11:32:02 UTC\r\nRemote Monitoring and Management (RMM) tools like ConnectWise ScreenConnect have become both indispensable for\r\nIT administrators and highly attractive to threat actors targeting organizations in the United States. ScreenConnect's deep\r\nsystem access, trusted installation footprint, and widespread use across managed service providers make it a prime vector for\r\nmalware delivery and persistence.\r\nRecent investigations uncovered how attackers are abusing ConnectWise ScreenConnect (formerly ConnectWise\r\nControl) installers to deliver AsyncRAT payloads, leveraging open directories as staging points. By pivoting across\r\nexposed file repositories and correlating indicators of compromise (IOCs), we observed a repeatable infrastructure pattern of\r\nScreenConnect installers hosted in open directories, linked domains embedding /Bin/ paths, and backend servers distributing\r\nAsyncRAT. 
This blending of remote management software abuse with commodity RAT delivery highlights both a supply-chain risk and the operational tradecraft adversaries use to evade traditional signature-based defenses.\r\nBefore we dive into evidence, here are the patterns that surfaced repeatedly across hosts, files, and redirects.\r\nKey Takeaways\r\nPayloads observed: AsyncRAT and a custom PowerShell RAT were deployed alongside trojanized ScreenConnect installers.\r\nOpen directories \u0026 hosts uncovered: At least 8 infrastructure hosts were identified (e.g., 176.65.139[.]119, 45.74.16[.]71, 164.68.120[.]30, 78.161.14[.]229, 78.162.57[.]179, 88.229.27[.]40, 185.208.159[.]71, 94.154.173[.]145).\r\nPayload container scale: Multiple similarly named files (logs.ldk / logs.idk / logs.idr) appeared repeatedly across multiple directories (sizes from 60 KB to 3 MB). Several container hashes were not found on VirusTotal at capture time, indicating fresh or repackaged payloads.\r\nPhishing pivot yield: The /Bin/ ClickOnce pattern (from police.html → galusa.ac.mz → dual.saltuta.com) produced 8 related URLs across 2024-2025 during dataset queries.\r\nExecution techniques: Dual execution paths were observed in the attack chain: in-memory .NET Assembly.Load for AV-guarded hosts and native injection via libPK.dll::Execute otherwise.\r\nPersistence: Frequently triggered scheduled tasks were created (SystemInstallTask, 3losh) with aggressive intervals (every 2-10 minutes).\r\nNetwork \u0026 C2 tradecraft: AsyncRAT telemetry spans standard ports (21/80/111/443) and numerous high ephemeral ports (30,000-60,000), often TLS-wrapped.\r\nThese observations line up with public reporting on ScreenConnect abuse and dual-RAT delivery. Here's the context we used to frame our hunt.\r\nBackground Reference\r\nBy 2025, ScreenConnect exploitation had evolved from opportunistic ransomware delivery into multi-stage, stealthy campaigns with supply chain implications. 
Acronis reported trojanized installers using ClickOnce loaders to drop dual payloads (AsyncRAT and a custom PowerShell RAT), while CyberProof detailed CHAINVERB, a backdoor leveraging signed binaries to embed command-and-control instructions.\r\nIn May 2025, ConnectWise disclosed a breach of its cloud-hosted ScreenConnect infrastructure, likely linked to CVE-2025-3935, a critical ViewState injection flaw. Threat actors also experimented with Authenticode stuffing, modifying certificate tables in malicious installers while preserving valid digital signatures to evade trust checks. Proofpoint also observed U.S.-focused phishing lures of fake IRS and USPS notices to deliver ScreenConnect installers for the deployment of AsyncRAT.\r\nThese campaigns signaled a pivot from ransomware-focused exploitation in 2024 toward persistent, trust-subverting intrusions targeting critical organizations. Collectively, these incidents underscored ScreenConnect's role as both a malware delivery vector and a high-value supply chain target.\r\nhttps://hunt.io/blog/asyncrat-screenconnect-open-directory-campaigns\r\nPage 1 of 19\n\nFigure 1. Timeline of important 2025 blogs highlighting ScreenConnect usage in different attack themes.\r\nWith that backdrop, we sought the same tradecraft in fresh data and found a near match in live infrastructure.\r\nResearch Context\r\nThe Acronis blog highlights an evolving campaign where attackers abuse trojanized ConnectWise ScreenConnect installers to infiltrate U.S.-based organizations. Instead of embedding malicious components directly, the adversaries now use a ClickOnce installer that dynamically retrieves payloads at runtime, complicating traditional detection.\r\nOnce executed, the installer immediately deploys two Remote Access Trojans (RATs): the widely used AsyncRAT and a custom PowerShell-based RAT. 
This dual-RAT strategy provides redundancy and persistence, ensuring attackers maintain access even if one RAT is neutralized.\r\nThe custom RAT stands out with reconnaissance, data exfiltration, obfuscation techniques, and a unique codebase not found in open-source repositories. Over time, the infection chain grows more adaptive, incorporating batch scripts, VBS loaders, and encoded .NET assemblies to redeploy AsyncRAT and maintain long-term access.\r\nFigure 2. Attack chain showing multiple steps to maintain persistence and execution of AsyncRAT variants.\r\nOur first solid lead came from AttackCapture™, where a simple query exposed three copies of the same PowerShell loader on separate hosts.\r\nInitial Discovery Via AttackCapture™\r\nUsing Hunt.io's AttackCapture™ feature, a search for Skype.ps1 revealed three active results from 29 May to 2 June 2025 hosted across distinct IP addresses. Two files share the same size and timestamp, indicating mirrored infrastructure or payload replication, while the third is significantly smaller, suggesting a possible variant or trimmed version of the script.\r\nType | Indicator | Size of Skype.ps1\r\nOpen Directory | hxxp://176.65.139.119:555/aA/Skype.ps1 | 235 KB\r\nOpen Directory | hxxps://45.74.16.71/aAold/Skype.ps1 | 235 KB\r\nOpen Directory | hxxp://164.68.120.30:550/99/Skype.ps1 | 3 KB\r\nFigure 3. Searching \"Skype.ps1\" using AttackCapture™ revealed 3 IP addresses with distinct file sizes.\r\nWe started with the first host, 176.65.139.119, to understand how the loader was staged and what else it was serving.\r\nVirusTotal analysis of this IP address shows a clean reputation with a 0 detection score. However, a deeper investigation highlights malicious associations. 
Two files have been observed communicating with this host: Stub.exe and f2d834d37efb0a74b944174edc88a984.virus.\r\nHunt.io analysis of the IP address 176.65.139.119 shows direct ties to AsyncRAT activity. The host was observed with an open port at 5050, which has historically been associated with AsyncRAT.\r\nFigure 4. Hunt.io links 176.65.139.119 to AsyncRAT activity via port 5050 (May-June 2025).\r\nA second host, 45.74.16.71, showed the same components but with additional disposable DNS domains, suggesting fast rotation.\r\nVirusTotal analysis of this IP address shows a malicious score of 10 out of 95. The passive DNS records show short-lived domains (dp.vdpanxxs.top, sc.vdpanxxs.top, and vixgstxpnl.top), and the files communicating with this IP include Stub.exe (detected 57/72) and the aA.zip archive (38/66), which contained staged payloads such as Skype.ps1, Ab.vbs, and libPK.dll.\r\nThe analysis of the IP address 45.74.16.71 reveals links to AsyncRAT operations with an open port at 5050. The presence of the PureVPN association indicates adversaries may be leveraging VPN infrastructure to anonymize malicious activities.\r\nFigure 5. Analysis of the IP 45.74.16[.]71 linked to AsyncRAT C2 activity over port 5050 with VPN obfuscation.\r\nThe third host, 164.68.120.30, expanded the toolset further with packed binaries and domain-fluxed payloads.\r\nVirusTotal flags this IP address as malicious (14/95 vendors), with 9 malicious files observed communicating with this host, including packed Win32 executables (hpqaiyo.exe, rqzwy8er.exe, gebv86.exe), a VBA payload (payload_1.ps1), and the recurring Stub.exe binary.\r\nOur analysis of the third IP address, 164.68.120.30, reveals a High-Risk reputation score, confirming its role in AsyncRAT's command-and-control (C2) infrastructure. 
This strengthens its attribution to active malware operations.\r\nSeeing three near-identical hosts in quick succession, we extended the scope to six months of Hunt.io telemetry to test whether this was short-lived or persistent.\r\nFigure 6. Hunt.io analysis of 164.68.120.30 marked as High-Risk for AsyncRAT C2 activity over multiple ports.\r\nOur six-month timeline of IOCs illustrates persistent AsyncRAT activity across both standard ports (21, 80, 111, 443) and a wide range of high, non-standard ports in the 30,000-60,000 range. Long overlapping activity bars indicate sustained infrastructure activity, with operators rotating or layering ports to ensure redundancy.\r\nThe detection of TLS traffic on several ports points to a shift toward encrypted C2 communications, while clustering in high port ranges suggests automated deployment via builder scripts. Collectively, this reflects a resilient, evasive AsyncRAT infrastructure maintained for long-term operations rather than opportunistic attacks.\r\nTo understand how these pieces fit together, we unpacked each open directory and mapped the infection chain. We then validated each stage in the open directories to confirm the loader and persistence mechanics in practice.\r\nFigure 7. A six-month Hunt.io timeline reveals a resilient AsyncRAT infrastructure featuring port rotation, TLS encryption, and builder-driven deployment.\r\nOpen Directories Overview\r\nThe open directory at http://176.65.139.119:555 exposes a staged malware package, with aA.zip (563 KB) unpacking into Ab.vbs (dropper), Skype.ps1 (malicious PowerShell), libPK.dll (payload DLL), and Microsoft.lnk (persistence). The scripts are flagged as exploits, driving the infection chain, while the .lnk file likely initiates execution, and the DLL provides persistence or RAT capabilities. 
This illustrates a multi-stage delivery framework designed for resilience and scalable distribution.\r\nA closer look at the execution flow shows how the operators adapt the loaders depending on the environment.\r\nFigure 8. Open directory 176.65.139[.]119:555 hosting a multi-stage malware package (VBS, PowerShell, DLL, LNK).\r\nAnalysis of the open directory found at https://45.74.16.71 exposes multiple malicious archives, including aA.zip, containing a ScreenConnect client executable (67 KB), and aAold.zip, which extracts into a full malware toolkit similar to the first host: Ab.vbs (dropper, tagged Exploit), Skype.ps1 (PowerShell exploit script), libPK.dll (large supporting DLL), and Microsoft.lnk (shortcut for execution). The presence of both a remote access tool installer and a staged package highlights the blending of legitimate software abuse (ScreenConnect) with custom loaders and scripts, suggesting an attack chain designed to establish unauthorized remote access while deploying multi-stage payloads for persistence and command execution.\r\nFigure 9. Open directory 45.74.16[.]71 blending ScreenConnect abuse with staged malware payloads.\r\nThe open directory at http://164.68.120.30:550 hosts a 99.zip archive containing six files that form a broader malicious toolkit. Among them are Ab.js (tagged Exploit), a heavily reduced Skype.ps1 script (3 KB, Exploit), and a large DLL (libPK.dll, 2 MB) alongside multiple text files (1.txt, pe.txt, q.txt) and a decoy HTML page (police.html).\r\nUnlike the previous directories, this infrastructure showcases a smaller PowerShell script variant, possibly serving as a lightweight loader or reconnaissance stage, paired with additional payload components for extended functionality.\r\nFigure 10. 
Open directory 164.68.120.30:550 hosting 99.zip with a multi-layered malware toolkit and decoy artifacts.\r\nInvestigation and Analysis\r\nExamining the open directory at 176.65.139[.]119:555 reveals a slightly altered infection chain compared to the Acronis blog. The script Ab.vbs functions as a simple launcher, using WScript.Shell to silently execute Microsoft.lnk, which is weaponized to invoke PowerShell with execution policy bypass and hidden window mode, ultimately running Skype.ps1 from the public folder. This replaces the blog's VBS + BAT persistence stage with a streamlined VBS → LNK → PS1 flow.\r\nSkype.ps1 functions as the PowerShell loader for additional payloads: it reconstructs or decodes an embedded payload blob, loads and invokes a native export named Execute from C:\\Users\\Public\\libPK.dll, and then schedules Ab.vbs as a recurring task named SystemInstallTask to maintain persistence. In this setup, libPK.dll behaves as a disguised secondary loader, taking the place of the blog's log.idk / log.idr components and enabling in-memory/native-stage execution of downstream payloads.\r\nFigure 11. VBS launcher that silently executes Microsoft.lnk to kick off the infection chain.\r\nFigure 12. Weaponized shortcut that invokes PowerShell with execution-policy bypass and a hidden window to run Skype.ps1.\r\nFigure 13. 
PowerShell loader that reconstructs a payload, calls libPK.dll::Execute, and schedules SystemInstallTask for persistence.\r\nOn the second host, 45.74.16[.]71, we found a nearly identical toolkit but with a newly repacked ScreenConnect installer, likely to avoid static detection.\r\nIn the second open directory found on this IP, a new variant of screenconnect.client.exe was uncovered, distinguished by a different hash but serving the same purpose as the sample from the first open directory.\r\nThis suggests the attackers are repacking or re-signing the ScreenConnect installer to evade static detection and diversify payload delivery. Despite the hash difference, its placement alongside Ab.vbs, Microsoft.lnk, Skype.ps1, and libPK.dll indicates it is part of the same infection chain, reinforcing the campaign's tactic of using trojanized ScreenConnect binaries as the primary entry point for executing multiple RAT loaders.\r\nA third host at 164.68.120[.]30:550 showed similar tradecraft but swapped in JavaScript loaders and more aggressive scheduling. In this open directory, we observed a very similar attack chain to the ones documented in public research blogs, but with some notable variations in the components and execution flow.\r\nThe infection begins with a script named Ab.js, which leverages ActiveXObject to silently execute a PowerShell command that loads Skype.ps1.\r\nFigure 14. Ab.js launches PowerShell to load Skype.ps1, initiating the infection chain.\r\nOnce launched, Skype.ps1 creates a scheduled task named \"3losh\" via the Windows Task Scheduler COM interface. This task is configured to trigger every two minutes and execute Ab.js, ensuring aggressive persistence even if the user terminates processes or reboots the system.\r\nFigure 15. 
Skype.ps1 creates a persistent scheduled task named '3losh' that runs every two minutes.\r\nThe script then checks for the presence of security software, specifically looking for TotalAV or Avast installations. If either is found, it loads pe.txt, which contains an obfuscated assembly encoded as comma-separated numbers.\r\nWhen decoded, this assembly provides an AMSI bypass designed to disable script-based security scanning. Following this, the script reconstructs and loads 1.txt, another encoded blob that represents the attacker's primary .NET payload, and executes it directly in memory using Assembly.Load.\r\nFigure 16. Script detects TotalAV/Avast, decodes pe.txt for an AMSI bypass, then loads 1.txt as an in-memory .NET payload.\r\nIn environments where no supported AV is detected, the attackers take a different route. Instead of direct in-memory loading, the decoded payload from 1.txt is injected into a legitimate Windows binary, AppLaunch.exe, using a native DLL called libPK.dll.\r\nThis DLL is imported dynamically at runtime via PowerShell's Add-Type cmdlet and provides an exported function named Execute, which handles the injection process. This dual execution pathway (direct in-memory execution for AV-guarded systems and DLL-assisted injection for unprotected hosts) demonstrates a highly adaptive strategy to ensure successful compromise across diverse environments.\r\nFigure 17. 
If no AV is found, the decoded payload is injected into AppLaunch.exe via libPK.dll::Execute for native injection.\r\nThe police.html file uncovered in the third directory acts as a malicious redirector that uses a meta-refresh tag combined with JavaScript to automatically forward victims to an external resource, \"hxxps://galusa[.]ac[.]mz/pdf\".\r\nThis redirection chain ultimately lands on dual[.]saltuta[.]com, with query parameters referencing verify[.]uniupdate[.]net, and triggers the download of the first-stage payload event_support-pdf.Client.exe (MD5: c596910b65fb3af81b9ca67ce11ebcc3). The redirect and final filename follow the ClickOnce runner installer pattern noted in public research, where \"support-pdf\" themed executables are used as first-stage droppers.\r\nFigure 18. police.html redirector forwarding to galusa.ac.mz/pdf, which resolves to dual.saltuta.com and delivers event_support-pdf.Client.exe.\r\nVirusTotal data shows the galusa.ac.mz/pdf URL returned HTTP 200 and was last analyzed on 2025-05-24 with no security vendors flagging the resource at the time of analysis.\r\nRedirect URL:\r\nhttps://dual.saltuta.com/Bin/event_support-pdf.Client.exe?\r\nh=verify.uniupdate.net\u0026p=8041\u0026k=BgIAAACkAABSU0ExAAgAAAEAAQDRensUJhLSOFlnmqiCZ1BBEo1jqzYsqCiPY8zJL%2B9sTvN8rOqDMiuF\r\n4014-42f5-b668-addee4113978\u0026i=untitled\u0026e=Support\u0026y=Guest\u0026r=\r\nHunt.io domain records link dual.saltuta.com and verify.uniupdate.net to the campaign, with dual.saltuta.com observed serving ScreenConnect-like installers and resolving to IP 94.154.173[.]145 (1GSERVERS, LLC, US). These findings indicate a multi-stage redirect chain that blends social engineering with ClickOnce-style droppers to deliver the initial payload.\r\nFigure 19. 
dual.saltuta.com and verify.uniupdate.net linked to ScreenConnect-style installers, resolving to 94.154.173[.]145.\r\nPivoting via Patterns\r\nPivoting on Ab.vbs uncovered a new open directory at 78.161.14[.]229:753 (Turk Telekom) hosting a larger Ab.vbs variant (504 B) than the previous similar samples.\r\nFigure 20. Pivot on Ab.vbs reveals an additional open directory at 78.161.14[.]229:753 hosting an enlarged Ab.vbs (504 B).\r\nOur threat hunting platform shows the details of the open directory at 78.161.14.229:753, which is hosted under Turk Telekomünikasyon Anonim Şirketi (TR). The directory contained an enlarged variant of Ab.vbs (504 B) compared to previous samples. Three additional files were also identified: logs.ldk (60 KB), logs.ldr (265 KB), and logs.rar (46 KB).\r\nFigure 21. Open directory at 78.161.14[.]229:753 hosting enlarged Ab.vbs (504 B) and staged payload containers (logs.ldk/logs.ldr/logs.rar).\r\nUnlike the lightweight Ab.vbs samples that primarily launched a .lnk shortcut or chained to Skype.ps1, this variant uses PowerShell with an inline function called Invocation to dynamically load a .NET assembly into memory and invoke its entry point.\r\nThe script references two external files expected in C:\\Users\\Public\\Pictures: logs.ldk and logs.ldr. The .ldk file is parsed into a byte array, divided by 30, and used as the assembly payload, while the .ldr file is passed as an input string to the assembly's Obfuscator.A::Main method.\r\nFigure 22. 
Updated Ab.vbs acts as an integrated loader: parses logs.ldk into an assembly, invokes Obfuscator.A::Main with logs.ldr, and eliminates the .lnk intermediary.\r\nThe discovery shows operators iterating on a modular architecture, recycling proven loader code while altering payload containers to evade static detection.\r\nPivoting on logs.idr exposed two additional open directories at 78.162.57[.]179:753 and 88.229.27[.]40:753. Hunt.io captures show logs.idr at 265 KB on 17 Jul 2025 22:41:25 and 266 KB on 07 Jul 2025 19:22:49, respectively. The close similarity in file size and timestamps to earlier finds suggests operators are distributing near-identical payload containers across multiple hosts.\r\nFigure 23. Pivoting on logs.idr uncovered mirrored payload containers across two open directories (78.162.57.179:753, 88.229.27.40:753).\r\nAn analysis of the IP addresses 88.229.27.40 (Istanbul) and 78.162.57.179 (Gaziantep) shows the same ASN (AS9121 / Turk Telekomünikasyon Anonim Şirketi) and multiple AsyncRAT sightings across all ports.\r\nFigure 24. Turk Telekom IPs (88.229.27.40 and 78.162.57.179) hosting multiple AsyncRAT sightings across rotated ports in July-August 2025.\r\nBoth IPs (78.162.57.179 and 88.229.27.40) show extensive AsyncRAT activity across numerous ports, with Hunt.io timelines confirming repeated reconfigurations and multi-port exposure throughout July 2025. The operators appear to rotate ports aggressively, enabling redundancy and complicating static detection, while maintaining persistent AsyncRAT infrastructure under Turk Telekom AS9121.\r\nFigure 25. 
Hunt.io timeline view showing extensive AsyncRAT activity across multiple ports on 78.162.57[.]179 and 88.229.27[.]40, highlighting persistent and adaptive C2 infrastructure.\r\nA Hunt.io capture from 78.162.57[.]179:753 shows that both logs.idk and logs.idr appear with different SHA256 hashes across directories, indicating multiple variants of the same files. Similarly, one more hash of logs.idr was found in the 88.229.27.40:753 open directory. Moreover, none of these hashes are currently detected on VirusTotal.\r\nFigure 26. Different SHA256 hashes observed for logs.idk and logs.idr on 78.162.57[.]179:753 \u0026 88.229.27[.]40:753 from Hunt.io's AttackCapture™.\r\nSimilarly, while pivoting on logs.idk, an additional open directory was observed at 185.208.159[.]71, hosting a much larger logs.ldk file (3 MB).\r\nFigure 27. Discovery of a 3 MB logs.ldk on 185.208.159.71, indicating repackaged or expanded payload staging.\r\nHunt.io's AttackCapture™ File Manager for https://185.208.159.71 (Global-Data System IT Corporation) shows two files (logs.jpg and logs.ldk), each 3 MB in size.\r\nFigure 28. 185.208.159[.]71 directory (17 Aug 2025): large logs.ldk (3 MB) and decoy logs.jpg indicate repackaged/expanded payload staging.\r\nOur analysis for 185.208.159[.]71 (AS42624) carries a High-Risk flag and active AsyncRAT sightings. The records show multiple open services across low and high ports carrying the AsyncRAT signature.\r\nFigure 29. 
185.208.159[.]71 (AS42624) shows a High-Risk AsyncRAT host with multi-port activity.\r\nHunt.io history data for 185.208.159[.]71 reveals multiple open ports associated with AsyncRAT activity between August and September, spanning both low (111, 222, 666) and high-numbered ranges (3000-3009, 7707, 9996-9998, 20000).\r\nThe breadth of ports indicates an aggressive and flexible C2 configuration strategy, suggesting the operators rotate or diversify their port usage to evade static detection and sustain long-term infrastructure resilience.\r\nFigure 30. AsyncRAT history on 185.208.159[.]71: wide port usage (111-20000) highlights adaptive C2 operations.\r\nFurthermore, the investigation revealed that the \"/Bin/\" pattern was a recurring element in phishing infrastructure, first observed in the police.html redirect leading to the payload dual[.]saltuta[.]com/Bin/event_support-pdf.Client.exe.\r\nThis URL not only exposed the payload host (dual.saltuta.com) and query parameter domain (verify[.]uniupdate[.]net), but also highlighted the use of /Bin/ as a staging directory for first-stage payloads. By pivoting on this pattern, a SQL query across the phishing dataset identified 8 additional URLs reusing the same structure in campaigns spanning 2024-2025, confirming its role as a consistent attacker tradecraft for hosting and distributing malicious executables.\r\nSELECT\r\n *\r\nFROM\r\n phishing\r\nWHERE\r\n url LIKE '%/Bin/%'\r\n AND timestamp > '2024-01-01'\r\nOutput example:\r\nFigure 31. 
Reuse of the \"/Bin/\" directory across phishing campaigns for hosting first-stage payloads (8 URLs found, 2024-2025).\r\nHere's a table with the results we found:\r\nTimestamp | URL | Executable Name\r\n2025-06-12 | hxxps://baquskreen.top/Bin/ANTI%20VIRUS%20UPDATE.ClientSetup.exe | ANTI VIRUS UPDATE.ClientSetup.exe\r\n2025-09-05 | hxxps://mconnectsz.nsocumentzs.com/Bin/ZOOM.ClientSetup.exe?e=Access\u0026y=Guest | ZOOM.ClientSetup.exe\r\n2025-01-17 | hxxps://bahelp.top/Bin/ZoomWorkspace.ClientSetup.exe?e=Access\u0026y=Guest | ZoomWorkspace.ClientSetup.exe\r\n2024-10-25 | hxxps://doc-sign.docsfinder.org/Bin/IRScasedocs5Nhd8fMGaUr0Ts1o6qlE.Client.exe?h=wise.access.ly\u0026p=8041\u0026k=ENCODE\u0026s=7b6d96a8-dcac-4f65-aaec-6e3d4b1ed22f\u0026i=Untitled%20Session\u0026e=Support\u0026y=Guest\u0026r= | IRScasedocs5Nhd8fMGaUr0Ts1o6qlE.Client.exe\r\n2025-04-01 | hxxps://con.wolonman.com/Bin/ScreenConnect.ClientSetup.exe | ScreenConnect.ClientSetup.exe\r\n2025-03-14 | hxxps://tulicrp.engajroker.cyou/Bin/support.Client.exe | support.Client.exe\r\n2025-04-10 | hxxps://docfileaccess.top/Bin/ScreenConnect.Client.application?e=Support\u0026y=Guest | ScreenConnect.Client.application\r\n2024-11-19 | hxxps://vn1backn.site/Bin/ScreenConnect.Client.application?y=Guest | ScreenConnect.Client.application\r\nMitigation Strategies\r\nEnforce strict allowlisting for installers and RMM tools (require validated signer metadata and out-of-band vendor verification).\r\nBlock or closely monitor /Bin/ download patterns and ClickOnce URLs at the proxy/IDS, and alert on uncommon Content-Type: application/octet-stream responses.\r\nDeploy behavioral EDR detections for Add-Type runtime compilation, in-memory Assembly.Load, native export calls (libPK.dll::Execute), and process injection.\r\nRestrict execution of VBS/JS/PowerShell from publicly writable folders 
(e.g., C:\\Users\\Public) and enforce script-blocking policies.\r\nHarden endpoints with AppLocker/Device Guard, disable macros and legacy script hosts where operationally possible, and apply least-privilege policies.\r\nProactively hunt for IOCs and TTPs (Ab.vbs/Ab.js, Skype.ps1, libPK.dll, logs.* containers, /Bin/ URLs) and coordinate takedowns with hosting providers and CERTs.\r\nEnforce multi-factor authentication and rotate vendor/third-party credentials; audit vendor access to management consoles.\r\nIn short, this is a moving target. Port rotation, repacking, and dual paths keep the infrastructure alive unless detections key on the tradecraft itself.\r\nConclusion\r\nThe campaign demonstrates a mature attacker tradecraft that blends RMM abuse, modular payload staging, native injection techniques, and extensive port/TLS manipulation to maintain resilient AsyncRAT-centric C2 infrastructure. Defenders must move beyond hash-based detection and rely on layered defenses: behavioral EDR, robust network telemetry (including TLS inspection when possible), strict RMM installer controls, proactive hunting for staged containers and redirect patterns (e.g., /Bin/), and rapid takedown coordination with hosting providers. 
Focusing detection and response on the TTPs in this report will yield higher fidelity than chasing rapidly changing hashes.\r\nFor teams that need to hunt today, here are the indicators and objects we observed, with the caveat that infrastructure turns over quickly.\r\nConnectWise ScreenConnect Network Observables and Indicators of Compromise (IOCs)\r\nName / Host / File | Indicator | Notes\r\nAb.vbs | 6142295a7f7ce60b86738e07d79b72d5a3edb3d5915aa9fb6c81ea752a9cd229,\r\nc7936cc04631bc9d4ed7a9be3a5638193fac57cb3ccfa7ce037aa2b0fe24cad7 | VBS loader, VBS variant\r\nMicrosoft.lnk | 521769c955761f7fc625eae2006f4dabcf36ce3169309e0ad111e7b7b29748af | Weaponized LNK\r\nSkype.ps1 (PowerShell loader) | 54b762e05af1a1138786a78e9936d63f4e419bbeb0d116c2cee7376566420382,\r\n8d5b8061b3f6b899583bbf20e78c13bb2b44b9dff4c6c302c8c278725dc5a34d | PowerShell loader, Small PS loader\r\nlibPK.dll | b97d0a646c8aece8f5c4cedb26da808ec5104038c7871ad0481f75df7a75c59d | Native injector DLL\r\nscreenconnect.client.exe (trojanized) | 701e702f91942acef4d6afdda2abf70ed8618cde2f2ef3b174b092373c63c033 | Trojanized ScreenConnect installer\r\nStub.exe | cd5207483b78ef50d3dbd3f6a36d2a98 | Stager/dropper (observed communicating with 176.65.139.119)\r\nevent_support-pdf.Client.exe (ClickOnce dropper) | c596910b65fb3af81b9ca67ce11ebcc3 | Observed via redirect chain\r\n1.txt (encoded .NET payload) | ff529b5e54b079ff9a449e933b6042c2403f15d0de9ee9dbfb0c51e56bf13fad | Encoded .NET blob\r\npe.txt | 1f7b509db8424453b8bb3a45053f3bc47f98414b168a67f253c10f0f6fb83936 | Encoded AMSI bypass payload\r\nq.txt | 5705e818447ec8f7c480a2bf28337b002d66b293b7450b7a993bf26ac9fee60f | Obfuscated config blob\r\npolice.html | 0736e890f62b920c4489928254d5c0e5e67584dfb1c8649f08b62e400d28e882 | HTML 
redirector\r\nlogs.idk | cf9729e363562878a7027e0f8eab00d3853fe6a267fc654fae511a751cf6851a,\r\naca3f0bf08779478f2b0ce7da16e8c87f8a860ae96d3e88d94c2907aae31ff0d,\r\nab2f559b05cfa32bc66c317260f51970699602ad06030e16bba66cf1bd20902e | Payload container\r\nlogs.idr | 98ef82f2f9861f1a0062a3c1b88184b28e6bf304856bfc6d8087ff28df113710,\r\n81aa861eb0fc8403e4a8be6f0f9eb8be494cc12571f98210e08a88d81a2c815c,\r\n9cd11a25896a9e7a54aeaf0cc249a8ebcaada74168d2bdd2d51d8313a7293dce,\r\ne4afc06b31849f0a9c463e2599906a93914727a1f5b08d0ebfe1990965ebc41f | Runtime parameter file\r\nlogs.ldk | cf9729e363562878a7027e0f8eab00d3853fe6a267fc654fae511a751cf6851a | Payload container\r\nlogs.jpg | ec7514d1be0ba0b2a9059759d2885f81f1e887e1559a1630f6c380e11f7bf7d3 | Decoy image\r\nIP | 176.65.139[.]119 (Germany) | Open dir\r\nIP | 45.74.16[.]71 (AS207184 - Germany) | Open dir\r\nIP | 164.68.120[.]30 (AS51167 - Germany) | Open dir\r\nIP | 78.161.14[.]229:753 (AS9121 - Turkey) | Open dir\r\nIP | 78.162.57[.]179:753 (AS9121 - Turkey) | Open dir\r\nIP | 88.229.27[.]40:753 (AS9121 - Turkey) | Open dir\r\nIP | 185.208.159[.]71 (AS42624 - Switzerland) | Open dir\r\nIP | 94.154.173[.]145 (AS14315 - United States) | Resolves to dual[.]saltuta[.]com\r\nDomain | dual[.]saltuta[.]com | Payload host. Serves staged binaries\r\nDomain | verify[.]uniupdate[.]net | Appears in query parameters\r\nDomain | galusa[.]ac[.]mz | HTML redirector. Forwards to ClickOnce\r\nDomains | dp[.]vdpanxxs[.]top, sc[.]vdpanxxs[.]top, vixgstxpnl[.]top | Disposable domains resolving to 45.74.16[.]71\r\nPersistence | Scheduled Task names | SystemInstallTask (every 10m), 3losh (every 2m)\r\nPattern / URL | /Bin/ directory pattern | Reused across multiple phishing URLs / ClickOnce payload\r\nSource: 
https://hunt.io/blog/asyncrat-screenconnect-open-directory-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/asyncrat-screenconnect-open-directory-campaigns"
	],
	"report_names": [
		"asyncrat-screenconnect-open-directory-campaigns"
	],
	"threat_actors": [],
	"ts_created_at": 1775434302,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2a345765403019988611c5c40b71cfe07550c61.pdf",
		"text": "https://archive.orkl.eu/c2a345765403019988611c5c40b71cfe07550c61.txt",
		"img": "https://archive.orkl.eu/c2a345765403019988611c5c40b71cfe07550c61.jpg"
	}
}