Close Menu
TechurzTechurz
    What's Hot

    IQM, Europe’s first public quantum company, admits the future of the tech is uncertain

    July 2, 2026

    Indian tech tycoon bets $30M of his own money to build AI alternative to Microsoft Office

    July 2, 2026

    Bending Spoons defies SaaS slump, surges 40% on first day of trading

    July 1, 2026
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Tech Pulse
    • IQM, Europe’s first public quantum company, admits the future of the tech is uncertain
    • Indian tech tycoon bets $30M of his own money to build AI alternative to Microsoft Office
    • Bending Spoons defies SaaS slump, surges 40% on first day of trading
    • Humble Robotics’ CEO says the tech finally caught up to the vision for autonomous vehicles
    • Autonomous vehicle hype is back, and Humble Robotics is bringing it to freights
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    TechurzTechurz
    • Home
    • Tech Pulse
    • Future Tech
    • AI Systems
    • Cyber Reality
    • Disruption Lab
    • Signals
    TechurzTechurz
    Home - Cyber Reality - AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto
    Cyber Reality

    AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto

    TechurzBy TechurzSeptember 11, 2025Updated:May 10, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Sep 11, 2025Ravie LakshmananMalware / Credential Theft

    Cybersecurity researchers have disclosed details of a new campaign that leverages ConnectWise ScreenConnect, a legitimate Remote Monitoring and Management (RMM) software, to deliver a fleshless loader that drops a remote access trojan (RAT) called AsyncRAT to steal sensitive data from compromised hosts.

    “The attacker used ScreenConnect to gain remote access, then executed a layered VBScript and PowerShell loader that fetched and ran obfuscated components from external URLs,” LevelBlue said in a report shared with The Hacker News. “These components included encoded .NET assemblies ultimately unpacking into AsyncRAT while maintaining persistence via a fake ‘Skype Updater’ scheduled task.”

    In the infection chain documented by the cybersecurity company, the threat actors have been found to leverage a ScreenConnect deployment to initiate a remote session and launch a Visual Basic Script payload via hands-on-keyboard activity.

    “We saw trojanized ScreenConnect installers masquerading as financial and other business documents being sent via phishing emails,” Sean Shirley, LevelBlue MDR SOC Analyst, told The Hacker News.

    The script, for its part, is designed to retrieve two external payloads (“logs.ldk” and “logs.ldr”) from an attacker-controlled server by means of a PowerShell script. The first of the two files, “logs.ldk,” is a DLL that’s responsible for writing a secondary Visual Basic Script to disk, using it to establish persistence using a scheduled task by passing it off as “Skype Updater” to evade detection.

    This Visual Basic Script contains the same PowerShell logic observed at the start of the attack. The scheduled task ensures that the payload is automatically executed after every login.

    The PowerShell script, besides loading “logs.ldk” as a .NET assembly, passes “logs.ldr” as input to the loaded assembly, leading to the execution of a binary (“AsyncClient.exe”), which is the AsyncRAT payload with capabilities to log keystrokes, steal browser credentials , fingerprint the system, and scan for installed cryptocurrency wallet desktop apps and browser extensions in Google Chrome, Brave, Microsoft Edge, Opera, and Mozilla Firefox.

    All this collected information is eventually exfiltrated to a command-and-control (C2) server (“3osch20.duckdns[.]org”) over a TCP socket, to which the malware beacons in order to execute payloads and receive post-exploitation commands. The C2 connection settings are either hard-coded or pulled from a remote Pastebin URL.

    “Fileless malware continues to pose a significant challenge to modern cybersecurity defenses due to its stealthy nature and reliance on legitimate system tools for execution,” LevelBlue said. “Unlike traditional malware that writes payloads to disk, fileless threats operate in memory, making them harder to detect, analyze, and eradicate.”

    AsyncRAT ConnectWise credentials Crypto exploits ScreenConnect steal
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleTed Cruz’s new bill would let AI companies set their own rules for up to 10 years
    Next Article NASA Rover Finds Compelling Clues In Rock Sample
    Techurz
    • Website

    Related Posts

    Opinion

    Corgi, the buzzy Y Combinator-backed insurance tech startup, says it didn’t steal an open source product

    June 26, 2026
    Cyber Reality

    Digital Identity Protection: 7 Hidden Risks Most Users Miss

    May 25, 2026
    Cyber Reality

    Neural Data Policy: 7 Risks That Brain Privacy Laws Miss

    May 25, 2026
    Add A Comment
    Latest Tech Pulse

    College social app Fizz expands into grocery delivery

    September 3, 20252,290

    12 Father’s Day E-Card Sites That Are Actually Good

    June 4, 202523

    SolarSquare in talks to raise up to $60M as India’s rooftop solar market draws major VC interest

    May 23, 202622
    Stay In Touch
    • YouTube
    • WhatsApp
    • Twitter
    • Pinterest
    • LinkedIn

    Techurz helps readers stay ahead of digital change with clear, practical, future focused technology intelligence written today,searched tomorrow.

    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Company
    • About Us
    • Contact Us
    • Our Authors / Editorial Team
    • Write For Us
    • Advertise
    Policy
    • Editorial Policy
    • Privacy Policy
    • Terms and Conditions
    • Affiliate Disclosure
    • Cookie Policy
    • Disclaimer
    • DMCA
    Explore
    • AI Systems
    • Cyber Reality
    • Future Tech
    • Disruption Lab
    • Signals
    • Tech Pulse
    • Sitemap

    Join the Techurz Brief

    The future does not arrive suddenly.
    Stay ahead with fast, sharp tech signals.

    Type above and press Enter to search. Press Esc to cancel.