What happened
Researchers from NCC Group and FOX-IT uncovered an SEO poisoning campaign that has been targeting Windows users since at least October 2025 by pushing fake download pages for more than 25 popular applications to the top of search results. The lures impersonate software such as VLC Media Player, OBS Studio, KMS Tools, and CrosshairX, and deliver ZIP archives containing both the real software and a hidden malicious component. Once executed, the campaign uses DLL sideloading to launch a hidden installer, deploys ScreenConnect as a service disguised as Microsoft Update Service, and ultimately injects AsyncRAT into RegAsm.exe through a multi-stage infection chain that includes VBScript, PowerShell, and in-memory .NET loaders. The attackers also used fake Schema.org ratings and multilingual hreflang tags to improve the credibility and ranking of the lure sites.
Who is affected
Windows users searching for and downloading popular software from spoofed search results are affected, particularly those who install trojanized ZIP archives that bundle legitimate applications with hidden malicious files.
Why CISOs should care
The campaign shows how attackers are combining search engine manipulation, trusted software brands, and staged malware delivery to compromise systems while reducing suspicion by launching the legitimate application after infection.
3 practical actions
- Restrict software downloads to official vendor sources. Users should avoid downloading applications from search-result pages that are not verified vendor websites.
- Monitor for unauthorized ScreenConnect deployments. The infection chain uses ScreenConnect as a disguised service to maintain access.
- Hunt for AsyncRAT execution indicators. Researchers pointed to process hollowing in RegAsm.exe and related persistence mechanisms as key host-based signals.
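The second and third actions above translate directly into host-based hunt logic. The following is an added example written for this brief, not code from NCC Group or FOX-IT: it runs two checks over constructed, Sysmon-style event records (the paths, service names and parent processes in the sample data are invented for illustration), flagging a service whose image is a ScreenConnect binary or whose "Microsoft Update" style name points outside System32, and RegAsm.exe launched by a script host or with no arguments. The list of "expected" RegAsm.exe parents is an assumption a team would tune to its own build tooling.

```python
import re

# Constructed sample events, roughly shaped like Sysmon / System-log fields.
# None of these paths or names are real indicators from the campaign.
SAMPLE_EVENTS = [
    {"type": "service_install", "name": "Microsoft Update Service",
     "image": r"C:\ProgramData\MSUpdate\ScreenConnect.ClientService.exe"},
    {"type": "service_install", "name": "wuauserv",
     "image": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "RegAsm.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Program Files\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": "RegAsm.exe /codebase mylib.dll"},
]

SCREENCONNECT_RE = re.compile(r"screenconnect|connectwisecontrol", re.I)
MS_UPDATE_NAME_RE = re.compile(r"microsoft\s*update", re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Assumed benign launchers of RegAsm.exe (build tools, interactive shells); tune per estate.
EXPECTED_REGASM_PARENTS = ("msbuild.exe", "devenv.exe", "cmd.exe", "explorer.exe")


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def check_service(ev):
    """Flag service installs that match the disguised-ScreenConnect pattern."""
    if ev.get("type") != "service_install":
        return None
    image = ev["image"]
    if SCREENCONNECT_RE.search(image):
        return ("screenconnect_service",
                f"ScreenConnect binary registered as service '{ev['name']}': {image}")
    # Genuine update services run from System32; an update-themed name elsewhere is suspect.
    if MS_UPDATE_NAME_RE.search(ev["name"]) and not image.lower().startswith(r"c:\windows\system32"):
        return ("update_name_outside_system32",
                f"Update-themed service '{ev['name']}' with image outside System32: {image}")
    return None


def check_regasm(ev):
    """Flag RegAsm.exe launches consistent with use as an injection host."""
    if ev.get("type") != "process_create" or basename(ev["image"]) != "regasm.exe":
        return None
    parent = basename(ev.get("parent", ""))
    args = ev.get("cmdline", "").split()[1:]
    if parent in SCRIPT_HOSTS:
        return ("regasm_script_parent",
                f"RegAsm.exe spawned by script host {parent}")
    # A legitimate RegAsm run registers an assembly, so it carries arguments;
    # a bare RegAsm.exe from an unexpected parent is a hollowing candidate.
    if not args and parent not in EXPECTED_REGASM_PARENTS:
        return ("regasm_no_args",
                f"RegAsm.exe started with no arguments by {parent or 'unknown parent'}")
    return None


def hunt(events):
    """Run both checks over an iterable of event dicts; return (rule, message) hits."""
    hits = []
    for ev in events:
        for check in (check_service, check_regasm):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for rule, message in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {message}")
```

On the sample data this yields two hits: the ScreenConnect binary behind the "Microsoft Update Service" name, and RegAsm.exe started bare from PowerShell. The MSBuild-launched RegAsm.exe with registration arguments is left alone, which is the distinction a hunt query needs in order to avoid paging on developer workstations.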
