In short: In early July 2026, Kaspersky uncovered a large campaign of more than 90 fake websites that impersonate popular free software — OBS Studio, Bandicam, DNS Jumper, DS4Windows and others. Pushed to the top of search results by SEO poisoning, they hand out installers that quietly plant the AsyncRAT trojan and a hidden remote-access tool, letting attackers steal passwords and control the PC. Download apps only from the official vendor site.
What happened
Researchers at Kaspersky reported a coordinated operation built around more than 90 counterfeit "download" pages registered in about 10 languages. Each site copies the look of a well-known free program and offers a ready-made installer. The campaign ran from roughly October 2025 through the end of March 2026, with domain registrations peaking in February 2026 — but Kaspersky notes that many of the fraudulent pages are still live today, so the risk has not gone away.
The lure is ordinary software people search for every day: the OBS Studio streaming app, the Bandicam screen recorder, the DNS Jumper and DS4Windows utilities, Glary Utilities and similar tools. Because the fake pages were tuned for search engines, they often appeared right next to — or above — the genuine project. The safest habit is to type the vendor's address yourself; our guide on how to download software (and a VPN) safely walks through the checks.
How the trojan gets in
The downloaded archive looks convincing because it actually installs the real program — so nothing seems wrong. Hidden alongside it is a legitimate, Microsoft-signed executable and a malicious DLL. Using a trick called DLL sideloading, the signed file loads the attacker's library as if it were a trusted component, sailing past basic checks.
That library quietly deploys ScreenConnect, a real remote-management tool, which then runs PowerShell scripts to switch off Windows Defender and finally injects the AsyncRAT trojan into a system process. AsyncRAT is a remote-access trojan: it gives the intruder a live line into the machine to log keystrokes, harvest saved passwords and browser sessions, and return whenever they like. It is the same credential-theft engine behind the giant password leaks we have covered before.
What it means for your data
Because a working app really does install, victims have no obvious "I ran something bad" moment. Meanwhile the trojan can lift the passwords stored in your browser, capture what you type, and hand persistent remote control to a stranger — on home PCs and, dangerously, on work laptops connected to corporate systems. Stolen logins are then reused for further break-ins or sold on. This is why a single careless download can quietly turn into an exposure of your personal data weeks later.
Search results are not a safety signal. Ranking high does not mean a site is genuine — attackers deliberately game that. Treating the first result as trustworthy is exactly the reflex this campaign exploits.
How to protect yourself
Go to the official source. Type the vendor's domain yourself or use a saved bookmark instead of clicking the top search hit. On phones, install only from the official app stores.
Check what you launched. Be wary if an installer bundles extra tools, asks to disable your antivirus, or triggers a remote-management service. Keep Windows and your security software updated and enabled — see how the layers fit in our overview of how a VPN, antivirus and firewall work together.
Reduce the blast radius. Use long, unique passwords and a password manager so one stolen login cannot open everything, and turn on two-factor authentication. Our guide on protecting an account from hacking covers the basics.
Encrypt your connection on untrusted networks. A VPN will not undo a trojan already on your device, but on public or shared Wi-Fi it stops attackers on the same network from intercepting your traffic or steering you to a fake page. LiMP VPN is a no-logs service for iOS and Android — see the features and plans, and more privacy news on our blog.
Sources
This report is based on the Kaspersky / Securelist investigation (July 2026), covered in English by The Hacker News and in Russian by SecurityLab, with the vendor advisory from Kaspersky.
