TestDisk Impersonation Campaign Uses Microsoft-Signed Binary for DLL Sideloading and Deploys ScreenConnect RAT

Recent research has uncovered a sophisticated search engine poisoning campaign that masquerades as the legitimate TestDisk open-source data recovery tool. The attack delivers a trojanized installer that leverages a Microsoft-signed binary for DLL sideloading, ultimately deploying ScreenConnect remote monitoring software to grant attackers persistent hands-on-keyboard access to compromised systems.

The rogue domain, hosted at testdisk[.]dev, closely mirrors the branding of the real CGSecurity project, branding itself as “The Ultimate Open‑Source Data & Partition Recovery Solution” with a fake download option for TestDisk 7.2/7.3. This malicious site ranks in search results alongside the legitimate project, capitalizing on user searches for “TestDisk”.

Obfuscated JavaScript on the phishing site dynamically generates one-time download URLs pointing to delivery domains like direct-download.gleeze[.]com, helping operators evade static URL-based blocking.

Attack Mechanism

When users download the rogue installer, they receive a ZIP file containing testdisk-7.3.exe – a Trojaned installation program. Instead of legitimate TestDisk, this executable is a repurposed Microsoft Setup binary used as a loader in a DLL sideloading attack. When executed:

  1. The signed Microsoft binary loads a malicious autorun.dll from its working directory.
  2. Defenses may overlook the trusted host executable, allowing the malicious DLL to execute.
  3. The DLL installs both a real version of TestDisk (to reduce suspicion) and additional malware payloads, establishing persistence.
  4. A key payload is a trojanized ScreenConnect MSI configured to connect to attacker-controlled infrastructure.

ScreenConnect as Persistent Remote Access Tool

Once deployed, the rogue ScreenConnect auto-registers the compromised system with an external server, granting attackers full remote control capabilities including file transfers, command execution, and network lateral movement. This trend exploits legitimate RMM tools – organizations commonly use ScreenConnect for IT administration – turning them into remote access trojans (RATs). The presence of ScreenConnect can blend into normal administrative activity if not rigorously inventoried.

Mitigation Strategies

Defenders should:

  • Monitor domains: testdisk[.]dev, direct-download.gleeze[.]com, and indicator IP 193.42.11.108.
  • Block file hash: 1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5.
  • Hunt for unsigned/unusual DLLs loaded by Microsoft-signed binaries, especially in file-recovery contexts (see MITRE ATT&CK T1548.002 for DLL sideloading)
  • Implement strict RMM allowlists: ScreenConnect servers and configurations should be pre-approved.
  • Block unknown ScreenConnect relay domains and alert on unsanctioned installations.
  • Educate users to navigate directly to official sources like the CGSecurity TestDisk domain, bypassing SEO-poisoned search results.

Related Articles

Back to top button