TestDisk Impersonation Campaign Uses Microsoft-Signed Binary for DLL Sideloading and Deploys ScreenConnect RAT
Recent research has uncovered a sophisticated search engine poisoning campaign that masquerades as the legitimate TestDisk open-source data recovery tool. The attack delivers a trojanized installer that leverages a Microsoft-signed binary for DLL sideloading, ultimately deploying ScreenConnect remote monitoring software to grant attackers persistent hands-on-keyboard access to compromised systems.
The rogue domain, hosted at testdisk[.]dev, closely mirrors the branding of the real CGSecurity project, branding itself as “The Ultimate Open‑Source Data & Partition Recovery Solution” with a fake download option for TestDisk 7.2/7.3. This malicious site ranks in search results alongside the legitimate project, capitalizing on user searches for “TestDisk”.
Obfuscated JavaScript on the phishing site dynamically generates one-time download URLs pointing to delivery domains like direct-download.gleeze[.]com, helping operators evade static URL-based blocking.
Attack Mechanism
When users download the rogue installer, they receive a ZIP file containing testdisk-7.3.exe – a Trojaned installation program. Instead of legitimate TestDisk, this executable is a repurposed Microsoft Setup binary used as a loader in a DLL sideloading attack. When executed:
- The signed Microsoft binary loads a malicious
autorun.dllfrom its working directory. - Defenses may overlook the trusted host executable, allowing the malicious DLL to execute.
- The DLL installs both a real version of TestDisk (to reduce suspicion) and additional malware payloads, establishing persistence.
- A key payload is a trojanized ScreenConnect MSI configured to connect to attacker-controlled infrastructure.
ScreenConnect as Persistent Remote Access Tool
Once deployed, the rogue ScreenConnect auto-registers the compromised system with an external server, granting attackers full remote control capabilities including file transfers, command execution, and network lateral movement. This trend exploits legitimate RMM tools – organizations commonly use ScreenConnect for IT administration – turning them into remote access trojans (RATs). The presence of ScreenConnect can blend into normal administrative activity if not rigorously inventoried.
Mitigation Strategies
Defenders should:
- Monitor domains: testdisk[.]dev,
direct-download.gleeze[.]com, and indicator IP193.42.11.108. - Block file hash:
1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5. - Hunt for unsigned/unusual DLLs loaded by Microsoft-signed binaries, especially in file-recovery contexts (see MITRE ATT&CK T1548.002 for DLL sideloading)
- Implement strict RMM allowlists: ScreenConnect servers and configurations should be pre-approved.
- Block unknown ScreenConnect relay domains and alert on unsanctioned installations.
- Educate users to navigate directly to official sources like the CGSecurity TestDisk domain, bypassing SEO-poisoned search results.