Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: MODERATE
Likelihood is high because the campaign has been actively running across 90+ domains since at least August 2025, targets a routine employee behavior (downloading widely used software), weaponizes SEO so that poisoned results surface ahead of legitimate download pages, and requires no vulnerability exploitation, only a user action that happens daily in most organizations.

Impact is high because a successful infection delivers persistent, privileged remote access with Microsoft Defender tampered with to suppress detection. That foothold is a viable launchpad for lateral movement, data exfiltration, ransomware deployment, or resale of access to a broker, any of which constitutes material operational and financial harm.
Treatment rationale: The attack vector (unsanctioned software download from internet search) is directly addressable through application allowlisting, software procurement controls, DNS filtering, and user awareness — making mitigation the appropriate primary treatment rather than acceptance or transfer, since the root exposure is a controllable internal behavior.
Third-Party / Supply-Chain Risk
ConnectWise ScreenConnect is impersonated in this campaign. Organizations that permit employees to self-download remote-access tooling from external sources face amplified risk: the impersonated product is itself a privileged remote-management tool, which both increases the plausibility of the lure and raises the damage potential of a successful install. Organizations relying on third-party IT vendors or MSPs that use ScreenConnect should obtain installers through official vendor channels only and verify integrity at ingestion (NIST SP 800-161 C-SCRM: verify software provenance in the supply chain, apply integrity checks at ingestion). The check should compare the installer's code-signing publisher and SHA-256 hash against values taken from the vendor's own portal, not from the page that served the download, since a trojanized installer can carry a perfectly valid Authenticode signature from an unrelated signer.
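The following PowerShell script is an added example of the ingestion check described above; it is not part of the original assessment and is not ConnectWise tooling. It rejects an installer unless the Authenticode signature chains to a trusted root, the signer subject matches an expected publisher string, and the file hash matches a vendor-published SHA-256. The signer pattern `CN=ConnectWise` and the empty reference hash are placeholders (assumptions) that must be replaced with values copied from the vendor's official download portal; the Mark-of-the-Web check is advisory and only reports where the file came from.

```powershell
# Added example (not from the original report or the vendor): gate a downloaded
# installer on Authenticode status, signer subject and a vendor-published SHA-256.
# ASSUMPTIONS: $ExpectedSignerPattern and $ExpectedSha256 are placeholders; take
# both from the vendor's official portal, never from the page that served the file.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [string] $ExpectedSignerPattern = 'CN=ConnectWise',   # assumption: set to the vendor's real signing-cert subject
    [string] $ExpectedSha256 = ''                          # assumption: paste the vendor-published hash here
)

function Test-InstallerProvenance {
    param([string] $Path, [string] $SignerPattern, [string] $Sha256)

    $reasons = @()

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reasons = @('file not found') }
    }

    # 1. Mark-of-the-Web (advisory): browsers write a Zone.Identifier stream on NTFS.
    #    ZoneId=3 means Internet zone; HostUrl/ReferrerUrl show where it actually came from.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone -and ($zone -join "`n") -match 'ZoneId=3') {
        $reasons += 'origin: Internet zone (' + (($zone | Where-Object { $_ -match 'Url=' }) -join '; ') + ')'
    }

    # 2. Authenticode: Status must be Valid (signature intact AND chain trusted).
    #    A Valid status alone is not enough; the signer must also be the expected publisher,
    #    because a trojanized build can be validly signed by an unrelated certificate.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons += "authenticode status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($SignerPattern)) {
        $reasons += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # 3. Out-of-band hash: compare against the value published by the vendor.
    if ([string]::IsNullOrWhiteSpace($Sha256)) {
        $reasons += 'no vendor reference hash supplied'
    } else {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $Sha256.Trim().ToUpperInvariant()) {
            $reasons += "sha256 mismatch: got $actual"
        }
    }

    # Only an advisory origin note (reason 1) is tolerated; any other finding rejects the file.
    $blocking = $reasons | Where-Object { $_ -notlike 'origin:*' }
    [pscustomobject]@{
        Path    = $Path
        Verdict = if ($blocking.Count -eq 0) { 'ACCEPT' } else { 'REJECT' }
        Reasons = $reasons
    }
}

$r = Test-InstallerProvenance -Path $InstallerPath -SignerPattern $ExpectedSignerPattern -Sha256 $ExpectedSha256
$r | Format-List
if ($r.Verdict -ne 'ACCEPT') { exit 1 }
```

Run it as `.\Test-Installer.ps1 -InstallerPath .\ScreenConnect.ClientSetup.msi -ExpectedSha256 <hash from vendor portal>` before the file is ever executed or handed to a deployment tool. The script deliberately fails closed when no reference hash is supplied: a signature check alone will pass any installer signed by a certificate the attacker controls, and the point of the control is to require a second, vendor-sourced fact.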
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M+ depending on organizational size, data sensitivity, and attacker follow-on action; ransomware or full network compromise scenarios push the upper bound materially higher
Frequency: For an organization with no application allowlisting and unrestricted internet software downloads: illustrative 1 infection event per 12–24 months given campaign scale and broad targeting; organizations with enforced download controls drop to very low frequency
Annualized: Illustrative ALE: moderate-to-high — wide range driven by uncertainty in whether infection results in contained endpoint compromise vs. full lateral movement and data exfiltration; no single-figure ALE is defensible without org-specific data
Basis: Loss magnitude derived from the attacker capability delivered (persistent privileged access + Defender suppression + lateral movement potential), not from any third-party loss report. Frequency derived from campaign breadth (90+ domains, active since August 2025, globally distributed), the ubiquity of the lured software categories among knowledge workers, and the absence of an exploit requirement. No external benchmark figures were used.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Confirmed infection with data exfiltration may invoke state and federal breach-notification obligations depending on data types accessed — verify with counsel.
• AsyncRAT implant providing unauthorized third-party access to systems holding PII, PHI, or payment card data may trigger cyber-insurance incident-notification requirements — verify with broker.
• If infected endpoint was used to access or process customer or partner data, contractual data-protection obligations (DPAs, MSAs) may require counterparty notification — verify with counsel.