Search poisoning aimed at users looking for the open-source recovery utility TestDisk is being used to slip a trojanised installer onto Windows machines, abuse a Microsoft-signed binary for DLL sideloading and install ConnectWise ScreenConnect, giving attackers remote access under the cover of a legitimate administration tool. The campaign centres on a rogue site, testdisk[.]dev, that imitates the branding and download flow of the genuine TestDisk project while steering victims away from CGSecurity, the real home of the software.
The operation stands out because it blends familiar tactics with careful presentation. The fake site reportedly offers free downloads for TestDisk 7.2 and 7.3, echoing the real project’s language about open-source partition and data recovery. Yet the authentic TestDisk site states plainly that the tool is portable and does not require users to run an installer, a detail that sharply undercuts the credibility of any supposed standalone setup package promoted by lookalike domains.
According to threat intelligence shared by Palo Alto Networks’ Unit 42, the malicious download chain delivers a trojanised TestDisk package that ultimately pushes ScreenConnect for initial access. Public reporting on the case says the attackers also used a Microsoft-signed binary to sideload a malicious DLL, a method that helps malicious code run inside the trust halo of a legitimate executable and can reduce the chance of immediate detection by users or basic security controls.
That choice of payload is significant. ScreenConnect is a legitimate remote access and monitoring product within the ConnectWise ecosystem, marketed for remote troubleshooting and device management. In a corporate setting, software of that kind is common and often necessary. In the wrong hands, however, it gives an intruder the sort of “hands-on keyboard” access usually associated with an early foothold inside a compromised network. The problem is not the tool itself but the method of installation and the intent behind it.
The TestDisk lure also fits a broader pattern that security researchers have been tracking over the past several months. NCC Group said in March 2026 that an unknown actor had been running an SEO poisoning campaign since October 2025, using impersonation sites for more than 25 popular applications and repeatedly relying on ScreenConnect to gain initial access before delivering other malware, including AsyncRAT. Researchers said the operator had refined its infrastructure over time, shifting from static download URLs to randomised token-based delivery mechanisms. That wider backdrop suggests the TestDisk case is not an isolated gimmick but part of an increasingly polished playbook that turns ordinary web searches into infection paths.
Microsoft has documented a parallel trend. In March, its Defender Security Research Team described campaigns in which signed malware masquerading as well-known workplace applications deployed RMM tools such as ScreenConnect, Tactical RMM and Mesh Agent to establish persistence. Those incidents were delivered through phishing rather than poisoned search results, but the overlap matters: attackers are repeatedly pairing trusted branding, apparently legitimate software and authentic administrative tools to lower suspicion and extend access after the first compromise.
For defenders, the lesson is as much procedural as technical. Users hunting for utilities through search engines remain exposed to copycat domains that can rank highly enough to look credible. Brand familiarity works in the attackers’ favour, especially when the decoy page appears clean, functional and consistent with the real product’s purpose. Security teams, meanwhile, need to look beyond the simple presence of a signed executable or an established remote management product. The more telling indicators are how the file arrived, whether an unsigned or unexpected DLL was loaded beside a signed binary, and whether outbound connections point to suspicious infrastructure tied to spoofed download portals. Public reporting linked this campaign to domains including testdisk[.]dev and direct-download[.]gleeze[.]com, as well as an IP address flagged in shared indicators.
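As an added illustration (not code from the article or from Unit 42, NCC Group or Microsoft), the following triage routine applies those two indicators to Sysmon-style telemetry: a Microsoft-signed binary loading a non-Microsoft DLL from a user-writable directory, and outbound connections to the spoofed download portals named in public reporting. The event fields, paths and file names are assumptions and placeholders, not artefacts from the campaign.

```python
from dataclasses import dataclass

# User-writable directory fragments; a signed binary dropped here beside the
# DLL it loads is the sideloading pattern the article describes.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
# Domains named in public reporting on the campaign, kept defanged in code.
SPOOFED_PORTALS = {"testdisk[.]dev", "direct-download[.]gleeze[.]com"}

@dataclass
class ImageLoad:            # one Sysmon-style image-load event (assumed fields)
    process_image: str      # binary that performed the load
    process_signer: str     # "" when unsigned
    loaded_image: str       # DLL that was loaded
    loaded_signer: str      # "" when unsigned

def dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]

def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Microsoft-signed host loading a non-Microsoft DLL from its own,
    user-writable directory: the signed-binary + unexpected-DLL indicator."""
    if ev.process_signer.lower() != "microsoft corporation":
        return False
    if ev.loaded_signer.lower() == "microsoft corporation":
        return False
    host_dir = dirname(ev.process_image)
    if dirname(ev.loaded_image) != host_dir:
        return False
    return any(fragment in host_dir for fragment in USER_WRITABLE)

def triage(events):
    return [e for e in events if is_sideload_candidate(e)]

def refang(host: str) -> str:
    return host.replace("[.]", ".").lower()

def suspicious_destinations(hosts):
    """Outbound connection hosts that match the spoofed download portals."""
    known = {refang(h) for h in SPOOFED_PORTALS}
    return [h for h in hosts if refang(h) in known]

# Constructed sample telemetry; the host binary and DLL names are placeholders,
# not the actual files used in the campaign.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", "Microsoft Corporation",
              r"C:\Windows\System32\ntdll.dll", "Microsoft Corporation"),
    ImageLoad(r"C:\Users\alice\Downloads\TestDisk-7.3\SIGNED-HOST-PLACEHOLDER.exe",
              "Microsoft Corporation",
              r"C:\Users\alice\Downloads\TestDisk-7.3\PAYLOAD-PLACEHOLDER.dll", ""),
]
SAMPLE_HOSTS = ["update.microsoft.com", "direct-download[.]gleeze[.]com", "example.org"]
```

Neither check is proof of compromise on its own; the point is to correlate the load event with how the binary arrived (a browser download from an unfamiliar domain) before escalating.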
Follow Arabian Post