Kaspersky says 90+ spoofed domains use malicious installers and SEO to deliver AsyncRAT to Windows systems through ScreenConnect.
Securonix says PureLogs infection starts with a fake PDF JavaScript file and uses PowerShell, fileless .NET loading, and LOLBins.