Current Cyber Threats

Don't TrustConnect: It's a RAT in an RMM Hat

Summary:
Proofpoint threat researchers have uncovered a Malware-as-a-Service (MaaS) operation branded as TrustConnect, a deceptive evolution in the Remote Monitoring and Management (RMM) threat landscape. Where typical cybercriminal activity abuses legitimate tools such as ScreenConnect or AnyDesk, the operators of TrustConnect built an entire fraudulent ecosystem from the ground up to mimic a professional software vendor. The campaign, which surfaced in early 2026, uses a polished "business website" (trustconnectsoftware[.]com), likely crafted with the assistance of Large Language Models (LLMs), to provide a facade of legitimacy. The site includes fabricated customer testimonials, software documentation, and a working portal where affiliate cybercriminals can buy subscriptions for approximately $300 USD per month, paid in cryptocurrency. To bypass endpoint security solutions and reputation-based filtering, the threat actor passed the verification process required to obtain an Extended Validation (EV) code-signing certificate. Issued to the shell entity "TrustConnect Software PTY LTD" in South Africa, this certificate let the malware, a full-featured Remote Access Trojan (RAT), present itself as trusted software to Windows and to many EDR platforms. The RAT supports shell command execution, file exfiltration, and real-time remote desktop streaming over WebSockets.

The campaign's delivery methods are equally diverse: compromised email accounts send lures such as "bid invitations" and "event notifications" in multiple languages. Although Proofpoint and its intelligence partners coordinated the revocation of the EV certificate in early February 2026, the threat actor proved operationally resilient. Almost immediately after TrustConnect was disrupted, the actor stood up a nearly identical infrastructure under the name DocConnect, signaling an ongoing and adaptive threat to organizations worldwide.


Security Officer Comments:
This campaign highlights a critical shift in the "chain of trust." The actor is exploiting the human and technical verification processes behind code signing rather than a software vulnerability. For organizations, the primary risk is the erosion of the "signed binary" as a reliable indicator of safety: a help desk technician or system administrator who sees a validly signed "TrustConnect" or "DocConnect" agent is less likely to report it than an unsigned executable, even though the signature says nothing about the vendor's intent.

The impact of a TrustConnect infection is substantial. Because the tool is designed to mimic RMM software, its behavior (such as remote desktop streaming and file transfers) often blends in with legitimate administrative activity. This allows an attacker to maintain long-term persistence, harvest credentials, and eventually deploy secondary payloads like ransomware without triggering standard behavioral alerts. We assess with moderate confidence that the actors behind this service were previously prominent users of Redline Stealer, suggesting they possess a deep understanding of how to monetize stolen data and access. For our members, this means that a single TrustConnect infection should be treated not just as a malware incident, but as a precursor to a full-scale network intrusion.


Suggested Corrections:
To defend against TrustConnect and its successors like DocConnect, organizations should implement a multi-layered defense strategy focused on application control and network visibility:
  • RMM Allow-Listing: Organizations should strictly enforce a "deny-by-default" policy for all remote administration tools. Only pre-approved RMM software should be permitted to execute. Any unauthorized RMM-like activity should trigger an immediate high-priority alert.
  • Certificate Revocation Checks: Ensure that all endpoints perform real-time certificate revocation checks (OCSP/CRL) rather than relying on cached revocation lists or failing open when revocation servers are unreachable. Two caveats apply. First, revocation only invalidates the signature; Windows does not block execution of a binary whose signature fails validation unless an application control policy (WDAC or AppLocker) or SmartScreen enforces it. Second, if the revocation takes effect from a date later than the signature's timestamp, binaries timestamped before that date may still validate. Treat the revocation as a detection aid, not as a preventive control.
  • WebSocket Monitoring: Security teams should monitor for persistent outbound WebSocket (WS/WSS) connections to non-standard or newly registered domains. TrustConnect relies on these protocols for its C2 heartbeat and remote viewing capabilities.
  • Hunting for NRDs (Newly Registered Domains): Implement DNS filtering or SIEM alerts for any connection attempts to domains registered within the last 30 days. Both trustconnectsoftware[.]com and networkservice[.]cyou were utilized shortly after registration.
  • Scripting & PowerShell Security: Since the malware is often delivered via PowerShell loaders, enforce PowerShell Constrained Language Mode (most reliably through a WDAC or AppLocker policy, since the environment-variable method of enabling it is trivially bypassed) and enable script block logging (event ID 4104) so that loader content is captured even when obfuscated. Monitor for high-risk cmdlets and for download-and-execute patterns such as Invoke-WebRequest or DownloadString output piped into Invoke-Expression.
  • User Education: Update security awareness training to specifically address the risk of "shadow RMM." Employees should be instructed never to download "support agents" or "connectivity tools" from links in unsolicited emails, even if the website looks professional and the software appears "digitally signed."
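The allow-listing, WebSocket and newly-registered-domain checks above can be combined into one triage pass over endpoint or proxy telemetry. The script below is an added example written for this page, not Proofpoint's code or anything from the TrustConnect report; its log schema (JSON lines with host, process, destination, an HTTP upgrade field and session duration), the RMM allow list, the thresholds, the domain registration table and the domain names in it are all assumptions constructed for the demonstration. In production the registration lookup would be an RDAP/WHOIS or threat-intel feed, and the page's own indicators (trustconnectsoftware[.]com, networkservice[.]cyou) would be queried the same way.

```python
"""Triage network events for shadow-RMM indicators (added example).

Flags (1) persistent WebSocket sessions opened by any process that is
not an approved RMM agent and (2) any connection to a domain registered
within the last 30 days. Schema, allow list, thresholds and domain data
are assumptions made for this example, not values from the report.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumed corporate policy: only these RMM executables are approved.
RMM_ALLOWLIST = {"ScreenConnect.ClientService.exe", "AnyDesk.exe"}

NRD_WINDOW = timedelta(days=30)      # "newly registered" threshold
PERSISTENT_WS_SECONDS = 600          # assumed: a ten-minute WS channel is a heartbeat, not a page

# Stand-in for an RDAP/WHOIS lookup. Domain names and dates are constructed.
DOMAIN_REGISTERED = {
    "vendor-cdn.example": datetime(2021, 3, 2, tzinfo=timezone.utc),
    "rmm-portal.example": datetime(2026, 1, 20, tzinfo=timezone.utc),
}

# Constructed proxy/EDR log lines, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-02-03T09:12:00Z","host":"ws-114","process":"AnyDesk.exe","dest":"vendor-cdn.example","port":443,"upgrade":"websocket","duration_s":5400}
{"ts":"2026-02-03T09:15:10Z","host":"ws-114","process":"chrome.exe","dest":"vendor-cdn.example","port":443,"upgrade":"websocket","duration_s":30}
{"ts":"2026-02-03T09:20:00Z","host":"ws-207","process":"supportagent.exe","dest":"rmm-portal.example","port":443,"upgrade":"websocket","duration_s":7200}
{"ts":"2026-02-03T09:21:00Z","host":"ws-207","process":"supportagent.exe","dest":"rmm-portal.example","port":443,"upgrade":"websocket","duration_s":7300}
{"ts":"2026-02-03T09:25:00Z","host":"ws-301","process":"powershell.exe","dest":"rmm-portal.example","port":443,"upgrade":"","duration_s":2}
"""

NOW = datetime(2026, 2, 3, 10, 0, tzinfo=timezone.utc)  # reference time for the sample


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def domain_age(domain, now):
    """Age of a domain's registration, or None when no record is available.

    Unknown is deliberately not treated as old: the caller should queue a lookup.
    """
    registered = DOMAIN_REGISTERED.get(domain)
    return None if registered is None else now - registered


def triage(events, now=NOW, allowlist=RMM_ALLOWLIST):
    """Return one alert per (host, process, dest) tuple with all reasons merged.

    Severity is 'high' when both an unapproved persistent WebSocket channel and
    a newly registered destination are present, 'medium' for either alone.
    """
    merged = {}
    for ev in events:
        reasons = set()
        is_ws = ev.get("upgrade") == "websocket"
        is_persistent = ev.get("duration_s", 0) >= PERSISTENT_WS_SECONDS
        if is_ws and is_persistent and ev["process"] not in allowlist:
            reasons.add("persistent websocket from unapproved process")
        age = domain_age(ev["dest"], now)
        if age is not None and age <= NRD_WINDOW:
            reasons.add("destination registered within 30 days")
        if reasons:
            key = (ev["host"], ev["process"], ev["dest"])
            merged.setdefault(key, set()).update(reasons)

    alerts = []
    for (host, process, dest), reasons in sorted(merged.items()):
        alerts.append({
            "host": host,
            "process": process,
            "dest": dest,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": sorted(reasons),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the sample data the approved AnyDesk session and the short browser WebSocket produce nothing, the unapproved agent talking over a long-lived WebSocket to a two-week-old domain is escalated to high, and the PowerShell process reaching the same domain is flagged on the domain alone. Merging on (host, process, dest) keeps a noisy heartbeat from generating one alert per reconnect while still preserving every reason for the escalation.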

Link(s):
https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat