Crims create fake remote management vendor that actually sells a RAT
$300 a month buys you a backdoor that looks like legit software
Researchers at Proofpoint late last month uncovered what they describe as a "weird twist" on the growing trend of criminals abusing remote monitoring and management software (RMM) as their preferred attack tools.
These folks created an entirely fake RMM vendor that purports to sell enterprise software for $300 a month. In fact, it's a remote access trojan (RAT) being sold as a service. Call it a RATaaS.
The criminals behind the malware took great care to make their product appear legitimate, giving it the name TrustConnect. They even built a fake business website and obtained a legitimate Extended Validation code-signing certificate to digitally sign malware and allow it to bypass security controls.
REG AD
At first, the crooks even fooled Proofpoint’s threat hunters themselves. "Initially, TrustConnect appeared to be another legitimate RMM tool being abused," the company’s research team said in a Thursday post.
REG AD
Criminals prefer using legitimate, commercial software for nefarious purposes because it makes it easier for them to hide inside enterprise IT environments.
Over the past year or so, RMM tools have moved to the top of attackers' must-have list. There are many of them to choose from, enterprises already use and trust many of these tools, and they provide a direct, remote pipeline to victims' machines for deploying ransomware, info-stealers, and other malware, and maintaining long-term access to infected systems.
Security shop Huntress, in its annual cyber threat report released this week, noted skyrocketing RMM abuse, jumping 277 percent in 2025 compared to the year prior and accounting for 24 percent of all observed incidents.
Abuse of Trust(Connect)
The domain, trustconnectsoftware[.]com, was created on January 12 and the website there was probably written by an AI, according to Proofpoint.
"The malware creator uses the domain as the 'business website' designed to convince the public (including certificate providers) that the software is a legitimate RMM app, providing fake details like customer statistics and software documentation," the team wrote.
This website is also where criminals purchase (via cryptocurrency) a monthly subscription to use the service, and it acts as a command-and-control (C2) center for the malware.
The domain also likely made it easier for the malware operators to purchase a legitimate EV certificate to sign the malware. While the certificate has since been revoked as of February 6, any files signed before then remain valid. Proofpoint credits researchers at The Cert Graveyard for assisting in the revocation of the certificate.
REG AD
The malware's C2, hosted on 178[.]128[.]69[.]245, was also disrupted by Proofpoint and anonymous industry partners as of February 17. However, that doesn't appear to be costing the operators any business as they quickly spun up new infrastructure and began testing a rebranded version of the RAT.
"Shortly before publication of this report, Proofpoint analysts identified a pivot to parallel infrastructure and testing of a new agent payload, called 'DocConnect' or 'SHIELD OS v1.0,'" the researchers wrote.
The RAT backdoors users' machines and gives attackers full mouse and keyboard control, allowing them to record and stream the victim's screen. It also provides other typical remote desktop management capabilities such as file transfer, command execution, and user account control bypass.
Redline infostealer ties
Proofpoint has attributed the TrustConnect malware "with moderate confidence" to a Redline infostealer customer due to a Telegram handle: @zacchyy09. This was the contact info listed for support and sales inquiries on the TrustConnect website, and the handle was also mentioned as a VIP customer in Operation Magnus, the joint law enforcement effort to takedown the Redline and META information stealing malware in October 2024.
In the blog, the threat hunters detail several campaigns used to distribute the fake RMM, including a phishing operation that began January 26. The emails, sent in both English and French, purported to be invitations to submit a proposal and bid for an upcoming project – with a malicious link to the "full project package."
The URL leads to an executable file, MsTeams.exe, that drops another executable called TrustConnectAgent.exe and communicates with the TrustConnect RAT C2 server.
“Message volumes ranged from a few dozen to fewer than a thousand per campaign,” Proofpoint threat researcher Selena Larson, told The Register. “Campaigns also varied in terms of the number of customers receiving the messages which ranged from less than ten to over one hundred.”
REG AD
Other lures used by criminals distributing TrustConnect mention taxes, shared documents, meeting invitations, events, and government themes, we're told.
Plus, multiple campaigns delivered different – legitimate – RMMs alongside TrustConnect, including ScreenConnect and LogMeIn Resolve.
"The use of legitimate remote enterprise tooling both alongside and as a follow-on malware suggest this RAT is very much embedded with the overall ecosystem of threat actors abusing these tools, and the MaaS provider is likely selling to the same customers abusing real RMM payloads and infrastructure in campaigns," Proofpoint noted. ®