Criminals Sell RAT Disguised as RMM for $300/Month
#Regulation


Regulation Reporter

Proofpoint uncovers TrustConnect, a fake remote management vendor selling a RAT as legitimate enterprise software, complete with a fake website and EV certificate.

Criminals have created a fake remote management vendor called TrustConnect that sells a remote access trojan (RAT) disguised as legitimate enterprise software for $300 per month, according to researchers at Proofpoint.

Fake RMM Vendor with Real Credentials

The attackers behind TrustConnect went to extraordinary lengths to make their malicious product appear legitimate. They created a professional-looking business website at trustconnectsoftware[.]com, obtained a legitimate Extended Validation (EV) code-signing certificate, and even built fake documentation and customer statistics to convince potential buyers and certificate providers that their software was genuine.

"Initially, TrustConnect appeared to be another legitimate RMM tool being abused," Proofpoint's research team said in their Thursday post. The domain was created on January 12, and the website content was likely generated by AI, according to the researchers.

The EV certificate was revoked on February 6, but it had already been used to sign malware files, and those signatures remain valid. Proofpoint credits researchers at The Cert Graveyard for assisting in the certificate revocation process.

RATaaS: Remote Access Trojan as a Service

TrustConnect operates as a "RATaaS": a remote access trojan sold as a service. The same website that markets the fake RMM also serves as the command-and-control center for the malware and as the platform where criminals purchase monthly subscriptions using cryptocurrency.

Once installed, the RAT provides attackers with full mouse and keyboard control over victim machines, screen recording and streaming capabilities, file transfer functionality, command execution, and user account control bypass. This gives criminals complete remote desktop management capabilities while maintaining persistent access to infected systems.

Infrastructure Disruption and Quick Recovery

Proofpoint, working with anonymous industry partners, disrupted the RAT's command-and-control infrastructure hosted at 178[.]128[.]69[.]245 on February 17. However, the operators quickly pivoted to new infrastructure and began testing a rebranded version called "DocConnect" or "SHIELD OS v1.0."

"Shortly before publication of this report, Proofpoint analysts identified a pivot to parallel infrastructure and testing of a new agent payload," the researchers wrote.

Distribution Campaigns and Attribution

The malware has been distributed through various phishing campaigns, including one that began January 26. These emails, sent in both English and French, pretended to be invitations to submit proposals for upcoming projects. The malicious links led to an executable file called MsTeams.exe, which dropped TrustConnectAgent.exe and communicated with the RAT's command-and-control server.
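The indicators named in this article (the C2 address disrupted on February 17, the vendor domain, and the MsTeams.exe dropper that writes TrustConnectAgent.exe) are enough to build a simple telemetry check. The following is an added example, not code from Proofpoint or from the article: it refangs the indicators as printed above and runs them over a few constructed endpoint log lines whose field layout (`event=process` with `image`/`parent`, `event=network` with `dst_ip`/`dst_host`) is an assumption for this example.

```python
"""Match endpoint telemetry against the TrustConnect indicators reported
by Proofpoint. The log lines and their field layout are constructed for
this example; only the indicator values come from the report."""
import re
from dataclasses import dataclass


def refang(value):
    """Turn the report's defanged form ("178[.]128[.]69[.]245") into a matchable string."""
    return value.replace("[.]", ".")


# Indicators exactly as printed in the report, refanged for matching.
C2_IPS = {refang("178[.]128[.]69[.]245")}
C2_DOMAINS = {refang("trustconnectsoftware[.]com")}
DROPPER_NAMES = {"msteams.exe"}          # malicious executable linked from the phishing emails
AGENT_NAMES = {"trustconnectagent.exe"}  # RAT agent dropped by MsTeams.exe


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\w+) (?P<rest>.*)")


def parse_fields(rest):
    """Parse key="value" pairs from the remainder of a log line."""
    return dict(re.findall(r'(\w+)="([^"]*)"', rest))


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(line):
    """Return the alerts raised by a single log line (possibly none)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    host, event = m["host"], m["event"]
    fields = parse_fields(m["rest"])
    image = basename(fields.get("image", ""))
    alerts = []
    if event == "process":
        parent = basename(fields.get("parent", ""))
        if image in DROPPER_NAMES:
            alerts.append(Alert(host, "trustconnect_dropper", f"{image} started by {parent}"))
        if image in AGENT_NAMES or parent in DROPPER_NAMES:
            alerts.append(Alert(host, "trustconnect_agent", f"{image} spawned by {parent}"))
    elif event == "network":
        hits = [v for v in (fields.get("dst_ip"), fields.get("dst_host"))
                if v in C2_IPS or v in C2_DOMAINS]
        if hits:
            alerts.append(Alert(host, "trustconnect_c2", f"{image} -> {', '.join(hits)}"))
    return alerts


def scan(lines):
    """Run every line through the rules and return all alerts in log order."""
    return [a for line in lines for a in evaluate(line)]


# Constructed telemetry: one infected workstation (WS-17) and one clean one (WS-22).
SAMPLE_LOG = """\
2026-02-10T09:14:02Z host=WS-17 event=process image="C:\\Users\\alice\\Downloads\\MsTeams.exe" parent="C:\\Windows\\explorer.exe"
2026-02-10T09:14:05Z host=WS-17 event=process image="C:\\Users\\alice\\AppData\\Local\\Temp\\TrustConnectAgent.exe" parent="C:\\Users\\alice\\Downloads\\MsTeams.exe"
2026-02-10T09:14:09Z host=WS-17 event=network image="C:\\Users\\alice\\AppData\\Local\\Temp\\TrustConnectAgent.exe" dst_ip="178.128.69.245" dst_host="trustconnectsoftware.com"
2026-02-10T09:20:00Z host=WS-22 event=network image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst_ip="93.184.216.34" dst_host="example.com"
2026-02-10T09:21:00Z host=WS-22 event=process image="C:\\Program Files\\WindowsApps\\MSTeams_x64\\ms-teams.exe" parent="C:\\Windows\\explorer.exe"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"{alert.host}: {alert.rule} ({alert.detail})")
```

Because the operators pivoted to new infrastructure and a rebranded agent within days of the February 17 takedown, the IP and domain rules here will go stale quickly; the process-lineage rule (an agent dropped by a file posing as a Teams installer) is the part worth keeping, generalised to whatever names the next campaign uses.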

Message volumes varied significantly between campaigns, from a few dozen to fewer than a thousand emails, sent to anywhere from fewer than ten to over one hundred recipients, according to Proofpoint threat researcher Selena Larson.

Proofpoint attributes the TrustConnect malware "with moderate confidence" to a Redline infostealer customer based on a Telegram handle: @zacchyy09. This handle was listed for support and sales inquiries on the TrustConnect website and was also mentioned as a VIP customer in Operation Magnus, the joint law enforcement effort that took down Redline and META information-stealing malware in October 2024.

Part of Growing RMM Abuse Trend

TrustConnect represents a sophisticated evolution in the growing trend of criminals abusing remote monitoring and management software. Security firm Huntress reported a 277 percent increase in RMM abuse in 2025 compared to the previous year, accounting for 24 percent of all observed incidents.

Criminals prefer legitimate commercial software for attacks because it helps them blend into enterprise IT environments. Enterprises already use and trust many RMM tools, making them ideal for maintaining long-term access and deploying ransomware, info-stealers, and other malware.

The TrustConnect operation also distributed legitimate RMMs like ScreenConnect and LogMeIn Resolve alongside their RAT, suggesting the malware is deeply embedded in the broader ecosystem of threat actors abusing these tools.

The $300 monthly subscription fee for what appears to be enterprise-grade remote management software represents an attractive price point for criminals seeking reliable backdoor access to victim systems, making this RATaaS model potentially profitable for its operators despite the sophisticated infrastructure required to maintain the deception.
