Crims create fake remote management vendor that actually sells a RAT
Summary
Criminals created a fake RMM vendor, "TrustConnect," which is actually a RAT sold as a service. They used a professional-looking website and a legitimate code-signing certificate to appear authentic, distributing it via phishing campaigns.
Fake RMM vendor is actually a remote access trojan
Security researchers have uncovered a fake remote monitoring and management software vendor that is actually a remote access trojan sold as a service. The malware, called TrustConnect, was discovered by researchers at Proofpoint in late January.
The criminals created a sophisticated facade, including a business website and a legitimate Extended Validation code-signing certificate. A valid EV signature lets a binary slip past controls that trust signed code, such as Windows SmartScreen reputation checks and signer-based application allowlists, more easily than an unsigned executable would.
RMM abuse is skyrocketing
Criminals increasingly prefer abusing legitimate commercial software for attacks because it helps them hide within enterprise IT environments. Remote monitoring and management tools have become a top choice.
These tools provide a direct pipeline to victims' machines for deploying ransomware and stealing information. Security firm Huntress reported a 277 percent jump in RMM abuse in 2025 compared to the prior year, with such abuse now accounting for 24 percent of all incidents the firm observed.
A convincing fake business
The operators registered the domain trustconnectsoftware[.]com on January 12. Proofpoint assesses the website content was likely written by an AI.
The site served a dual purpose: to convince the public and certificate providers of legitimacy, and to act as a command-and-control center. Customers purchased monthly subscriptions using cryptocurrency.
- Fake customer statistics and software documentation were posted.
- The site was used to obtain a legitimate EV code-signing certificate.
- It functioned as the malware's command hub.
The certificate was revoked on February 6, but revocation does not retroactively break signatures: a file signed and timestamped before the revocation date still passes Authenticode checks, so defenders should block the signer's thumbprint and known file hashes rather than rely on the revocation. The primary command server was also disrupted by February 17.
Malware capabilities and quick recovery
The TrustConnect RAT gives attackers full control over infected machines. Its capabilities are extensive.
- Full mouse and keyboard control
- Screen recording and streaming
- File transfer and command execution
- User Account Control (UAC) bypass
Despite the infrastructure takedown, the operators quickly recovered. They pivoted to new servers and began testing a rebranded version called "DocConnect" or "SHIELD OS v1.0."
Attribution and distribution campaigns
Proofpoint attributes the malware "with moderate confidence" to a customer of the Redline infostealer. The link is a Telegram handle, @zacchyy09, listed for support on the fake website.
This same handle was mentioned as a VIP customer during Operation Magnus, the 2024 law enforcement takedown of Redline and META stealers.
The malware was distributed through multiple phishing campaigns starting January 26. Lures included:
- Emails posing as project proposal invitations
- Messages about taxes, shared documents, and government themes
- Fake meeting and event invitations
In some campaigns, TrustConnect was delivered alongside legitimate RMM tools like ScreenConnect and LogMeIn Resolve. This blending tactic further embeds the malicious activity within normal enterprise traffic.
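Two points above carry a practical consequence for defenders: a revoked certificate does not invalidate files that were signed and timestamped before the revocation date, and a malicious agent delivered alongside ScreenConnect or LogMeIn Resolve looks like ordinary RMM traffic unless the organisation knows which RMM products it actually licenses. The following is an added example, not Proofpoint's or Huntress's code, of how a detection engineer might triage process-creation telemetry against those two facts. Everything in it is assumed: the approved-product list, the blocklisted thumbprint (a placeholder, since the article does not publish the TrustConnect certificate's real one), the file-description strings used to recognise products, the drop-folder paths, and the sample events, which are constructed rather than real telemetry.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ---- Inputs a defender must supply (all placeholders here) ----------------

# RMM products the organisation actually licenses. Any other remote-access
# agent is unexpected by definition, even if its signature checks out.
APPROVED_RMM = {"ScreenConnect"}

# Leaf code-signing certificates to treat as hostile regardless of what the
# OS says about signature validity: a file signed and timestamped before the
# revocation date still verifies as "Valid". Placeholder thumbprint; the
# article does not publish the TrustConnect certificate's real one.
BLOCKED_SIGNER_THUMBPRINTS = {"0" * 40}

# Substrings of a binary's FileDescription mapped to a product name
# (assumed strings; adjust to the metadata your telemetry records).
KNOWN_RMM = {
    "screenconnect": "ScreenConnect",
    "logmein resolve": "LogMeIn Resolve",
    "trustconnect": "TrustConnect",
}
GENERIC_RMM_HINTS = ("remote access", "remote support", "remote control")

# Locations a phishing-delivered installer typically lands in (assumed).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.IGNORECASE
)


@dataclass
class ProcessEvent:
    host: str
    image: str              # full path of the launched binary
    description: str        # FileVersionInfo.FileDescription of the binary
    signer_thumbprint: str  # SHA-1 of the leaf signing cert, "" if unsigned
    signature_status: str   # what the OS reports, e.g. "Valid", "NotSigned"


def classify_rmm(ev: ProcessEvent) -> Optional[str]:
    """Return the RMM product a process belongs to, "Unknown RMM" for
    remote-access tooling with no mapping, or None if it is not RMM."""
    desc = ev.description.lower()
    for needle, product in KNOWN_RMM.items():
        if needle in desc:
            return product
    if any(hint in desc for hint in GENERIC_RMM_HINTS):
        return "Unknown RMM"
    return None


def evaluate(ev: ProcessEvent) -> list:
    """Apply the three checks to one event and return its findings."""
    findings = []
    # 1. Hostile signer: fires even when the OS still says "Valid".
    if ev.signer_thumbprint.upper() in BLOCKED_SIGNER_THUMBPRINTS:
        findings.append(
            f"blocked-signer: {ev.image} on {ev.host} "
            f"(OS reports signature {ev.signature_status})"
        )
    product = classify_rmm(ev)
    if product is None:
        return findings
    # 2. Remote-access agent that IT never licensed.
    if product not in APPROVED_RMM:
        findings.append(f"unapproved-rmm: {product} running on {ev.host}")
    # 3. Even an approved product is suspect when launched from a drop folder.
    if USER_WRITABLE.match(ev.image):
        findings.append(f"rmm-from-user-path: {product} at {ev.image}")
    return findings


def run_detections(events: list) -> dict:
    """Findings keyed by host; hosts with nothing suspicious are omitted."""
    report: dict = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            report.setdefault(ev.host, []).extend(hits)
    return report


# Constructed sample telemetry, not real events; paths and thumbprints are
# illustrative only.
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
                 "ScreenConnect Client Service", "A" * 40, "Valid"),
    ProcessEvent("WS-02", r"C:\Users\jdoe\Downloads\TrustConnect_Setup.exe",
                 "TrustConnect Remote Support", "0" * 40, "Valid"),
    ProcessEvent("WS-03", r"C:\Users\asmith\AppData\Local\Temp\ResolveInstaller.exe",
                 "LogMeIn Resolve Agent", "B" * 40, "Valid"),
    ProcessEvent("WS-04", r"C:\Windows\System32\notepad.exe", "Notepad", "C" * 40, "Valid"),
]

if __name__ == "__main__":
    for host, hits in run_detections(SAMPLE_EVENTS).items():
        print(host)
        for hit in hits:
            print("  ", hit)
```

Run as written, WS-02 produces three findings (blocked signer while the OS still reports the signature valid, unapproved product, launched from Downloads) and WS-03 two (unapproved product from a Temp folder), while the licensed ScreenConnect client in Program Files and Notepad produce none. The first check is the one that matters after a revocation like the February 6 one: it keys on the signer thumbprint, not on whether the signature currently verifies.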