In February 2026, cybersecurity researchers uncovered a new type of malware-as-a-service (MaaS) that poses as a legitimate remote monitoring and management (RMM) tool. Dubbed TrustConnect, this threat specifically masquerades as enterprise-grade RMM software while functioning as a Remote Access Trojan (RAT) — giving attackers covert, persistent control over compromised systems.
Malware-as-a-Service Disguised as RMM
RMM tools are legitimate applications used by IT administrators to manage endpoints remotely. Threat actors often abuse these tools by deploying them via phishing campaigns or bundling them with malware. What makes TrustConnect noteworthy is that it pretends to be an RMM product in its own right, rather than simply piggybacking on existing software.
TrustConnect’s ecosystem revolves around a fraudulent “business portal” website that markets the RAT like a commercial service. The threat actor behind it even acquired a digital Extended Validation (EV) certificate to make the infrastructure appear authentic, improving its chances of evading security tools that trust signed binaries.
How the Scheme Works
1. Fake Marketing Front
The TrustConnect website (e.g., trustconnectsoftware[.]com) is engineered to look like software vendor marketing and support pages, complete with fake documentation, brand imagery, and automated content generation (likely via LLM). This site also doubles as the malware’s Command & Control (C2) panel for subscribing attackers.
2. Subscription-Based Malware Distribution
Attackers can register an account, pay a subscription (advertised as USD $300/month via cryptocurrency), and gain access to:
- A web-based C2 dashboard
- Automated payload generation with digital signatures
- Remote desktop capabilities
- “Branded” installer builds that impersonate common applications (e.g., Zoom, Microsoft Teams)
Because these installers carry legitimate-looking signatures, they can evade some defensive controls that rely on code signing as a trust signal.
3. Phishing and Malware Campaigns
Proofpoint observed multiple email campaigns using TrustConnect payloads. Emails were crafted with social engineering themes — invitations to bids, meeting notices, tax forms, government events, and other lures — to trick recipients into executing malicious installers. These campaigns often bundled TrustConnect with legitimate remote administration tools, further confusing defenders.
Inside the Malware’s Architecture
Once executed, TrustConnect RAT establishes communication with its C2 infrastructure and checks in with the remote server using the same API interface as the web portal. Indicators of compromise include:
- API endpoints like POST /api/agents/register
- Infected devices showing up on the attacker dashboard
- PowerShell-based deployment scripts
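Detection logic for the check-in indicators above, as an added example (not code from Proofpoint's report or from any tool it names): it parses proxy-log lines in a constructed format, matches the domain and registration endpoint quoted in the text, and rates a path-only hit lower because unrelated software could expose the same route.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators quoted in the text; the domain is written defanged there and re-fanged here.
REGISTER_PATH = "/api/agents/register"
KNOWN_HOSTS = {d.replace("[.]", ".") for d in {"trustconnectsoftware[.]com"}}

# Constructed log format (assumption): timestamp, source host, method, full URL, status.
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")

# Constructed sample proxy lines (not captured traffic).
SAMPLE_LOGS = [
    "2026-02-11T09:14:02Z ws-101 POST https://trustconnectsoftware.com/api/agents/register 200",
    "2026-02-11T09:14:05Z ws-102 GET https://login.microsoftonline.com/ 200",
    "2026-02-11T09:15:41Z ws-103 POST https://updates.example-cdn.net/api/agents/register 200",
    "2026-02-11T09:16:10Z ws-101 GET https://trustconnectsoftware.com/ 200",
    "2026-02-11T09:17:00Z ws-104 GET https://example.org/api/agents/register/help 200",
]

def parse_line(line):
    """Parse one proxy line into a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    parts = urlsplit(url)
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status,
            "host": parts.hostname or "", "path": parts.path or "/"}

def classify(entry):
    """Return (confidence, reasons); a path-only hit is 'medium' and needs corroboration."""
    reasons = []
    if entry["host"] in KNOWN_HOSTS:
        reasons.append("known TrustConnect domain")
    if entry["method"] == "POST" and entry["path"] == REGISTER_PATH:
        reasons.append("agent registration endpoint")
    if not reasons:
        return "none", reasons
    return ("high" if entry["host"] in KNOWN_HOSTS else "medium"), reasons

def hunt(lines):
    """Group suspicious entries by source host: {src: [(confidence, url, reasons)]}."""
    findings = defaultdict(list)
    for entry in filter(None, map(parse_line, lines)):
        confidence, reasons = classify(entry)
        if confidence != "none":
            findings[entry["src"]].append((confidence, entry["url"], reasons))
    return dict(findings)
```

Running `hunt(SAMPLE_LOGS)` flags ws-101 twice at high confidence and ws-103 once at medium, while the GET to a different path on ws-104 is ignored.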
The RAT supports typical remote access malware functionality, including:
- Remote desktop control with full keyboard and mouse access
- File transfer and system information gathering
- Execution of arbitrary commands
- Grouping of devices for coordinated operations
A notable design choice is that audit logs cannot be disabled, which ensures that victims’ activity is recorded — but this information is logged for the attacker’s benefit.
Implications for Security Defenders
RMM Tools as an Attack Vector
The TrustConnect case reinforces how remote administration tools — whether legitimate or not — are attractive to threat actors. RATs grant attackers full control over systems, often bypassing firewalls and network security controls. RATs of this nature allow:
- Persistent access
- Data exfiltration
- Lateral movement within networks
(For general RAT behavior context, see Proofpoint’s RAT definition.)
MaaS Services Lower Barriers
By offering malware via a subscription model with branded dashboards and C2 automation, operators lower the technical barrier for less skilled cybercriminals. This aligns with broader trends in the cybercriminal ecosystem, where Malware-as-a-Service reduces complexity and increases attack volume.
Conclusions and Best Practices
TrustConnect represents a sophisticated evolution in RAT delivery, combining phishing, social engineering, code signing abuse, and legitimate-looking infrastructure to deceive victims and security tools alike. Organizations should:
- Treat unexpected executable attachments with high suspicion
- Deploy advanced threat detection that does not rely solely on code signing
- Educate users about phishing lures that weaponize business and event themes
- Monitor remote access behaviors for anomalous activity
The emergence of TrustConnect highlights that trust is the new attack surface, and that defenders must adapt beyond traditional signatures and reputation-based indicators to detect threats that masquerade as legitimate enterprise software.
