Don’t trust TrustConnect: This fake remote support tool only helps hackers

After breaking into a system, crooks often install legitimate remote admin tools to keep a foothold on the network — with the risk that the tool’s vendor spots them and locks them out. Now they have a new option: a fake remote monitoring and management (RMM) tool, complete with serious-looking online storefront, built just for them.

“TrustConnect,” the malware-as-a-service (MaaS) spotted by researchers at Proofpoint, has a website to promote it and all the support infrastructure necessary to manage compromised machines. A subscription to it is advertised at $300 per month.

Proofpoint disrupted some of the malware’s infrastructure with help from intelligence partners, the company said in a blogpost, “But the actor demonstrated resilience, with another fake RMM website identified shortly before publication that advertised malware called DocConnect.”

The researchers noted links between the TrustConnect operation and activity involving the RedLine stealer, based on malware characteristics and their own intelligence.

Social engineering for initial access

Victims are tricked into installing TrustConnect under the pretense of legitimate remote support, Proofpoint said. Rather than exploiting vulnerabilities for silent deployment, the attackers depend on user interaction to execute the program.

“Threat actors distributing TrustConnect have used a variety of lure themes including taxes, document shares, meeting invitations, events, and government themes,” the researchers wrote. The MaaS offers its customers varying templates depending on intended brand abuse: “Beginning on 26 January we observed a campaign purporting to be invitations for bids and to an event. Messages were sent from compromised senders and email body copy included both English and French.”

The attackers have also created signed executables that impersonate installers for widely used software such as Zoom, Microsoft Teams, Adobe Reader, and Google Meet, with matching icons and metadata. Victims are encouraged to download them by clicking on a link in an email, which then automatically registers infected systems in the operator’s control panel on the TrustConnect website, essentially making TrustConnect a remote access trojan (RAT).

In one particular campaign leveraging a single compromised sender, lures included URLs leading to ScreenConnect installation from Jan. 31 to Feb. 1, and then on Feb. 3 to TrustConnect and LogMeIn Resolve installations.

Attackers use a dual-purpose website

The TrustConnect website has realistic marketing language, feature descriptions, and documentation that serves both as a public-facing front to promote the software and as a backend portal for customers who purchase access to the tool’s malicious services.

“Cybercriminals are instructed to sign up for a ‘free trial,’ instructed on how to pay in cryptocurrency, and then verify payment in the TrustConnect portal,” the researchers said, adding that the customers are charged $300 per month for a web-based C2 dashboard with a list of devices that have the RAT installed. A subscription allows executing commands, transferring files and connecting remotely to the infected devices.

Additionally, subscribers get a downloadable EXE file, which they are advised to host on their own infrastructure for controlled targeting and better results.

The trustconnectsoftware[.]com domain was created on Jan. 12, 2026.

“The malware creator (also) uses the domain as the ‘business website’ designed to convince the public (including certificate providers) that the software is a legitimate RMM app, providing fake details like customer statistics and software documentation,” Proofpoint researchers wrote.

Proofpoint suspects the actor used large language models (LLMs) to create TrustConnect. It shared a list of indicator URLs to support detection efforts, warning that TrustConnect has potential to become a full-blown campaign, now with a more advanced variant, DocConnect.
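The detection angle in this article comes down to two things a defender can check in egress logs: connections to the published indicator domain, and installer-named executables (Zoom, Teams, Adobe Reader, Google Meet) that arrive from somewhere other than the vendor. The script below is an added example written for this article, not Proofpoint's code or anything from its published indicator list. The only indicator it carries is the trustconnectsoftware[.]com domain and its Jan. 12, 2026 creation date, both from the article; the proxy log lines are constructed, and the vendor-domain allowlist is an illustrative assumption (real vendors also serve installers from CDNs, so tune it before relying on it).

```python
"""Scan web-proxy log lines for RMM-themed download indicators.

Added example for this article (not Proofpoint's code). Indicator domain and
creation date are from the article; log lines and the vendor allowlist are
constructed/assumed for illustration.
"""
from datetime import date
from urllib.parse import urlsplit

# Indicator as it would be published, defanged with [.] so it is not clickable.
DEFANGED_INDICATORS = ["trustconnectsoftware[.]com"]

# Registration dates as a stand-in for a WHOIS/RDAP cache. Only the
# article's domain is populated; anything else returns "unknown".
DOMAIN_CREATED = {"trustconnectsoftware.com": date(2026, 1, 12)}

# Assumed mapping of impersonated product keywords to the domains the real
# installers are expected from. Illustrative allowlist, not authoritative.
IMPERSONATED_PRODUCTS = {
    "zoom": ("zoom.us",),
    "teams": ("microsoft.com",),
    "adobe": ("adobe.com",),
    "reader": ("adobe.com",),
    "meet": ("google.com",),
}

INSTALLER_SUFFIXES = (".exe", ".msi")

# Constructed proxy log lines (not real traffic): "<timestamp> <client> <method> <url>".
SAMPLE_LOGS = [
    "2026-02-03T09:12:44Z 10.0.0.21 GET https://trustconnectsoftware.com/download/TrustConnect.exe",
    "2026-02-03T09:13:02Z 10.0.0.21 GET https://cdn.docshare-invite.test/files/ZoomInstaller.exe",
    "2026-02-03T09:20:10Z 10.0.0.34 GET https://zoom.us/client/latest/ZoomInstallerFull.exe",
    "2026-02-03T09:25:00Z 10.0.0.34 GET https://www.example.test/index.html",
    "this line is malformed and must be skipped",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a plain domain or URL."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, or the input itself if it has no scheme."""
    if "://" not in url:
        return url.lower()
    return (urlsplit(url).hostname or "").lower()


def host_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def parse_log_line(line: str):
    """Parse one log line into a dict; None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, method, url = parts
    filename = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": host_of(url), "filename": filename}


def domain_age_days(host: str, seen_on: date):
    """Days between registration and observation, or None if unknown."""
    for domain, created in DOMAIN_CREATED.items():
        if host_matches(host, domain):
            return (seen_on - created).days
    return None


def scan_logs(lines, indicators=DEFANGED_INDICATORS, young_days=30):
    """Return a list of hits, each with client, host and the reasons it fired."""
    ioc_hosts = [host_of(refang(i)) for i in indicators]
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        reasons = []
        if any(host_matches(rec["host"], h) for h in ioc_hosts):
            reasons.append("known indicator")
        if rec["filename"].endswith(INSTALLER_SUFFIXES):
            # Installer named after a well-known product but not served by its vendor.
            for keyword, vendors in IMPERSONATED_PRODUCTS.items():
                if keyword in rec["filename"] and not any(
                        host_matches(rec["host"], v) for v in vendors):
                    reasons.append(f"{keyword} installer from non-vendor host")
            age = domain_age_days(rec["host"], date.fromisoformat(rec["ts"][:10]))
            if age is not None and age < young_days:
                reasons.append(f"installer from {age}-day-old domain")
        if reasons:
            hits.append({"client": rec["client"], "host": rec["host"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit["client"], hit["host"], "; ".join(hit["reasons"]))
```

Run as-is, it flags the first two constructed lines (the indicator domain download, and a Zoom-named installer from an unrelated host) and leaves the genuine zoom.us download and the plain page fetch alone. The domain-age rule is deliberately gated on installer downloads so that ordinary browsing to new sites does not page anyone.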
