rss-bridge 2026-03-01T04:04:26.439402169+00:00

Don’t trust TrustConnect: This fake remote support tool only helps hackers


A fake remote monitoring tool, supported by a subscription service and a website used to promote it, is used to manage compromised systems.

[Image: stock photo of a hacker with malware code on a computer screen]

Credit: Tero Vesalainen / Shutterstock

After breaking into a system, crooks often install legitimate remote admin tools to keep a foothold on the network — with the risk that the tool’s vendor spots them and locks them out. Now they have a new option: a fake remote monitoring and management (RMM) tool, complete with serious-looking online storefront, built just for them.

“TrustConnect,” the malware-as-a-service (MaaS) spotted by researchers at Proofpoint, has a website to promote it and all the support infrastructure necessary to manage compromised machines. A subscription to it is advertised at $300 per month.

Proofpoint disrupted some of the malware’s infrastructure with help from intelligence partners, the company said in a blog post, “But the actor demonstrated resilience, with another fake RMM website identified shortly before publication that advertised malware called DocConnect.”

The researchers noted links between the TrustConnect operation and activity involving the RedLine stealer, based on malware characteristics and their own intelligence.

Social engineering for initial access

Victims are tricked into installing TrustConnect under the pretense of legitimate remote support, Proofpoint said. Rather than exploiting vulnerabilities for silent deployment, the attackers depend on user interaction to execute the program.

“Threat actors distributing TrustConnect have used a variety of lure themes including taxes, document shares, meeting invitations, events, and government themes,” the researchers wrote. The MaaS offers its customers varying templates depending on intended brand abuse: “Beginning on 26 January we observed a campaign purporting to be invitations for bids and to an event. Messages were sent from compromised senders and email body copy included both English and French.”

The attackers have also created signed executables that impersonate installers for widely used software such as Zoom, Microsoft Teams, Adobe Reader, and Google Meet, with matching icons and metadata. Victims are encouraged to download them by clicking on a link in an email, which then automatically registers infected systems in the operator’s control panel on the TrustConnect website, essentially making TrustConnect a remote access trojan (RAT).

In one particular campaign leveraging a single compromised sender, lures included URLs leading to ScreenConnect installation from Jan. 31 to Feb. 1, and then on Feb. 3 to TrustConnect and LogMeIn Resolve installations.

Attackers use a dual-purpose website

The TrustConnect website has realistic marketing language, feature descriptions, and documentation that serves both as a public-facing front to promote the software and as a backend portal for customers who purchase access to the tool’s malicious services.

“Cybercriminals are instructed to sign up for a ‘free trial,’ instructed on how to pay in cryptocurrency, and then verify payment in the TrustConnect portal,” the researchers said, adding that the customers are charged $300 per month for a web-based C2 dashboard with a list of devices that have the RAT installed. A subscription allows executing commands, transferring files and connecting remotely to the infected devices.

Additionally, the subscribers get a downloadable EXE file recommended to upload on their own hosting for controlled targeting and better results.

The trustconnectsoftware[.]com domain was created on Jan. 12, 2026.

“The malware creator (also) uses the domain as the ‘business website’ designed to convince the public (including certificate providers) that the software is a legitimate RMM app, providing fake details like customer statistics and software documentation,” Proofpoint researchers wrote.

Proofpoint suspects the actor used large language models (LLMs) to create TrustConnect. It shared a list of indicator URLs to support detection efforts, warning that TrustConnect has potential to become a full-blown campaign, now with a more advanced variant, DocConnect.
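Indicators such as the domain above are usually published defanged (`[.]`, `hxxp`) so they cannot be clicked by accident, and a defender has to refang them before matching against logs. The following is an added example, not code from the article or from Proofpoint: it refangs a small indicator list and scans constructed proxy-log lines for hosts that are the indicator domain or one of its subdomains. The log format, the internal IP addresses and the URL paths are assumed for the example; only the `trustconnectsoftware[.]com` domain comes from the article. The matcher deliberately rejects look-alike hosts where the indicator appears only as a prefix or as a leading label of a different domain.

```python
import re
from urllib.parse import urlsplit

# Indicator domain named in the article, in its published defanged form.
DEFANGED_INDICATORS = [
    "trustconnectsoftware[.]com",
]

# Constructed proxy-log lines for the example (not real telemetry).
# Assumed format: <timestamp> <client-ip> <method> <url> <status>
SAMPLE_LOG = """\
2026-02-03T09:12:44Z 10.0.5.17 GET https://portal.trustconnectsoftware.com/download/setup.exe 200
2026-02-03T09:13:01Z 10.0.5.17 GET https://www.example.com/index.html 200
2026-02-03T09:14:10Z 10.0.7.2 GET https://trustconnectsoftware.com/ 200
2026-02-03T09:15:30Z 10.0.7.2 GET https://trustconnectsoftware.com.lookalike.test/ 200
2026-02-03T09:16:05Z 10.0.9.4 GET https://nottrustconnectsoftware.com/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Turn common defanged notation back into a matchable value."""
    return (
        indicator.strip()
        .replace("[.]", ".")
        .replace("(.)", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
        .lower()
    )


def indicator_domain(indicator: str) -> str:
    """Refang an indicator and reduce a full URL indicator to its hostname."""
    value = refang(indicator)
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")
    return value.rstrip(".")


def host_matches(host: str, domain: str) -> bool:
    """True only for the indicator domain itself or a proper subdomain of it.

    A plain substring or endswith() check would also flag
    'nottrustconnectsoftware.com', so the label boundary is enforced.
    """
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan_log(lines, indicators):
    """Return one hit record per log line whose host matches an indicator."""
    domains = [indicator_domain(i) for i in indicators]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        host = (urlsplit(m["url"]).hostname or "").rstrip(".")
        for d in domains:
            if host_matches(host, d):
                hits.append({"ts": m["ts"], "src": m["src"], "host": host, "indicator": d})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines(), DEFANGED_INDICATORS):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']} (matches {hit['indicator']})")
```

Matching on the hostname rather than on the raw line avoids both false negatives from URL paths or ports and false positives from look-alike registrations; the two hits the sample produces are the internal clients that reached the indicator domain and its subdomain, which is the starting point for host triage.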

Tags: Network Security, Security, Malware, Cybercrime, Social Engineering


