Cybercriminals Use a Business Website to Peddle a Remote Access Trojan as a Legitimate RMM Tool
Cybercriminals Peddle Remote Access Trojan as Legitimate Software
Cybercriminals have established a convincing business website to peddle a remote access trojan (RAT) disguised as a legitimate remote monitoring and management (RMM) tool. The fake RMM software, dubbed TrustConnect, is being sold as a service to other cybercriminals for $300 per month.
The TrustConnect Website and Malware
The threat actors behind TrustConnect built a polished website, complete with fake customer statistics and software documentation, to convince both potential buyers and certificate authorities that the tool is legitimate. The site, hosted on the domain trustconnectsoftware[.]com, also serves as the customers' portal into the command-and-control (C2) panel.
A genuine Extended Validation (EV) code-signing certificate, issued on the strength of the domain and the business front behind it, let the operators sign their binaries so that the RAT slips past signature-based detections and the warnings normally shown for unsigned software. The certificate was revoked on February 6, 2026, but the revocation was not backdated to the certificate's issuance. Because Authenticode treats a signature as valid if the certificate was good at the time recorded by its timestamp countersignature, files signed and timestamped before that date still validate and can continue to be distributed by existing customers. Defenders should therefore hunt by signer thumbprint and subject rather than relying on a "valid signature" verdict.
Distribution and Deployment
TrustConnect is distributed through various campaigns using common lures, including tax-themed emails, DocuSign notifications, and meeting invitations. The operators build fake installers that mimic legitimate software, reusing familiar icons, names, and branding. They also use generic installers branded as TrustConnect, likely intended to pass as a legitimate IT management tool.
Researchers have observed TrustConnect campaigns leading to the deployment of legitimate remote access tools, such as ScreenConnect, from at least nine distinct on-premises servers over a 10-day period. The ScreenConnect instances were older builds signed with expired or revoked certificates, suggesting the licences were obtained illegitimately or the software was pirated.
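Because a revoked or expired code-signing certificate does not by itself invalidate a timestamped signature, the practical check on an endpoint is to look at who signed a binary, not just whether Windows reports the signature as valid. The following PowerShell hunt is an added example written for this page; it is not Proofpoint's code or the TrustConnect tooling. It walks common drop directories, builds the signer's certificate chain with online revocation checking, and reports signer subject and thumbprint, revocation and expiry state, and whether a timestamp countersignature is present. The watchlist values (subject fragments "TrustConnect" and "DocConnect", the empty thumbprint list) and the scanned paths are placeholders, assumed for illustration; populate them from your own threat intelligence.

```powershell
# Added example for this article (not from the Proofpoint report or the TrustConnect code base).
# Hunts for signed executables whose Authenticode signer is on a watchlist, or whose signing
# certificate is revoked or expired, and shows whether a timestamp countersignature exists
# (the reason signatures made before a revocation keep validating).

param(
    # Assumed scan roots: typical locations for dropped installers and RMM agents.
    [string[]]$Paths = @("$env:ProgramData", "$env:LOCALAPPDATA", "$env:TEMP"),
    # Placeholder subject-name fragments; the real signer name is whatever the front company used.
    [string[]]$SubjectWatchlist = @('TrustConnect', 'DocConnect'),
    # Placeholder: fill with known-bad SHA-1 thumbprints from your threat intel.
    [string[]]$ThumbprintWatchlist = @()
)

function Test-SignerChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Get-AuthenticodeSignature's Status does not say *why* a chain fails, so build the chain
    # ourselves with online revocation checking across the whole chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($Cert)

    $flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::NoError
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor $s.Status }
    $F = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

    [pscustomobject]@{
        Revoked           = ([int]($flags -band $F::Revoked)) -ne 0
        RevocationUnknown = ([int]($flags -band $F::RevocationStatusUnknown)) -ne 0
        # NotTimeValid at "now" is expected for an expired cert even when the timestamped
        # signature itself still validates; surfacing it is the point of this column.
        Expired           = ([int]($flags -band $F::NotTimeValid)) -ne 0
        ChainFlags        = $flags
    }
}

$results = foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { return }

        $cert       = $sig.SignerCertificate
        $subjectHit = @($SubjectWatchlist | Where-Object { $cert.Subject -like "*$_*" }).Count -gt 0
        $thumbHit   = $ThumbprintWatchlist -contains $cert.Thumbprint
        $chainInfo  = Test-SignerChain -Cert $cert

        # Emit only what a hunter cares about: a watchlisted signer or a bad/unknown cert state.
        if ($subjectHit -or $thumbHit -or $chainInfo.Revoked -or $chainInfo.Expired -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Path         = $_.FullName
                SigStatus    = $sig.Status
                Subject      = $cert.Subject
                Thumbprint   = $cert.Thumbprint
                NotAfter     = $cert.NotAfter
                Revoked      = $chainInfo.Revoked
                RevUnknown   = $chainInfo.RevocationUnknown
                Expired      = $chainInfo.Expired
                # A timestamp countersignature is why a pre-revocation signature still reports
                # Valid; its presence says nothing about whether the file is trustworthy.
                Timestamped  = [bool]$sig.TimeStamperCertificate
                WatchlistHit = [bool]($subjectHit -or $thumbHit)
            }
        }
    }
}

$results | Sort-Object WatchlistHit, Revoked -Descending | Format-Table -AutoSize
```

Run it in an elevated Windows PowerShell session on a host suspected of carrying a TrustConnect installer or an older ScreenConnect build; a row with SigStatus "Valid", Timestamped "True" and Revoked "True" is exactly the case described above, where a file signed before February 6 still passes a naive signature check. Revocation checking needs network access to the CA's CRL or OCSP endpoint; when that is blocked, RevUnknown will be "True" and the thumbprint column is what to pivot on.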
Disruption and Re-emergence
Proofpoint, a cybersecurity firm, worked with industry partners to disrupt the TrustConnect operation. It collaborated with certificate-intelligence specialists to have the malware's EV code-signing certificate revoked and coordinated action against the C2 environment, which was taken offline on February 17. The disruption proved temporary: the operators shifted to parallel infrastructure and began testing a rebranded, updated version of the platform called DocConnect.
Researchers assess with moderate confidence that the threat actor behind TrustConnect was also a prominent user of the RedLine stealer. They also believe the TrustConnect and DocConnect websites and agents were likely written with the help of AI coding agents.
Conclusion
The short-lived disruption of the TrustConnect operation illustrates the cat-and-mouse game between security firms and threat actors: as one operation is taken down, a rebranded one appears on fresh infrastructure. It also shows why a single control such as certificate revocation is not enough on its own, and why continuous monitoring and cross-industry collaboration are needed to keep pace with emerging threats.
