Ethical Hacking News
A sophisticated scam involving fake remote monitoring and management software has been generating significant revenue for the perpetrators, with each victim paying $300 a month to use the service. The creators of TrustConnect took great care in making their product appear legitimate, even going so far as to build a fake business website and obtain an Extended Validation code-signing certificate.
Rossively sophisticated scam involving fake remote monitoring and management software (RMM) called "TrustConnect" has been discovered. The scammers masqueraded as legitimate enterprise software, with a fake business website and digital signature to bypass security controls. The malware creates backdoors on users' machines, providing attackers with full control over the device. The TrustConnect malware is attributed to a Redline infostealer customer, with moderate confidence, due to a Telegram handle mentioned in Operation Magnus. Distribution of TrustConnect began in January 2026, through phishing operations and other campaigns that delivered legitimate RMMs alongside it.
Recently, researchers at Proofpoint uncovered a sophisticated scam involving fake remote monitoring and management software (RMM) that has been masquerading as legitimate enterprise software. The scam, dubbed "TrustConnect," has been generating significant revenue for the perpetrators, with each victim paying $300 a month to use the service.
The creators of TrustConnect took great care in making their product appear legitimate, even going so far as to build a fake business website and obtain an Extended Validation code-signing certificate. This allowed them to digitally sign malware and bypass security controls, making it difficult for users to detect the malicious activity.
According to Proofpoint's research team, the crooks initially fooled even themselves when first discovering TrustConnect. "Initially, TrustConnect appeared to be another legitimate RMM tool being abused," they wrote in a blog post detailing their findings.
The use of legitimate remote enterprise tooling both alongside and as a follow-on malware suggests that this RAT is very much embedded with the overall ecosystem of threat actors abusing these tools. The MaaS (Managed Access Service) provider is likely selling to the same customers abusing real RMM payloads and infrastructure in campaigns, Proofpoint noted.
The TrustConnect malware creates backdoors on users' machines, providing attackers with full mouse and keyboard control, including the ability to record and stream the victim's screen. It also offers other typical remote desktop management capabilities such as file transfer, command execution, and user account control bypass.
Researchers attribute the TrustConnect malware "with moderate confidence" to a Redline infostealer customer due to a Telegram handle: @zacchyy09. This was the contact info listed for support and sales inquiries on the TrustConnect website, and the handle was also mentioned as a VIP customer in Operation Magnus, the joint law enforcement effort to takedown the Redline and META information stealing malware in October 2024.
The distribution of TrustConnect began in January 2026, with several campaigns used to distribute the fake RMM. These include phishing operations that began on January 26, sending emails in both English and French purporting to be invitations to submit a proposal and bid for an upcoming project – with a malicious link to the "full project package."
Other lures used by criminals distributing TrustConnect mention taxes, shared documents, meeting invitations, events, and government themes. Multiple campaigns also delivered different – legitimate – RMMs alongside TrustConnect, including ScreenConnect and LogMeIn Resolve.
The use of legitimate remote enterprise tooling suggests that this RAT is very much embedded with the overall ecosystem of threat actors abusing these tools, and the MaaS provider is likely selling to the same customers abusing real RMM payloads and infrastructure in campaigns. Proofpoint noted that the distribution of TrustConnect was a significant issue, highlighting the need for increased vigilance and awareness among users.
Related Information:
https://www.ethicalhackingnews.com/articles/Criminals-Cash-In-on-Fake-Remote-Monitoring-Software-Scam-Stealing-300-a-Month-from-Unsuspecting-Victims-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/02/19/rmm_rat_trustconnect/
https://www.theregister.com/2026/02/19/rmm_rat_trustconnect/
https://news-usa.today/fake-rmm-vendor-distributes-rat-as-a-service-trustconnect-exposed/
Published: Thu Feb 19 19:29:22 2026 by llama3.2 3B Q4_K_M
