Crims create fake remote management vendor that actually sells a RAT
Summary
Researchers at Proofpoint uncovered a deceptive operation in which criminals created a fake remote monitoring and management (RMM) vendor called TrustConnect that, for $300 a month, actually supplies a Remote Access Trojan (RAT) as a service (RATaaS). The operators built a convincing website, bought an Extended Validation (EV) code‑signing certificate to make their malware appear legitimate, and used the site both as a storefront and command‑and‑control (C2) portal.
Proofpoint and industry partners disrupted the primary C2 and got the EV certificate revoked, but the adversaries quickly spun up new infrastructure and began testing rebranded payloads (e.g. ‘DocConnect’ / ‘SHIELD OS v1.0’). The RAT provides full remote control (mouse/keyboard, screen streaming), file transfer, command execution and privilege bypass. Distribution campaigns included phishing lures (English and French) delivering a MsTeams.exe that drops TrustConnectAgent.exe. Proofpoint links the operation with moderate confidence to a Redline infostealer customer via a Telegram handle used on the fake site.
Key Points
- Attackers created a fake RMM vendor, TrustConnect, that sells a RAT disguised as legitimate enterprise software for $300/month.
- They obtained a legitimate EV code‑signing certificate to sign malware and evade security controls; the certificate was revoked but previously signed files remain valid.
- The TrustConnect website doubled as a sales portal and the RAT’s command‑and‑control infrastructure.
- Proofpoint and partners disrupted the main C2 and helped revoke the EV cert, but operators rapidly moved to parallel infrastructure and rebranded payloads.
- The RAT grants attackers full remote access (screen recording/streaming, mouse/keyboard control), file transfer, command execution and account control bypass.
- Distribution used phishing lures and bundled legitimate RMM tools alongside TrustConnect to blend into normal enterprise environments.
- Proofpoint links the campaign to a Redline infostealer customer via a reused Telegram handle, suggesting ties into existing MaaS ecosystems.
- RMM abuse is rising sharply — Huntress reported a 277% jump in RMM abuse in 2025, accounting for 24% of observed incidents.
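As an added defender-side example (not from the article, Proofpoint or Huntress), the PowerShell hunt below enumerates signed executables on an endpoint and flags any whose file name or signer subject matches the TrustConnect indicators named above, without trusting the signature status, because a timestamped signature made before the EV certificate was revoked can still verify as Valid. The scan roots and the signer-subject pattern are assumptions to adjust for your environment.

```powershell
# Added hunting example, not code from the article. Flags binaries whose name or
# Authenticode signer matches the TrustConnect indicators named in the reporting.
# Assumptions (placeholders): scan roots and the signer-subject pattern below.

$ScanRoots = @("$env:ProgramData", "$env:LOCALAPPDATA", "$env:TEMP", "$env:ProgramFiles")
$SuspectNames = @('TrustConnectAgent.exe', 'MsTeams.exe')   # file names from the reporting
$SuspectSubjectPattern = 'TrustConnect'                      # assumed signer-subject substring

function Find-SuspectSignedBinaries {
    param([string[]]$Roots, [string[]]$Names, [string]$SubjectPattern)

    $findings = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $nameHit = $Names -contains $_.Name
            $subjHit = ($subject -ne '') -and ($subject -match $SubjectPattern)
            if ($nameHit -or $subjHit) {
                $findings += [pscustomobject]@{
                    Path       = $_.FullName
                    # Deliberately not filtered on: a timestamped signature made before
                    # revocation can still report 'Valid', so triage on signer, not status.
                    SigStatus  = $sig.Status
                    Signer     = $subject
                    Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
                    Reason     = if ($nameHit -and $subjHit) { 'name+signer' } elseif ($nameHit) { 'name' } else { 'signer' }
                }
            }
        }
    }
    return $findings
}

# A name-only hit on MsTeams.exe needs the Signer column checked: genuine Microsoft
# Teams binaries are signed by Microsoft, so a non-Microsoft signer is the real signal.
Find-SuspectSignedBinaries -Roots $ScanRoots -Names $SuspectNames -SubjectPattern $SuspectSubjectPattern |
    Format-Table -AutoSize
```

Pivot from any hit on the Thumbprint: the same signer certificate on other files is how you find rebranded drops after the vendor name changes.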
Why should I read this?
Short version: crooks are pretending to be vendors so their backdoors look legit. If you manage endpoints or buy enterprise tools, this matters now. The story shows attackers using EV certs, realistic websites and phishing to sell a fully featured RAT. Read it so you know what to spot and block before someone pays $300 a month to own your kit.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/02/19/rmm_rat_trustconnect/
