TrustConnect: a RAT in disguise
Published by
WINMAG Pro Editorial Team
Tue, 24 March 2026, 05:20

Cybercriminals are increasingly integrating malware into business tools. They abuse trust features such as EV certificates. AI tools also increase the speed at which cybercriminals innovate their attacks, letting them deploy those attacks even faster.


Furthermore, the research shows that:

  • TrustConnect poses as legitimate IT support software but operates as a full-featured backdoor with remote desktop access, command execution, and file transfer.
  • EV certificates are abused: the operator obtained a legitimate Extended Validation certificate. This allows it to digitally sign the malware, so that it bypasses security checks before researchers can coordinate the revocation.
  • The malware is delivered alongside or through legitimate tools such as ScreenConnect and LogMeIn. This reflects a significant overlap with the current cybercriminal infrastructure.
  • After the infrastructure is disrupted, the threat actor switches to new infrastructure, where it begins testing a new version, the so-called DocConnect. This indicates rapid adaptability.
  • Based on artifacts from the ecosystem and operational overlap, researchers conclude that the threat actor was previously involved in Redline stealer activities.


Disrupting malware-as-a-service (MaaS) activities gave cybercriminals the opportunity to fill gaps in the cybercrime market. While these disruptions are effective and come with necessary costs, it appears that cybercriminals will always seek new ways to claim victims. TrustConnect poses as a legitimate remote monitoring and management (RMM) tool, but the lures, attack chains, and follow-up payloads (including RMMs) show similarities to techniques and delivery methods often observed in RMM abuse campaigns, a method used by multiple threat actors. Additionally, it is highly likely that both the TrustConnect and DocConnect websites and agents were coded using AI agents. A new version will be significantly more advanced. Thanks to AI, threat actors rapidly renew their methods, allowing them to maintain momentum. It is therefore even more important to respond to this.

For more information, read the full English report here.
