Fake RMM Vendor TrustConnect Caught Selling Signed Malware

Proofpoint Links New “TrustConnect” Malware Platform to RedLine Ecosystem

Published on Feb 23, 2026
TrustConnect MaaS Poses as RMM, Sells EV-Signed RAT for USD 300/Month

Cybersecurity researchers have uncovered a new Malware-as-a-Service (MaaS) platform, dubbed TrustConnect, that masquerades as a legitimate Remote Monitoring and Management (RMM) tool while delivering a Remote Access Trojan (RAT).

According to Proofpoint, the domain trustconnectsoftware[.]com was registered on Jan. 12, 2026, and presented as a business website for “TrustConnect Agent.”

In reality, it worked as both a criminal customer portal and command-and-control (C2) server. Subscriptions were advertised at USD 300 per month, payable in cryptocurrency.

The actor, whom Proofpoint linked to prior use of the RedLine stealer, obtained an Extended Validation (EV) code-signing certificate issued in the name “TrustConnect Software PTY LTD,” valid from Jan. 27, 2026. EV certificates require enhanced vetting of the applicant organization and can cost thousands of dollars.

When abused, they let malware present as software from a vetted company, clearing reputation-based controls such as Microsoft SmartScreen that would otherwise warn on an unknown signer. Proofpoint worked with researchers at The Cert Graveyard to have the certificate revoked on Feb. 6, 2026. Revocation does not retroactively break every sample, however: a binary countersigned by a timestamp authority before the revocation date continues to validate unless the CA backdates the revocation to the certificate’s issue date, so previously signed samples can still pass signature checks.
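A quick triage sweep for binaries signed with the abused certificate, as an added example that is not part of Proofpoint’s report or tooling. It matches on the signer subject from the article rather than on signature status, because a timestamped sample can still report Valid after revocation. The search root, file-type filter, and output fields are assumptions; Get-AuthenticodeSignature only inspects the embedded signature, and revocation checking depends on the host being able to reach the CA’s CRL/OCSP endpoints.

```powershell
# Added example: hunt for PE files whose Authenticode signer matches the
# abused "TrustConnect Software PTY LTD" subject reported in the article.
# $Root and the *.exe/*.dll filter are assumptions for illustration.
param(
    [string]$Root = 'C:\Users',
    [string]$SignerPattern = 'TrustConnect Software'
)

Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Unsigned files have no SignerCertificate; skip them.
        if ($null -eq $sig.SignerCertificate) { return }
        # Match on the subject, not on Status: a countersigned sample can stay
        # "Valid" after revocation unless the CA backdated the revocation.
        if ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($SignerPattern)) { return }

        [pscustomobject]@{
            Path        = $_.FullName
            Signer      = $sig.SignerCertificate.Subject
            Thumbprint  = $sig.SignerCertificate.Thumbprint
            NotBefore   = $sig.SignerCertificate.NotBefore
            Status      = $sig.Status          # Valid / NotTrusted / HashMismatch ...
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    } | Format-Table -AutoSize
```

Any hit is worth pulling regardless of Status; a Timestamped entry that still shows Valid is exactly the case the revocation caveat above describes. Pair the sweep with an allow-list of expected signers if you run it fleet-wide, since legitimate RMM agents will of course be signed too.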

RMM Lures and Multi-Payload Campaigns

RMM software (including tools such as ScreenConnect and LogMeIn Resolve) is frequently abused for initial access. In this case, TrustConnect only pretended to be an RMM, but campaigns distributing it closely mirrored broader RMM abuse trends.

Proofpoint observed email campaigns beginning Jan. 26, 2026, using themes such as bid invitations, tax notices, and meeting requests. Malicious executables, including “MsTeams.exe,” were signed with the EV certificate and dropped “TrustConnectAgent.exe,” which then communicated with the C2 and often deployed additional remote access tools.

Over a 10-day period, researchers saw TrustConnect install ScreenConnect from at least nine distinct self-hosted servers, many of them running legacy versions of the software whose binaries were signed with revoked or expired certificates. Proofpoint also identified hands-on-keyboard activity and the abuse of a Level RMM account, which was disabled after notification.

The TrustConnect panel provided operators with web-based device management, file transfer, remote desktop access via WebSockets, as well as audit logs. Notably, the malware communicated over standard HTTPS without extra encryption layers.

Proofpoint disrupted the primary C2 infrastructure around 00:00 UTC on Feb. 17, 2026. Shortly before publication, researchers identified a switch to new infrastructure and a rebranded payload called “DocConnect.”

“Preliminary analysis reveals the new C2 panel is a React Single Page Application backed by Supabase,” Proofpoint explained. “Despite the architectural shift, the platform shares the distinct ‘vibe-coded’ style observed in the TrustConnect website.”