Cybercriminals are increasingly embedding malware in business tools and abusing trust features such as EV certificates. AI tools also accelerate the pace at which cybercriminals develop and deploy their attacks.
Furthermore, the research shows that:
- TrustConnect poses as legitimate IT support software but operates as a full-featured backdoor with remote desktop access, command execution, and file transfer.
- EV certificates are abused: the operator obtained a legitimate Extended Validation certificate, which allowed it to digitally sign the malware and bypass security checks until researchers could coordinate its revocation.
- The malware is delivered alongside or through legitimate tools such as ScreenConnect and LogMeIn, reflecting a significant overlap with existing cybercriminal infrastructure.
- After its infrastructure was disrupted, the threat actor moved to new infrastructure, where it began testing a new version, known as DocConnect. This indicates rapid adaptability.
- Based on artifacts from the ecosystem and operational overlap, researchers conclude that the threat actor was previously involved in RedLine stealer activity.
Disrupting MaaS activities gave cybercriminals the opportunity to fill gaps in the cybercrime market. While these disruptions are effective and worth their cost, cybercriminals will evidently always seek new ways to victimize. TrustConnect poses as a legitimate RMM, but its lures, attack chains, and follow-up payloads (including RMMs) resemble the techniques and delivery methods often observed in RMM abuse campaigns, a method used by multiple threat actors. It is also highly likely that both the TrustConnect and DocConnect websites and agents were coded using AI agents, and a new version will be significantly more advanced. Because AI lets threat actors renew their methods rapidly and maintain momentum, responding to this is all the more important.
For more information, read the full English report here.