Security News

Cybersecurity news aggregator

HIGH Attacks Proofpoint

Don’t trust TrustConnect: This fake remote support tool only helps hackers

TrustConnect is a fake remote monitoring and management (RMM) tool distributed as malware-as-a-service, which attackers deploy via social engineering lures such as phishing emails with malicious links or signed executables impersonating legitimate software like Zoom. Once installed, it acts as a remote access trojan, automatically registering compromised systems with the attacker's control panel. The article does not provide a CVSS score, specific affected software versions, fixed versions, or workarounds, as this is a malicious tool, not a vulnerability in a legitimate product.

By Shweta Sharma, Senior Writer
News | Feb 20, 2026 | 4 mins

A fake remote monitoring tool, supported by a subscription service and a website used to promote it, is used to manage compromised systems.

After breaking into a system, crooks often install legitimate remote admin tools to keep a foothold on the network — with the risk that the tool’s vendor spots them and locks them out. Now they have a new option: a fake remote monitoring and management (RMM) tool, complete with serious-looking online storefront, built just for them.

“TrustConnect,” the malware-as-a-service (MaaS) spotted by researchers at Proofpoint, has a website to promote it and all the support infrastructure necessary to manage compromised machines. A subscription to it is advertised at $300 per month.

Proofpoint disrupted some of the malware’s infrastructure with help from intelligence partners, the company said in a blogpost, “But the actor demonstrated resilience, with another fake RMM website identified shortly before publication that advertised malware called DocConnect.” The researchers noted links between the TrustConnect operation and activity involving the RedLine stealer, based on malware characteristics and their own intelligence.

Social engineering for initial access

Victims are tricked into installing TrustConnect under the pretense of legitimate remote support, Proofpoint said. Rather than exploiting vulnerabilities for silent deployment, the attackers depend on user interaction to execute the program.

“Threat actors distributing TrustConnect have used a variety of lure themes including taxes, document shares, meeting invitations, events, and government themes,” the researchers wrote.
The MaaS offers its customers varying templates depending on intended brand abuse: “Beginning on 26 January we observed a campaign purporting to be invitations for bids and to an event. Messages were sent from compromised senders and email body copy included both English and French.”

The attackers have also created signed executables that impersonate installers for widely used software such as Zoom, Microsoft Teams, Adobe Reader, and Google Meet, with matching icons and metadata. Victims are encouraged to download them by clicking on a link in an email, which then automatically registers infected systems in the operator’s control panel on the TrustConnect website, essentially making TrustConnect a remote access trojan (RAT).

In one particular campaign leveraging a single compromised sender, lures included URLs leading to ScreenConnect installation from Jan. 31 to Feb. 1, and then on Feb. 3 to TrustConnect and LogMeIn Resolve installations.

Attackers use a dual-purpose website

The TrustConnect website has realistic marketing language, feature descriptions, and documentation, and it serves both as a public-facing front to promote the software and as a backend portal for customers who purchase access to the tool’s malicious services.

“Cybercriminals are instructed to sign up for a ‘free trial,’ instructed on how to pay in cryptocurrency, and then verify payment in the TrustConnect portal,” the researchers said, adding that the customers are charged $300 per month for a web-based C2 dashboard with a list of devices that have the RAT installed.

A subscription allows executing commands, transferring files and connecting remotely to the infected devices. Additionally, subscribers get a downloadable EXE file, which they are advised to upload to their own hosting for controlled targeting and better results. The trustconnectsoftware[.]com domain was created on Jan. 12, 2026.
“The malware creator (also) uses the domain as the ‘business website’ designed to convince the public (including certificate providers) that the software is a legitimate RMM app, providing fake details like customer statistics and software documentation,” Proofpoint researchers wrote.

Proofpoint suspects the actor used large language models (LLMs) to create TrustConnect. It shared a list of indicator URLs to support detection efforts, warning that TrustConnect has potential to become a full-blown campaign, now with a more advanced variant, DocConnect.
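The article notes that the fake installers are signed and carry matching icons and metadata, so a check that only asks whether a signature is valid will pass them. The following triage sketch is an added example, not code from the article or from Proofpoint: it compares the brand an installer claims against the publisher that actually signed it. The record field names, the expected publisher strings and the sample records are assumptions to adapt to your own inventory.

```python
# Added example: brand-versus-signer triage for downloaded installers.
# Publisher names are assumptions; replace them with the signers seen in
# your own software inventory. Field names and SAMPLES are constructed.
EXPECTED_SIGNERS = {
    "zoom": {"zoom video communications, inc."},
    "microsoft teams": {"microsoft corporation"},
    "adobe": {"adobe inc."},
    "google meet": {"google llc"},
}

def claimed_brand(record):
    """Return the brand keyword claimed in file name or version-info fields."""
    fields = ("file_name", "product_name", "file_description")
    text = " ".join(record.get(f) or "" for f in fields).lower()
    return next((b for b in EXPECTED_SIGNERS if b in text), None)

def triage(record):
    """Classify a record as 'unknown', 'unsigned', 'ok' or 'mismatch'."""
    brand = claimed_brand(record)
    if brand is None:
        return "unknown"    # claims none of the tracked brands
    signer = (record.get("signer") or "").strip().lower()
    if not signer or not record.get("signature_valid"):
        return "unsigned"   # brand claimed without a valid signature
    if signer in EXPECTED_SIGNERS[brand]:
        return "ok"
    return "mismatch"       # validly signed, but by an unexpected publisher

SAMPLES = [  # constructed records, not taken from the article
    {"file_name": "ZoomInstaller.exe", "product_name": "Zoom Workplace",
     "signer": "Zoom Video Communications, Inc.", "signature_valid": True},
    {"file_name": "Zoom_Meeting_Setup.exe", "product_name": "Zoom",
     "signer": "Example Trading Ltd", "signature_valid": True},
    {"file_name": "AdobeReader_update.exe",
     "product_name": "Adobe Acrobat Reader",
     "signer": None, "signature_valid": False},
    {"file_name": "notes.exe", "product_name": "Notes",
     "signer": "Example Trading Ltd", "signature_valid": True},
]

def report(records):
    """Map each file name to its triage result."""
    return {r["file_name"]: triage(r) for r in records}

if __name__ == "__main__":
    for name, verdict in report(SAMPLES).items():
        print(f"{verdict:9} {name}")
```

A "mismatch" verdict is the case the article describes: the file is validly signed and branded as a well-known product, yet the signing publisher is not the vendor of that product.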