CyberWire Daily - A wolf in admin clothing. [Research Saturday]

Episode Date: April 11, 2026

Today we are joined by Selena Larson, threat researcher on Proofpoint's research team and co-host of Only Malware in the Building, talking about their work on "(Don't) TrustConnect: It's a RAT in an ...RMM hat." Proofpoint uncovered TrustConnect, a malware-as-a-service platform posing as a legitimate remote monitoring and management (RMM) tool but actually functioning as a remote access trojan (RAT) sold to cybercriminals for $300/month. The operation used a fake business website, a real extended validation (EV) certificate that made the site look trustworthy, and branded installers (such as fake Microsoft Teams or Zoom apps) to trick victims, while giving attackers full remote control, file transfer, and surveillance capabilities. Although parts of its infrastructure were disrupted, the threat actor quickly rebounded with new variants, highlighting both the resilience of the operation and its deep ties to the broader cybercriminal ecosystem abusing RMM tools. The research and executive brief can be found here: (Don't) TrustConnect: It's a RAT in an RMM hat

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more.
Starting point is 00:00:39 Doppel. Outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L.com. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting
Starting point is 00:01:14 ourselves in our rapidly evolving cyberspace. Thanks for joining us. And so ultimately what we identified was it's this fake RMM. It's a malware, a remote access trojan, that's masquerading as a remote monitoring and management tool. And they had everything looking legit. So they had this likely AI-generated website, just totally vibe-coded, that said, hey, you know, we're this brand new RMM.
Starting point is 00:01:46 Here's our customer testimonials. Here's all the customers that we have, and here's how you can download this remote monitoring and management tool, which of course was actually malware. That's Selena Larson, threat researcher from Proofpoint's research team. The research we're discussing today is titled "(Don't) TrustConnect: It's a RAT in an RMM hat." Well, it has the word trust right there in the title. I don't see what can possibly go wrong. Exactly. Trust us. It's real. We promise.
Starting point is 00:02:20 So this business website doubles as the malware control panel. Can you suss that out for us? How does that work, and why does this end up being a really effective social engineering tactic? Yeah, so it's actually really interesting, because the users, like regular people, aren't actually meant to see the TrustConnect website. They're just meant to see the TrustConnect download. But for users of TrustConnect, they go to this website and it says try us out, try for free. And you click on the try for free button.
Starting point is 00:02:55 It gets you to log in. And then you actually say, hold on, wait a minute here. This looks like not an RMM, but, you know, something that you don't actually have access to, because you have to pay with Bitcoin, cryptocurrency, in order to actually access this particular panel. So yeah, so it's actually kind of masquerading as like a front. So basically what they did was they created this website to look legitimate, and then they applied for, or somehow maliciously bought, a real extended validation certificate. And so this was basically what they were showing, right? This extended validation certificate is an extra layer of security. It goes through additional, you know, I really am who I am, so additional validation.
Starting point is 00:03:42 And so, you know, it tends to be more trustworthy than other certificates that threat actors will use. And so they did a lot of social engineering to make themselves look real. However, again, we mentioned it was suspected to be vibe coded and vibe coded not great. Okay. Go on. Yeah. So essentially, without getting into too many details, essentially what they did was they just didn't have security on their website. Turns out, web design is a special skill that isn't necessarily just something that you're able to vibe code without no. knowing all of the requirements and all the things that you have to put into the actual design, into the HTML, into your web development code to be able to restrict access to various users.
Starting point is 00:04:27 And so if you do web design quite badly and don't know what you're doing, it's possible to check the HTML, check some of the code, and look at the different communications and connections that are happening and say, oh, I wonder if I could try and access this page. And essentially it was exposing a lot more information than I think they meant to. So yeah, so it turns out you might be a good malware developer but a terrible web developer. Different skill set. AI doesn't immediately make you great at everything.
Starting point is 00:05:02 That's interesting. Well, let's go through a typical infection chain here from start to finish. How does it work? Yeah. So what we're seeing is this tool being delivered via email. And what's actually really interesting is we've seen campaigns delivering multiple different RMMs alongside TrustConnect. And TrustConnect campaigns themselves use lures and themes and executable file names
Starting point is 00:05:28 that are very, very commonly observed in the RM ecosystem. So we see, for example, document sharing party invitations. That's a very popular one. teams messages, just social security administration. That's another one that we see a lot of in the RMM ecosystem. And basically what this actor did is it seems that this person is, or this actor group is familiar with the RM ecosystem,
Starting point is 00:05:56 what lures they're using. And so they kind of provide that to the users of the malware. We can say, okay, here's the payload that you can use. Here's some social engineering techniques. So what we see in the actual attack chain is, there will be an email that comes through that will pretend to be something like an invitation to bid or a party invitation or social security information, and it will contain a URL. So that URL will then lead to the download of the TrustConnect executable that, again,
Starting point is 00:06:27 is pretending to be an RMM, but really what it is is a remote access trojan. So once I have that installed on my system, what happens next? So essentially it does, well, when we think about what an RMM does, it has a lot of similar capabilities to a remote access trojan, right? So essentially you can use it to steal data, to conduct account takeovers, to install additional malware, to move laterally within an organization, basically sort of take over the host and potentially conduct follow-on activities. You mentioned that TrustConnect is sort of one of many tools that we see in this broader ecosystem of RMM abuse. Do you have any insights on what that ecosystem looks like today? How does this tool plug into it? Yeah, so it's important to note, too, that RMM abuse is real software being maliciously used.
Starting point is 00:07:28 This one is just pretending to be an RMM, but it's actually malware. So it's really interesting, because I think that this actor maybe potentially saw the efficacy of RMM tooling and how widespread it was across the landscape. And we're seeing so many different actors with different levels of sophistication distributing remote monitoring and management tooling. In those cases, there will typically be a URL again, like a URL to an executable that is a legitimate RMM executable. Sometimes they'll drop another RMM after it's been installed just because they might prefer it better. But in many cases, they actually like remote monitoring and management tooling because they are legitimate pieces of software that don't necessarily immediately look malicious. Users might be more accustomed to downloading and installing software that allows remote access to their corporate machine, like via IT or something like that, so it's already something that they might be used to. You might not have it on corporate block lists,
Starting point is 00:08:36 right, because it's a legitimate tool. And if you're using it within your own environment, then it's not necessarily going to be blocked. So there are some reasons why threat actors might use remote monitoring and management tooling over something like a piece of malware. In the case of TrustConnect, in many cases they were delivering something like ScreenConnect or Datto or LogMeIn alongside, or prior to, the TrustConnect deployment. So let's say we saw a wave of activity for a week. The first half of the week might be an RMM, and then the actor switched to TrustConnect,
Starting point is 00:09:15 whether that's because they just found out about TrustConnect or because they wanted to test out their campaign with an RMM before switching to a RAT. There are a lot of different reasons why that might happen. But again, in this particular case, the malware was able to get this extended validation certificate, so many people might have thought it was legitimate because it looked trusted. So the cert said, yes, I'm real, trust me, and was able to sort of bypass some of those protections.
Starting point is 00:09:41 We did work with our colleagues to get that certificate revoked, so that's good. But, you know, as you mentioned, the Connect RATs, we have seen this family grow. Well, the research points out that there's a certain level of professionalism here. I mean, the service is not cheap, and it has a high level of professionalism in the tools. Can you take us through that? Yeah, so it does look like, first of all, the panel is really well done. I mean, aside from the fact that the website itself wasn't necessarily secure, it was designed quite well. It provided a lot of this information. It provided a lot of context to the user, like, this is what you need. It even had sort of like support
Starting point is 00:10:30 information, or it's like, yes, reach out to support if you're having any trouble, et cetera, et cetera. But the malware itself also provides a lot of different installers that can be downloaded from the executable. So the executable files, again, are things that are very common lures that you might expect to see in an RMM campaign or just in your general workflow. So like Zoom Workspace, Adobe Reader, MS Teams, Google Meet, SSA, again, the sort of social security executable. And then they had kind of a lot of information on how to actually install this. And one thing that I thought was kind of interesting was the sort of deploy page had instructions on how to run a PowerShell script to an intermediate script that would install their RAT.
Starting point is 00:11:20 And this is potentially used for actors that want to use it with ClickFix, like a ClickFix installation, which is the copy, paste and run PowerShell. So it sort of had these, like, okay, here's how, here's the deployment guide, here's the installation, here's this remote PowerShell script, you know, here's how you can sort of have everything just at your fingertips, providing these sort of step-by-step instructions. There's also, you know, a way to set up Telegram bots so you can get some stuff dumped into a Telegram channel, like maybe credentials or other information. And yeah, so it had like this pretty sort of slick installation information. And again, the panel looked nice, but maybe it wasn't quite as secure as customers might have thought.
Starting point is 00:12:12 We'll be right back. This episode is brought to you by Telus Online Security. Oh, tax season is the worst. You mean hack season? Sorry, what? Yeah, cybercriminals love tax forms. But I've got Telus Online Security. It helps protect against identity theft and financial fraud,
Starting point is 00:12:31 so I can stress less during tax season, or any season. Plans start at just $12 a month. Learn more at telus.com slash online security. No one can prevent all cybercrime or identity theft. Conditions apply. When a country's productivity cycle is broken, people feel it in their paychecks, their communities, their futures.
Starting point is 00:12:51 What does this mean for individuals, communities, and businesses across the country? Join business leaders, policymakers, and influencers for CG's national series on the Canadian Standard of Living, productivity, and innovation. Learn what's driving Canada's productivity decline and discover actionable solutions to reverse it. You assess with moderate confidence that the operator might have ties to the RedLine Stealer ecosystem.
Starting point is 00:13:23 Can you connect those dots for us? Yes, so this was pretty fun. So as you're logged into the panel, if you're a user using this malware, you see at the top this little banner on the website that says all new users must contact support at Zaki09 on Telegram. There's additional information where, when the registration was closed, maybe because the certificate got disrupted, the sign-up page was replaced with this page that said contact Zaki09 on Telegram. Well, if you search for the account Zaki09, just any sort of @Zaki09 on the internet, you will find some open source information, people talking about the VIP customers
Starting point is 00:14:10 of Operation Magnus. So Operation Magnus was a joint law enforcement effort led by the Dutch National Police, as well as other law enforcement, to disrupt RedLine as well as META information stealers back in October. They actually dropped, you can go to the Operation Magnus website, and they dropped this video that lists all of the handles of the RedLine VIP customers. So, you know, the very aggressive users of the information stealer. And what would you know? Zaki09, with the same spelling, is listed as a VIP customer in Operation Magnus. So we think that given the name of the actor, the association with RedLine, the association, and clearly awareness of the overall threat landscape, especially when it comes to RMMs and the different payloads and different social
Starting point is 00:15:05 engineering lures that are available. They're clearly already plugged into the cybercriminal ecosystem. And that overlap just gave us some stronger affiliations. Of course, it is possible for threat actors to reuse or steal handles. So that is another possibility. But we do think, based off of our investigation, that they are likely related. So we did have some fun kind of running that down. You mentioned that through some partnerships you were able to have their certificate revoked, but they pivoted pretty quickly after that, right? Yeah, so there was also, the domain was also targeted and identified to be able to be removed.
Starting point is 00:15:45 But yeah, we saw new variants of sort of TrustConnect, including one that was dot connect, and there were some other sort of Connect malware families that have emerged, but it's all basically the same functionality, the same websites, vibe-coded websites that have the sort of same visuals, very similar visuals and capabilities, that is overall part of this malware-as-a-service. So, you know, one operator is running these remote access trojans, threat actors can pay to get access to the malware and then distribute their own campaigns, whether it's via email, which is what we see, but also, of course, mass malware can be used in, you know, web injects,
Starting point is 00:16:28 or SEO malvertising. So yeah, so it's really interesting that they were able to pivot quite quickly despite some of the disruption activities that were targeted at them. It's almost as if they expected that this could be part of the process, right? Right, right. Well, I mean, I guess if you're like sort of involved in the RedLine stealer and that got disrupted, I mean, maybe you have a contingency plan for your malware
Starting point is 00:17:01 Yeah, it's part of the business plan these days. Yes. What are your lessons here for defenders? The information you've gathered here, how should people be reacting to this? So we did provide some indicators of compromise and information that is available for anyone who's interested in learning more. We also are staying on top of this particular malware threat actor
Starting point is 00:17:25 by adding Emerging Threats rules. So network detection signatures, they are going into ETPN, so anyone can take a look at those and use those. But really, I think it's important to note that the TTPs that are being used to deliver this malware are being used to deliver a lot of different either RMMs or malware. And in many cases, the RMMs will lead to follow-on malware. So it's really important to make sure that you're defending against the techniques that are being used. And in some cases, their email wasn't that impressive. So it was very clear and obvious to see that it was something that was quite malicious. But for example, if they're impersonating the Social Security Administration and they have these things like SSA.exe, that is something that's very suspicious.
Starting point is 00:18:13 And so defenders should kind of take a look and look at unusual executables, unusual PowerShell, definitely. Especially for RMM tooling in general, make sure that you're having like a blocklist and a safe list for known and trusted RMM domains so that users aren't able to download and install remote monitoring and management tools that are not approved by the organization. And even though in this case it's a remote access trojan, it was posing as an RMM, it's using a lot of the same techniques to deliver their malware. So I think that, you know, defending against the behaviors is something that can be very, very important. So that's definitely something to be aware of. You mentioned much of this may have been built
Starting point is 00:18:58 with the assistance of AI. You know, it strikes me that we're seeing or the normalization of good grammar, right, in emails, that it's no longer a tell, that they have, you know, broken grammar or something like that. But it seems to me in this case that the look and feel of the site itself, regardless of what's happening under the hood, lends to its legitimacy. And so do we suppose that the AI is contributing to that as well to giving it a more clean, acceptable look? Yeah, for sure. I mean, I think one of the big ways that the actors are using, AI is to just make their stuff, whatever it is, look more authentic. So whether that's phishing emails, whether that's documents, landing pages, web pages like this, I mean, part of the reason why they
Starting point is 00:19:56 created this public website was to say, hey, I'm real, to get this EV certificate. So I think that it's definitely helping. But I do think that there are some very key characteristics of AI-created websites. And I don't know how many that you've looked at, Dave, but they all sort of have the same tells. There's a lot of emoji. There's a lot of the same structure. So you have these three different boxes and then this big web page and then you have
Starting point is 00:20:22 this rocket, they love the rocket ship emoji. Everyone loves the rocket ship. And they have these centering. Yes. It's like they're very blue and purple, and like, you know, it's like they have this sort of same vibe and same look. But I will say
Starting point is 00:20:40 though, too, I mean, even though they created a website that looks good, it didn't really function that well. And so I think it's really important when we're talking about how AI is sort of changing the threat landscape, it's not just this, like, everyone's better, and like, you're immediately going to be more dangerous or more effective. Because actually, in this case, we were able to find a lot of information that they probably wouldn't have wanted exposed because of their use of AI. And I think that, you know, a lot of people sort of get lost in this idea that AI is going to be this absolute game changer when in reality I think AI is just, it's a word processor for, you know, tooling. It's just,
Starting point is 00:21:24 you know, it's just this other tool in our toolbox that we can use. And if you're good at something, it might help you do something faster, better, bigger. But if you don't have a base knowledge, your understanding of something that you're trying to do, it can actually be a vulnerability, because you don't know how to check if something's secure or not. You don't know how to check if there's bugs in your code or, you know, if this ransomware key is in the ransomware that I just wrote with AI. Right, right. And so I think, you know, it's not quite the game changer that people think it should be or that it currently is. It's up-leveling, but it's up-leveling everyone. And it's introducing new and more fun vulnerabilities and
Starting point is 00:22:11 gaps in threat actor behaviors that I think will actually do more to highlight different ways of tracking them than I think they probably thought. It makes me think about how, you know, when your kids are coming up, you give them a hammer and some nails, you know, to learn basic construction, but you don't start them out with a pneumatic nail gun, right? Exactly, exactly. Like, you have to know what you're doing in order to do it effectively. Right, right.
Starting point is 00:22:37 Our thanks to Selena Larson from Proofpoint's threat research team. The research is titled "(Don't) TrustConnect: It's a RAT in an RMM hat." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
Starting point is 00:23:12 If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
