Malware

DocConnect

DocConnect is a rebranded, updated agent payload associated with Proofpoint’s reporting on the TrustConnect malware-as-a-service (MaaS) operation that masqueraded as a legitimate remote monitoring and management (RMM) product but functioned as a remote access trojan (RAT). Proofpoint observed the TrustConnect operator resurface after infrastructure disruption and begin testing this successor platform, referenced as “DocConnect” and also as “SHIELD OS v1.0.”

Based on Proofpoint’s preliminary analysis cited in the content, DocConnect is tied to a new parallel command-and-control (C2) environment: the C2 panel is described as a React single-page application backed by Supabase, and the agent is described as integrating SignalR (in contrast to TrustConnect’s use of raw WebSockets). The content lists networkservice[.]cyou as an indicator for DocConnect C2.

DocConnect is not described as having distinct end-user capabilities in the provided material beyond being a rebrand/updated version of the TrustConnect platform; however, it is explicitly positioned as the continuation of a RAT/RMM-masquerading MaaS ecosystem that was distributed via phishing in TrustConnect campaigns. Proofpoint assessed with moderate confidence that the TrustConnect actor was also a prominent user/customer of RedLine Stealer, and DocConnect is presented as the operator’s post-disruption pivot.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques

T1566PhishingEvidence1

CERT-UA has warned of a hacking campaign targeting Ukrainian government institutions using phishing emails containing a ZIP archive (or a link to a website vulnerable to cross-site scripting attacks) to distribute SHADOWSNIFF and SALATSTEALER...

T1566.002Spearphishing LinkEvidence1

“Messages contained URLs leading to an executable file ‘MsTeams.exe’… [which] dropped a file called ‘TrustConnectAgent.exe’…” and “Threat actors distributing TrustConnect have used a variety of lure themes including taxes, document shares, meeting invitations, events, and government themes.”

Stealth

1 technique

T1036MasqueradingEvidence2

“a malware masquerading as an RMM called ‘TrustConnect Agent’… generates ‘branded’ installers that bundle legitimate icons and metadata… Zoom, Microsoft Teams, Adobe Reader, Google Meet… EXE files are named in line with the impersonated brand.”

Command and Control

2 techniques

T1071.001Web ProtocolsEvidence1

“The screen is streamed via unauthenticated WebSocket… Viewer /ws/viewer WS Remote Desktop Stream… /ws/screen GET WebSocket Upgrade (RDP)”

T1219Remote Access ToolsEvidence1

Some campaigns have also been observed delivering legitimate remote access software like ScreenConnect and LogMeIn Resolve alongside TrustConnect...

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

help net securityNews

Feb 20, 2026

Criminals create business website to sell RAT disguised as RMM tool - Help Net Security

A rebranded/updated iteration of the TrustConnect fake-RMM/RAT platform, observed being tested after disruption of TrustConnect infrastructure.

proofpoint threat insight blogNews

Feb 18, 2026

(Don't) TrustConnect: It's a RAT in an RMM hat | Proofpoint US

Evolving/next-generation agent payload associated with the TrustConnect MaaS ecosystem, observed during a pivot to new infrastructure. Uses a React SPA C2 panel backed by Supabase; agent integrates SignalR (instead of raw WebSockets) and supports embedding custom PDF lures into the installer.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.