Threat Actors Expand Remote Monitoring and Management Abuse With Fake RMM Malware
Proofpoint reported a new malware-as-a-service (MaaS) offering that masquerades as a legitimate remote monitoring and management (RMM) product, branding itself as TrustConnect (delivered as “TrustConnect Agent”). Proofpoint assessed with moderate confidence that the actor behind TrustConnect was also a prominent user of Redline stealer, and said it worked with intelligence partners to disrupt parts of the malware’s infrastructure; the actor quickly showed resilience by standing up another fake RMM-themed site advertising a related malware variant called DocConnect. Proofpoint highlighted that attackers continue to favor RMM-style tooling for initial access and post-compromise control because it blends into normal enterprise remote support activity.
Separately, Dark Reading summarized findings from Huntress’ 2026 Cyber Threat Report indicating a broad surge in RMM abuse as an intrusion strategy, citing a 277% year-over-year increase in malicious RMM deployments and a corresponding decline in traditional malware usage. The report described RMM tooling as attractive to threat actors for stealth, persistence, and operational efficiency, and noted commonly abused products including ConnectWise ScreenConnect, AnyDesk, Atera, NetSupport, PDQ Connect, and Splashtop, with healthcare and technology seeing the largest increases. Together, the reporting underscores both the industrialization of RMM abuse and the emergence of purpose-built “fake RMM” malware offerings designed to look like enterprise remote support software.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Proofpoint publicly exposes TrustConnect fake RMM operation
Proofpoint published research describing TrustConnect as a malware-as-a-service RAT masquerading as a legitimate RMM product, sold for $300 per month in cryptocurrency. The report also linked the operator with moderate confidence to a prominent Redline stealer customer and documented follow-on use of legitimate RMM tools such as ScreenConnect, LogMeIn Resolve, and Level RMM.
Huntress reports major 2025 surge in attacker abuse of RMM tools
Huntress reported that abuse of legitimate remote monitoring and management tools rose 277% year over year in 2025, while use of traditional hacking tools, RATs, and malicious scripts declined. The report said attackers increasingly use RMM software as a primary command-and-control and persistence mechanism across industries.
TrustConnect operators pivot to DocConnect and new infrastructure
After the February 17 disruption, the operators rapidly reestablished operations on parallel infrastructure and began testing a rebranded payload called DocConnect, also referred to as "SHIELD OS v1.0," with a new C2 panel.
TrustConnect infrastructure is disrupted by defenders
Proofpoint and industry partners disrupted TrustConnect by taking down or otherwise disabling key website/C2 infrastructure around February 17, 2026. The trustconnectsoftware[.]com site had served as both the fake business front and centralized customer/C2 panel.
TrustConnect EV code-signing certificate is revoked
Proofpoint and partners, including The Cert Graveyard, succeeded in getting the Extended Validation code-signing certificate used by TrustConnect revoked. Previously signed binaries remained valid despite the revocation.
TrustConnect phishing campaigns begin distributing fake RMM RAT
Proofpoint observed email campaigns starting in late January 2026 that delivered signed droppers such as fake Microsoft Teams installers, using business and government-themed lures and brand impersonation to install the TrustConnect RAT.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
New malware-as-a-service fronts as legit RMM provider | SC Media
scworld.com
Open sourceCriminals create business website to sell RAT disguised as RMM tool - Help Net Security
helpnetsecurity.com
Open sourceDon’t trust TrustConnect: This fake remote support tool only helps hackers | CSO Online
csoonline.com
Open sourceRAT disguised as an RMM costs crims $300 a month • The Register
go.theregister.com
Open source(Don't) TrustConnect: It's a RAT in an RMM hat | Proofpoint US
proofpoint.com
Open sourceRMM Abuse Explodes as Hackers Ditch Malware
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Attackers Abuse RMM Tools and Bomgar RCE to Breach MSPs and Deploy Ransomware
Threat actors increasingly abused legitimate remote monitoring and management (RMM) software for initial access, persistence, credential theft, and defense evasion, with Huntress reporting that RMM abuse accounted for 24% of incidents it observed and surged 277% over the prior year. Campaigns used signed tools including **Action1**, **ScreenConnect**, **HeartbeatRM**, **AnyDesk**, **Atera**, and **SimpleHelp**, often chaining multiple products together to fragment telemetry and complicate containment. Delivery methods included phishing lures themed around the Social Security Administration and invitations, GitHub-hosted payloads, Cloudflare-protected sites, Windows-only filtering, and mobile-only credential harvesting pages; Huntress also observed low-maturity operators using LLM-generated scripts, VPS infrastructure, proxy tooling, combo lists, and utilities designed to hide RMM software from uninstall lists. Huntress also linked a sustained rise in compromises involving **Bomgar** instances to exploitation of **`CVE-2026-1731`**, a critical remote code execution flaw in BeyondTrust products, with attackers targeting outdated deployments to access victim networks and pivot into downstream customer environments. Reported incidents hit MSPs and software providers, including a ransomware attack affecting three downstream companies and another MSP breach that forced the isolation of 78 businesses while attackers moved into four customer environments. In affected networks, intruders created privileged accounts, added users to **Domain Admins**, ran reconnaissance with **NetScan** and **`nltest.exe`**, deployed suspicious drivers such as **PoisonX.sys** and **HRSword.exe**, and in several cases launched **LockBit** or a likely leaked-builder variant, underscoring the need to patch BeyondTrust systems, tightly govern trial and remote-access tooling, and monitor for unauthorized RMM activity.
Apr 30, 2026
Surge in Cyberattacks Leveraging RMM Tools for Malware Deployment
Cybercriminals have increasingly targeted remote monitoring and management (RMM) tools to deploy malware and conduct large-scale cyberattacks. In 2025, attacks on RMM tools surged, with 51 different solutions identified as targets by security researchers. RMM tools, which became more prevalent during the COVID-19 pandemic to support remote work, are now being weaponized by threat actors due to their deep integration into enterprise IT environments. These tools, such as SuperOps and TeamViewer, are commonly used by IT professionals and managed service providers (MSPs) to remotely monitor, manage, and maintain client systems through centralized dashboards. Adversaries exploit these platforms by obtaining authenticated credentials, allowing them to bypass traditional security alerts and alarms. Once inside, attackers can disable scheduled backups, destroy system images and restore points, and push ransomware or other malicious payloads to thousands of endpoints simultaneously. The legitimate appearance of RMM tool traffic often allows malicious activity to evade anomaly detection systems, creating a persistent blind spot for network defenders. The elevated permissions typically granted to RMM platforms enable attackers to escalate privileges, move laterally within networks, and deliver malware efficiently. Compromising an MSP’s RMM infrastructure can have a supply chain effect, enabling attackers to pivot into multiple client environments and significantly amplifying the potential impact. This method of attack not only increases the blast radius but also enhances the monetization opportunities for cybercriminals. Security experts warn that the widespread use and trust in RMM tools make them an attractive and effective vector for cyberattacks. Organizations are urged to implement stronger authentication, monitor RMM tool usage closely, and restrict access to minimize risk. The trend highlights the need for enhanced vigilance and updated security controls around remote access and management solutions. The attacks demonstrate how tools designed for convenience and efficiency can become significant liabilities if not properly secured. The ongoing exploitation of RMM tools underscores the evolving tactics of cybercriminals in targeting trusted IT infrastructure. As attackers continue to refine their methods, defenders must adapt by prioritizing the security of remote management platforms. The surge in RMM tool exploitation serves as a stark reminder of the importance of supply chain security and the risks posed by third-party service providers. Organizations should review their incident response plans to ensure rapid detection and containment of attacks involving RMM platforms. The cybersecurity community continues to monitor this threat landscape, emphasizing the critical need for proactive defense measures.
Mar 21, 2026
Phishing Campaigns Weaponize Legitimate RMM Tools for Remote Access and Credential Theft
Threat researchers reported multiple phishing-driven intrusions in which attackers impersonate trusted brands and agencies to trick victims into installing legitimate remote monitoring and management (RMM) software for persistent access. In **Operation DoppelBrand**, financially motivated actor **GS7** spoofed Fortune 500 financial and technology brands (including **Wells Fargo** and **USAA**) using more than **150** lookalike domains to harvest credentials and exfiltrate data via attacker-controlled **Telegram bots**; researchers also identified nearly **200** additional domains with short registration terms, automated SSL, wildcard DNS, and brand-specific subdomains supporting the campaign. Separately, Forcepoint X-Labs described a wave of emails impersonating the **U.S. Social Security Administration** that delivers an attached `.cmd` script to weaken Windows defenses and enable silent installation of **ConnectWise ScreenConnect**. The script checks/elevates privileges, disables **Windows SmartScreen** via registry changes, removes **Mark-of-the-Web**, and uses **Alternate Data Streams (ADS)** for stealth before installing an MSI and configuring ScreenConnect (via `System.config`) to beacon to an attacker-controlled server (reported as `dof-connecttop` on port `8041`). Both activity sets highlight a recurring tradecraft pattern: **brand impersonation + scripted defense evasion + abuse of legitimate RMM tooling** (e.g., *LogMeIn Resolve*, *ScreenConnect*) to gain remote control and facilitate follow-on theft or persistence.
Mar 21, 2026