TL;DR: A malware-as-a-service platform masquerading as a legitimate RMM tool, with a $300 monthly subscription, EV-signed installers, and campaigns that abused trusted remote access channels for delivery and follow-on payloads, was identified by Proofpoint. The real lesson is that trust branding, code signing, and familiar admin tooling can be weaponised into an access layer that outpaces conventional detection and review.
At a glance
What this is: This is an analysis of TrustConnect, a fake RMM malware-as-a-service platform that used branded installers, EV certificates, and remote access tooling to support cybercrime operations.
Why it matters: It matters because attackers increasingly abuse legitimate remote administration patterns, which means IAM, PAM, and NHI teams must treat trusted software delivery and access pathways as identity risk surfaces, not just endpoint or malware problems.
By the numbers:
- Access was advertised at $300 per month.
- The malware domain, trustconnectsoftware[.]com, was created on 12 January 2026.
- Proofpoint observed TrustConnect deploying ScreenConnect from at least nine distinct on-premises servers over a 10-day period.
👉 Read Proofpoint's analysis of the TrustConnect fake RMM malware operation
Context
RMM abuse is an identity problem as much as it is a malware problem. Remote monitoring and management tools are trusted because they are designed to establish remote control, transfer files, and execute commands at scale, which makes their access pathways attractive to attackers who want their activity to look operational rather than malicious.
In this case, Proofpoint describes a MaaS platform that impersonated an RMM product, then used signed installers, branded lures, and a subscription portal to industrialise distribution. The primary governance question is not whether the binary is malicious, but how enterprise security programmes distinguish authorised remote administration from attacker-controlled remote access when both use similar operational patterns.
For identity teams, the relevance extends beyond endpoint defense. Trusted admin channels, digitally signed payloads, and third-party remote support services all create delegated access paths that deserve lifecycle control, review, and monitoring under NHI governance and privileged access discipline.
Key questions
Q: What breaks when attackers disguise malware as a legitimate remote support tool?
A: What breaks is the trust boundary around remote administration. Users, defenders, and even certificate-based controls can mistake malicious software for approved support tooling, which lets the attacker inherit legitimacy, execute commands, and expand access before the compromise is recognised. The control failure is not just detection, but provenance and delegated-access governance.
Q: Why do fake RMM tools create more risk than ordinary malware delivery?
A: Fake RMM tools matter because they are not just payloads, they are access channels. Once installed, they can provide file transfer, remote desktop, command execution, and follow-on payload staging, which turns a single infection into a managed access path. That makes them closer to abused privileged software than to simple malicious binaries.
Q: How should security teams evaluate signed remote administration software?
A: Security teams should evaluate signed remote administration software as a privileged trust decision, not a binary allow or block question. Review the publisher, the domain, the download path, the certificate history, and the runtime behaviour together. If the software can create unattended remote control, it belongs under privileged access governance, not ordinary application approval.
Q: Who is accountable when a remote access pathway gives an attacker broad internal reach?
A: Accountability usually sits across IAM, infrastructure, and application owners, but the control failure is often a governance issue rather than a single technical mistake. Teams should be able to show who approved the access model, who owns third-party access, and who is responsible for revocation.
Technical breakdown
How fake RMM branding lowers initial access friction
Attackers use the familiar language of remote support software to reduce suspicion at the point of delivery. In a fake RMM campaign, the portal, installer names, icons, and documentation are built to resemble legitimate enterprise tooling, so the payload inherits trust from the category itself. That is a social engineering layer, but it also becomes an access layer because victims are being asked to install software that can open interactive remote control and command execution. When the package is signed and delivered through ordinary email or web workflows, the malicious activity blends into routine administration paths instead of looking like a distinct intrusion event.
Practical implication: treat remote administration installers as privileged software and require pre-approved provenance before deployment.
Why code signing and EV certificates complicate detection
Code signing is supposed to establish software integrity and publisher identity, but attackers can buy, abuse, or fraudulently obtain certificates to make malware appear legitimate. Extended Validation certificates add another trust signal because they imply additional organisational validation, which can confuse both users and some security controls. In the TrustConnect case, signed files and a business-like web presence were used together, which shows how multiple legitimacy cues can be chained to create false confidence. Signature-based controls remain useful, but they are not a substitute for provenance, behaviour, and distribution-path validation when the adversary can borrow the same trust mechanisms vendors use.
Practical implication: supplement signature checks with publisher reputation, domain registration review, and behavioural inspection.
What a MaaS C2 portal changes for command and control governance
A malware-as-a-service portal centralises operator onboarding, payment verification, payload generation, and device management in one place. That creates a repeatable business model for cybercrime, but it also standardises the attacker’s identity and access workflow, including account creation, subscription gating, OTP verification, and operator telemetry. In operational terms, the platform behaves like a service desk for abuse, with a C2 dashboard that tracks registrations, connected devices, and commands. For defenders, that means the same kind of lifecycle thinking used for third-party access and privileged service accounts becomes relevant: who is allowed, how access is granted, what evidence is retained, and when access should be revoked.
Practical implication: inventory and govern remote support services as delegated access channels, not just applications.
Threat narrative
Attacker objective: The attacker wants to gain durable, disguised remote access that can be monetised through malware distribution, follow-on payloads, and hands-on keyboard control.
- Entry occurred through phishing lures and spoofed download links that delivered executables disguised as trusted business or meeting software.
- Escalation followed when the victim ran the installer, which dropped the TrustConnect agent and connected it to an attacker-controlled C2 portal for remote command and file operations.
- Impact came from interactive remote access, follow-on payload delivery, and the ability to chain trusted remote administration tools into broader compromise activity.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Trusted remote administration is now a governance boundary, not just a tooling choice. When attackers package remote access as a legitimate-looking RMM, the real issue is that identity and access controls are being inherited from the software category rather than the operator. That creates a gap between what security teams think is approved remote support and what is actually attacker-controlled access. Practitioners should treat any remote administration pathway as a delegated identity channel with lifecycle controls, review points, and revocation expectations.
Branding plus code signing creates an identity illusion that security teams must stop trusting at face value. The combination of EV certificates, fake business pages, and branded installers does not prove legitimacy, it only proves the attacker can mimic legitimacy well enough to delay detection. This is a classic case of trust signals being detached from trustworthiness. Practitioners need to evaluate how much of their control stack still assumes that publisher identity, certificate status, or software naming is a reliable proxy for safe access.
Remote access abuse and NHI governance are converging on the same failure pattern: delegated access without lifecycle ownership. Whether the abused channel is an RMM account, a signed installer, or a subscription-backed MaaS portal, the underlying issue is the same. Access was created, operationalised, and handed to another party without strong ownership of who can use it, for how long, and under what monitoring model. Security programmes need to recognise that this is not just malware delivery, it is unmanaged delegated access.
Identity blast radius is the right concept for trusted admin tooling used by attackers. Once a remote support path can execute commands, move files, and spawn follow-on payloads, the compromise is no longer a single endpoint event. It becomes a cross-system access problem that can spread across helpdesk processes, endpoint trust, and third-party administration relationships. Practitioners should measure the blast radius of every trusted remote channel and reduce the number of systems that can be reached through a single delegated path.
Proofpoint's disruption of the infrastructure did not eliminate the pattern, which is the real warning. The actor quickly surfaced another fake RMM site, showing that the business model is resilient even when one domain is taken down. That means defenders are not dealing with a one-off sample but with an adaptable access distribution pattern. Practitioners should plan for repeatable abuse of trusted remote access rather than isolated malware events.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and a further 47% reporting only partial visibility, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- That confidence gap shows why remote administration, delegated access, and third-party channels need explicit lifecycle ownership, as explored in NHI Lifecycle Management Guide.
What this signals
Trusted remote access will continue to blur into NHI governance, because the control surface is the access channel itself. When attackers can borrow the shape of legitimate RMM software, defenders need to know which remote tools are actually part of their identity estate and which are shadow access paths. The practical next step is to fold remote support and third-party administration into the same inventory and review discipline used for service accounts and other NHIs.
Identity blast radius should become a board-level metric for privileged tooling. A single remote access product can create command execution, file transfer, and lateral movement opportunities across many assets, which means one misjudged trust decision can scale quickly. Programmes that map exposed remote channels and compare them with ownership, approval, and revocation coverage will be better placed to reduce abuse.
The most useful control question is whether your organisation can prove which remote access tools are authorised, who owns them, and when each trust relationship expires. If that evidence is missing, the programme is operating on inherited trust rather than governed access, and that is exactly where fake RMM abuse succeeds.
For practitioners
- Inventory every remote administration path Map legitimate RMM tools, remote support portals, and helpdesk-admin workflows as delegated access channels. Record who can provision them, who approves them, and which systems they can reach.
- Validate software provenance before allowing execution Require internal allowlisting, publisher validation, and domain reputation checks before users can run remote access installers or scripts that establish interactive control.
- Separate signed software from trusted software Treat a valid signature as one signal, not a trust decision. Add behavioural inspection, first-seen review, and administrative approval for any installer that opens remote control or file transfer capability.
- Review revocation and offboarding for remote support accounts Ensure third-party remote access accounts, certificates, and subscription credentials have explicit owner, expiry, and revocation handling so they cannot persist after a contract or campaign changes.
Key takeaways
- TrustConnect shows that fake RMM malware is really an access governance problem disguised as a malware story.
- Proofpoint’s reporting shows how signed installers, branded lures, and remote desktop features can combine into a resilient attack path.
- Security teams should manage remote administration as delegated privileged access, with ownership, revocation, and provenance controls attached to it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI-03 maps to credential and access misuse in remote admin tooling. |
| MITRE ATT&CK | TA0001 , Initial Access; TA0008 , Lateral Movement; TA0011 , Command and Control | The campaign uses phishing delivery, remote access, and C2 operations. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions and remote support governance are central to the article. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is essential when remote tools can execute commands and transfer files. |
| NIST Zero Trust (SP 800-207) | Section 3.4 | Zero trust assumptions are challenged when trusted remote tools are abused. |
Reassess trust for remote administration paths using continuous verification and explicit authorisation.
Key terms
- Remote Monitoring and Management: Remote Monitoring and Management, or RMM, is software used to administer devices and systems from afar. In this context it becomes a high-risk control plane because it can reach many assets at once and often carries enough privilege to change configuration, suppress alerts, or trigger operational actions.
- Malware As A Service: A subscription-based criminal model where attackers rent access to malware, infrastructure, and operator tooling instead of building everything themselves. It industrialises delivery and support, which makes abuse more repeatable and the associated identity and access paths harder to distinguish from legitimate services.
- Code Signing Certificate: A code signing certificate is a digital credential used to prove that software came from a trusted publisher and has not been altered. In identity terms, it is a non-human identity that authorizes release activity, and its value depends on lifecycle control, key custody, and revocation discipline.
- Delegated Access Channel: Any path that allows one party to operate on behalf of another, such as remote support software, third-party admin access, or hosted control portals. These channels need lifecycle ownership because they can outlive the original approval, contract, or business need.
What's in the full report
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- Campaign artefacts and lure examples showing how the malware was distributed through email and hosted download links.
- C2 dashboard details, including subscription flow, device management, and operator controls.
- Indicator lists for TrustConnect, DocConnect, and related infrastructure that defenders can turn into detections.
- Timeline evidence showing how the infrastructure changed after disruption and revocation actions.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org