Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Fake RMM malware and abused remote access tools: what now?


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 257
Topic starter  

TL;DR: A malware-as-a-service platform masquerading as a legitimate RMM tool, with a $300 monthly subscription, EV-signed installers, and campaigns that abused trusted remote access channels for delivery and follow-on payloads, was identified by Proofpoint. The real lesson is that trust branding, code signing, and familiar admin tooling can be weaponised into an access layer that outpaces conventional detection and review.

NHIMG editorial — based on content published by Proofpoint: TrustConnect, a fake RMM malware-as-a-service operation

By the numbers:

Questions worth separating out

Q: What breaks when attackers disguise malware as a legitimate remote support tool?

A: What breaks is the trust boundary around remote administration.

Q: Why do fake RMM tools create more risk than ordinary malware delivery?

A: Fake RMM tools matter because they are not just payloads, they are access channels.

Q: How should security teams evaluate signed remote administration software?

A: Security teams should evaluate signed remote administration software as a privileged trust decision, not a binary allow or block question.

Practitioner guidance

  • Inventory every remote administration path Map legitimate RMM tools, remote support portals, and helpdesk-admin workflows as delegated access channels.
  • Validate software provenance before allowing execution Require internal allowlisting, publisher validation, and domain reputation checks before users can run remote access installers or scripts that establish interactive control.
  • Separate signed software from trusted software Treat a valid signature as one signal, not a trust decision.

What's in the full report

Proofpoint's full article covers the operational detail this post intentionally leaves for the source:

  • Campaign artefacts and lure examples showing how the malware was distributed through email and hosted download links.
  • C2 dashboard details, including subscription flow, device management, and operator controls.
  • Indicator lists for TrustConnect, DocConnect, and related infrastructure that defenders can turn into detections.
  • Timeline evidence showing how the infrastructure changed after disruption and revocation actions.

👉 Read Proofpoint's analysis of the TrustConnect fake RMM malware operation →

Fake RMM malware and abused remote access tools: what now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Trusted remote administration is now a governance boundary, not just a tooling choice. When attackers package remote access as a legitimate-looking RMM, the real issue is that identity and access controls are being inherited from the software category rather than the operator. That creates a gap between what security teams think is approved remote support and what is actually attacker-controlled access. Practitioners should treat any remote administration pathway as a delegated identity channel with lifecycle controls, review points, and revocation expectations.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and a further 47% reporting only partial visibility, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a remote access pathway gives an attacker broad internal reach?

A: Accountability usually sits across IAM, infrastructure, and application owners, but the control failure is often a governance issue rather than a single technical mistake. Teams should be able to show who approved the access model, who owns third-party access, and who is responsible for revocation.

👉 Read our full editorial: TrustConnect shows how fake RMM malware rides trusted access



   
ReplyQuote
Share: