
Mesh Agent

Mesh Agent is a remote access and remote management tool observed being deployed by threat actors as a post-exploitation payload. In the provided reporting, it appeared in at least two contexts: as a final payload in a large-scale malware campaign identified by McAfee in January 2026, and in multiple April 2025 intrusion cases analyzed by Huntress involving exploitation of CVE-2025-31161 in CrushFTP and CVE-2025-30406 in Gladinet CentreStack/Triofox. In the McAfee-tracked campaign, victims were infected through trojanized ZIP archives masquerading as legitimate software such as AI tools, game hacks, VPNs, drivers, decryptors, and infostealer tools. The infection chain used DLL side-loading via WinUpdateHelper.dll, browser redirection to a fake dependency download, persistence through a Windows service named Microsoft Console Host, and in-memory PowerShell execution; in some cases that PowerShell payload delivered Mesh Agent alongside other payloads such as SalatStealer and cryptocurrency miners. In the Huntress cases, attackers deployed Mesh Agent via PowerShell commands after exploiting internet-facing software vulnerabilities. Several CrushFTP incidents involved Mesh Agent being installed from C:\Windows\Temp and configured to connect to hxxps://rtb[.]mftadsrvr[.]com:2087; related reporting also states it was configured to connect to rtb[.]mftadsrvr[.]com. The same activity cluster also involved IP address 2.58.56[.]16, downloads from 196.251.85[.]31 in some cases, and associated delivery of a malicious d3d11.dll and a renamed executable, Centre.exe, detected as Cobalt Strike. High-confidence indicators directly mentioned in the content include rtb[.]mftadsrvr[.]com, hxxps://rtb[.]mftadsrvr[.]com:2087, installation from C:\Windows\Temp, and association with exploitation of CrushFTP and Gladinet CentreStack/Triofox vulnerabilities.
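Detection logic over sample telemetry, added here as an illustration and not part of the original page or of Mallory's product: it turns the indicators named in the summary above (Mesh Agent launched from C:\Windows\Temp via PowerShell, the rtb.mftadsrvr.com:2087 C2, the Microsoft Console Host service, WinUpdateHelper.dll side-loading) into checks run over constructed log lines. The key="value" log format, the field names and the sample events are assumptions, not any real EDR schema.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the summary (defanged values re-fanged for matching); the log
# format, field names and sample events below are constructed for illustration.
C2_HOST = "rtb.mftadsrvr.com"
C2_PORT = "2087"
STAGING_DIR = "c:\\windows\\temp\\"
SERVICE_NAME = "microsoft console host"
SIDELOAD_DLL = "winupdatehelper.dll"

def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" log line into a dict with lowercase keys."""
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', line)}

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of the page's indicators that this single event matches."""
    kind, hits = ev.get("event", ""), []
    image, cmd = ev.get("image", "").lower(), ev.get("cmdline", "").lower()
    module = ev.get("module", "").lower()
    if kind == "process" and image.startswith(STAGING_DIR) and "meshagent" in cmd:
        hits.append("meshagent-run-from-windows-temp")
    if kind == "process" and "powershell" in image and "meshagent" in cmd:
        hits.append("powershell-deploys-meshagent")
    if kind == "network" and ev.get("dest_host", "").lower() == C2_HOST:
        hits.append("c2-host-rtb.mftadsrvr.com")
        if ev.get("dest_port") == C2_PORT:
            hits.append("c2-port-2087")
    if kind == "service" and ev.get("name", "").lower() == SERVICE_NAME:
        hits.append("service-microsoft-console-host")
    if kind == "imageload" and module.endswith(SIDELOAD_DLL) and not module.startswith("c:\\windows\\"):
        hits.append("sideloaded-winupdatehelper.dll")  # DLL loaded from a user-writable path
    return hits

def hunt(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Classify every line; return (1-based line number, hits) for lines that matched."""
    return [(i, h) for i, ln in enumerate(lines, 1) if (h := classify(parse_line(ln)))]

# Constructed sample telemetry: five events shaped like the chain described above,
# followed by two benign events that must not fire.
SAMPLE_LOGS = [
    r'event="process" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -w hidden -c Start-Process C:\Windows\Temp\MeshAgent.exe -fullinstall"',
    r'event="process" image="C:\Windows\Temp\MeshAgent.exe" cmdline="C:\Windows\Temp\MeshAgent.exe -fullinstall"',
    r'event="network" image="C:\Windows\Temp\MeshAgent.exe" dest_host="rtb.mftadsrvr.com" dest_port="2087"',
    r'event="service" name="Microsoft Console Host" image="C:\ProgramData\Update\conhost.exe"',
    r'event="imageload" image="C:\Users\Public\AITool\setup.exe" module="C:\Users\Public\AITool\WinUpdateHelper.dll"',
    r'event="network" image="C:\Program Files\Mozilla Firefox\firefox.exe" dest_host="example.com" dest_port="443"',
    r'event="process" image="C:\Windows\System32\conhost.exe" cmdline="\??\C:\Windows\system32\conhost.exe 0x4"',
]
```

Calling hunt(SAMPLE_LOGS) flags lines 1 to 5 with their matching indicator names and leaves the two benign events unflagged.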


MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

4 techniques
T1133 External Remote Services (evidence: 1)

“Key tools include remote management software like SimpleHelp and AnyDesk, as well as Mesh Agent for remote access.”

T1566 Phishing (evidence: 1)

Microsoft Defender Experts identified multiple phishing campaigns... The campaigns used workplace meeting lures, PDF attachments... Phishing emails directed users to download malicious executables masquerading as legitimate software.

T1566.001 Spearphishing Attachment (evidence: 2)

In one observed campaign, victims received the following email which included a fake PDF attachment... A red button labeled “Open in Adobe” encouraged the user to click... when clicked... redirects users to a spoofed webpage crafted to closely mimic Adobe’s official download center.

T1566.002 Spearphishing Link (evidence: 1)

These messages contained embedded phishing links that led users to download software impersonating trusted applications. The fraudulent sites displayed “out of date” or “update required” prompts designed to induce rapid user action.

Execution

2 techniques
T1059.001 PowerShell (evidence: 2)

Following the installation phase, the masqueraded workplace executables (TrustConnect RMM) initiated encoded PowerShell commands designed to download additional payloads from the attacker-controlled infrastructure.

T1574.011 Services Registry Permissions Weakness (evidence: 1)

It was found to have a common service modified to run an executable under the Default user’s appdata\local\temp folder. The executable utilizes an expired Webroot signature. C:\Users\Default\AppData\Local\Temp\service.exe

Persistence

1 technique
T1133 External Remote Services (evidence: 1)

“Key tools include remote management software like SimpleHelp and AnyDesk, as well as Mesh Agent for remote access.”

Stealth

2 techniques
T1036 Masquerading (evidence: 2)

The lures directed users to download malicious executables masquerading as legitimate software, including msteams.exe, trustconnectagent.exe, adobereader.exe, zoomworkspace.clientsetup.exe, and invite.exe.

T1574.011 Services Registry Permissions Weakness (evidence: 1)

It was found to have a common service modified to run an executable under the Default user’s appdata\local\temp folder. The executable utilizes an expired Webroot signature. C:\Users\Default\AppData\Local\Temp\service.exe

Lateral Movement

1 technique
T1021 Remote Services (evidence: 2)

“attacker could remotely control the system, move laterally across the network, harvest sensitive data, and push additional payloads” | “silently deployed remote monitoring and management (RMM) tools, specifically ScreenConnect, Tactical RMM, and Mesh Agent, giving the attacker persistent and stealthy control”

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 1)

At this stage, the service established an outbound network connection to the attacker-controlled Command and Control (C2) domain: trustconnectsoftware[.]com

T1105 Ingress Tool Transfer (evidence: 1)

These PowerShell commands retrieved the ScreenConnect client installer files (.msi) and staged them within the systems’ temporary directory paths in preparation for secondary deployment.

T1219 Remote Access Tools (evidence: 2)

The executable was a golang binary used as a loader for a Mesh Agent executable, a common remote access tool, within the same directory titled web.exe.
