TrustConnect

TrustConnect is a malware-as-a-service (MaaS) remote access trojan (RAT) masquerading as a legitimate remote monitoring and management (RMM) tool (“TrustConnect Agent”). It was marketed via an LLM-created fake vendor website/portal on trustconnectsoftware[.]com (claiming to be “TrustConnect Software PTY LTD”), which also functioned as the criminal signup portal and the malware’s command-and-control (C2) infrastructure. The service was advertised at $300/month, with customers instructed to pay in cryptocurrency and verify payment via transaction hash; signup included OTP verification via Zoho transactional email integration.

Distribution was observed via phishing email campaigns using common business lures (e.g., taxes, DocuSign/document shares, meeting invitations, event invites, bid proposals, and government-themed content), including English and French messages sent from compromised senders. Phishing links delivered bogus executables (e.g., “MsTeams.exe” and other branded installers mimicking Zoom, Microsoft Teams, Adobe Reader, Google Meet, and document-style filenames like “Proposal,” “Special Events,” “Social Security Administrative”) that installed/dropped TrustConnectAgent.exe, which then communicated with the TrustConnect C2.

Capabilities described include a web-based multi-tenant C2/dashboard with automated payload generation and centralized management, command execution, file transfer, system information viewing, and remote desktop control. The remote desktop feature supported full mouse/keyboard control, screen recording/streaming, multi-display switching, UAC bypass, and hiding operator activity; streaming was reported to use an unauthenticated WebSocket. TrustConnect malware traffic used standard SSL/TLS without additional encryption and communicated with the same API as the web panel.

Operationally, Proofpoint observed hands-on-keyboard activity within minutes of installation and assessed TrustConnect was used by multiple threat actors. Infections were frequently followed by deployment of legitimate remote access tools (notably ScreenConnect; also LogMeIn Resolve and Level RMM were observed). ScreenConnect deployments were seen from at least nine distinct self-hosted servers over a 10-day period, using older versions signed with expired/revoked certificates.

The operator obtained an Extended Validation (EV) code-signing certificate in the name of “TrustConnect Software PTY LTD” (purportedly Alexandra, South Africa) and used it to sign TrustConnect binaries to reduce detection; the certificate was revoked on 6 Feb 2026 (revocation not backdated, so previously signed files remained valid). Proofpoint coordinated disruption of TrustConnect infrastructure around 17 Feb 2026, after which the operator pivoted to parallel infrastructure and a rebranded successor platform/payload called DocConnect (also referenced as “SHIELD OS v1.0”), with C2 noted as networkservice[.]cyou. Proofpoint assessed with moderate confidence that the TrustConnect actor was also a prominent RedLine Stealer user/customer.

High-confidence indicators mentioned: trustconnectsoftware[.]com (TrustConnect C2/portal), 178[.]128[.]69[.]245 (TrustConnect C2 IP), networkservice[.]cyou (DocConnect C2 domain), and Telegram handle @zacchyy09 (listed for support/sales in the panel).