Crims create fake remote management vendor that actually sells a RAT
The Register
February 19, 2026
AI-Generated Deep Dive Summary
Cybercriminals have created a fake remote management vendor called TrustConnect, which masquerades as legitimate enterprise software for $300 a month. In reality, it is a remote access trojan (RAT) sold as a service, referred to as RATaaS. The criminals behind this operation went to great lengths to make their product appear legitimate by creating a fake business website and obtaining a legitimate Extended Validation (EV) code-signing certificate. This allowed the malware to bypass security controls and gain credibility. Initially, even Proofpoint’s threat hunters were fooled into thinking TrustConnect was another legitimate RMM tool being abused.
The rise of remote monitoring and management (RMM) tools as preferred attack vectors has made them a top target for cybercriminals. These tools provide direct access to victim machines, enabling the deployment of ransomware, info-stealers, and other malicious activities. The TrustConnect malware provides full mouse and keyboard control, screen recording/streaming capabilities, file transfer, command execution, and user account control bypass. This level of functionality makes it a powerful tool for attackers seeking long-term access to infected systems.
The domain trustconnectsoftware[.]com was created on January 12 and likely designed using AI. The website includes fake customer statistics and software documentation to appear legitimate, with purchases made via cryptocurrency. The domain also served as a command-and-control (C2) center for the malware. By obtaining an EV certificate, the criminals furthered their goal of appearing trustworthy. However, this certificate was revoked on February 6, though any files signed before that remain valid.
Proofpoint disrupted the malware’s C2 infrastructure on February
Verticals
tech
Originally published on The Register on 2/19/2026