A fake remote monitoring tool, supported by a subscription service and a website used to promote it, is used to manage compromised systems.
Analysis Summary
# Tool/Technique: TrustConnect (and DocConnect variant)
## Overview
TrustConnect is a malicious Remote Monitoring and Management (RMM) tool marketed as legitimate software, supported by a subscription service and a deceptive website. Its primary purpose is to function as a Remote Access Trojan (RAT) to manage compromised systems controlled by threat actors subscribing to its service. A more advanced variant, DocConnect, has also been observed.
## Technical Details
- Type: Malware family (Remote Access Trojan/RMM disguised)
- Platform: Windows (inferred from the EXE download and RMM functionality; the source does not explicitly name the OS for the payload, but the context implies typical endpoint targeting)
- Capabilities: Remote command execution, file transfer, remote connection to infected devices, management via a web-based Command and Control (C2) dashboard.
- First Seen: The associated domain `trustconnectsoftware[.]com` was created on January 12, 2026 (Note: This date appears chronologically inconsistent with the article's context and may be a typo in the source material, referring to 2024 or earlier based on typical reporting timelines).
## MITRE ATT&CK Mapping
Since the tool functions as a RAT delivered covertly, the mapping focuses on initial access, execution, and command and control aspects implied by its structure.
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Implied by lure leading to download)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (Used for C2 communication via the web-based dashboard)
- **TA0002 - Execution**
  - T1204 - User Execution
    - T1204.002 - Malicious File (Victims executing the downloaded file)
- **TA0010 - Exfiltration** (Implied by file transfer capability)
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **RMM Impersonation:** Marketed with realistic documentation and features to obscure its malicious nature.
- **Infection Registration:** Automatically registers infected systems onto the operator’s (attacker's) proprietary C2 web panel upon execution.
- **Subscription Model:** Operated via a subscription service ($300/month) granting access to the backend C2 dashboard.
### Advanced Features
- **Web-Based C2 Dashboard:** Provides a centralized portal for managing compromised devices.
- **Remote Operations:** Allows subscribers to execute commands, transfer files, and establish remote connections to victims.
- **Distributability:** Subscribers are given a downloadable EXE file to upload to their own hosting for targeted deployment.
- **LLM Generation Suspected:** Proofpoint suspects the malware creator utilized Large Language Models (LLMs) in development.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: TrustConnect installer (the lure itself); ScreenConnect and LogMeIn Resolve are named in the source as comparison lures.
- Registry Keys: [Not provided in the text]
- Network Indicators: `trustconnectsoftware[.]com` (defanged)
- Behavioral Indicators: Automatically registering a device via a web form upon local execution of the downloaded file.
## Associated Threat Actors
- The specific threat actor is not named, but they operate the TrustConnect Malware-as-a-Service (MaaS) platform.
## Detection Methods
- Signature-based detection: Requires signatures for the specific TrustConnect/DocConnect binaries.
- Behavioral detection: Monitoring for unusual registration activity following the execution of seemingly legitimate software installers, or outbound communication to the campaign's domain.
- YARA rules: [Not provided in the text]
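The behavioral indicator above (registration traffic right after a downloaded installer runs) and the detection method of watching for outbound contact with the campaign domain can be expressed as one correlation rule. The script below is an added example, not code from the report or from Proofpoint: it refangs the report's defanged domain for matching, parses constructed Sysmon-style process-creation and network log lines (the `key=value` format and field names are assumptions for this example), and raises an alert whenever a host contacts the C2 domain, noting any binary that executed on that host within the preceding five minutes and whether it ran from a download or temp directory.

```python
"""Added example (not from the original report): correlate process execution with
outbound traffic to the TrustConnect C2 domain listed in the report's IoCs.

Assumptions: the key=value log format, field names and sample events below are
constructed for this example; real Sysmon/EDR/proxy telemetry uses other schemas.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicator from the report, kept defanged at rest so it is never resolved by accident.
DEFANGED_C2_DOMAINS = ["trustconnectsoftware[.]com"]


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('[.]', 'hxxp') into a matchable hostname/URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d).lower() for d in DEFANGED_C2_DOMAINS}

# Constructed sample telemetry (not real victim data).
PROCESS_EVENTS = [
    "2024-03-01T10:00:05Z host=WS01 user=alice event=ProcessCreate image=C:\\Users\\alice\\Downloads\\TrustConnect_Setup.exe",
    "2024-03-01T10:20:00Z host=WS02 user=bob event=ProcessCreate image=C:\\Windows\\System32\\notepad.exe",
]
NETWORK_EVENTS = [
    "2024-03-01T10:00:09Z host=WS01 event=DnsQuery query=trustconnectsoftware.com",
    "2024-03-01T10:00:10Z host=WS01 event=HttpRequest method=POST url=https://trustconnectsoftware.com/register",
    "2024-03-01T10:21:00Z host=WS02 event=DnsQuery query=example.org",
    "2024-03-01T11:30:00Z host=WS03 event=DnsQuery query=trustconnectsoftware.com",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
# Paths a freshly downloaded lure installer typically runs from (assumed heuristic).
DOWNLOAD_DIR_RE = re.compile(r"\\Downloads\\|\\Temp\\", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Parse '<iso-timestamp> key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    event.update(KV_RE.findall(rest))
    return event


def event_hostname(event: dict):
    """Extract the destination hostname from a DNS query or an HTTP request event."""
    if "query" in event:
        return event["query"].lower()
    if "url" in event:
        return (urlsplit(event["url"]).hostname or "").lower()
    return None


def contacts_c2(event: dict) -> bool:
    host = event_hostname(event)
    return host is not None and host in C2_DOMAINS


def correlate(process_lines, network_lines, window=timedelta(minutes=5)) -> list:
    """Alert on every C2 contact; attach processes started on the same host shortly before."""
    procs = [parse_event(line) for line in process_lines]
    alerts = []
    for line in network_lines:
        net = parse_event(line)
        if not contacts_c2(net):
            continue
        recent = [
            p for p in procs
            if p.get("host") == net.get("host")
            and timedelta(0) <= net["ts"] - p["ts"] <= window
        ]
        alerts.append({
            "host": net.get("host"),
            "ts": net["ts"].isoformat(),
            "c2_event": net.get("event"),
            "recent_images": [p["image"] for p in recent],
            # High confidence when a binary from a download/temp path ran just before.
            "from_download_dir": any(DOWNLOAD_DIR_RE.search(p["image"]) for p in recent),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(alert)
```

The domain match alone is enough to alert (WS03 fires with no recent process), while the process correlation adds the context an analyst needs to triage quickly: which installer ran, and whether it came from a user download path. The same `refang` helper is what you would use to turn the report's defanged indicator into an entry for a DNS sinkhole or proxy blocklist.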
## Mitigation Strategies
- **Vigilance against Lures:** Be highly suspicious of unsolicited installation requests, even if they appear to be for legitimate RMM/support tools (ScreenConnect, LogMeIn Resolve).
- **Subscription Verification:** Treat any remote-management tool sold only through an online portal that demands cryptocurrency payment as untrusted; organizations should neither subscribe to it nor grant it access.
- **Network Filtering:** Block access to the C2 domain: `trustconnectsoftware[.]com`.
## Related Tools/Techniques
- Remote Access Trojans (RATs)
- Ransomware/Extortion operations utilizing RMM delivery chains.
- Other RMM/Remote Support Tools used as social engineering lures (ScreenConnect, LogMeIn Resolve).
- DocConnect (Advanced variant).