Attackers use a dual-purpose website: The TrustConnect website has realistic marketing language, feature descriptions, and documentation that serves both as a public-facing front to promote the software and as a backend portal for customers who purchase access to the tool’s malicious services.”Cybercriminals are instructed to sign up for a ‘free trial,’ instructed on how to pay in cryptocurrency, and then verify payment in the TrustConnect portal,” the researchers said, adding that the customers are charged $300 per month for a web-based C2 dashboard with a list of devices that have the RAT installed. A subscription allows executing commands, transferring files and connecting remotely to the infected devices.Additionally, the subscribers get a downloadable EXE file recommended to upload on their own hosting for controlled targeting and better results.The trustconnectsoftware[.]com domain was created on Jan. 12, 2026.”The malware creator (also) uses the domain as the ‘business website’ designed to convince the public (including certificate providers) that the software is a legitimate RMM app, providing fake details like customer statistics and software documentation,” Proofpoint researchers wrote.Proofpoint suspects the actor used large language models (LLMs) to create TrustConnect. It shared a list of indicator URLs to support detection efforts, warning that TrustConnect has potential to become a full-blown campaign, now with a more advanced variant, DocConnect.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4135307/dont-trust-trustconnect-this-fake-remote-support-tool-only-helps-hackers.html
