Signed Malware Mimicking Workplace Apps Deploys RMM Backdoors

In early 2026, a sophisticated phishing campaign surfaced that leveraged digitally signed malware to masquerade as trusted workplace applications. Threat actors distributed malicious executables that appeared to be legitimate software such as Microsoft Teams, Adobe Reader, and Zoom. The malicious binaries were signed with an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD, giving them an air of authenticity and enabling them to bypass many security controls that rely on certificate validation.

The attack began with deceptive emails that contained either fake PDF attachments or links that pretended to be meeting invitations, invoices, or project proposals. Once a user clicked the link or opened the attachment, the malicious executable was downloaded and executed. The payload then installed a suite of remote monitoring and management (RMM) tools—ScreenConnect, Tactical RMM, and Mesh Agent—providing the adversary with persistence, lateral movement, and command‑and‑control (C2) capabilities.

Attack Chain Overview

  1. Initial Delivery: Phishing emails with convincing subject lines and attachments. The attachment, when opened, triggers a download of an EV‑signed executable.

  2. Execution: The downloaded executable runs from the user’s Downloads folder, copies itself to C:\Program Files\Adobe Acrobat Reader\AdobeReader.exe, and registers a Windows service.

  3. Persistence: A Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) named TrustConnectAgent points to the copied executable, ensuring it starts on boot.

  4. C2 Connection: The service opens an outbound connection to trustconnectsoftware.com, establishing a foothold for further malicious activity.

  5. Payload Deployment: Encoded PowerShell commands download ScreenConnect MSI installers, which are executed via msiexec.exe. Once installed, the client creates additional registry entries under HKLM\SYSTEM\ControlSet001\Services\ScreenConnect Client to maintain persistence.

  6. Redundancy: The adversary also deploys Tactical RMM and Mesh Agent, ensuring multiple backdoor channels remain active even if one is detected or removed.

Indicators of Compromise

  • Executables signed by TrustConnect Software PTY LTD (EV certificate)
  • File hashes: ef7702ac5f574b2c046df6d5ab3e603a, 4c6251e1db72bdd0… (list continues)
  • Registry keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustConnectAgent
  • Service: ScreenConnect Client with unique hexadecimal client ID
  • Outbound connections to trustconnectsoftware.com
  • Suspicious PowerShell commands containing Invoke‑WebRequest, Start‑Process, and .msi

Mitigation & Protection Guidance

  • Deploy Windows Defender Application Control (WDAC) or AppLocker to block unapproved RMM tools. Specify publisher rules to reject the TrustConnect certificate.
  • Enable Microsoft Defender for Endpoint’s block certificate action for the EV certificate issued to TrustConnect Software PTY LTD.
  • Restrict software installation to approved IT management tools and enforce MFA for privileged accounts.
  • Activate cloud‑delivered protection and Safe Links/Safe Attachments in Microsoft Defender for Office 365.
  • Configure Zero‑hour Auto Purge (ZAP) to quarantine malicious emails retroactively.
  • Implement attack surface reduction rules to block PsExec, WMI, and arbitrary process creation.
  • Regularly audit installed services and registry Run keys for unknown entries.

Hunting Queries (Microsoft Defender XDR)

  • Detect TrustConnect signed files:
    DeviceFileCertificateInfo | where Issuer == "TrustConnect Software PTY LTD" or Signer == "TrustConnect Software PTY LTD" | join kind=inner (DeviceFileEvents | project SHA1, FileName, FolderPath, DeviceName, TimeGenerated) on SHA1 | project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, Issuer, Signer
  • Find masqueraded workplace applications by hash:
    DeviceFileEvents | where SHA256 has_any (File_Hashes_SHA256)
  • Locate malicious network connections:
    DeviceNetworkEvents | where RemoteUrl has "trustconnectsoftware.com"
  • Spot encoded PowerShell deployments of ScreenConnect:
    DeviceProcessEvents | where InitiatingProcessCommandLine has_all ("Invoke-WebRequest","-OutFile","Start-Process","ScreenConnect",".msi") | project Timestamp, DeviceId, DeviceName, InitiatingProcessCommandLine

Conclusion

This campaign demonstrates how attackers can exploit familiar branding and trusted digital signatures to bypass user vigilance and security controls. By embedding RMM tools within signed malware, they achieve persistence, lateral movement, and resilient command‑and‑control. Security teams must adopt a layered approach—enforcing application whitelisting, monitoring for anomalous services and registry changes, and leveraging advanced threat detection—to defend against this evolving threat vector.

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading