
Volume 335, Issue 3 · IT Vendor News · Proofpoint

(Don't) TrustConnect: It's a RAT in an RMM hat

Proofpoint, Thursday, February 19th, 2026

RMM tools continue to be many attackers' top choice for initial access. Enterprise remote support software such as SimpleHelp, SuperOps, Datto, N-able and others is frequently delivered via email campaigns by cybercrime actors or used as a follow-on payload once an actor achieves initial access.

Key findings
  • Proofpoint observed a new malware-as-a-service (MaaS) masquerading as a legitimate remote monitoring and management (RMM) tool. It calls itself TrustConnect.
  • The 'business page', clearly created by automated tooling of some kind, is actually the login for the MaaS. As of this writing, access was advertised at $300 per month.
  • Based on details of the malware creator, capabilities of the malware, and knowledge of the ecosystem, we assess with moderate confidence the threat actor behind TrustConnect was also a prominent user of Redline stealer.
  • Proofpoint, in collaboration with intelligence partners, disrupted some of the malware's infrastructure, causing an impact to cybercrime activities. But the actor demonstrated resilience, with another fake RMM website identified shortly before publication that advertised malware called DocConnect.

At the end of January, Proofpoint observed a weird twist on the RMM landscape: a threat actor created malware masquerading as an RMM called 'TrustConnect Agent.'
