A new malware‑as‑a‑service platform is masquerading as a legitimate remote‑monitoring and management (RMM) solution, and it’s already catching IT teams off guard. The service, called TrustConnect, offers a fully signed Remote Access Trojan for about $300 a month, turning a routine remote‑support tool into a subscription‑based attack vector for organizations that rely on remote access.
How TrustConnect Turns RMM Into a RAT Service
TrustConnect pretends to be a SaaS RMM product: a clean dashboard, a “sign‑up” button and a glossy website. When you click the button, a silent installer drops onto the endpoint. Because the installer is EV‑signed, Windows accepts it without raising alarms, and the machine instantly registers to a control panel that the attackers operate.
Signed Installer Bypasses Defenses
The EV signature lets the payload slip past many endpoint security solutions. Once installed, the RAT gains full keyboard, screen and file‑system access. From that foothold, threat actors can push additional malware, exfiltrate credentials, or lay the groundwork for a ransomware strike.
Why the Subscription Model Raises the Stakes
Charging a monthly fee creates a scalable business for cybercriminals. A single subscription can grant access to dozens of clients, and the recurring revenue model encourages attackers to keep the service running and updated. The low price point—roughly $300 per month—makes it easy for small‑to‑mid‑size businesses to justify the expense, even if they think they’re buying a legitimate remote‑support tool.
What You Can Do to Protect Your Environment
Defending against TrustConnect starts with a hardened procurement process and continuous monitoring. Here are practical steps you can take right now:
- Verify code signatures: don’t trust a signed binary alone; cross‑check the publisher’s certificate against known‑good vendors.
- Sandbox new installers: run any remote‑support installer in an isolated environment before deployment.
- Watch network traffic: look for outbound connections to unknown RMM‑style domains or unusual remote‑control ports.
- Enforce a trusted‑list policy: limit which executables can run with elevated privileges on endpoints.
- Educate staff: remind users that a polished website isn’t proof of legitimacy—always confirm with your IT procurement team.
By tightening these controls, you’ll shrink the window attackers have to establish a foothold. If you spot an unexpected signed installer or see traffic heading to unfamiliar RMM domains, treat it as a high‑priority alert and investigate immediately.
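One way to apply the signature and trusted‑list checks above on a Windows endpoint, as an added example that is not from the original article: it separates "validly signed" from "signed by a publisher we approved". The scan folder and the thumbprint in the allowlist are placeholders (assumptions) to replace with values from your own procurement records.

```powershell
# Added example: flag installers that are validly signed but not from an approved publisher.
# The scan folder and thumbprint are placeholders (assumptions), not values from the article.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [string[]]$Extensions = @('.exe', '.msi')
)

# Signer-certificate thumbprints of remote-support vendors that procurement has vetted.
$ApprovedThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder thumbprint
)

function Get-InstallerVerdict {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$Approved
    )
    $sig  = Get-AuthenticodeSignature -LiteralPath $FilePath
    $cert = $sig.SignerCertificate   # $null when the file is unsigned

    # A valid signature only proves who signed the file; trust comes from the allowlist.
    $verdict = if ($sig.Status -ne 'Valid') {
        'BLOCK: unsigned or signature not valid'
    } elseif ($cert -and ($Approved -contains $cert.Thumbprint)) {
        'ALLOW: approved publisher'
    } else {
        'REVIEW: valid signature, publisher not approved'
    }

    [pscustomobject]@{
        File       = $FilePath
        Status     = $sig.Status
        Publisher  = if ($cert) { $cert.Subject } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Verdict    = $verdict
    }
}

# Report every installer under $Path that is not on the approved-publisher list.
Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object { Get-InstallerVerdict -FilePath $_.FullName -Approved $ApprovedThumbprints } |
    Where-Object { $_.Verdict -notlike 'ALLOW*' } |
    Sort-Object Verdict |
    Format-Table -AutoSize -Wrap
```

Rows marked REVIEW are the case this article describes: a signature that validates but belongs to a publisher nobody in procurement approved.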
