{
	"id": "d3ca5e28-a8ee-4845-80fe-fc0f2b88368b",
	"created_at": "2026-04-06T00:16:10.204872Z",
	"updated_at": "2026-04-10T03:23:51.803851Z",
	"deleted_at": null,
	"sha1_hash": "08cb419832645964d3f218a73b7399cf322f1837",
	"title": "(Don't) TrustConnect: It's a RAT in an RMM hat | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4644912,
	"plain_text": "(Don't) TrustConnect: It's a RAT in an RMM hat | Proofpoint US\r\nBy the Proofpoint Threat Research Team, February 19, 2026\r\nPublished: 2026-02-18 · Archived: 2026-04-05 18:01:18 UTC\r\nKey findings\r\nProofpoint observed a new malware-as-a-service (MaaS) masquerading as a legitimate remote monitoring and management (RMM) tool. It calls itself TrustConnect.\r\nThe “business page” – clearly created by automated tooling of some kind – is actually the login for the MaaS. As of this writing, access was advertised at $300 per month.\r\nBased on details of the malware creator, capabilities of the malware, and knowledge of the ecosystem, we assess with moderate confidence that the threat actor behind TrustConnect was also a prominent user of Redline stealer.\r\nProofpoint, in collaboration with intelligence partners, disrupted some of the malware’s infrastructure, impacting cybercrime activity. But the actor demonstrated resilience: another fake RMM website, advertising malware called DocConnect, was identified shortly before publication.\r\nOverview\r\nRMM tools continue to be many attackers’ top choice for initial access. Enterprise remote support software such as SimpleHelp, SuperOps, Datto, N-able and others is frequently delivered via email campaigns by cybercrime actors or used as a follow-on payload once an actor achieves initial access. (As always, the legitimate RMM tools mentioned in this report are just that: legitimate. It’s the threat actors doing the abusing. We call out brand names strictly to explain what the actors misused, not because the vendors themselves had any hand in the activity.)\r\nBut at the end of January, Proofpoint observed a weird twist on the RMM landscape: a threat actor created malware masquerading as an RMM called “TrustConnect Agent.”\r\nInitially, TrustConnect appeared to be another legitimate RMM tool being abused. 
Given the sheer number of existing remote administration tools available for threat actors to choose from, and their prevalence in the threat landscape, it could have made sense. But upon investigation, Proofpoint researchers identified evidence showing that TrustConnect is actually a new malware-as-a-service (MaaS) classified as a remote access trojan (RAT).\r\nTrustConnect details\r\nMalware portal\r\nThe malware domain, trustconnectsoftware[.]com, was created on 12 January 2026. This site purports to be an RMM tool called TrustConnectAgent. The malware creator uses the domain as the “business website” designed to convince the public (including certificate providers) that the software is a legitimate RMM app, providing fake details like customer statistics and software documentation. Proofpoint suspects the actor used an LLM to create the site.\r\nThis website is also the portal for criminals to sign up for the service and acts as the command and control (C2) for the malware. Cybercriminals are instructed to sign up for a \"free trial\", instructed on how to pay in cryptocurrency, and then verify payment in the TrustConnect portal.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat\r\nPage 1 of 23\n\nFigure 1. TrustConnect “business website”.\r\nThe website is also the front the actor used to purchase a legitimate Extended Validation (EV) certificate in the name of \"TrustConnect Software PTY LTD\", supposedly based in Alexandra, South Africa. The certificate was valid from 27 January, and the actor used this EV certificate to sign the malware. Obtaining an EV certificate costs thousands of dollars and requires additional validation of the organization behind the domain, beyond proving control of the domain itself. Such certificates are supposed to demonstrate that the domain and the related business are trustworthy. When used by threat actors, they can help criminals evade signature-based detections. 
Threat actors can pay malicious providers for EV certificates or apply for them directly under a front company, as happened here.\r\nIn collaboration with fellow researchers at The Cert Graveyard, Proofpoint was able to get the EV certificate revoked on 6 February 2026, removing the trick the actor was using to bypass security tools and adding friction to their operations. However, the revocation was not backdated, so the previously signed files remained valid: Authenticode evaluates a timestamped signature against the certificate’s status at the time of signing, so binaries signed before the revocation date still verify. This aligns with the actor stopping new subscriptions, but existing customers could still distribute the files via email campaigns.\r\nCampaign details\r\nThreat actors in the RMM ecosystem frequently rotate payloads, so a single URL can lead to different malware or abused RMMs over the course of a campaign. Although some low-volume testing was likely done in previous weeks (based on similar file sizes and file naming), threat actors were confirmed to be distributing TrustConnect on 27 January, correlating with the date the seller began digitally code signing the software. Proofpoint has observed campaigns from multiple different threat actors distributing this malware.\r\nFor example, beginning on 26 January we observed a campaign purporting to be bid invitations and event invitations. Messages were sent from compromised senders and email body copy included both English and French.\r\nFigure 2. Bid invite lure distributing TrustConnect RAT.\r\nFigure 3. French language lure distributing TrustConnect RAT.\r\nMessages contained URLs leading to an executable file \"MsTeams.exe\". 
The MsTeams file Proofpoint retrieved on 30 January 2026 was signed with the original filename “MsTeams.dll” and an EV signature dated 29 January belonging to “TrustConnect Software PTY LTD.”, meaning that earlier in the campaign the threat actor either used an unsigned executable or some other payload. The executable dropped a file called \"TrustConnectAgent.exe\" which communicated with the TrustConnect RAT C2 server and likely led to the installation of additional payloads.\r\nFigure 4. Payload EV cert timeline.\r\nThreat actors distributing TrustConnect have used a variety of lure themes including taxes, document shares, meeting invitations, events, and government themes. The MaaS provides templates for many different kinds of brand abuse, which we describe in the next section.\r\nInterestingly, researchers also observed campaigns delivering multiple different RMMs alongside TrustConnect. One campaign observed over a four-day period leveraged a single sender, with lures containing overlapping payload URLs, to deliver multiple executables in late January 2026.\r\nFigure 5. Due diligence themed lure delivering LogMeIn RMM.\r\nProofpoint observed the following variations of the campaign:\r\n31 January and 01 February: messages contained URLs leading to an executable file which, if executed, installed ScreenConnect.\r\n03 February: messages contained URLs leading to an executable file which, if executed, installed LogMeIn Resolve.\r\n03 February: messages contained URLs leading to an executable file \"reference_letter_sign.exe\". This dropped a file called \"TrustConnectAgent.exe\", leading to the installation of TrustConnect RAT.\r\nAdditionally, Proofpoint has observed TrustConnect campaigns leading to the follow-on deployment of a legitimate remote access tool, typically ScreenConnect. 
Proofpoint observed TrustConnect deploying ScreenConnect from at least nine distinct on‑premises (self‑hosted) ScreenConnect servers over a 10‑day period. All were older versions signed with expired or revoked certificates, suggesting the instances were illegitimately purchased previously or possibly pirated. Proofpoint also observed deployment of Level RMM via an abused account, as well as hands‑on-keyboard activity. This activity occurred within minutes of TrustConnect installation, reinforcing the assessment that it is used by multiple threat actors. (We reported it to Level, and the account was disabled by the vendor.)\r\nThe use of legitimate remote enterprise tooling both alongside TrustConnect and as a follow-on payload suggests this RAT is deeply embedded in the overall ecosystem of threat actors abusing these tools, and the MaaS provider is likely selling to the same customers who abuse real RMM payloads and infrastructure in campaigns.\r\nMalware capabilities and C2 panel\r\nThe platform provides a web-based C2 dashboard, automated payload generation with digital signatures, and a subscription-based access model which costs $300 per month paid via cryptocurrency. The centralized C2 server, trustconnectsoftware[.]com, manages multiple customers.\r\nFigure 6. TrustConnect public sign-in page with link to free sign up.\r\nAfter registering for a free account, which requires the user to enter their email and \"company name\" and create a password, they are prompted to verify their account with a one-time password (OTP) delivered by email via an integration with the Zoho transactional email service.\r\nFigure 7. OTP code for account verification at sign-up. 
\r\nFigure 8. OTP entry.\r\nOnce the email has been verified, the visitor is redirected to a subscription page which, despite the earlier statement that a free trial was available, claims that the account is blocked and that payment is needed to continue using the service.\r\nFigure 9. TrustConnect subscription dashboard.\r\nThe subscription dashboard states that the subscription costs U.S. $300/month and that payments can be made in the cryptocurrencies Bitcoin or USDT. It provides wallet addresses to pay in either of these currencies. After manual payment, the customer needs to paste the transaction hash (publicly available on the blockchain) and click a button to verify the transaction. The verification is performed automatically by the server, which checks on the blockchain that a transaction to the wallet has occurred and that the same transaction hasn’t been registered in the panel previously. This suggests that the seller keeps a database of payments recording who paid and when. This, combined with the requirement for an email address, makes the payment less anonymous than customers might think.\r\nEven though the server-side blockchain verification checks that the transaction happened, it doesn’t check whether the transaction happened before the service opened for registration, so an older transfer to the same wallet would also pass the check.\r\nFigure 10. Infected devices page (with mock devices).\r\nThe Device page of the C2 dashboard lets the attacker see the devices that have the RAT installed. It’s possible to execute pre-defined commands or run custom commands directly on the device, transfer files to the device, view system information and connect to the device via a remote desktop function. 
It’s also possible to organize the devices into different custom groups. This page, like others, carries scrolling text that states “Note: Download the EXE, then upload to your own hosting/domain. Send your hosted link to targets for best results - avoids browser flagging.”\r\nThe C2 dashboard provides a real-time audit of connected devices, with a timeline feature that shows the relevant actions taken through the MaaS, such as registration, deployment of the RAT, commands executed and so on.\r\nFigure 11. TrustConnect audit dashboard.\r\nNotably, there doesn’t seem to be any functionality to disable or clear the audit log, making it hard for the attacker to erase evidence of malicious activity.\r\nFigure 12. RDP dashboard view.\r\nThe remote desktop management function includes features for full mouse and keyboard control, surveillance of the compromised host, UAC bypass, the ability to hide operator activity from the victim, screen recording, and the ability to switch between victim displays. The screen is streamed via an unauthenticated WebSocket.\r\nTrustConnect generates “branded” installers that bundle legitimate icons and metadata with payload delivery. The brands used are commonly observed across the ecrime threat landscape and are frequently seen as lures in other cybercriminal RMM campaigns. Lures include:\r\nCorporate: Zoom, Microsoft Teams, Adobe Reader, Google Meet.\r\nGovernment and Business: \"Proposal\", \"Special Events\", \"Social Security Administrative\"\r\nAs well as a generic installer just branded as “TrustConnect”, likely designed to masquerade as a real RMM.\r\nFigure 13. Advertised \"branded\" installers. 
\r\nEach one of the installers can be downloaded from the C2 via a URL without being signed in, allowing direct download of the malicious installers. The EXE files are named in line with the impersonated brand:\r\nZoomWorkspace.exe\r\nAdobeReader.exe\r\nMsTeams.exe\r\nProposal.exe\r\nGoogleMeet.exe\r\nSsa.exe\r\nSpecialEvents.exe\r\nInstaller.exe\r\nThe downloaded file is around 35 MB, contains metadata from the impersonated brand and is pre-configured with the attacker’s install token so it will join the corresponding “organization” in the C2 panel. The internal name of the file matches the EXE but uses the file extension .dll. This is likely an artifact of the application being compiled as a .NET Core single-file executable, which inherits the name of the source DLL it was built from. Each EXE is signed, and since each installer type contains the specific metadata of the impersonated brand, each customer has at minimum access to files with eight different hashes. In addition, it’s possible to generate a new install token in the panel, which produces new hashes.\r\nExample EXE download URL:\r\n\u003chxxps://trustconnectsoftware[.]com/downloads/brands/[organization_name]/MsTeams.exe\u003e\r\nThe page also has instructions on how to run a one-liner PowerShell script that fetches a remote intermediate script which installs the RAT (possibly for use in ClickFix attacks), as well as system requirements and deployment instructions.\r\nFigure 14. Quick deploy commands.\r\nFigure 15. Deployment guide and system requirements. 
\r\nCustomers also have access to a settings page where they can enable two-factor authentication and set up Telegram bots to receive notifications when devices connect or disconnect. This means the MaaS owner has stored ample information about the customers, from email and organization name to cryptocurrency wallet and Telegram tokens.\r\nIn addition to the customer-accessible pages above, there is also a hidden “admin-approvals” page that the user is redirected to if logged in as a “SuperAdmin.”\r\nFigure 16. JavaScript redirect for hidden “admin-approvals” page for SuperAdmin.\r\nThis page is an internal admin dashboard intended to be accessed by the MaaS owner or support.\r\nFigure 17. Admin Dashboard (with mock data).\r\nIn addition to managing customers, like adding days to a subscription or deleting them, the administrator can also list all online devices that the RAT is installed on, independent of which customer installed it. Notably, on this page the creator clearly labels these devices as “Victims”.\r\nThe platform links the operator's identity to the payload through a specific chain:\r\n1. Operator Email: [Registered email in clear text] (Login credential)\r\n2. Organization ID: [Internal UUID]\r\n3. Organization Name: [organization name] (User-defined display name on sign up)\r\n4. Download Path: .../brands/organization_name/... (Derived from Organization Name, used for EXE generation)\r\n5. 
Installer Token: [token] (Unique key embedded in the EXE/Script to map victims back to the Org ID; can be expired and rotated by the customer in the panel)\r\nAdditional malware details\r\nThe malware communicates with the C2 over the same API as the web panel and doesn’t use any additional encryption beyond standard SSL/TLS. Below are some examples of traffic:\r\nPOST /api/agents/register\r\nFigure 18. TrustConnect check-in.\r\nGET /api/agent-commands/\r\nFigure 19. TrustConnect receiving PowerShell command to install ScreenConnect.\r\nThe following is a partial API endpoint map documenting methods and functions of the malware:\r\nCategory | Endpoint | Method | Function\r\nAuth | /api/auth/login | POST | JWT Authentication\r\nAuth | /api/auth/verify-login | POST | 2FA Verification\r\nC2 | /api/devices | GET | List victims\r\nC2 | /api/commands/run | POST | Execute shell command\r\nC2 | /api/files/upload | POST | Upload file to victim\r\nViewer | /ws/viewer | WS | Remote Desktop Stream\r\nViewer | /api/screen/start | POST | Initialize session\r\nViewer | /api/recordings/chunk/{id} | POST | Upload screen recording\r\nMalware | /api/agents/register | POST | Agent registration\r\nMalware | /api/installer/script | GET | Get PowerShell loader\r\nMalware | /api/agents/heartbeat | POST | Agent heartbeat\r\nMalware | /agent-update | GET | Agent update\r\nMalware | /api/files/browse/pull | GET | Agent file browse\r\nMalware | /api/files/pull | GET | Agent file download\r\nMalware | /api/agent-commands/ | GET | Agent command retrieval\r\nMalware | /ws/screen | GET | WebSocket upgrade (RDP)\r\nMalware | /api/agent-commands/result | POST | Agent command result\r\nAdmin | /api/admin/devices/online | GET | Super-Admin global victim list\r\nAdmin | /api/admin/control-mode/check/{id}
 | GET\r\nThe malware C2 was hosted on 178[.]128[.]69[.]245. Proofpoint initiated coordinated remediation of the service, which concluded at ~00:00 UTC on 17 February 2026 and impacted the actor’s infrastructure. Supporting industry partners wish to remain anonymous.\r\nShortly before publication of this report, Proofpoint analysts identified a pivot to parallel infrastructure and testing of a new agent payload, called \"DocConnect\" or \"SHIELD OS v1.0\". Preliminary analysis reveals the new C2 panel is a React single-page application (SPA) backed by Supabase. Despite the architectural shift, the platform shares the distinct \"vibe-coded\" style observed in the TrustConnect website.\r\nInitial analysis of the new agent shows the use of SignalR instead of raw WebSockets, as well as giving users of the reworked MaaS the ability to include custom PDF lures in the installer itself. The new default name of the installer is \"DocConnect.Agent.exe\".\r\nAttribution\r\nThe malware panel includes a Telegram handle (@zacchyy09) for support and sales inquiries.\r\nFigure 20. Support Telegram handle.\r\nIn addition, on 6 February 2026 (the same date the EV certificate was revoked), open registration was closed and replaced with instructions to contact the same Telegram handle to get access to the MaaS:\r\nFigure 21. Sign up instruction on February 6.\r\nNotably, this handle was also listed as a VIP customer in Operation Magnus, a joint law enforcement effort led by the Dutch National Police to disrupt the Redline and META information stealers in October 2024. It is possible a different threat actor is using the same handle. However, based on campaign artifacts, infrastructure, and malware delivery, Proofpoint assesses with moderate confidence that the TrustConnect actor was also likely a Redline customer. 
\r\nFigure 22. Screenshot of some VIP users from Operation Magnus disruption video.\r\nConclusion\r\nThe emergence of TrustConnect MaaS demonstrates a few major themes:\r\nDisruptions to MaaS operations like Redline, Lumma Stealer, and Rhadamanthys have created new opportunities for malware creators to fill gaps in the cybercrime market. While these disruptions are effective and impose cost on adversaries, emerging malware shows threat actors will always be looking for new ways to compromise victims.\r\nThe RMM abuse ecosystem is thriving. Although TrustConnect only masqueraded as a legitimate RMM, the lures, attack chains, and follow-on payloads (which include RMMs) overlap with techniques and delivery methods that are frequently observed in RMM campaigns and used by multiple threat actors.\r\nBased on website artifacts and functionality, both the TrustConnect and DocConnect websites and agents were likely coded with the assistance of AI agents, and the new version is significantly more advanced. It shows how quickly threat actors can gain momentum with the help of AI, just like the rest of society.\r\nProofpoint would like to thank our colleagues at ConnectWise ScreenConnect for collaborating on taking down abused instances. 
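The endpoint map above and the indicator table below are most useful together: the published domains and IPs catch known infrastructure, while the agent-side API paths can catch a rotated or rebranded host that still speaks the same protocol. The Python hunt script that follows is an added example written for this edit; it is not Proofpoint code and not a transcription of the ET rules. It assumes a constructed five-field proxy log format (timestamp, source IP, host, method, path), uses only a subset of the published IOCs, and the hosts ending in .invalid in its sample log are placeholders. The 'likely' and 'weak' tiers are this example's own heuristic: paths from the operator-side categories (such as /api/auth/login) are deliberately not matched, because many legitimate web applications expose the same paths and matching them alone would flood the queue.

```python
# Added example (not Proofpoint code): hunt proxy/web logs for TrustConnect RAT
# traffic using (a) the defanged IOCs from the report and (b) the agent-side
# API paths from the endpoint map. The log format and sample lines are constructed.

from collections import defaultdict

# Agent-side endpoints from the report's 'Malware' category. These are what an
# infected host calls; operator-side panel paths are excluded on purpose because
# generic paths such as /api/auth/login occur in many legitimate applications.
AGENT_PATHS = {
    '/api/agents/register',
    '/api/agents/heartbeat',
    '/api/agent-commands/',
    '/api/agent-commands/result',
    '/api/installer/script',
    '/agent-update',
    '/api/files/browse/pull',
    '/api/files/pull',
    '/ws/screen',
}

# Subset of the defanged indicators from the IOC table, copied as published.
IOCS = [
    'trustconnectsoftware[.]com',
    '178[.]128[.]69[.]245',
    'adobe[.]caladzy[.]com',
    'networkservice[.]cyou',
    'hxxps[://]memphiswawu[.]com/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest',
    'hxxp[://]192[.]227[.]211[.]41:8040/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest',
]

def refang(ioc):
    '''Undo the usual defanging: [.] -> . , [://] -> :// , hxxp -> http.'''
    s = ioc.strip().replace('[.]', '.').replace('[://]', '://')
    if s.lower().startswith('hxxp'):
        s = 'http' + s[4:]
    return s

def ioc_host(ioc):
    '''Reduce a refanged domain, IP or URL indicator to a bare lowercase host.'''
    s = refang(ioc)
    if '://' in s:
        s = s.split('://', 1)[1]
    host = s.split('/', 1)[0]
    return host.split(':', 1)[0].lower()   # drop any :port

def parse_line(line):
    '''Constructed log format: <ts> <src_ip> <host> <method> <path>.'''
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, host, method, path = parts
    return {'ts': ts, 'src': src, 'host': host.lower(),
            'method': method.upper(), 'path': path.split('?', 1)[0]}

def hunt(lines, iocs):
    '''Return {src_ip: {'ioc_hosts': [...], 'agent_paths': [...], 'verdict': ...}}.'''
    bad_hosts = {ioc_host(i) for i in iocs}
    per_src = defaultdict(lambda: {'ioc_hosts': set(), 'agent_paths': set()})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        entry = per_src[rec['src']]
        if rec['host'] in bad_hosts:
            entry['ioc_hosts'].add(rec['host'])
        if rec['path'] in AGENT_PATHS:
            entry['agent_paths'].add(rec['path'])
    results = {}
    for src, entry in per_src.items():
        if entry['ioc_hosts']:
            verdict = 'confirmed'   # traffic to a published C2 or staging host
        elif len(entry['agent_paths']) >= 2:
            verdict = 'likely'      # register/heartbeat-style beaconing to an unlisted host
        elif entry['agent_paths']:
            verdict = 'weak'        # a single path; review, do not page on it
        else:
            continue
        results[src] = {'ioc_hosts': sorted(entry['ioc_hosts']),
                        'agent_paths': sorted(entry['agent_paths']),
                        'verdict': verdict}
    return results

# Constructed sample log; hosts ending in .invalid are placeholders.
SAMPLE_LOG = '''
2026-02-03T14:02:11Z 10.0.4.17 trustconnectsoftware.com POST /api/agents/register
2026-02-03T14:02:41Z 10.0.4.17 trustconnectsoftware.com POST /api/agents/heartbeat
2026-02-03T14:03:02Z 10.0.4.17 trustconnectsoftware.com GET /api/agent-commands/
2026-02-03T14:05:30Z 10.0.4.22 cdn.example.invalid POST /api/agents/register
2026-02-03T14:06:00Z 10.0.4.22 cdn.example.invalid POST /api/agents/heartbeat
2026-02-03T14:06:20Z 10.0.4.22 cdn.example.invalid GET /ws/screen
2026-02-03T14:07:00Z 10.0.4.31 intranet.example.invalid POST /api/auth/login
2026-02-03T14:08:00Z 10.0.4.40 adobe.caladzy.com GET /MsTeams.exe
2026-02-03T14:09:00Z 10.0.4.50 updates.example.invalid GET /agent-update?v=3
'''.strip().splitlines()

if __name__ == '__main__':
    for src, finding in sorted(hunt(SAMPLE_LOG, IOCS).items()):
        print(src, finding['verdict'], finding['ioc_hosts'], finding['agent_paths'])
```

Run as a script it prints one line per source IP with its verdict; in practice the lines would be exported proxy or web-gateway records mapped onto the same five fields. The source 10.0.4.31 produces no finding even though /api/auth/login is in the endpoint map, which is the intended behaviour, and the SHA256 values in the indicator table belong in an EDR file-hash search rather than in this network pass.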
\r\nEmerging Threats rules\r\n2067351 - ET MALWARE TrustConnect RAT CnC Domain in DNS Lookup (trustconnectsoftware .com)\r\n2067352 - ET MALWARE Observed TrustConnect RAT Domain (trustconnectsoftware .com in TLS SNI)\r\n2067682 - ET MALWARE TrustConnect RAT CnC Activity (Files Browse)\r\n2067683 - ET MALWARE TrustConnect RAT CnC Activity (GET Agent Commands)\r\n2067684 - ET MALWARE TrustConnect RAT CnC Activity (POST Command Results)\r\n2067685 - ET MALWARE TrustConnect RAT CnC Activity (Agent Heartbeat)\r\n2067686 - ET MALWARE TrustConnect RAT CnC Activity (Heartbeat Response)\r\n2067687 - ET MALWARE TrustConnect RAT CnC Activity (WebSocket Upgrade Request)\r\n2067688 - ET MALWARE TrustConnect RAT CnC Activity (Agent Register)\r\n2067689 - ET MALWARE TrustConnect RAT CnC Activity (Agent Update)\r\n2067690 - ET MALWARE TrustConnect RAT CnC Activity (Files Pull)\r\n2067801 - ET MALWARE TrustConnect RAT CnC Domain in DNS Lookup (networkservice .cyou)\r\n2067802 - ET MALWARE Observed TrustConnect RAT Domain (networkservice .cyou in TLS SNI)\r\n2067803 - ET MALWARE TrustConnect RAT CnC Activity (Agent Registration)\r\n2067804 - ET MALWARE TrustConnect RAT CnC Activity (Failed Registration)\r\n2067805 - ET MALWARE TrustConnect RAT CnC Activity (Files Pending)\r\n2067806 - ET MALWARE TrustConnect RAT CnC Activity (GET Commands)\r\nExample indicators of compromise\r\nIndicator | Description | First Seen\r\ntrustconnectsoftware[.]com | C2 Domain | 12 January 2026\r\n178[.]128[.]69[.]245 | C2 IP | 12 January 2026\r\nadobe[.]caladzy[.]com | Payload Staging Domain | 31 January 2026\r\nametax[.]net | Payload Staging Domain | 31 January 2026\r\nworldwide-www19[.]pages[.]dev | Payload Staging Domain
 | 31 January 2026\r\nvurul[.]click | Payload Staging Domain | 31 January 2026\r\ncee6895f7df01da489c10bf5b83770ceede79ed4e1c8c4f8ea9787a4d035c79b | TrustConnectAgent.exe SHA256 | 2 February 2026\r\nstatementstview[.]online | Payload Staging Domain | 10 February 2026\r\nelev8souvenirs[.]com | Payload Staging Domain | 26 January\r\ncf85a4816715b8fa6c1eb5b50d1c70cfef116522742f6f1c77cb8689166b9f40 | MsTeams.exe SHA256 | 26 January\r\n162c0d3e671ddf4f7f3ae5681da5272111eab6588bc53843cc604fc386634594 | DocConnect Testing Payload | 17 February 2026\r\nnetworkservice[.]cyou | DocConnect C2 | 17 February 2026\r\nhxxps[://]memphiswawu[.]com/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access\u0026y=Guest | ScreenConnect Payload URL | 10 February 2026\r\nhxxps[://]aerobickarlaurbanovas[.]top/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access\u0026y=Guest= | ScreenConnect Payload URL | 10 February 2026\r\nhxxps[://]stewise[.]top/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access\u0026y=Guest | ScreenConnect Payload URL | 10 February 2026\r\nhxxps[://]smallmartdirectintense[.]com/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access\u0026y=Guest= | ScreenConnect Payload URL | 10 February 2026\r\nhxxp[://]192[.]159[.]99[.]83/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access\u0026y=Guest | ScreenConnect Payload URL | 10 February 2026\r\nhxxp[://]192[.]227[.]211[.]41:8040/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access\u0026y=Guest | ScreenConnect Payload URL | 10 February 2026\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat"
	],
	"report_names": [
		"dont-trustconnect-its-a-rat"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434570,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08cb419832645964d3f218a73b7399cf322f1837.pdf",
		"text": "https://archive.orkl.eu/08cb419832645964d3f218a73b7399cf322f1837.txt",
		"img": "https://archive.orkl.eu/08cb419832645964d3f218a73b7399cf322f1837.jpg"
	}
}