{
	"id": "64609d6e-7e0f-4e90-9c3a-a9ae189418a0",
	"created_at": "2026-04-06T00:13:29.444311Z",
	"updated_at": "2026-04-10T03:20:29.807652Z",
	"deleted_at": null,
	"sha1_hash": "35121aadb9c856803425be7d1e09de3c5c3351a2",
	"title": "Signed malware impersonating workplace apps deploys RMM backdoors | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2421341,
	"plain_text": "Signed malware impersonating workplace apps deploys RMM backdoors | Microsoft Security Blog\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2026-03-03 · Archived: 2026-04-05 20:15:05 UTC\r\nIn February 2026, Microsoft Defender Experts identified multiple phishing campaigns attributed to an unknown threat actor.\r\nThe campaigns used workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware.\r\nPhishing emails directed users to download malicious executables masquerading as legitimate software. The files were\r\ndigitally signed using an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD. Once executed,\r\nthe applications installed remote monitoring and management (RMM) tools that enabled the attacker to establish persistent\r\naccess on compromised systems.\r\nThese campaigns demonstrate how familiar branding and trusted digital signatures can be abused to bypass user suspicion\r\nand gain an initial foothold in enterprise environments.\r\nAttack chain overview\r\nBased on Defender telemetry, Microsoft Defender Experts conducted forensic analysis that identified a campaign centered\r\non deceptive phishing emails delivering counterfeit PDF attachments or links impersonating meeting invitations, financial\r\ndocuments, invoices, and organizational notifications.\r\nThe lures directed users to download malicious executables masquerading as legitimate software, including msteams.exe,\r\ntrustconnectagent.exe, adobereader.exe, zoomworkspace.clientsetup.exe, and invite.exe. These files were\r\ndigitally signed using an Extended Validation certificate issued to TrustConnect Software PTY LTD.\r\nOnce executed, the applications deployed remote monitoring and management tools such as ScreenConnect, Tactical RMM,\r\nand Mesh Agent. 
These tools enabled the attacker to establish persistence and move laterally within the compromised\r\nenvironment.\r\nCampaign delivering PDF attachments\r\nIn one observed campaign, victims received the following email, which included a fake PDF attachment that, when opened,\r\nshows the user a blurred static image designed to resemble a restricted document.\r\nhttps://www.microsoft.com/en-us/security/blog/2026/03/03/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors/\r\nPage 1 of 9\n\nEmail containing PDF attachment.\r\nA red button labeled “Open in Adobe” encouraged the user to click to continue to access the file. However, when clicked,\r\ninstead of displaying the document, the button redirects users to a spoofed webpage crafted to closely mimic Adobe’s\r\nofficial download center.\r\nContent inside the counterfeit PDF attachment.\r\nThe screenshot shows the spoofed page claiming that the user’s Adobe Acrobat is out of date; it automatically begins downloading what appears to be\r\na legitimate update masquerading as AdobeReader, but which is in fact an RMM software package digitally signed by TrustConnect\r\nSoftware PTY LTD.\r\nDownload page masquerading as Adobe Acrobat Reader.\r\nCampaign delivering meeting invitations\r\nIn another observed campaign, the threat actor was observed distributing highly convincing Teams and Zoom phishing\r\nemails that mimic legitimate meeting requests, project bids, and financial communications.\r\nPhishing email tricking users into downloading a fake Microsoft Teams transcript.\r\nPhishing email tricking users into downloading a package.\r\nThese messages contained embedded phishing links that led users to download software impersonating trusted applications.\r\nThe fraudulent sites displayed “out of date” or “update required” prompts designed to induce rapid user action. 
The resulting\r\ndownloads, masquerading as Teams, Zoom, or Google Meet installers, were in fact remote monitoring and management\r\n(RMM) software, once again digitally signed by TrustConnect Software PTY LTD.\r\nDownload page masquerading as Microsoft Teams software.\r\nDownload page masquerading as Zoom.\r\nScreenConnect RMM backdoor installation\r\nOnce the masqueraded Workspace application (digitally signed by TrustConnect) was executed from the Downloads\r\ndirectory, it created a secondary copy of itself under C:\\Program Files. This behavior was intended to reinforce its\r\nappearance as a legitimate, system-installed application. The program then registered the copied executable as a Windows\r\nservice, enabling persistent and stealthy execution during system startup.\r\nAs part of its persistence mechanism, the service also created a Run key located at:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue name: TrustConnectAgent\r\nThis Run key was configured to automatically launch the disguised executable:\r\nC:\\Program Files\\Adobe Acrobat Reader\\AdobeReader.exe\r\nAt this stage, the service established an outbound network connection to the attacker-controlled Command and Control (C2)\r\ndomain: trustconnectsoftware[.]com\r\nImage displaying executable installed as a service.\r\nFollowing the installation phase, the masqueraded workplace executables (TrustConnect RMM) initiated encoded\r\nPowerShell commands designed to download additional payloads from the attacker-controlled infrastructure.\r\nThese PowerShell commands retrieved the ScreenConnect client installer files (.msi) and staged them within the systems’\r\ntemporary directory paths in preparation for secondary deployment. Subsequently, the Windows msiexec.exe utility was\r\ninvoked to execute the staged installer files. 
This process results in the full installation of the ScreenConnect application and\r\nthe creation of multiple registry entries to ensure ongoing persistence.\r\nSample commands seen across multiple devices in this campaign.\r\nIn this case, the activity possibly involved the on-premises version of ScreenConnect delivered through an MSI package that\r\nwas not digitally signed by ConnectWise. On-premises ScreenConnect MSI installers are unsigned by default. As\r\nsuch, encountering an unsigned installer in malicious activity often suggests it was potentially obtained through\r\nunauthorized means.\r\nReview of the ScreenConnect binaries dropped during execution of the ScreenConnect installer files showed that the associated\r\nexecutable files were signed with certificates that had already been revoked. This pattern—unsigned installer followed by\r\nexecutables bearing invalidated signatures—has been consistently observed in similar intrusions.\r\nAnalysis of the registry artifacts indicated that the installed backdoor created and maintained multiple ScreenConnect Client-related\r\nregistry values across several Windows registry locations, embedding itself deeply within the operating system.\r\nPersistence through Windows services was reinforced by entries placed under:\r\nHKLM\\SYSTEM\\ControlSet001\\Services\\ScreenConnect Client [16-digit unique hexadecimal client identifier]\r\nWithin the service key, command strings instructed the client on how to reconnect to the remote operator’s infrastructure.\r\nThese embedded parameters included encoded identifiers, callback tokens, and connection metadata, all of which enable\r\nseamless reestablishment of remote access following system restarts or service interruptions.\r\nAdditional registry entries observed during analysis further validate this persistence strategy. 
The configuration strings\r\nreference the executable ScreenConnect.ClientService.exe, located in:\r\nC:\\Program Files (x86)\\ScreenConnect Client [Client ID]\r\nThese entries contained extensive encoded payloads detailing server addresses, session identifiers, and authentication\r\nparameters. Such configuration depth ensured that the ScreenConnect backdoor maintained:\r\nReliable persistence\r\nOperational stealth\r\nContinuous C2 availability\r\nThe combination of service-based autoruns, encoded reconnection parameters, and deep integration into critical system\r\nservice keys demonstrates a deliberate design optimized for long-term, covert remote access. These characteristics are\r\nconsistent with a repurposed ScreenConnect backdoor, rather than a benign or legitimate Remote Monitoring and\r\nManagement (RMM) deployment.\r\nRegistry entries observed during the installation of the ScreenConnect backdoor.\r\nAdditional RMM installation\r\nDuring analysis we identified that the threat actor did not rely solely on the malicious ScreenConnect backdoor to maintain\r\naccess. In parallel, the actor deployed additional remote monitoring and management (RMM) tools to strengthen foothold\r\nredundancy and expand control across the environment. The masqueraded Workplace executables associated with the\r\nTrustConnect RMM initiated a series of encoded PowerShell commands. This technique, which was also used to deploy\r\nScreenConnect, enabled the download and installation of Tactical RMM from the attacker-controlled infrastructure. 
As part\r\nof this secondary installation, the Tactical RMM deployment subsequently installed MeshAgent, providing yet another\r\nremote access channel for persistence.\r\nThe use of multiple RMM frameworks within a single intrusion demonstrates a deliberate strategy to ensure continuous\r\naccess, diversify C2 capabilities, and maintain operational resilience even if one access mechanism is detected or removed.\r\nImage displaying deployment of Tactical RMM \u0026 MeshAgent backdoor.\r\nMitigation and protection guidance\r\nMicrosoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for\r\nthe deployment status of monitored mitigations.\r\nFollow the recommendations within the Microsoft Technique Profile: Abuse of remote monitoring and management\r\ntools to mitigate the use of unauthorized RMMs in the environment.\r\nUse Windows Defender Application Control or AppLocker to create policies to block unapproved IT management\r\ntools.\r\nBoth solutions include functionality to block specific software publisher certificates: WDAC file rule\r\nlevels allow administrators to specify the level at which they want to trust their applications, including listing\r\ncertificates as untrusted. AppLocker’s publisher rule condition is available for files that are digitally signed,\r\nwhich can enable organizations to block non-approved RMM instances that include publisher information.\r\nMicrosoft Defender for Endpoint also provides functionality to block specific signed applications using\r\nthe block certificate action.\r\nFor approved RMM systems used in your environment, enforce security settings where it is possible to implement\r\nmultifactor authentication (MFA).\r\nConsider searching for unapproved RMM software installations (see the Advanced hunting section). 
If an\r\nunapproved installation is discovered, reset passwords for accounts used to install the RMM services. If a system-level account was used to install the software, further investigation may be warranted.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to\r\ncover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge\r\nmajority of new and unknown variants.\r\nTurn on Safe Links and Safe Attachments in Microsoft Defender for Office 365.\r\nEnable Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 to quarantine sent mail in response to\r\nnewly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that\r\nhave already been delivered to mailboxes.\r\nEncourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which\r\nidentifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.\r\nMicrosoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common\r\nattack techniques used by threat actors:\r\nUse advanced protection against ransomware\r\nBlock process creations originating from PsExec and WMI commands. Some organizations may experience\r\ncompatibility issues with this rule on certain server systems but should deploy it to other systems to prevent\r\nlateral movement originating from PsExec and WMI.\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nYou can assess how an attack surface reduction rule might impact your network by opening the security\r\nrecommendation for that rule in threat and vulnerability management. 
In the recommendation details pane, check the\r\nuser impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode\r\nwithout adverse impact to user productivity.\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR\r\ncoordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide\r\nintegrated protection against attacks like the threat discussed in this blog.\r\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and\r\nrespond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\r\nTactic | Observed activity | Microsoft Defender coverage\r\nInitial Access | Phishing email detected by Microsoft Defender for Office | Microsoft Defender for Office 365 – A potentially malicious URL click was detected – A user clicked through to a potentially malicious URL – Email messages containing malicious URL removed after delivery – Email messages removed after delivery – Email reported by user as malware or phish\r\nExecution | PowerShell running encoded commands and downloading the payloads – ScreenConnect executing suspicious commands | Microsoft Defender for Endpoint – Suspicious PowerShell download or encoded command execution – Suspicious command execution via ScreenConnect\r\nMalware | Malicious applications impersonating workplace applications detected | Microsoft Defender for Endpoint – An active ‘Kepavll’ malware was detected – ‘Screwon’ malware was prevented\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft 
products to get the most up-to-date information about the\r\nthreat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection\r\ninformation, and recommended actions to prevent, mitigate, or respond to associated threats found in customer\r\nenvironments.\r\nHunting queries\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR customers can run the following queries to find related activity in their environment:\r\nUse the below query to discover files digitally signed by TrustConnect Software PTY LTD\r\nDeviceFileCertificateInfo\r\n| where Issuer == \"TrustConnect Software PTY LTD\" or Signer == \"TrustConnect Software PTY LTD\"\r\n| join kind=inner (\r\nDeviceFileEvents\r\n| project SHA1, FileName, FolderPath, DeviceName, TimeGenerated\r\n) on SHA1\r\n| project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, Issuer, Signer\r\nUse the below query to identify the presence of masqueraded workplace applications\r\nlet File_Hashes_SHA256 = 
dynamic([\r\n\"ef7702ac5f574b2c046df6d5ab3e603abe57d981918cddedf4de6fe41b1d3288\",\r\n\"4c6251e1db72bdd00b64091013acb8b9cb889c768a4ca9b2ead3cc89362ac2ca\",\r\n\"86b788ce9379e02e1127779f6c4d91ee4c1755aae18575e2137fb82ce39e100f\",\r\n\"959509ef2fa29dfeeae688d05d31fff08bde42e2320971f4224537969f553070\",\r\n\"5701dabdba685b903a84de6977a9f946accc08acf2111e5d91bc189a83c3faea\",\r\n\"6641561ed47fdb2540a894eb983bcbc82d7ad8eafb4af1de24711380c9d38f8b\",\r\n\"98a4d09db3de140d251ea6afd30dcf3a08e8ae8e102fc44dd16c4356cc7ad8a6\",\r\n\"9827c2d623d2e3af840b04d5102ca5e4bd01af174131fc00731b0764878f00ca\",\r\n\"edde2673becdf84e3b1d823a985c7984fec42cb65c7666e68badce78bd0666c0\",\r\n\"c6097dfbdaf256d07ffe05b443f096c6c10d558ed36380baf6ab446e6f5e2bc3\",\r\n\"947bcb782c278da450c2e27ec29cb9119a687fd27485f2d03c3f2e133551102e\",\r\n\"36fdd4693b6df8f2de7b36dff745a3f41324a6dacb78b4159040c5d15e11acb7\",\r\n\"35f03708f590810be88dfb27c53d63cd6bb3fb93c110ca0d01bc23ecdf61f983\",\r\n\"af651ebcacd88d292eb2b6cbbe28b1e0afd1d418be862d9e34eacbd65337398c\",\r\n\"c862dbcada4472e55f8d1ffc3d5cfee65d1d5e06b59a724e4a93c7099dd37357\"]);\r\nDeviceFileEvents\r\n| where SHA256 has_any (File_Hashes_SHA256)\r\nUse the below query to identify the malicious network connection\r\nDeviceNetworkEvents\r\n| where RemoteUrl has \"trustconnectsoftware.com\"\r\nUse the below query to identify suspicious executions of the ScreenConnect backdoor via PowerShell\r\nDeviceProcessEvents\r\n| where InitiatingProcessCommandLine has_all (\"Invoke-WebRequest\",\"-OutFile\",\"Start-Process\",\"ScreenConnect\", \".msi\") or ProcessCommandLine has_all (\"Invoke-WebRequest\",\"-OutFile\",\"Start-Process\",\"ScreenConnect\", \".msi\")\r\n| project-reorder 
Timestamp, DeviceId, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessParentFileName\r\nUse the below query to identify the suspicious deployment of ScreenConnect and Tactical RMM\r\nDeviceProcessEvents\r\n| where InitiatingProcessCommandLine has_all (\"ScreenConnect\",\"Tactical RMM\",\"access\",\"guest\") or ProcessCommandLine has_all (\"ScreenConnect\",\"Tactical RMM\",\"access\",\"guest\")\r\n| where InitiatingProcessCommandLine !has \"screenconnect.com\" and ProcessCommandLine !has \"screenconnect.com\"\r\n| where InitiatingProcessParentFileName in (\"services.exe\", \"Tactical RMM.exe\")\r\n| project-reorder Timestamp, DeviceId, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessParentFileName\r\nIndicators of compromise\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If the TI Map\r\nanalytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel\r\nContent Hub to have the analytics rule deployed in their Sentinel workspace.\r\nReferences\r\nIntel Article – Microsoft Defender\r\nThis research is provided by Microsoft Defender Security Research with contributions from Sai Chakri Kandalai.\r\nSource: https://www.microsoft.com/en-us/security/blog/2026/03/03/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2026/03/03/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors/"
	],
	"report_names": [
		"signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors"
	],
	"threat_actors": [],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35121aadb9c856803425be7d1e09de3c5c3351a2.pdf",
		"text": "https://archive.orkl.eu/35121aadb9c856803425be7d1e09de3c5c3351a2.txt",
		"img": "https://archive.orkl.eu/35121aadb9c856803425be7d1e09de3c5c3351a2.jpg"
	}
}