(Don't) TrustConnect: It's a RAT in an RMM Hat

    Date: 02/20/2026

    Severity: High

    Summary

    Researchers identified a new malware-as-a-service (MaaS) offering posing as a legitimate remote monitoring and management (RMM) tool called TrustConnect. Its so-called business website, likely auto-generated, actually serves as the login portal for the malware platform. Access to TrustConnect was being marketed for $300 per month at the time of discovery. Based on the developer's profile, the malware's capabilities, and analysis of the surrounding ecosystem, investigators assess with moderate confidence that the same actor also used RedLine Stealer. Working with intelligence partners, the researchers disrupted parts of the malware's infrastructure, temporarily impacting its operations. However, the threat actor showed resilience by launching another fake RMM site promoting malware named DocConnect.

    Indicators of Compromise (IOC) List

    Domains\URLs:


    IP Address:

    178.128.69.245

    Hash:

    cee6895f7df01da489c10bf5b83770ceede79ed4e1c8c4f8ea9787a4d035c79b

    cf85a4816715b8fa6c1eb5b50d1c70cfef116522742f6f1c77cb8689166b9f40

    162c0d3e671ddf4f7f3ae5681da5272111eab6588bc53843cc604fc386634594

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "trustconnectsoftware.com" or url like "trustconnectsoftware.com" or siteurl like "trustconnectsoftware.com"
    or domainname like "networkservice.cyou" or url like "networkservice.cyou" or siteurl like "networkservice.cyou"
    or domainname like "adobe.caladzy.com" or url like "adobe.caladzy.com" or siteurl like "adobe.caladzy.com"
    or domainname like "http://192.159.99.83/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest" or url like "http://192.159.99.83/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest" or siteurl like "http://192.159.99.83/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest"
    or domainname like "statementstview.online" or url like "statementstview.online" or siteurl like "statementstview.online"
    or domainname like "https://smallmartdirectintense.com/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest=" or url like "https://smallmartdirectintense.com/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest=" or siteurl like "https://smallmartdirectintense.com/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest="
    or domainname like "vurul.click" or url like "vurul.click" or siteurl like "vurul.click"
    or domainname like "ametax.net" or url like "ametax.net" or siteurl like "ametax.net"
    or domainname like "https://memphiswawu.com/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest" or url like "https://memphiswawu.com/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest" or siteurl like "https://memphiswawu.com/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest"
    or domainname like "worldwide-www19.pages.dev" or url like "worldwide-www19.pages.dev" or siteurl like "worldwide-www19.pages.dev"
    or domainname like "elev8souvenirs.com" or url like "elev8souvenirs.com" or siteurl like "elev8souvenirs.com"
    or domainname like "https://aerobickarlaurbanovas.top/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest=" or url like "https://aerobickarlaurbanovas.top/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest=" or siteurl like "https://aerobickarlaurbanovas.top/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest="
    or domainname like "http://192.227.211.41:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest" or url like "http://192.227.211.41:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest" or siteurl like "http://192.227.211.41:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest"

    Detection Query 2:

    dstipaddress IN ("178.128.69.245") or srcipaddress IN ("178.128.69.245")

    Detection Query 3:

    sha256hash IN ("162c0d3e671ddf4f7f3ae5681da5272111eab6588bc53843cc604fc386634594","cee6895f7df01da489c10bf5b83770ceede79ed4e1c8c4f8ea9787a4d035c79b","cf85a4816715b8fa6c1eb5b50d1c70cfef116522742f6f1c77cb8689166b9f40")
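    As an added illustration, not code from the advisory or from Gurucul's platform, the same three checks written as plain Python and run over constructed log records. It goes slightly beyond the first query: URL-valued fields are reduced to their host, so the ScreenConnect installer URLs match regardless of query-string variant, and subdomains of a listed host are caught as well.

```python
from urllib.parse import urlparse
# IOC values are those listed in this advisory; the sample events further down
# are constructed for illustration, not records from a real environment.
IOC_HOSTS = {
    "adobe.caladzy.com", "ametax.net", "worldwide-www19.pages.dev", "vurul.click",
    "networkservice.cyou", "statementstview.online", "elev8souvenirs.com",
    "memphiswawu.com", "aerobickarlaurbanovas.top", "smallmartdirectintense.com",
    "192.159.99.83", "192.227.211.41", "trustconnectsoftware.com",
}
IOC_IPS = {"178.128.69.245"}
IOC_SHA256 = {
    "cee6895f7df01da489c10bf5b83770ceede79ed4e1c8c4f8ea9787a4d035c79b",
    "cf85a4816715b8fa6c1eb5b50d1c70cfef116522742f6f1c77cb8689166b9f40",
    "162c0d3e671ddf4f7f3ae5681da5272111eab6588bc53843cc604fc386634594",
}

def host_of(value):
    """Reduce a bare hostname, host:port or full URL to its lowercase host."""
    if "://" not in value:
        value = "//" + value  # make urlparse treat the string as a netloc
    return (urlparse(value).hostname or "").lower()

def ioc_matches(event):
    """Return the reasons an event hits, mirroring the three queries above:
    host/URL fields vs. the domain list, src/dst IP vs. the IP list, and
    sha256hash vs. the hash list (hash comparison is case-insensitive)."""
    reasons = []
    for field in ("domainname", "url", "siteurl"):
        h = host_of(event.get(field, ""))
        # exact listed host, or any subdomain of one
        if h and any(h == ioc or h.endswith("." + ioc) for ioc in IOC_HOSTS):
            reasons.append(f"{field}:{h}")
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in IOC_IPS:
            reasons.append(f"{field}:{event[field]}")
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        reasons.append("sha256hash")
    return reasons

SAMPLE_EVENTS = [  # constructed sample log records
    {"url": "https://memphiswawu.com/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest="},
    {"domainname": "cdn.adobe.caladzy.com", "dstipaddress": "178.128.69.245"},
    {"sha256hash": "CEE6895F7DF01DA489C10BF5B83770CEEDE79ED4E1C8C4F8EA9787A4D035C79B"},
    {"url": "https://www.example.com/index.html", "dstipaddress": "203.0.113.10"},
]

def scan(events=SAMPLE_EVENTS):
    """Return (index, reasons) for each event that hits at least one IOC."""
    return [(i, ioc_matches(e)) for i, e in enumerate(events) if ioc_matches(e)]
```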

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat


    Tags

    Malware, RAT, Remote monitoring and management (RMM), MaaS
