Active Campaign: RMM Software Abuse via Malicious Downloads, Phishing Lures, and SEO Poisoning
Security Advisory 19.03.26
Overview
Multiple threat intelligence sources have identified an active, broad-spectrum campaign targeting enterprise environments across the United States, Canada, the United Kingdom, and Australia. The campaign leverages phishing emails, malicious web downloads, and search engine poisoning to deliver malicious payloads that silently install legitimate Remote Monitoring and Management (RMM) tools, enrolling victim machines into attacker-controlled tenants for persistent, covert remote access.
What makes this campaign particularly dangerous is that the deployed tools, including Datto RMM (CentraStage), ScreenConnect, Tactical RMM, and MeshAgent, are genuine, commercially available software. Their network traffic blends with legitimate IT management activity, and their binaries are digitally signed, so they pass signature-based endpoint detection and many email security controls that treat a valid signature as a trust signal.
Attackers now use RMMs as a unified command-and-control hub, not just a delivery mechanism. Once enrolled in an attacker-controlled tenant, every additional host in that tenant is reachable with a single console push. No credential theft, no network scanning, no SMB or RDP pivoting required.
Identified Campaign Variants:
Four distinct but related campaign variants have been documented. They share a common post-execution playbook but differ in their initial delivery mechanism.
- Variant A: TrustConnect Signed Malware
- Lure: Phishing emails: fake Teams/Zoom meeting invites, blurred PDF attachments with “Open in Adobe” button, project bid notifications, invoice emails (T1566.001, T1566.002)
- Delivery: Executables disguised as msteams.exe, adobereader.exe, zoomworkspace.clientsetup.exe, invite.exe (T1036.007)
- Signing: EV certificate issued to TrustConnect Software PTY LTD, a fake company with an AI-generated website; the certificate was revoked on 6 Feb 2026, but binaries signed and timestamped before that date still validate, because Authenticode honours a countersigned timestamp that predates the revocation's effective date (T1553.002)
- Payload: TrustConnect RMM (RAT) deploys ScreenConnect, Tactical RMM, and/or MeshAgent as secondary persistent access channels (T1219, T1547.001)
- C2: trustconnectsoftware[.]com and attacker-hosted ScreenConnect servers (T1219)
- Variant B: ScreenConnect via SmartScreen Evasion
- Lure: Spoofed U.S. Social Security Administration email with malicious .cmd attachment; also observed with Zoom/Teams meeting lures (T1566.001)
- Delivery: .cmd script that auto-elevates via UAC, disables Windows SmartScreen via registry modification, strips Mark-of-the-Web, downloads MSI over HTTP (T1548.002, T1562.001)
- Payload: ScreenConnect MSI silently installed; client connects to attacker C2 with custom system.config parameters (server address, port, encryption key) (T1219, T1059.001)
- C2: dof-connect[.]top on port 8041 (T1219)
- Post-access: Data encrypted in chunks and exfiltrated to C2; RAT-style behaviour confirmed (T1041)
- Variant C: Malicious Ad / SEO Poisoning Download (ongoing)
- Lure: User searches for common software (Chrome, Notepad++, Teams, Adobe Reader, Zoom, PuTTY); an attacker-controlled domain appears at the top of the search results as an ad or poisoned organic result (T1608.006)
- Delivery: Fake download page closely mimics legitimate vendor site; prompts “update required” or provides bundled malicious installer (T1036.005)
- Payload: Varies: RMM installer (Datto RMM, ScreenConnect, LogMeIn), info-stealers, or backdoors depending on attacker; double-extension tricks common (T1219, T1036.007)
- Target: Particularly effective against IT staff searching for tools – elevated privileges amplify the blast radius of a single click (T1078)
- Variant D: Fake Video Meeting “Update Required”
- Lure: User is sent a meeting link; upon attempting to join, told their app is “out of date or incompatible”, must install an update to proceed (T1566.002)
- Psychology: Urgency of an already-started meeting leads users to bypass security warnings to avoid missing the session (T1204.002)
- Payload: Datto RMM, LogMeIn Unattended, or ScreenConnect delivered as the “update”; digitally signed, passes AV checks (T1219, T1553.002)
- Post-access: Full administrative remote access: screen view, file transfer, shell execution, lateral phishing from victim’s own account (T1219, T1534)
Common Post-Execution Attack Chain:
Despite differences in initial delivery, all variants converge on a near-identical post-execution playbook once the victim runs the initial payload:
- Delivery: Phishing email or poisoned search result directs user to attacker-controlled download page
- Execution: Signed or disguised executable runs; TrustConnect / ScreenConnect MSI silently invoked via msiexec
- Persistence: Binary copies itself to Program Files; registers as a Windows service and creates a Run key under HKLM
- C2 Established: Outbound HTTPS to attacker-controlled RMM tenant or ScreenConnect server; encoded PS1 payloads downloaded
- Defence Evasion: SmartScreen disabled via registry; Mark-of-the-Web stripped; RMM tools hidden from Add/Remove Programs
- 2nd Channel: Secondary RMM deployed (ScreenConnect + Tactical RMM + MeshAgent) for redundancy; if one channel is removed, access is maintained
- Hands-on Activity: Attacker uses RMM console for screen capture, file access, shell commands, and credential harvesting
- Lateral Move / Impact: Pivot to additional hosts via enrolled RMM tenant; ransomware staged or lateral phishing launched from victim account
Impact
A successful compromise in this campaign gives the attacker capabilities equivalent to those of a local IT administrator on the victim host, including:
- Full remote management: screen view, keyboard control, file transfer, and arbitrary command execution as SYSTEM (T1219)
- Active Directory enumeration: rapid identification of high-value users, computers, and groups for further targeting (T1087, T1069)
- Persistent, covert access: dual RMM channels, both hidden from standard software inventory; survives reboots (T1547.001, T1562.001)
- Data exfiltration: files and credentials accessible via file manager and shell; session data encrypted in transit (T1041, T1005)
- Lateral movement without credentials: RMM tenant provides pivot capability across all enrolled hosts simultaneously (T1078, T1570)
- Ransomware staging: Akira and other ransomware groups documented installing Datto RMM post-compromise as a precursor to ransomware deployment (T1486)
- Lateral phishing: attacker sends phishing emails from the victim’s own account, bypassing external email controls (T1534)
Affected Devices
Affected Platforms & Scope:
Unlike traditional vulnerability-based attacks, this campaign does not exploit a specific software flaw and carries no associated CVEs. Instead, it weaponises user trust and the perceived legitimacy of commercially available RMM platforms, making it particularly difficult to detect and prevent through technical controls alone. Any organisation whose employees can download and execute files on Windows endpoints should consider itself within scope of this threat.
- Operating System: Microsoft Windows (all versions supporting .exe/.msi execution)
- Targeted Sectors: Enterprise broadly, healthcare and technology sectors saw the largest increases; government, logistics, and financial services also confirmed targets
- Targeted Personas: IT staff, engineers, and business users who regularly download software or respond to meeting/document notifications
- Deployment & Managed environments: Both self-hosted and cloud-managed deployments are vulnerable; the attack targets the endpoint, not the RMM platform itself
Recommended Remediations
ctrl:cyber strongly recommends the following actions to mitigate risk of exploitation:
- Remove Unapproved RMM Software: Do not rely on standard software inventory tools or the Add/Remove Programs list as the sole source of truth; threat actors in this campaign have been observed using the HideUL utility to remove entries from those interfaces. Enumerate installed services, Run keys, and Program Files directories directly, and reconcile every RMM agent found against the list your organisation has approved.
- Block Campaign IOCs at Perimeter and DNS:
- trustconnectsoftware[.]com and all associated subdomains
- dof-connect[.]top and any *.top, *.icu, *.xyz domains used by ScreenConnect client services
- Outbound connections on port 8041 from hosts that should not be running ScreenConnect: 8041 is ScreenConnect's default relay port, so the port alone does not distinguish an attacker-hosted server from a legitimate self-hosted one; correlate the destination host against your approved relay or tenant list before blocking
- Implement RMM Allowlisting via WDAC or AppLocker: This is the primary preventative control recommended by Microsoft against this class of attack. Use Windows Defender Application Control (WDAC, now App Control for Business) or AppLocker publisher rules to permit only the RMM agent your organisation has approved and deny all other remote-access tools, including validly signed ones; a good signature is not a trust signal in this campaign
- Ensure all legitimate RMM consoles enforce multi-factor authentication
- Harden Browser and Download Controls
- Security Awareness: Recognising RMM Phishing Lures: "fake meeting invites", "blurred PDF attachments", "software update prompts from external websites"
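Added hunting example, not part of this advisory or of any vendor's tooling: it walks constructed Windows telemetry (a System log 7045 service-install record and Sysmon Event ID 3 network-connection records, with simplified field names) through the checks the post-execution chain and the remediations above imply: parse the relay host out of a ScreenConnect client's service ImagePath, compare it and the agent's network destinations against an approved relay list, and flag RMM agent binaries that appear outside that inventory. The approved relay host corp-it-relay.screenconnect.com, the event field names, and all sample values are assumptions; dof-connect[.]top is the indicator from Variant B.

```python
"""Hunt for unapproved RMM agents in constructed Windows telemetry.

Example code, not from the advisory. Event shapes are simplified assumptions:
  - System log 7045 "service installed": event_id, service_name, image_path
  - Sysmon Event ID 3 network connection: event_id, image, dest_host, dest_port
"""
import re
from urllib.parse import parse_qs

# Assumption: the organisation's single approved ScreenConnect relay host.
APPROVED_RELAY_HOSTS = {"corp-it-relay.screenconnect.com"}

# Cheap TLDs the advisory associates with attacker relay servers.
SUSPICIOUS_TLDS = {"top", "icu", "xyz"}

# Service binaries of the RMM agents named in the advisory. Any of these
# outside the approved inventory is a finding on its own.
RMM_BINARIES = {
    "screenconnect.clientservice.exe",  # ConnectWise ScreenConnect client
    "meshagent.exe",                    # MeshCentral agent
    "tacticalrmm.exe",                  # Tactical RMM agent
    "cagservice.exe",                   # Datto RMM (CentraStage) agent
}

# ScreenConnect clients are launched with a quoted query string of the form
# "?e=Access&y=Guest&h=<relay host>&p=<port>&s=<session guid>&k=<key>".
_PARAMS_RE = re.compile(r'"\?([^"]+)"')


def parse_screenconnect_params(image_path: str) -> dict[str, str]:
    """Return the e/y/h/p/s/k parameters embedded in a client ImagePath."""
    m = _PARAMS_RE.search(image_path)
    if not m:
        return {}
    return {k: v[0] for k, v in parse_qs(m.group(1)).items()}


def binary_name(command_line: str) -> str:
    """Lower-case file name of the executable at the start of a command line."""
    exe = command_line.strip('"').split('"')[0]  # drop quoted argument strings
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tld(host: str) -> str:
    return host.rsplit(".", 1)[-1].lower()


def check_service_install(service_name: str, image_path: str) -> list[str]:
    """Flag RMM services; for ScreenConnect, judge the embedded relay host."""
    exe = binary_name(image_path)
    if exe not in RMM_BINARIES:
        return []
    relay = parse_screenconnect_params(image_path).get("h", "").lower()
    if not relay:  # MeshAgent, Tactical RMM, Datto carry no relay in ImagePath
        return [f"RMM agent service installed: {service_name} ({exe})"]
    findings = []
    if relay not in APPROVED_RELAY_HOSTS:
        findings.append(f"ScreenConnect relay host not approved: {relay}")
    if tld(relay) in SUSPICIOUS_TLDS:
        findings.append(f"relay host uses suspicious TLD .{tld(relay)}")
    return findings


def check_network_connection(image: str, dest_host: str, dest_port: int) -> list[str]:
    """Flag RMM agent traffic to anything but an approved relay.

    8041 is ScreenConnect's default relay port, so the port alone is not a
    signal; the destination host decides, and the port is only reported."""
    if binary_name(image) not in RMM_BINARIES:
        return []
    host = dest_host.lower()
    if host in APPROVED_RELAY_HOSTS:
        return []
    findings = [f"RMM agent connected to unapproved host {host}:{dest_port}"]
    if tld(host) in SUSPICIOUS_TLDS:
        findings.append(f"destination uses suspicious TLD .{tld(host)}")
    return findings


def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Route each event to its check; return (event_id, finding) pairs."""
    results = []
    for ev in events:
        if ev["event_id"] == 7045:
            found = check_service_install(ev["service_name"], ev["image_path"])
        elif ev["event_id"] == 3:
            found = check_network_connection(ev["image"], ev["dest_host"], ev["dest_port"])
        else:
            found = []
        results.extend((ev["event_id"], f) for f in found)
    return results


# Constructed sample telemetry, not real captures. Only the second and
# fourth records (approved tenant, ordinary browser) should stay quiet.
_SC_DIR = r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7a8b)"
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "ScreenConnect Client (1a2b3c4d5e6f7a8b)",
     "image_path": f'"{_SC_DIR}\\ScreenConnect.ClientService.exe" '
                   '"?e=Access&y=Guest&h=dof-connect.top&p=8041'
                   '&s=00000000-0000-4000-8000-000000000001&k=AAAA"'},
    {"event_id": 7045, "service_name": "ScreenConnect Client (0f0e0d0c0b0a0908)",
     "image_path": f'"{_SC_DIR}\\ScreenConnect.ClientService.exe" '
                   '"?e=Access&y=Guest&h=corp-it-relay.screenconnect.com&p=443'
                   '&s=00000000-0000-4000-8000-000000000002&k=BBBB"'},
    {"event_id": 3, "image": f"{_SC_DIR}\\ScreenConnect.ClientService.exe",
     "dest_host": "dof-connect.top", "dest_port": 8041},
    {"event_id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example.com", "dest_port": 443},
    {"event_id": 7045, "service_name": "Mesh Agent",
     "image_path": r'"C:\Program Files\Mesh Agent\MeshAgent.exe"'},
]

if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(f"[{event_id}] {finding}")
```

In production the same checks run over real 7045 and Sysmon records; the approved-host set should come from the RMM team's tenant inventory, and any ScreenConnect client whose h= parameter is absent from it is worth pulling the full ImagePath for, because the s= and k= values identify the attacker's server instance across hosts.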
References: Microsoft, Proofpoint, KnowBe4