Signed malware impersonating workplace apps deploys RMM backdoors
Essential information
- Published: 04/03/2026 00:20
- Modified: 04/03/2026 11:15
- Tags: 2026-03-04, digital signatures, lateral movement, mesh agent, persistence, phishing, rmm, screenconnect, tactical rmm, workplace impersonation
- Related entities: 20 observables, 14 techniques (mitre), 3 malware, 11 others
Description
Multiple phishing campaigns were identified using workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. The attacks used digitally signed executables masquerading as legitimate software to install remote monitoring and management (RMM) tools like ScreenConnect, Tactical RMM, and Mesh Agent. These tools enabled attackers to establish persistence and move laterally within compromised environments. The malware was signed using an Extended Validation certificate issued to TrustConnect Software PTY LTD. The campaigns demonstrate how familiar branding and trusted digital signatures can be exploited to bypass user suspicion and gain an initial foothold in enterprise networks.