Signed Malware Masquerading as Teams, Zoom Apps Drops RMM Backdoors

    Rameses Quiambao

    Summary

    Security researchers uncovered a phishing campaign distributing digitally signed malware disguised as legitimate workplace applications such as Microsoft Teams, Zoom, and Adobe Acrobat Reader.

    The attackers used valid Extended Validation (EV) code-signing certificates to make the malicious executables appear legitimate, helping them bypass user suspicion and some security controls.

    Once executed, the malware installs Remote Monitoring and Management (RMM) tools to establish persistent remote access to the victim system.

    Research Source

    According to Microsoft Defender Experts and reporting by Cyber Security News, the campaign began in February 2026 and targeted enterprise users through phishing emails disguised as meeting invitations, invoices, financial documents, and routine workplace communications.

    The attackers leveraged trusted brand names and legitimate digital signatures to increase the success rate of the phishing campaign.

    Technical Details

    The malicious files were disguised as legitimate application installers with filenames such as:
    • msteams.exe
    • zoomworkspace.clientsetup.exe
    • adobereader.exe
    • trustconnectagent.exe
    • invite.exe

    All files were signed using an EV certificate issued to TrustConnect Software PTY LTD, making them appear legitimate to users and certain security tools.

    Once executed, the malware copies itself into C:\Program Files to mimic a legitimate application installation.

    Persistence mechanisms include:
    • Creating a Windows service for automatic startup
    • Adding a Registry Run key at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value TrustConnectAgent

    The malware then connects to the command-and-control domain trustconnectsoftware[.]com.

    Observed Attack Activity

    Threat Actor
    • Currently unknown

    Initial Access
    • Phishing emails containing malicious installers disguised as common workplace software

    Execution & Persistence
    • Copies executable to Program Files
    • Registers as a Windows service
    • Adds Registry Run key for persistence

    Command and Control
    • Outbound communication with trustconnectsoftware[.]com

    Malware Deployment

    The malware installs multiple RMM backdoors:
    • ScreenConnect
    • Tactical RMM
    • Mesh Agent

    Post-Exploitation Capabilities

    • Remote system control
    • Lateral movement across networks
    • Data exfiltration
    • Deployment of additional payloads
    • Persistent access through multiple backdoors

    The use of multiple RMM tools simultaneously ensures continued access if one backdoor is removed.

    Impact

    Successful compromise may allow attackers to:
    • Gain persistent remote access to enterprise endpoints
    • Move laterally within corporate networks
    • Harvest sensitive data
    • Deploy additional malware or ransomware
    • Maintain stealth access using legitimate remote administration tools

    Because RMM platforms are legitimate software, they may evade detection by traditional signature-based security solutions.

    Mitigation

    Recommended defensive measures include:
    • Block unauthorized RMM tools using Windows Defender Application Control (WDAC) or AppLocker
    • Enable Multi-Factor Authentication (MFA) on all approved remote management platforms
    • Deploy Safe Links and Safe Attachments protections in email systems
    • Enable Zero-hour Auto Purge (ZAP) for malicious email removal
    • Enable cloud-delivered protection for endpoint antivirus
    • Implement Attack Surface Reduction (ASR) rules to block suspicious process behavior
    • Monitor for suspicious installation of RMM tools across endpoints

    References:

    Signed Malware Masquerading as Teams, Zoom Apps Drops RMM Backdoors

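The following is an added triage script, not code from the post above, from Microsoft Defender Experts or from Cyber Security News. It turns the indicators the post lists (the TrustConnectAgent Run key, the TrustConnect Software PTY LTD EV signer, the lure file names, the three RMM agents, the C2 domain) into read-only checks on a single Windows endpoint, and it also covers the "monitor for suspicious installation of RMM tools" mitigation by reading Event ID 7045 service-install records. The service-name patterns for ScreenConnect, Tactical RMM and Mesh Agent are assumptions about how those agents usually register and are marked as such in the comments; the domain, registry value, signer name and file names come from the post.

```powershell
# Added example: read-only triage for the indicators in the post. Not from the original post,
# Microsoft Defender Experts or Cyber Security News. Run in an elevated PowerShell 5.1+ session
# on a Windows endpoint; it reports, it does not remediate.

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Indicator, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Run-key persistence: value TrustConnectAgent under HKLM\...\Run (indicator from the post).
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($Run -and ($Run.PSObject.Properties.Name -contains 'TrustConnectAgent')) {
    Add-Finding 'RunKey' "TrustConnectAgent = $($Run.TrustConnectAgent)"
}

# 2. Authenticode signer: executables under Program Files signed by the abused EV subject.
#    A status of Valid is expected here; the point of the campaign is that the signature checks out.
$SignerPattern = '*TrustConnect Software PTY LTD*'
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
Get-ChildItem -Path $Roots -Filter *.exe -Recurse -Depth 2 -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.SignerCertificate -and ($sig.SignerCertificate.Subject -like $SignerPattern)) {
            Add-Finding 'Signer' "$($_.FullName) status=$($sig.Status) subject=$($sig.SignerCertificate.Subject)"
        }
    }

# 3. Lure file names from the post, scoped to user Downloads folders so legitimately installed
#    applications with similar names are not flagged.
$LureNames = @('msteams.exe', 'zoomworkspace.clientsetup.exe', 'adobereader.exe', 'trustconnectagent.exe', 'invite.exe')
Get-ChildItem -Path 'C:\Users\*\Downloads' -File -ErrorAction SilentlyContinue |
    Where-Object { $LureNames -contains $_.Name } |
    ForEach-Object { Add-Finding 'LureFile' $_.FullName }

# 4. Services matching the RMM tools the post lists. The name patterns are ASSUMPTIONS about how
#    these agents usually register; a hit on an RMM your organisation approved is not malicious by itself.
$RmmPatterns = [ordered]@{
    'ScreenConnect' = 'ScreenConnect Client*'   # assumption: typical service name "ScreenConnect Client (<id>)"
    'Tactical RMM'  = 'tacticalrmm*'            # assumption: typical service name "tacticalrmm"
    'Mesh Agent'    = 'Mesh Agent*'             # assumption: typical service name "Mesh Agent"
    'TrustConnect'  = '*TrustConnect*'          # name used by this campaign's Run key value
}
foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
    foreach ($rmm in $RmmPatterns.GetEnumerator()) {
        if (($svc.Name -like $rmm.Value) -or ($svc.DisplayName -like $rmm.Value)) {
            Add-Finding "Service/$($rmm.Key)" "$($svc.Name) state=$($svc.State) path=$($svc.PathName)"
        }
    }
}

# 5. Recent service installations (System log, Event ID 7045) that mention those tools.
$Since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ScreenConnect|tacticalrmm|Mesh Agent|TrustConnect' } |
    ForEach-Object {
        $flat = ($_.Message -replace '\s+', ' ')
        Add-Finding 'ServiceInstall-7045' "$($_.TimeCreated) $flat"
    }

# 6. C2 domain in the local DNS client cache. Deliberately no Resolve-DnsName: do not contact the
#    attacker's domain from a production host; use proxy and DNS server logs for fleet-wide hunting.
$C2Domain = 'trustconnectsoftware.com'
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$C2Domain" } |
    ForEach-Object { Add-Finding 'DNS' "$($_.Entry) -> $($_.Data)" }

if ($Findings.Count -eq 0) {
    Write-Output 'No campaign indicators found on this host.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

Save as a .ps1 and run it elevated; it writes nothing to disk or the registry. Treat Signer and RunKey hits as high-confidence, and Service hits as a prompt to compare against the approved RMM inventory, since the same agents are legitimately deployed in many estates. The script only inspects one host; the same indicators belong in the EDR, proxy and DNS hunts for coverage across the fleet.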