A sophisticated phishing campaign is exploiting the trust ingrained in familiar work applications, disguising malware as legitimate Microsoft Teams, Zoom, and Adobe Acrobat Reader updates. This advanced threat, identified by Microsoft Defender Experts, utilizes digitally signed malicious files that appear authentic, making them incredibly difficult for both end-users and basic security software to detect. The campaign, which began in February 2026, employs professionally crafted emails centered on common workplace scenarios like meeting invitations and financial documents to trick recipients into downloading these seemingly innocuous files.
The attackers have meticulously chosen filenames that closely mimic legitimate applications, such as “msteams.exe,” “zoomworkspace.clientsetup.exe,” and “adobereader.exe.” Crucially, these malicious files are signed with a legitimate-looking Extended Validation (EV) certificate issued to a company named TrustConnect Software PTY LTD. This digital signature lends an air of trustworthiness, making it highly probable that users will execute the malware without suspicion. Microsoft researchers have confirmed a deliberate, multi-vector approach by an unknown threat actor leveraging brand recognition and the perceived security of digital signatures as primary attack vectors.
How Signed Malware Masquerading as Teams, Zoom Apps Drops RMM Backdoors
Once executed, the signed malware silently deploys potent Remote Monitoring and Management (RMM) tools, including ScreenConnect, Tactical RMM, and Mesh Agent. The adoption of these RMM tools grants the attacker persistent and stealthy control over compromised enterprise systems. This strategy bypasses many traditional detection methods, as RMM tools are legitimate software platforms often used by IT departments for remote support and system management. When repurposed for malicious ends, they become ideal backdoors for attackers.
The implications of this campaign are far-reaching. With RMM tools firmly established, attackers gain the ability to remotely control affected systems, move laterally across the network, exfiltrate sensitive corporate data, and deploy additional malicious payloads without triggering common security alerts. The combination of convincing phishing lures, the use of well-known brand names, valid digital certificates, and the exploitation of trusted RMM frameworks makes this campaign particularly challenging to interdict at the initial point of infection.
Installation and Stealthy Persistence
Upon execution, the masqueraded malware follows a calculated sequence to establish a deep foothold within the compromised operating system. Initially, the executable creates a secondary copy of itself within the “C:\Program Files” directory, mimicking the installation of a legitimate application. This relocation helps to obscure its origin as a downloaded file.
Further solidifying its presence, the malware registers this copied executable as a Windows service. This ensures that the backdoor automatically launches every time the system reboots, providing continuous access for the attacker. As an additional layer of persistence, a registry Run key is created under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, intentionally named “TrustConnectAgent” and pointing directly to the disguised executable. This mechanism guarantees automatic startup on system boot.
The malware then initiates an outbound connection to a command and control (C2) domain controlled by the attacker, identified as trustconnectsoftware[.]com. Through this channel, encoded PowerShell commands are downloaded. These commands instruct the system to retrieve ScreenConnect client installer files (.msi) and place them in the system’s temporary folder. The Windows utility “msiexec.exe” is then employed to silently execute these installers.
This process embeds multiple registry entries under HKLM\SYSTEM\ControlSet001\Services\ScreenConnect Client, effectively hardwiring the ScreenConnect backdoor into the operating system’s services. This ensures the backdoor’s survival through system restarts and maintains uninterrupted remote access for the threat actor. This strategic placement makes the backdoor resilient and difficult to remove.
To further fortify its access and provide redundant control channels, the threat actor utilizes the same PowerShell pipeline to deploy Tactical RMM. This, in turn, installs another remote access solution, MeshAgent. This layered approach is a calculated move; if one backdoor is detected and neutralized, the others remain operational, ensuring the attacker’s continued access to the compromised environment. This redundancy significantly complicates containment efforts for security teams.
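The installation chain described above (staged copy into Program Files, the “TrustConnectAgent” Run key, DNS resolution of the C2 domain, msiexec.exe launched by PowerShell against an .msi in the temp folder, and the ScreenConnect Client service key) can be hunted for as a sequence rather than as isolated indicators. The following is an added example written for this article, not code from Microsoft or from the report it summarizes. It assumes Sysmon-style telemetry exported as JSON lines with the fields host, event_id, image, parent, cmdline, target and query (that field layout is an assumption), and the sample events embedded in it are constructed to illustrate one compromised host.

```python
"""Hunt for the signed-lure-to-RMM persistence chain in Sysmon-style JSON events."""
import json
import re
from collections import defaultdict

# Indicators named in the article. The event schema (field names, event IDs
# following Sysmon numbering) is an assumption for this example.
LURE_NAMES = {"msteams.exe", "zoomworkspace.clientsetup.exe", "adobereader.exe"}
RUN_KEY_VALUE = r"\software\microsoft\windows\currentversion\run\trustconnectagent"
SCREENCONNECT_SVC = r"\services\screenconnect client"
C2_DOMAIN = "trustconnectsoftware.com"   # defanged in the article as trustconnectsoftware[.]com
TEMP_MSI = re.compile(r"\\temp\\\S+\.msi", re.IGNORECASE)

# Order in which the article describes the stages; used to sort findings.
STAGES = ("staged_copy", "run_key", "c2_dns", "silent_msi_from_temp", "screenconnect_service")


def classify(ev):
    """Return the chain stage a single event evidences, or None if it is unrelated."""
    eid = ev.get("event_id")
    if eid == 11:  # FileCreate: lure binary copied into C:\Program Files
        tgt = ev.get("target", "").lower()
        if tgt.startswith("c:\\program files\\") and tgt.rsplit("\\", 1)[-1] in LURE_NAMES:
            return "staged_copy"
    if eid == 13:  # RegistryValueSet: Run key or ScreenConnect service entries
        tgt = ev.get("target", "").lower()
        if tgt.endswith(RUN_KEY_VALUE):
            return "run_key"
        if SCREENCONNECT_SVC in tgt:
            return "screenconnect_service"
    if eid == 22 and ev.get("query", "").lower().rstrip(".") == C2_DOMAIN:  # DNS query
        return "c2_dns"
    if eid == 1 and ev.get("image", "").lower().endswith("\\msiexec.exe"):  # ProcessCreate
        parent = ev.get("parent", "").lower()
        if TEMP_MSI.search(ev.get("cmdline", "")) and parent.endswith("\\powershell.exe"):
            return "silent_msi_from_temp"
    return None


def hunt(lines, min_stages=2):
    """Group events by host; report hosts showing at least min_stages chain stages."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {h: [s for s in STAGES if s in st] for h, st in seen.items() if len(st) >= min_stages}


# Constructed sample telemetry: WS01 shows the full chain, WS02 only benign noise.
SAMPLE_EVENTS = r"""
{"host": "WS01", "event_id": 11, "image": "C:\\Users\\alice\\Downloads\\msteams.exe", "target": "C:\\Program Files\\msteams.exe"}
{"host": "WS01", "event_id": 13, "image": "C:\\Program Files\\msteams.exe", "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\TrustConnectAgent"}
{"host": "WS01", "event_id": 22, "image": "C:\\Program Files\\msteams.exe", "query": "trustconnectsoftware.com"}
{"host": "WS01", "event_id": 1, "image": "C:\\Windows\\System32\\msiexec.exe", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "msiexec.exe /i C:\\Users\\alice\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.msi /quiet"}
{"host": "WS01", "event_id": 13, "image": "C:\\Windows\\System32\\msiexec.exe", "target": "HKLM\\SYSTEM\\ControlSet001\\Services\\ScreenConnect Client\\ImagePath"}
{"host": "WS02", "event_id": 22, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "query": "example.com"}
{"host": "WS02", "event_id": 1, "image": "C:\\Windows\\System32\\msiexec.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "msiexec.exe /i C:\\Installers\\7zip.msi"}
"""

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS.splitlines()).items():
        print(f"{host}: {len(stages)} chain stages observed -> {', '.join(stages)}")
```

Requiring two or more stages on the same host is a deliberate trade-off: a lone msiexec.exe run from a temp folder is common in legitimate software deployment, but it becomes much harder to explain once the same host also wrote the TrustConnectAgent Run key or resolved the C2 domain. Lowering min_stages to 1 turns the script into a plain indicator sweep.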
Organizations are advised to implement robust security measures to counter such sophisticated threats. Blocking unapproved RMM tools through Windows Defender Application Control or AppLocker is paramount. Multifactor authentication should be enforced on all approved RMM systems to prevent unauthorized access. Enabling Microsoft Defender for Office 365 features like Safe Links, Safe Attachments, and Zero-hour Auto Purge can intercept malicious emails before users interact with them. Maintaining cloud-delivered protection on endpoint antivirus solutions is crucial for rapidly detecting new malware variants. Furthermore, deploying attack surface reduction rules that target untrusted executables and common lateral movement techniques like PsExec or WMI-based process creation across all endpoints can significantly bolster defenses against RMM-based attacks.