A newly uncovered phishing campaign is actively targeting enterprise users by disguising malware as widely used workplace applications, including Microsoft Teams, Zoom, and Adobe Acrobat Reader. <\/p>\n
What makes this threat stand out is that the malicious files carry legitimate-looking digital signatures, making them harder for everyday users and even basic security tools to flag.<\/p>\n
The campaign first surfaced in February 2026, when multiple phishing waves began hitting organizations with emails built around meeting invitations, financial documents, invoices, and routine workplace notices. <\/p>\n
Each message was crafted to convince the recipient to download what looked like a familiar software update or a standard application installer. <\/p>\n
The malicious files carried names such as\u00a0 Every one of them was digitally signed using an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD, which the threat actor abused to make the files appear legitimate to unsuspecting victims.<\/p>\n Microsoft Defender Experts identified these campaigns<\/a> through Defender telemetry and confirmed a deliberate, multi-vector effort by an unknown threat actor. <\/p>\n Researchers noted that the attacker leaned on brand recognition as the core weapon \u2014 when a file carries a valid digital signature and looks like a known app, most users do not question it. <\/p>\n Once executed, the signed malware silently deployed remote monitoring<\/a> and management (RMM) tools, specifically ScreenConnect, Tactical RMM, and Mesh Agent, giving the attacker persistent and stealthy control over the compromised machine.<\/p>\n The reach of this campaign goes well beyond a single infected device. With RMM tools<\/a> running in the background, the attacker could remotely control the system, move laterally across the network, harvest sensitive data, and push additional payloads \u2014 all without generating the alerts that would normally warn the victim or the security team. <\/p>\n Since these are legitimate software platforms repurposed for malicious ends, detection tools relying on signature-based scanning often let them pass. <\/p>\n The combination of phishing lures<\/a>, familiar brand names, valid certificates, and trusted RMM frameworks made this campaign very hard to stop at the point of initial entry.<\/p>\n Once a victim ran one of the masqueraded applications, the malware followed a deliberate series of steps to entrench itself in the operating system. <\/p>\n The executable first created a secondary copy under\u00a0 It then registered that copy as a Windows service, ensuring the backdoor would start automatically on every system reboot. <\/p>\n As an additional persistence measure, a registry Run key was written at\u00a0 The malware then opened an outbound connection to the attacker-controlled command and control (C2) domain\u00a0 Encoded PowerShell commands<\/a> pulled ScreenConnect client installer files ( This embedded multiple registry entries under\u00a0 To reinforce its hold on the environment, the threat actor used the same PowerShell pipeline to deploy Tactical RMM, which in turn installed MeshAgent as a third remote access channel. <\/p>\n This layered approach was calculated \u2014 if one backdoor is detected and removed, the others keep running without interruption.<\/p>\n Organizations should block unapproved RMM tools using Windows Defender<\/a> Application Control or AppLocker. Multifactor authentication must be enforced on all approved RMM systems. <\/p>\n Safe Links, Safe Attachments, and Zero-hour Auto Purge should be enabled to intercept malicious emails before users interact with them. Cloud-delivered protection should remain active on endpoint antivirus to catch new malware variants quickly. <\/p>\n Attack surface reduction rules targeting untrusted executables and PsExec or WMI-based process creation should be deployed across all endpoints.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Signed Malware Masquerading as Teams, Zoom Apps Drops RMM Backdoors<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nmsteams.exe<\/code>,\u00a0zoomworkspace.clientsetup.exe<\/code>,\u00a0adobereader.exe<\/code>,\u00a0trustconnectagent.exe<\/code>, and\u00a0invite.exe<\/code>\u00a0\u2014 all chosen to mirror real and trusted applications. <\/p>\n![\"Attack](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgL8pwdscbZyxfPJ5f52RnGXaNg0gIBFRQLBTmq-9U_16nxToGiuqAhROpPr_wNNTRfMV3vIc36kvPhRP1AlAHq4HY9JmTgZy5ZOaVq5UFfqlHa_EduN4ymW8YGxEMHQzwg6m0sM2iW6ONR6SehzNj7wL2sNsfDochAa9zcAmXNmG9mU19zk5S6civ57FY\/s16000\/Attack%2520chain%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")
How the Malware Installs and Stays Hidden<\/strong><\/h2>\n
C:Program Files<\/code>, making it look like a properly installed program rather than a file dropped from a browser. <\/p>\nHKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun<\/code>\u00a0under the value name\u00a0TrustConnectAgent<\/code>, pointing directly to the disguised executable.<\/p>\n![\"Registry](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjEihwz5Y1QnpDPXYy2rVpNdvjE1z_dPALKPy3cf_X5kTicc1h6VofO4NJWfINYEAIHFQYRg_E65rKmev1Kh3BAMUqTztGDIlZMARUPF0cgsnCGBoWWwkKpgkb7WNnBeodxYocFAXEDEcIUNzgCP40oh7VpxaE7ijttf0aghqY0sOVPUOGDyyJEFBA2K5E\/s16000\/Registry%2520Run%2520key%2520configured%2520to%2520auto-launch%2520the%2520disguised%2520executable%2520at%2520system%2520startup%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")
trustconnectsoftware[.]com<\/code>. <\/p>\n.msi<\/code>) into the system\u2019s temporary folder, and the Windows\u00a0msiexec.exe<\/code>\u00a0utility executed them silently. <\/p>\nHKLMSYSTEMControlSet001ServicesScreenConnect Client<\/code>, hardwiring the backdoor into the operating system to survive restarts and maintain continuous access.<\/p>\n![\"Registry](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2oX7y0cjwhZebNo15kOM4HvQ6WaRWb9N8PX-UmyTemaMigtPC9G9hSyXA5WRRcgdMCGTU52iMLpHksIBtDtito05borpCptIrYZgI1CeFDxps50ZJhXkO1mMEZrNKaev9FxLND0L7lDuq6U13CnpRd11HNdE9cJ1GCMpsxp5ts_WB8Fs4ouu57MTG_fA\/s16000\/Registry%2520entries%2520created%2520during%2520the%2520ScreenConnect%2520backdoor%2520installation%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")