
Description


Hello to all our Cyber Pals! Host Selena Larson and co-host Tim Kromphardt chat with Tommy Madjar, Senior Threat Researcher at Proofpoint, to unpack one of the strangest malware investigations of the year: TrustConnect RAT.

What started as a seemingly legitimate remote management tool quickly unraveled into a bizarre, fast-evolving ecosystem of “vibe-coded” malware. TrustConnect masqueraded as a polished RMM platform—complete with fake testimonials, inflated customer counts, and even an extended validation (EV) code-signing certificate to appear trustworthy. But beneath the surface? Sloppy AI-generated web panels, exposed administrative pages, and a backend that literally labeled infected machines as “victims.”

Tommy walks through how the team discovered the malware, why attackers are increasingly building their own fake RMM platforms instead of abusing legitimate ones, and how the use of EV certificates helped the malware evade detection across security tools. 

The conversation also dives into:

Along the way, the team explores a broader theme: what happens when threat actors move fast with AI—but don’t fully understand security fundamentals? 

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat

For more information about Proofpoint, check out our website.


Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!