Signed Malware Impersonating Workplace Apps Used To Deploy RMM Backdoors

Microsoft's Defender Security Research Team has identified a series of phishing campaigns in which an unknown attacker used digitally signed malware masked as common workplace applications to deploy remote monitoring and management tools as persistent backdoors on targeted systems.

The campaigns, spotted in February and reported on this week, used meeting invitations, phony invoices and fake PDF attachments to direct users toward downloading harmful executables masquerading as Microsoft Teams, Zoom, Adobe Acrobat Reader and Google Meet installers. Each file was digitally signed using an Extended Validation certificate issued to an entity named TrustConnect Software PTY LTD -- a credential that lent the payloads an air of legitimacy and helped them bypass initial user suspicion.

"These campaigns demonstrate how familiar branding and trusted digital signatures can be abused to bypass user suspicion and gain an initial foothold in enterprise environments," said Microsoft in a blog post on Monday.

After being launched, the fake installers deployed ScreenConnect, Tactical RMM and MeshAgent -- legitimate remote access tools that attackers used as backdoors. The malware registered itself as a Windows service under familiar-looking paths such as C:\Program Files\Adobe Acrobat Reader\AdobeReader.exe and created a Run registry key to maintain persistence after reboots. It then established outbound connections to the attacker-controlled command-and-control domain trustconnectsoftware[.]com.

In one campaign variant, victims received a phishing email with a blurred PDF attachment. A button labeled "Open in Adobe" redirected users to a fake Adobe download page that automatically delivered the signed malicious executable disguised as a software update. Another campaign used forged Microsoft Teams and Zoom meeting invitations to distribute similar fake installer packages.

Microsoft said analysis of the ScreenConnect payloads showed that the executable files were signed with certificates that had already been revoked at the time of deployment. The company noted that "this pattern -- an unsigned installer followed by executables bearing invalidated signatures -- has been consistently observed in similar intrusions."

The attacker did not stop at a single access mechanism. To guard against detection and removal, the actor simultaneously deployed Tactical RMM, which in turn installed MeshAgent, providing additional remote access channels. "The use of multiple RMM frameworks within a single intrusion demonstrates a deliberate strategy to ensure continuous access, diversify C2 capabilities, and maintain operational resilience even if one access mechanism is detected or removed," Microsoft said.

The activity comes amid growing abuse of legitimate remote management tools. In February 2026, Microsoft's Defender team documented a similar case in which attackers exploited vulnerabilities in SolarWinds Web Help Desk to gain initial access, then deployed a Zoho ManageEngine RMM agent to maintain control. Researchers warned that a single exposed application can provide a pathway to full domain compromise.

Microsoft said the campaigns also underscore how attackers are abusing trusted code-signing certificates as a social engineering tactic, highlighting what security experts say are limits in the traditional trust model.

"A valid signature still tells us something important about provenance, but it does not tell us the whole story," said Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Ariz.-based provider of certificate lifecycle management, in an emailed statement. "Security teams must treat it as a single data point within a broader behavioral profile."

Soroko noted that a more robust defense requires evaluating signatures alongside behavioral telemetry, infrastructure reputation and update cadence. "Trust emerges from the convergence of identity, behavior, and reputation," he said, "and this works well in zero trust models using blended defenses."

Microsoft recommends that organizations audit their environments for unapproved RMM software installations and enforce application control policies using Windows Defender Application Control or AppLocker. The company also advises turning on cloud-delivered protection in Microsoft Defender Antivirus, enabling Safe Links and Safe Attachments in Defender for Office 365, and requiring multifactor authentication for approved RMM systems.
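The audit Microsoft recommends can be started from a single endpoint with the script below. It is an added example, not code from Microsoft's report: it lists every Windows service binary and HKLM/HKCU Run entry (the two persistence points described above), then flags an entry when its name or path matches a known RMM agent or when its Authenticode status is anything other than Valid, which is what a revoked certificate produces. The RMM name list and the output columns are assumptions made for this example.

```powershell
# Added audit example (not Microsoft's code). Flags service and Run-key binaries
# that look like RMM agents or whose Authenticode signature is not Valid.
# $RmmPatterns is an assumed, editable list of agent names to look for.
$RmmPatterns = @('ScreenConnect', 'ConnectWise', 'tacticalrmm', 'tacticalagent', 'MeshAgent')

function Get-BinaryPath {
    param([string]$CommandLine)
    # Strip surrounding quotes and trailing arguments from an ImagePath or Run value.
    # Limitation: an unquoted path containing spaces is cut at the first space.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Test-RmmName {
    param([string]$Text)
    foreach ($p in $RmmPatterns) { if ($Text -match [regex]::Escape($p)) { return $true } }
    return $false
}

$entries = @()
# Services: the campaign registered its payload as a service under a familiar-looking path.
foreach ($svc in Get-CimInstance Win32_Service) {
    $entries += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Path = (Get-BinaryPath $svc.PathName) }
}
# Run keys: the campaign also added a Run value so the payload survives reboots.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $entries += [pscustomobject]@{ Source = 'Run'; Name = $prop.Name; Path = (Get-BinaryPath $prop.Value) }
    }
}

# Signature check: a revoked or untrusted certificate does not yield Status 'Valid'.
$flagged = foreach ($e in $entries) {
    if (-not $e.Path -or -not (Test-Path -LiteralPath $e.Path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $e.Path
    $rmm = (Test-RmmName $e.Name) -or (Test-RmmName $e.Path)
    if ($rmm -or $sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Source = $e.Source; Name = $e.Name; Path = $e.Path; RmmMatch = $rmm
            SigStatus = $sig.Status; Signer = $sig.SignerCertificate.Subject
        }
    }
}
$flagged | Format-Table -AutoSize
```

Entries whose path could not be resolved are skipped rather than reported, so a second pass over those is worthwhile on a host that is already suspected of compromise.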

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
