www.microsoft.com 3/3/2026, 10:52:18 PM · via preferred

EV-signed malware poses as Teams to push remote access tools


In February 2026, Microsoft Defender Experts identified multiple phishing campaigns attributed to an unknown threat actor that used workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. The attackers distributed malicious executables masquerading as Teams, Zoom, or other trusted software, with files digitally signed using an Extended Validation certificate issued to TrustConnect Software PTY LTD.

Once run, the software installed remote monitoring and management tools, including ScreenConnect, Tactical RMM, and Mesh Agent, enabling persistent remote access and lateral movement. The malware created a Run key and registered a Windows service to achieve startup persistence, and communications targeted an attacker-controlled C2 domain.

Microsoft recommends mitigations such as blocking unapproved RMMs with WDAC or AppLocker, enabling MFA for approved RMM systems, and turning on cloud-delivered protection and Defender XDR safeguards to detect and quarantine these unsigned or compromised components.
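The signer mismatch and unapproved-RMM conditions described above can be checked over endpoint inventory data. The following is an added example, not code from Microsoft or the article; the record fields, match strings, expected publisher names and sample records are assumptions constructed for illustration.

```python
# Added example; record fields and sample values are constructed, not from the article.
EXPECTED_SIGNERS = {          # assumption: publisher names as an inventory tool reports them
    "teams": {"Microsoft Corporation"},
    "zoom": {"Zoom Video Communications, Inc."},
}
RMM_TOOLS = {                 # products named in the article; match strings are assumptions
    "ScreenConnect": ("screenconnect",),
    "Tactical RMM": ("tacticalrmm", "tactical rmm"),
    "Mesh Agent": ("meshagent", "mesh agent"),
}
AUTOSTART = {"run_key", "service"}   # the two persistence mechanisms the article describes


def triage(record, approved_rmm=frozenset()):
    """Return a sorted list of findings for one inventory record."""
    findings = set()
    text = f"{record['file_name']} {record.get('description', '')}".lower()
    signer = record.get("signer")

    # A valid signature only proves who signed, so signature_valid is deliberately
    # not consulted: compare the signer with the brand the file name claims.
    for brand, signers in EXPECTED_SIGNERS.items():
        if brand in record["file_name"].lower() and signer not in signers:
            findings.add(f"brand_signer_mismatch:{brand}")

    for product, needles in RMM_TOOLS.items():
        if product not in approved_rmm and any(n in text for n in needles):
            findings.add(f"unapproved_rmm:{product}")

    # Autostart entries are reported only for binaries that are already suspicious.
    if findings:
        for mech in AUTOSTART & set(record.get("persistence", ())):
            findings.add(f"persistence:{mech}")
    return sorted(findings)


SAMPLE_RECORDS = [  # constructed
    {"file_name": "MSTeamsSetup.exe", "signer": "TrustConnect Software PTY LTD",
     "signature_valid": True, "persistence": ["run_key", "service"]},
    {"file_name": "Teams.exe", "signer": "Microsoft Corporation",
     "signature_valid": True, "persistence": ["run_key"]},
    {"file_name": "meshagent.exe", "description": "Mesh Agent background service",
     "signer": None, "persistence": ["service"]},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["file_name"], triage(rec))
```

Pass the organisation's sanctioned products as `approved_rmm`; name matching is only a triage signal, and enforcement belongs in the WDAC or AppLocker policy.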


Article by CyberSIXT