What makes this threat stand out is that the malicious files carry legitimate-looking digital signatures, making them harder for everyday users and even basic security tools to flag.
The campaign first surfaced in February 2026, when multiple phishing waves began hitting organizations with emails built around meeting invitations, financial documents, invoices, and routine workplace notices.
Each message was crafted to convince the recipient to download what looked like a familiar software update or a standard application installer.
The malicious files carried names such as msteams.exe, zoomworkspace.clientsetup.exe, adobereader.exe, trustconnectagent.exe, and invite.exe — all chosen to mirror real and trusted applications.
Every one of them was digitally signed using an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD, which the threat actor abused to make the files appear legitimate to unsuspecting victims.
Microsoft Defender Experts identified these campaigns through Defender telemetry and confirmed a deliberate, multi-vector effort by an unknown threat actor.
Researchers noted that the attacker leaned on brand recognition as the core weapon — when a file carries a valid digital signature and looks like a known app, most users do not question it.
Once executed, the signed malware silently deployed remote monitoring and management (RMM) tools, specifically ScreenConnect, Tactical RMM, and Mesh Agent, giving the attacker persistent and stealthy control over the compromised machine.
The reach of this campaign goes well beyond a single infected device. With RMM tools running in the background, the attacker could remotely control the system, move laterally across the network, harvest sensitive data, and push additional payloads — all without generating the alerts that would normally warn the victim or the security team.
Since these are legitimate software platforms repurposed for malicious ends, detection tools relying on signature-based scanning often let them pass.
The combination of phishing lures, familiar brand names, valid certificates, and trusted RMM frameworks made this campaign very hard to stop at the point of initial entry.
How the Malware Installs and Stays Hidden
Once a victim ran one of the masqueraded applications, the malware followed a deliberate series of steps to entrench itself in the operating system.
The executable first created a secondary copy under C:\Program Files, making it look like a properly installed program rather than a file dropped from a browser.
It then registered that copy as a Windows service, ensuring the backdoor would start automatically on every system reboot.
As an additional persistence measure, a registry Run key was written at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run under the value name TrustConnectAgent, pointing directly to the disguised executable.
The malware then opened an outbound connection to the attacker-controlled command and control (C2) domain trustconnectsoftware[.]com.
Encoded PowerShell commands pulled ScreenConnect client installer files (.msi) into the system’s temporary folder, and the Windows msiexec.exe utility executed them silently.
This embedded multiple registry entries under HKLM\SYSTEM\ControlSet001\Services\ScreenConnect Client, hardwiring the backdoor into the operating system to survive restarts and maintain continuous access.
To reinforce its hold on the environment, the threat actor used the same PowerShell pipeline to deploy Tactical RMM, which in turn installed MeshAgent as a third remote access channel.
This layered approach was calculated — if one backdoor is detected and removed, the others keep running without interruption.
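The chain above gives a defender a small set of concrete things to hunt for. The Python below is an added example, not code from the article or from Microsoft: it runs those checks over constructed telemetry records. The record field names, the expected-publisher table and the sample events are assumptions made for the example; the indicators themselves (the TrustConnectAgent Run-key value, the ScreenConnect Client service key, the abused signer name, the C2 domain, and silent msiexec installs launched from encoded PowerShell) are the ones the article describes. The signature check makes the article's central point explicit: a valid signature is only meaningful when the publisher matches the brand the file name claims.

```python
"""Hunt for the masquerading and persistence artifacts described in the article.

Added example. Telemetry records and their field names are constructed for
illustration and are not real Defender output.
"""
import re
from typing import Callable, Dict, List

# --- Indicators taken from the article (compared case-insensitively) -------------
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "trustconnectagent"
SCREENCONNECT_SERVICE_KEY = r"hklm\system\controlset001\services\screenconnect client"
ABUSED_SIGNER = "trustconnect software pty ltd"
C2_DOMAIN = "trustconnectsoftware.com"

# --- Assumption: the publisher that legitimately signs each impersonated product.
# A file with one of these names signed by anyone else is a brand masquerade,
# even when Authenticode reports the signature as valid.
EXPECTED_PUBLISHER = {
    "msteams.exe": "microsoft corporation",
    "zoomworkspace.clientsetup.exe": "zoom video communications, inc.",
    "adobereader.exe": "adobe inc.",
}

# PowerShell accepts abbreviated switch names; match the common spellings (assumption).
ENCODED_FLAG = re.compile(r"\s-e(?:nc(?:odedcommand)?)?\s")


def check_signature(ev: Dict[str, str]) -> List[str]:
    """Valid-but-wrong-publisher check plus a match on the known abused signer."""
    name = ev["file"].rsplit("\\", 1)[-1].lower()
    signer = ev["signer"].lower()
    hits = []
    if signer == ABUSED_SIGNER:
        hits.append(f"known abused EV signer on {ev['file']}")
    expected = EXPECTED_PUBLISHER.get(name)
    if expected and signer != expected:
        hits.append(f"{name} signed by '{ev['signer']}', expected '{expected}' (brand masquerade)")
    return hits


def check_registry(ev: Dict[str, str]) -> List[str]:
    """Run-key value and ScreenConnect service key written by the installer."""
    key = ev["key"].lower()
    if key == RUN_KEY and ev.get("value_name", "").lower() == RUN_VALUE_NAME:
        return [f"Run-key persistence {ev['value_name']} -> {ev['data']}"]
    if key.startswith(SCREENCONNECT_SERVICE_KEY):
        return [f"ScreenConnect Client service registered via {ev['key']}"]
    return []


def check_process(ev: Dict[str, str]) -> List[str]:
    """msiexec installing an .msi from a temp folder silently, parented by encoded PowerShell."""
    cmd = ev["cmdline"].lower()
    parent = ev.get("parent_image", "").lower()
    parent_cmd = ev.get("parent_cmdline", "").lower()
    if (ev["image"].lower().endswith("msiexec.exe")
            and ".msi" in cmd and "\\temp\\" in cmd and "/q" in cmd   # /qn or /quiet
            and parent.endswith("powershell.exe") and ENCODED_FLAG.search(parent_cmd)):
        return [f"silent MSI install from temp spawned by encoded PowerShell: {ev['cmdline']}"]
    return []


def check_dns(ev: Dict[str, str]) -> List[str]:
    """Lookup of the C2 domain or any of its subdomains."""
    q = ev["query"].lower().rstrip(".")
    if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
        return [f"C2 lookup {ev['query']} by {ev.get('image', '?')}"]
    return []


CHECKS: Dict[str, Callable[[Dict[str, str]], List[str]]] = {
    "signature": check_signature, "registry": check_registry,
    "process": check_process, "dns": check_dns,
}


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Run every record through the check for its type and collect alert strings."""
    alerts: List[str] = []
    for ev in events:
        alerts.extend(CHECKS.get(ev["type"], lambda _e: [])(ev))
    return alerts


# Constructed sample telemetry: one infected host plus benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "signature", "file": r"C:\Users\alice\Downloads\msteams.exe",
     "signer": "TrustConnect Software PTY LTD"},                     # 2 alerts
    {"type": "signature", "file": r"C:\Program Files\Zoom\zoomworkspace.clientsetup.exe",
     "signer": "Zoom Video Communications, Inc."},                   # benign
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "TrustConnectAgent",
     "data": r"C:\Program Files\TrustConnectAgent\trustconnectagent.exe"},  # 1 alert
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "registry", "key": r"HKLM\SYSTEM\ControlSet001\Services\ScreenConnect Client",
     "value_name": "ImagePath", "data": r"C:\Program Files (x86)\ScreenConnect Client\...exe"},  # 1 alert
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Windows\Temp\sc.msi /qn",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_cmdline": "powershell.exe -NoProfile -EncodedCommand SQBFAFgA..."},  # 1 alert
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bob\Downloads\7zip.msi",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},  # benign
    {"type": "dns", "query": "trustconnectsoftware.com", "image": "trustconnectagent.exe"},  # 1 alert
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Run on the constructed records it raises six alerts for the infected host and none for the benign Zoom installer, OneDrive Run-key entry or user-launched MSI. The publisher table is the part worth extending in practice: it turns "is the signature valid?" into "is it valid from the publisher this file name implies?", which is the question the campaign relied on nobody asking.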
Organizations should block unapproved RMM tools using Windows Defender Application Control or AppLocker. Multifactor authentication must be enforced on all approved RMM systems.
Safe Links, Safe Attachments, and Zero-hour Auto Purge should be enabled to intercept malicious emails before users interact with them. Cloud-delivered protection should remain active on endpoint antivirus to catch new malware variants quickly.
Attack surface reduction rules targeting untrusted executables and PsExec or WMI-based process creation should be deployed across all endpoints.
The post Signed Malware Masquerading as Teams, Zoom Apps Drops RMM Backdoors appeared first on Cyber Security News.