EV-Signed Phishing Installers Drop ScreenConnect

Summary

Microsoft Defender Experts uncovered phishing campaigns that use fake meeting, invoice, and document lures to deliver malware installers disguised as trusted apps like Teams, Zoom, and Adobe Reader. What makes this notable is that the installers were signed with an EV certificate and used to deploy legitimate remote management tools such as ScreenConnect and Tactical RMM, giving attackers stealthy initial access that can blend into normal enterprise IT activity.

Introduction: why this matters

Threat actors are increasingly blending in with legitimate IT operations by deploying commercially available Remote Monitoring and Management (RMM) tools. This campaign raises the bar further by using familiar “workplace app” branding and EV code signing to reduce user suspicion and improve execution rates—making it a practical initial access path in enterprises where users routinely install meeting and document software.

What’s new / key findings

Microsoft Defender Experts observed multiple phishing campaigns attributed to an unidentified threat actor. Key characteristics include:

  • Meeting and document lures: Emails masqueraded as meeting invitations (Teams/Zoom/Google Meet), invoices, financial documents, bids, and organizational notifications.
  • Counterfeit PDFs and spoofed download pages: Some messages delivered fake PDFs with an “Open in Adobe” button that redirected users to a lookalike Adobe download site prompting an “update.”
  • Masquerading executables: Payloads were named to resemble trusted installers, including msteams.exe, adobereader.exe, zoomworkspace.clientsetup.exe, invite.exe, and trustconnectagent.exe.
  • Abuse of trust via EV signing: The droppers were digitally signed with an EV certificate issued to TrustConnect Software PTY LTD, helping them appear legitimate.
  • RMM backdoor deployment: Execution led to installation of RMM tools such as ScreenConnect, Tactical RMM, and Mesh Agent, enabling persistent remote access.

How the intrusion establishes persistence (technical highlights)

In the ScreenConnect-focused chain, the “workspace” executable:

  • Copied itself into C:\Program Files to look like a legitimate installed application.
  • Registered itself as a Windows service for startup persistence.
  • Created an additional autorun via Run key:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Value name: TrustConnectAgent
    • Target: C:\Program Files\Adobe Acrobat Reader\AdobeReader.exe
  • Connected outbound to attacker infrastructure (notably trustconnectsoftware[.]com).
  • Used encoded PowerShell to download additional payloads and invoked msiexec.exe to install ScreenConnect from staged MSI files.

Microsoft noted cases where the MSI appeared unsigned, followed by ScreenConnect binaries signed with revoked certificates, a pattern commonly associated with malicious or unauthorized deployment.

Impact on IT administrators and end users

  • Users are targeted through routine workflows: joining meetings, reviewing invoices, and updating “out-of-date” apps.
  • IT and security teams may see attacker activity blend into normal admin tooling because RMM agents can resemble sanctioned remote support.
  • Risk increases post-compromise: persistence via services/autoruns plus RMM tooling can accelerate credential access, remote control, and lateral movement.

Action items / next steps

  • Harden software installation paths: restrict user-driven installs where feasible; enforce allowlisting (e.g., WDAC/App Control) for “installer-like” executables.
  • Audit RMM usage: inventory approved RMM tools and block or alert on unauthorized agents (ScreenConnect/Tactical RMM/Mesh) and suspicious service creation.
  • Review code-signing trust decisions: treat “signed” as a signal—not proof. Add detection logic for new/rare publishers and unusual EV-signed binaries.
  • Hunt for persistence indicators: look for the TrustConnectAgent Run key, unexpected services, and suspicious msiexec.exe plus encoded PowerShell patterns.
  • Strengthen phishing resilience: reinforce user guidance around “update required” prompts from email/PDFs and use Defender protections to detonate/inspect attachments and links.
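As an added example (not code from the Microsoft write-up), a small Python hunt that applies the persistence chain described above together with the RMM-audit, Run-key and encoded-PowerShell checks from the action items to a handful of constructed telemetry records. The event field names (`type`, `key`, `value_name`, `data`, `parent`, `image`, `cmdline`, `image_path`) and the sample records are assumptions, not a real product schema; the indicator values come from the page.

```python
import base64
import re

# Installer names and the Run-key value name reported on the page, lower-cased.
MASQUERADE_NAMES = {"msteams.exe", "adobereader.exe", "zoomworkspace.clientsetup.exe", "invite.exe", "trustconnectagent.exe"}
RMM_MARKERS = ("screenconnect", "tacticalrmm", "tactical rmm", "meshagent", "mesh agent")
PS_IMAGES = ("powershell.exe", "pwsh.exe")
ENC_RE = re.compile(r"\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    # Any prefix of -EncodedCommand (-e, -ec, -enc, ...) followed by a base64 blob of UTF-16LE text.
    m = ENC_RE.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def hunt(events, approved_rmm=()):
    # Returns (rule_name, event) pairs; approved_rmm suppresses sanctioned agents.
    findings = []
    for ev in events:
        t = ev["type"]
        if t == "registry_set" and ev["key"].lower().endswith(r"\currentversion\run"):
            exe = ev["data"].lower().rsplit("\\", 1)[-1]
            if ev["value_name"].lower() == "trustconnectagent" or exe in MASQUERADE_NAMES:
                findings.append(("run_key_masquerade", ev))
        elif t == "process" and ev["image"].lower() in PS_IMAGES:
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:  # attach the decoded script for the analyst
                findings.append(("encoded_powershell", {**ev, "decoded": decoded}))
        elif t == "process" and ev["image"].lower() == "msiexec.exe":
            if ev["parent"].lower() in PS_IMAGES:
                findings.append(("msiexec_from_powershell", ev))
        elif t == "service_install":
            blob = (ev["name"] + " " + ev["image_path"]).lower()
            if any(m in blob for m in RMM_MARKERS) and not any(a.lower() in blob for a in approved_rmm):
                findings.append(("unapproved_rmm_service", ev))
    return findings

# Constructed sample telemetry (not real logs); the encoded command wraps a harmless string.
_ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "TrustConnectAgent", "data": r"C:\Program Files\Adobe Acrobat Reader\AdobeReader.exe"},
    {"type": "process", "parent": "invite.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + _ENC},
    {"type": "process", "parent": "powershell.exe", "image": "msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\Public\staged.msi /qn"},
    {"type": "service_install", "name": "ScreenConnect Client (constructed)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
]
```

Calling `hunt(SAMPLE_EVENTS)` flags all four records; passing `approved_rmm=("ScreenConnect",)` drops the service finding, which is how an inventory of sanctioned RMM tools turns the rule from noise into signal.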
