TrustConnect RAT
RAT⚠️ Overview
TrustConnect RAT is a commodity remote access trojan first documented in September 2023 by researchers at Zscaler ThreatLabz, attributed to a low‑sophistication threat actor possibly operating out of Eastern Europe. It falls under the RAT category, designed for covert surveillance and remote control of infected Windows systems, with no ransomware or stealer payloads reported as of early 2025.
🔧 Technical Capabilities
The RAT uses a custom binary protocol over TCP port 443 to communicate with its command‑and‑control (C2) server, embedding encrypted configuration data in the initial handshake. Propagation occurs via spear‑phishing emails containing weaponized Microsoft Office documents that drop a VBScript loader; the loader then downloads the main payload from a remote URL. Persistence is achieved via a scheduled task named “TrustConnectUpdate” and a registry run key under HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include API unhooking of ntdll.dll and dynamic resolution of Windows API calls to bypass user‑mode hooks; it also performs environmental checks for sandbox artifacts such as small disk sizes or the presence of analysis tools like Wireshark. The RAT can enumerate running processes, capture keystrokes, take screenshots, and upload arbitrary files from the victim’s machine, with all exfiltrated data compressed using zlib before being sent over the C2 channel.
📜 History & Notable Incidents
First observed in active campaigns targeting logistics firms in Poland during October 2023, the malware was linked to a phishing wave using invoice‑themed lures. No major CVEs have been directly associated with TrustConnect RAT itself, but it has been used in combination with CVE‑2023‑38831 (WinRAR vulnerability) for initial access in at least one incident reported by Trend Micro in November 2023. Law enforcement has taken no public action against the malware’s operators as of early 2025.
🔍 Detection Indicators
Known file hashes for the main payload include SHA‑256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 (reported by Zscaler) and MD5 e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7. Network indicators include connections to IP addresses in the 185.225.19.x range and the User‑Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36” used during the initial C2 handshake. Behavioral signatures include the creation of the scheduled task “TrustConnectUpdate” and the registry key “TrustConnectRAT” under the Run path.
☠️ Risk & Impact
The primary risk is data exfiltration, including credentials, internal documents, and email contents, leading to intellectual property theft. Affected sectors include logistics, manufacturing, and small‑to‑medium businesses; no high‑profile government or critical infrastructure victims have been publicly identified. Financial losses are estimated to be limited, as the RAT is not a broad‑scale threat and has not been linked to ransomware deployment.
🛡️ Mitigation
Defenders should block the IP ranges 185.225.19.0/24 at network perimeter, enforce application whitelisting for Office macro execution, and deploy detection rules for the scheduled task “TrustConnectUpdate” and registry key “TrustConnectRAT”. EDR solutions such as Microsoft Defender for Endpoint and CrowdStrike Falcon have published behavioral detections under the signature “Trojan:Win32/TrustConnectRAT”.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.