Signed malware impersonating workplace apps deploys RMM backdoors
ID: 99249de9-1a68-5798-a110-932e140cf362
STIX ID: report--99249de9-1a68-5798-a110-932e140cf362
Feed Name: Microsoft Security
Date Published: 2026-03-03
Date Updated: 2026-04-28
Author: Microsoft Defender Security Research Team
In February 2026, Microsoft Defender identified coordinated phishing campaigns that used familiar workplace-app lures and EV-signed binaries (certificate issued to TrustConnect Software PTY LTD) to install remote monitoring and management (RMM) backdoors, notably ScreenConnect, Tactical RMM, and MeshAgent, enabling persistent, covert remote access. The report provides detailed TTPs, registry and service persistence artifacts, IoCs (hashes, URLs, domains, IPs), and defensive and hunting guidance for Microsoft Defender XDR and Sentinel customers.
