A wolf in admin clothing. [Research Saturday]

This episode of CyberWire Daily's Research Saturday dives into a sophisticated cyber deception campaign dubbed 'Don't Trust Connect: It's a RAT in an RMM Hat.' Threat researcher Selena Larson from Proofpoint details how attackers used AI-generated websites and a legitimate Extended Validation (EV) SSL certificate to masquerade as a legitimate Remote Monitoring and Management (RMM) tool called Trust Connect. The malware, disguised as a trusted RMM, was delivered via phishing emails using common lures like fake party invitations and Social Security Administration notices. Once installed, it functioned as a remote access Trojan (RAT), enabling data theft, lateral movement, and additional malware deployment. Despite the polished front-end, the underlying web development was poorly secured, exposing vulnerabilities that allowed researchers to uncover the scam. The campaign appears linked to the Redline Stealer ecosystem, with the operator using the Telegram handle Zaki09—previously identified as a VIP customer in a major law enforcement takedown. The attackers quickly pivoted after their certificate was revoked, demonstrating a resilient, service-oriented malware operation. The episode underscores that while AI enhances the authenticity of phishing materials, it doesn't replace foundational technical skill—making poor security practices a critical weakness.