Be sure to catch Daniel's presentation, "Welcome to the Endgame," alongside co-presenter @europol.europa.eu
during #RSAC 2026.
Wednesday, March 25
🕣 8:30 a.m. - 9:20 a.m.
Session code FRP-W01
Tycoon 2FA is just one example of how our insight into society's biggest threats has led to the takedown of major cybercriminal operations.
Another example is #OperationEndgame (brnw.ch/21x0s7A). #RSAC attendees can catch our keynote presentation on it later this month.
Proofpoint was proud to assist in the law enforcement and private sector investigations into #Tycoon2FA activity and supported Microsoft's action with data, including malicious domains and info related to Tycoon 2FA campaigns.
See our blog for details. brnw.ch/21x0s76
As the human-centric security partner for millions of organizations, Proofpoint has unmatched visibility into the advanced threat landscape.
When appropriate, we extend our mission beyond protecting customers to also safeguarding the broader community against widespread malware.
Campaigns are typically opportunistic and target a broad range of organizations and industries.
According to Microsoft, Tycoon 2FA enabled cybercriminals to access almost 100,000 organizations, including schools, hospitals, non-profits, and public institutions.
Tycoon 2FA is the highest volume adversary-in-the-middle (#AiTM) #phishing threat observed in our email data.
Successful infections can lead to the theft of private data, including financial info, PII, and proprietary business info, as well as full account takeover and access.
The Tycoon 2FA disruption and the associated lawsuit filed by Microsoft will have a significant impact on Tycoon 2FA, related infrastructure, and threat actor activity.
Here are some key points to know.
Tycoon 2FA splash page.
The popular phishing-as-a-service (PhaaS) platform used by threat actors, #Tycoon2FA, has been disrupted by law enforcement and private sector partners, including @microsoft.com, Europol, Proofpoint, @cloudflare.social, and TrendAI.
Details in our blog: brnw.ch/21x0s76
On this episode of Discarded, our team explores how #artificialintelligence is shaping modern #malware analysis and detection workflows.
Listen now on your favorite #podcast platform, and you'll get a balanced view of AI's growing impact on cybersecurity.
Listen: www.proofpoint.com/us/podcasts/...
See our blog for full details on #TrustConnect and the campaigns distributing it.
While its disruption is effective and will impose cost on adversaries, threat actors will always be looking for ways to pivot and compromise victims.
Campaigns and usage observed suggest that this RAT is very much embedded with the overall ecosystem of threat actors abusing these tools, and the MaaS provider is likely selling to the same customers abusing real RMM payloads and infrastructure in campaigns.
TrustConnect provides templates for many kinds of brand abuse, which enables threat actors to use a variety of lure themes including taxes, document shares, meeting invitations, events, and government themes.
The website also serves as the portal for cybercriminals to sign up for the service. They can register for a free trial, pay in cryptocurrency, and verify the payment all in the TrustConnect portal.
TrustConnect "business website".
The malware domain was designed to convince the public (including certificate providers) that the software is a legitimate RMM, providing fake details like customer statistics and software documentation.
We suspect the actor used an LLM to create the site.
Initially, TrustConnect appeared to be another legitimate RMM being abused.
But investigation showed that TrustConnect is actually a new malware-as-a-service (MaaS) classified as a remote access trojan (RAT).
Proofpoint threat researchers identified a new malware-as-a-service named #TrustConnect.
Notably, it masquerades as a legitimate remote monitoring and management tool, marking an evolution in how attackers weaponize trust around enterprise tooling.
See our blog for details: brnw.ch/21x05Vh.
Wednesday, February 25th, Proofpoint's threat research experts will be live on Intercepted, answering your burning cyber threat questions and responding to your hottest takes. 💬
Register and join live: brnw.ch/21x03VM
Stream last month's session: brnw.ch/21x03VL
Proofpoint recommends organizations:
• Train users to identify & report suspicious activity
• Restrict the download/installation of any unapproved RMM tooling
• Ensure network detections alert on any activity to RMM servers
More on campaigns using RMM: brnw.ch/21wZGPO
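One way to act on the last two recommendations, as an added example that is not Proofpoint's code: a small Python scan over constructed proxy log lines that flags traffic to RMM servers outside an approved set and highlights hosts talking to several RMMs at once, the pattern described in the Bluetrait/Fleetdeck/Level/MSP360 campaign. The hostname patterns, the approved list and the log format are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Set
# Hypothetical hostname substrings for the RMM products named in these posts.
# They are illustrative placeholders, not verified vendor domains: replace them
# with the real agent/relay hostnames seen in your own proxy or DNS telemetry.
RMM_SIGNATURES = {
    "Bluetrait": re.compile(r"bluetrait", re.I),
    "Fleetdeck": re.compile(r"fleetdeck", re.I),
    "Level": re.compile(r"(^|[.-])level[.-]", re.I),
    "MSP360": re.compile(r"msp360", re.I),
    "Datto RMM": re.compile(r"datto", re.I),
    "NetSupport": re.compile(r"netsupport", re.I),
}
# The one RMM this (hypothetical) organisation has sanctioned for IT use.
APPROVED_RMM = {"Datto RMM"}
# Constructed proxy log lines: timestamp, source host, destination host, path.
SAMPLE_PROXY_LOG = """\
2026-01-14T09:02:11Z ws-042 agent.bluetrait.example /api/v1/checkin
2026-01-15T10:17:03Z ws-042 relay.fleetdeck.example /ws
2026-01-18T08:30:55Z ws-017 agent-level.example /agent/enroll
2026-01-18T08:31:02Z ws-017 cloud.msp360.example /backup/register
2026-01-20T12:00:00Z ws-099 rmm.datto.example /checkin
"""

def identify_rmm(destination: str) -> Optional[str]:
    """Return the RMM product a destination hostname belongs to, or None."""
    for tool, pattern in RMM_SIGNATURES.items():
        if pattern.search(destination):
            return tool
    return None

def find_unapproved_rmm(log_text: str, approved: Set[str] = APPROVED_RMM) -> List[tuple]:
    """Parse proxy lines; return (ts, src, dst, tool) for RMM traffic outside the approved set."""
    alerts: List[tuple] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, src, dst = parts[:3]
        tool = identify_rmm(dst)
        if tool and tool not in approved:
            alerts.append((ts, src, dst, tool))
    return alerts

def hosts_stacking_rmm(alerts: List[tuple]) -> Dict[str, Set[str]]:
    """Hosts reaching more than one unapproved RMM, the stacking seen in the campaign."""
    seen: Dict[str, Set[str]] = {}
    for _ts, src, _dst, tool in alerts:
        seen.setdefault(src, set()).add(tool)
    return {host: tools for host, tools in seen.items() if len(tools) > 1}
```

Traffic to the sanctioned Datto RMM host is left alone; the two workstations that each reach two unsanctioned RMMs are the ones worth an analyst's attention first.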
Cybercriminals will always attempt to capitalize on current events, and Valentine's Day is no exception. Such lures are designed to appear as legitimate emails from trusted sources, increasing the likelihood that a target clicks or engages.
The example above, which was observed and blocked by our team, leveraged legitimate remote monitoring and management (RMM) as a first-stage payload. RMM attacks can result in data collection, financial theft, lateral movement, and the installation of follow-on malware, including ransomware.
An email message that contains URLs leading to an executable file which, if executed, installs Datto RMM.
This Valentine's Day invite came with a payload no one asked for.
⚠️ As February 14th nears, Proofpoint researchers ask users to beware of malicious Valentine's Day-themed lures and threats.
The screenshot below is of an actual lure recently sent from a compromised account.
This campaign shows how cybercrime actors can work with a robust RMM arsenal, deploying tools for specific functions within the attack chain. It also shows the actor's expanding playbook.
Defensive recommendations and IOCs are available in the report: blog.deception.pro/blog/hok-int...
1/18-25: MSP360 backup and Connect agents installed, enumeration via Level RMM using osquery and PowerShell
1/2: End of observed activity
The actor's activity could lead to information gathering, data theft, financial theft, or deployment of additional payloads.
In the Deception.Pro environment, which replicated a French luxury travel tour operator's enterprise network, researchers observed:
1/14: BlueTrait installed
1/15: Fleetdeck RMM deployed via PowerShell
The January 2026 campaign began with a French-language email impersonating an airline and included a PDF with a URL leading to an MSI installer. If executed, it installed Bluetrait.
The threat actor abused multiple RMMs at the same time. While previous reporting tied this threat actor to Bluetrait and Fleetdeck, this operation expanded the toolset to include Level RMM & MSP360, a meaningful evolution in tradecraft.
Prior reporting: www.proofpoint.com/us/blog/thre....
Remote Monitoring & Management (RMM) tooling is taking over the cybercrime landscape. And it keeps growing.
Alongside Deception.Pro, we observed follow-on activity from a Bluetrait campaign in an environment built to resemble a travel firm. Result? Even more RMMs. blog.deception.pro/blog/hok-int...
Example payload URL: hxxps://www[.]gioexports[.]com/webfonts/"bank"_"name"_statement_09_2025[.]rar
This was a notable shift in TA4561 behaviors, which in recent months also demonstrated new TTPs, including delivering NetSupport and leveraging ClickFix in attack chains.
This shows the agile nature of more sophisticated ecrime threats.
The email contained a URL linking to a landing page with a verification and CAPTCHA.
If the CAPTCHA was solved, a RAR archive download was initiated, exploiting CVE-2025-8088.