Tommy Madjar

@ffforward

Threat Researcher @ Proofpoint. Opinions are my own etc

430 Followers, 64 Following, 6 Posts, Joined 16.11.2024

Latest posts by Tommy Madjar @ffforward

(Don't) TrustConnect: It's a RAT in an RMM hat | Proofpoint US
Key findings: Proofpoint observed a new malware-as-a-service (MaaS) masquerading as a legitimate remote monitoring and management (RMM) tool. It calls itself TrustConnect.

Proofpoint threat researchers identified a new malware-as-a-service named #TrustConnect.

Notably, it masquerades as a legitimate remote monitoring and management tool, marking an evolution in how attackers weaponize trust around enterprise tooling.

See our blog for details: brnw.ch/21x05Vh.

19.02.2026 17:20 👍 4 🔁 3 💬 1 📌 0

Would you run AdobeReader.exe from a days-old company called "TrustConnect Software PTY LTD" because they managed to purchase an Extended Validation certificate?
Blog w. @selenalarson.bsky.social and @proofpoint.com @threatinsight.proofpoint.com team out now!
www.proofpoint.com/us/blog/thre...

19.02.2026 13:30 👍 1 🔁 0 💬 0 📌 0

Since 14 October, we’ve tracked a high volume XWorm campaign targeting Germany. The activity is attributed to TA584, a sophisticated #cybercrime group tracked since 2020.

Messages are sent from hundreds of compromised sender accounts impersonating ELSTER and contain malicious URLs.

20.10.2025 21:31 👍 2 🔁 2 💬 1 📌 0

New ecrime insights:

TA4557, known for distributing More_eggs malware, notably expanded to an international audience in recent campaigns.

Per our data, the recruiter-focused TA was seen targeting orgs in France, England & Ireland, in addition to typical North America-targeted threats.

16.06.2025 15:08 👍 2 🔁 2 💬 1 📌 0

There are, however, at least two separate current malvertising/SEO campaigns, one leading to Bumblebee and one leading to SMOKEDHAM/Thundershell, but it's not from the official website.
2/2

19.05.2025 15:47 👍 0 🔁 0 💬 0 📌 0

This article that starts getting traction claims that the official RVTools website was distributing a malicious installer leading to Bumblebee. I see zero evidence of this actually being the case.
1/2

19.05.2025 15:47 👍 1 🔁 1 💬 1 📌 0

Proofpoint also recently observed this activity delivering GootLoader. Google Ads for a fake document creation app (lawliner[.]com) led to a malicious document creation website, on which users are directed to enter their email address.

31.03.2025 16:43 👍 4 🔁 2 💬 1 📌 0

Great research on that #GootLoader is now including email in their delivery chain. Please don't download NDAs and other contract templates from free sites without any history.

31.03.2025 14:42 👍 1 🔁 0 💬 0 📌 0

New blog drop with @selenalarson.bsky.social and the rest of the team. This one covers a lot of threats using the #ClickFix technique to lure targets to infect themselves by pasting malicious CMD/PS code. My "fave" is the chumbox #malvertising on major tech sites.
www.proofpoint.com/us/blog/thre...

18.11.2024 12:44 👍 10 🔁 4 💬 0 📌 1

Well I guess it's time to try this platform too 😅

16.11.2024 13:53 👍 3 🔁 0 💬 1 📌 0