Hackers Abused Legit Certificates to Sneak Into Work PCs
Microsoft Defender Experts uncovered a phishing operation that targets enterprises by posing as a routine work activity. We saw recently that OAuth was abused for phishing attacks, and now hackers have shifted to abusing legitimate certificates to gain access to your PC.
Victims receive emails that resemble meeting invites, PDFs, or familiar download prompts, and the links claim to update apps like Microsoft Teams, Zoom, Google Meet, or Adobe Reader. When a user clicks, the download arrives as a fake installer that disguises malware as a legitimate update.
A real EV certificate, obtained through a fake company
The campaign relies on digitally signed malicious files, which gives them a layer of trust at a glance. The malware carried an abused Extended Validation (EV) certificate issued to a company called TrustConnect Software PTY LTD, and EV certificates tend to benefit from stricter identity checks and stronger reputation signals.
Investigators concluded the attackers did not steal the certificate. Instead, they created a fake company identity, built a convincing AI-generated website, and then legitimately purchased the EV certificate under that name to sign their payloads.
Persistence on Windows, then remote access via legitimate RMM tools
After execution, the malware establishes persistence inside Windows by placing itself in Program Files, registering as a Windows service, and adding a Run registry key. It then launches encoded PowerShell to install legitimate Remote Monitoring and Management tools, including ScreenConnect, Tactical RMM, and Mesh Agent.
Those tools often appear in real corporate environments, so the attacker activity can blend into normal IT traffic patterns, and the operators often install multiple RMM agents so they keep access if defenders remove one.
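As an added illustration (not code from the Microsoft report or any of the tools named), the following Python script hunts for the chain described above over a handful of constructed endpoint telemetry records: a new service and a Run key pointing at the same binary under Program Files, encoded PowerShell whose decoded payload launches an RMM installer, and more than one RMM family landing on the same host. The event field names, host names and installer filenames are assumptions chosen to resemble Sysmon-style process, registry and service events; adapt the patterns to your own telemetry.

```python
"""Hunt for service + Run-key persistence followed by encoded-PowerShell RMM installs.

Added example; the event records below are constructed, not real telemetry.
"""
import base64
import re
from collections import defaultdict

# RMM families named in the article, keyed to assumed installer/agent name patterns.
RMM_FAMILIES = {
    "screenconnect": re.compile(r"screenconnect", re.I),
    "tacticalrmm": re.compile(r"tactical(?:agent|rmm)", re.I),
    "meshagent": re.compile(r"meshagent", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rmm_family(text):
    """Name of the first RMM family whose pattern appears in text, or None."""
    for name, pat in RMM_FAMILIES.items():
        if pat.search(text):
            return name
    return None


def classify_event(ev):
    """Tags for one process-creation event: encoded PowerShell, and RMM installs inside it."""
    tags = []
    if ev["type"] != "process":
        return tags
    image = ev.get("image", "").lower()
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(ev.get("command_line", ""))
        if decoded is not None:
            tags.append("encoded_powershell")
            if rmm_family(decoded):
                tags.append("rmm_install_via_encoded_powershell")
    return tags


def hunt(events):
    """Map event id -> tags for every event that produced at least one finding."""
    results = {}
    for ev in events:
        tags = classify_event(ev)
        if tags:
            results[ev["id"]] = tags
    return results


def dual_persistence(events):
    """Hosts where the same binary path is both a new service ImagePath and a Run value."""
    services, runkeys = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["type"] == "service":
            services[ev["host"]].add(ev["image_path"].strip('"').lower())
        elif ev["type"] == "registry" and RUN_KEY.search(ev.get("target_object", "")):
            runkeys[ev["host"]].add(ev.get("details", "").strip('"').lower())
    return {h: sorted(services[h] & runkeys[h]) for h in services if services[h] & runkeys[h]}


def hosts_with_multiple_rmm(events):
    """Hosts on which more than one RMM family was installed (redundant access)."""
    seen = defaultdict(set)
    for ev in events:
        if ev["type"] != "process":
            continue
        decoded = decode_encoded_command(ev.get("command_line", "")) or ""
        fam = rmm_family(" ".join([ev.get("image", ""), ev.get("command_line", ""), decoded]))
        if fam:
            seen[ev["host"]].add(fam)
    return {h: sorted(f) for h, f in seen.items() if len(f) > 1}


def _encode(ps):
    """Build a -EncodedCommand blob the way PowerShell expects it (used only for sample data)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events: WS-01 shows the full chain, WS-02 is a benign script run.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-01", "type": "service",
     "image_path": r"C:\Program Files\TeamsUpdater\updater.exe"},
    {"id": 2, "host": "WS-01", "type": "registry",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TeamsUpdater",
     "details": r"C:\Program Files\TeamsUpdater\updater.exe"},
    {"id": 3, "host": "WS-01", "type": "process", "image": PS,
     "command_line": "powershell.exe -nop -w hidden -enc "
     + _encode(r"Start-Process 'C:\Users\Public\ScreenConnect.ClientSetup.exe' -Wait")},
    {"id": 4, "host": "WS-01", "type": "process", "image": PS,
     "command_line": "powershell.exe -EncodedCommand "
     + _encode(r"msiexec /i C:\Users\Public\tacticalagent.msi /quiet")},
    {"id": 5, "host": "WS-02", "type": "process", "image": PS,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
    print(dual_persistence(SAMPLE_EVENTS))
    print(hosts_with_multiple_rmm(SAMPLE_EVENTS))
```

The three checks are deliberately separate: encoded PowerShell on its own is noisy in many environments, but an encoded command that launches an RMM installer, on a host that just gained a service and a Run key for the same new binary, is the combination the report describes. The multi-agent check is worth keeping as its own alert because a second RMM family on a workstation that should only have one is rarely legitimate.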
MaaS monetization and why revocation didn’t fully solve it
Researchers say the actors shifted the operation into Malware-as-a-Service and rent out signed malware plus supporting infrastructure for about $300 per month in cryptocurrency. Proofpoint and The Cert Graveyard worked to get the EV certificate revoked on February 6, but the revocation date was not backdated, so files signed with that certificate before the revocation can still appear validly signed to Windows even after the revocation event.
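To make the revocation caveat concrete, here is an added Python model (not from the report, and a simplification of what Windows actually checks) of how a signed file fares once its certificate is revoked. The dates are constructed; the year is an assumption, since the article only gives February 6. The model captures two rules a practitioner relies on: a signature with a trusted timestamp is judged as of its signing time, so it survives any revocation dated after it, while an untimestamped signature is judged at verification time and fails as soon as the certificate is revoked. Backdating the revocation's effective date is the only way to invalidate the earlier timestamped files.

```python
"""Simplified model of signature trust after certificate revocation.

Added example; real validators also check the chain, the timestamp authority and
policy. Sample dates are constructed.
"""
from datetime import datetime, timezone


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Revocation date from the article; the year is an assumption.
REVOCATION_DATE = _utc(2026, 2, 6)


def signature_accepted(sample, revocation_effective, now):
    """True if the signature would still verify at time `now`.

    sample: {"signed_at": datetime, "timestamped": bool}
    revocation_effective: the date the CA set as the revocation's effective date
    """
    if sample["timestamped"]:
        # Chain evaluated as of signing time: rejected only if signed on/after
        # the effective revocation date.
        return sample["signed_at"] < revocation_effective
    # No trusted timestamp: chain evaluated now, and the cert is already revoked.
    return now < revocation_effective


def triage(samples, revocation_effective, now):
    """Name -> still-accepted verdict for a batch of signed files."""
    return {name: signature_accepted(s, revocation_effective, now) for name, s in samples.items()}


# Constructed samples: builds before and after the revocation, with and without timestamps.
SAMPLES = {
    "old_build_timestamped": {"signed_at": _utc(2026, 1, 10), "timestamped": True},
    "old_build_no_timestamp": {"signed_at": _utc(2026, 1, 10), "timestamped": False},
    "new_build_timestamped": {"signed_at": _utc(2026, 2, 10), "timestamped": True},
}
NOW = _utc(2026, 2, 20)

if __name__ == "__main__":
    print("revocation not backdated:", triage(SAMPLES, REVOCATION_DATE, NOW))
    # Backdating the effective date to before the campaign's first signing
    # is what would invalidate the already-signed payloads.
    print("revocation backdated:   ", triage(SAMPLES, _utc(2026, 1, 1), NOW))
```

The practical consequence for defenders is that "the certificate was revoked" is not a reason to stop alerting on files signed by TrustConnect Software PTY LTD; the signer name itself remains the better indicator, whatever the signature status says.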
DocConnect appears as the next evolution
The attackers have begun testing a newer variant called DocConnect, which reportedly includes improved control panels, better real-time communication, and fake Windows Update screens designed to push victims into trusting the flow.
Researchers warn the campaign remains active, and they urge organizations to treat unexpected download prompts and “update” links as high-risk, even when the files look properly signed.
Microsoft has unveiled a new Defender Deployment onboarding experience, and researchers also spotted a phishing campaign impersonating Google’s security website.
Via Neowin