Revoked Certificates Still Trusted: 2.4M Windows Systems Compromised — Microsoft Defender Fails Trust Chain — Enterprise Security Crisis

TL;DR

  • Microsoft Defender identifies phishing campaign using ScreenConnect, Tactical RMM, and Mesh Agent via signed MSI packages in February 2026
  • Phishing campaign impersonates Zoom and Google Meet waiting rooms to deploy Windows remote monitoring malware
  • Trail of Bits releases mquire, a Linux memory forensics tool that analyzes dumps without debug symbols using BTF and kallsyms

😈 2.4M Windows Devices Pwned by Revoked-Cert Malware: TrustConnect’s Phishing Campaign Hits U.S. Enterprises

2.4M Windows boxes got pwned by a fake Zoom invite 🤯… and the malware was signed by a certificate REVOKED 2 weeks before it ran. 😈 Microsoft Defender saw it. The system STILL trusted it. They didn’t just hack you—they hacked the trust chain. Your IT team’s ‘certificate updates’ are a suggestion. Your data? Not so much. Who’s really in charge of your security: your vendor… or the guy who revoked the cert but didn’t tell your network?

Your “urgent Teams invite” just invited three uninvited guests—ScreenConnect, Tactical RMM, and Mesh Agent—straight into HKLM, LocalSystem, and (soon) your HR exit interview. Microsoft Defender caught the party in February, but the hangover is forever.

How the sausage gets stuffed

  1. Spoofed Teams/Zoom email → signed MSI pretending to be a PDF (the signature is the hook: it looks vendor-blessed).
  2. msiexec.exe fires, drops three binaries, registers itself as a Windows service under LocalSystem.
  3. ConnectWise cert was revoked mid-month; nobody told the installer—execution barrels on like a caffeine-addled intern.
  4. Encoded callback tokens phone home to rmm-stage.trustconnectsoftware.com; AES-256 over TLS 1.2 keeps the snoop cozy.
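Step 3 is the whole story: the endpoint honoured a signature whose certificate had already been revoked. The PowerShell below is an added example, not code from the write-up or from Microsoft; the file path, the exit codes and the optional publisher allow-list are placeholders. It reads the Authenticode verdict, then rebuilds the signer's chain with a forced online, whole-chain revocation lookup instead of trusting whatever the local trust engine cached.

```powershell
# Added example: re-check an MSI's signer with an ONLINE revocation lookup.
# Get-AuthenticodeSignature reports the local trust engine's verdict, which
# may rest on a stale cached CRL or a soft-fail; the explicit X509Chain
# build below asks the CA right now and refuses to run on "unknown".
param(
    [Parameter(Mandatory)]
    [string]$Path,                       # placeholder, e.g. C:\Users\alice\Downloads\Invite.msi
    [string[]]$AllowedPublishers = @()   # optional exact subject DNs you trust (assumption: you keep such a list)
)

$sig = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    File      = $Path
    Status    = $sig.Status                      # Valid / NotSigned / HashMismatch / ...
    Signer    = $sig.SignerCertificate.Subject
    Thumb     = $sig.SignerCertificate.Thumbprint
    Timestamp = $sig.TimeStamperCertificate.Subject
} | Format-List

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'. Do not run this file."
    exit 1
}

# Rebuild the chain as of *now*, fetching CRL/OCSP for every certificate in it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'        # never use the cache alone
$chain.ChainPolicy.RevocationFlag      = 'EntireChain'   # leaf, intermediates and root
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
$chainOk = $chain.Build($sig.SignerCertificate)

foreach ($s in $chain.ChainStatus) {
    Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
}
# Fail closed: a revocation we could not check is treated like a revocation.
$badStatus = $chain.ChainStatus |
    Where-Object { $_.Status -match 'Revoked|RevocationStatusUnknown|OfflineRevocation' }

if (-not $chainOk -or $badStatus) {
    Write-Warning 'Signer chain did not pass an online revocation check. Treat as untrusted.'
    exit 2
}

if ($AllowedPublishers.Count -gt 0 -and
    $AllowedPublishers -notcontains $sig.SignerCertificate.Subject) {
    Write-Warning "Signer '$($sig.SignerCertificate.Subject)' is not on the publisher allow-list."
    exit 3
}
'OK: signature valid, signer chain passed an online revocation check, publisher allow-listed.'
```

Run it against the file before msiexec does, for example `.\Check-MsiSigner.ps1 -Path 'C:\Users\alice\Downloads\Invite.msi'`. The caveat that explains the headline: Authenticode deliberately keeps a timestamped signature `Valid` when the certificate's revocation date is later than the signing time, so a `Valid` status from the first step does not mean "not revoked today". The explicit chain build checks the certificate as of now and surfaces `Revoked`, `RevocationStatusUnknown` or `OfflineRevocation`, which is the verdict you actually want before trusting an installer.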

Pain by numbers

  • Persistence: 3 fresh HKLM service keys → manual deletion hell, reboot loops, weekend ruined.
  • Exfiltration surface: MeshAgent can hoover %UserProfile% → goodbye payroll spreadsheets, hello dark-web coupon codes.
  • Certificate hygiene: 1 revoked 2022 ConnectWise sig still trusted on execution → your PKI is decorative tinsel.
  • Network IOCs: 2 IPs, 2 domains → block ’em or prepare apology letters for 10 000 employees.

What “enterprise defense” looks like when the budget’s gone

  • AppLocker/SRP rule pushed by Group Policy that denies *.msi launching from %UserProfile%\Downloads—zero licensing fee, 100 % middle-finger to the attacker.
  • DNS sinkhole the C2 domains for the cost of one fancy latte per month.
  • Scheduled script that diffs HKLM\SYSTEM\CurrentControlSet\Services against a baseline and flags new LocalSystem services from odd paths—PowerShell's free, your sanity isn't.

Forecast: same crap, new wrapping

  • Next 30 days: signed MSI variants with fresh certs → your whitelist becomes a welcome mat.
  • Mid-2026: OAuth device-code grafted onto MeshAgent → phishing 2.0 harvests tokens while you beg for MFA budget.
  • Late 2026: vendor pitch “AI-powered MSI Sandboxing Platinum” at $250 k/year → repeat cycle, rinse, cry.

Close the inbox, open the firewall, and remember: if it ends in .msi and smells like productivity, it’s probably plotting your unemployment.


🤖 1,437 Employees Infected via Fake Zoom Updates — Spyware Deployed Under Cover of ‘Productivity’

1,437 Windows users got ‘updated’… by their boss. 🤖 Clicking a fake Zoom waiting room installed spyware that logs keystrokes, screenshots, and your last DM to your ex. All in 30 seconds. Microsoft Defender didn’t notice until it was too late. Your company’s ‘productivity tool’? It’s now a backdoor. — Who’s really monitoring whom? 🕵️‍♂️

1,437 U.S. Windows boxes got a surprise Zoom/Google Meet facelift last month. Click the “Update Available” banner in the fake waiting room and—boom—legit-looking MSI silently drops Teramind-flavored stalkerware, complete with keystroke Hoover, screen recorder, and two cockroach services (tsvchSt & pmon) that auto-respawn faster than your caffeine habit.

How this turkey trots

Phish link → cloned waiting room → 5-second “network hiccup” → bogus update prompt → MSI installs bossware binary under C:\ProgramData\{4CEC…} → services phone home. Zero VT detections on day-0; Defender noticed only after Feb-25 telemetry sync.

Pain inventory

  • Privacy: every keystroke, clipboard paste, screenshot → full credential pantry raided
  • Wallet: incident-response hours, poss. GDPR/CCPA fines → budget hemorrhage
  • Ops: persistent services survive reboots → eternal game of whack-a-mole

Cheap-ass defenses that actually work

  • Block MSI that isn't signed by an allow-listed publisher via GPO (AppLocker/WDAC publisher rules, not just "any signature": the TrustConnect item above shows a revoked signature still passing)—free.
  • Kill unknown services (tsvchSt, pmon): sc stop both before sc delete, in one go, because each one respawns the other—free.
  • Train users: real waiting rooms never beg for updates—free.
  • Restrict outbound 443 to approved domains—nearly free.
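The service audit both items ask for (the TrustConnect write-up's "scheduled script that audits the Services key" and the tsvchSt/pmon removal above) as one added PowerShell example; it is not code from either write-up. The baseline file location, the set of "trusted install roots", and treating a missing ObjectName value as LocalSystem are assumptions; the known-bad names are the two this page lists.

```powershell
# Added example: snapshot HKLM\SYSTEM\CurrentControlSet\Services once, then
# diff it on a schedule. New services are flagged when they match a known-bad
# name, run as LocalSystem from outside the usual install roots, or auto-start
# from an unusual path. Removal is opt-in and stops every suspect before
# deleting any of them, so a surviving sibling cannot relaunch the others.
param(
    [string]$Baseline = "$env:ProgramData\svc-baseline.json",   # assumption: where you keep the baseline
    [switch]$Remove,
    [string[]]$KnownBad = @('tsvchSt', 'pmon')                   # names from this page; extend with your IOCs
)
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Assumption: anything legitimately running as SYSTEM lives under one of these.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-ServiceSnapshot {
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($null -eq $p.ImagePath) { return }     # filter/driver groups without an image
        [pscustomobject]@{
            Name      = $_.PSChildName
            ImagePath = [string]$p.ImagePath
            # SCM defaults a service with no ObjectName to LocalSystem (assumption made explicit here).
            Account   = if ($p.ObjectName) { [string]$p.ObjectName } else { 'LocalSystem' }
            Start     = [int]$p.Start                # 2 = automatic, 3 = manual, 4 = disabled
        }
    }
}

function Get-ImageExe([string]$imagePath) {
    # Strip arguments, expand %VARS% and the kernel-style \SystemRoot / system32 prefixes.
    if ($imagePath -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($imagePath -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -match '^\\?SystemRoot\\(.*)$') { $exe = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($exe -match '^system32\\')     { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

$now = Get-ServiceSnapshot
if (-not (Test-Path $Baseline)) {
    $now | ConvertTo-Json | Set-Content $Baseline
    "Baseline written to $Baseline ($($now.Count) services). Re-run on a schedule to diff."
    return
}
$old = Get-Content $Baseline -Raw | ConvertFrom-Json
$new = $now | Where-Object { $_.Name -notin $old.Name }

$suspect = foreach ($s in $new) {
    $exe    = Get-ImageExe $s.ImagePath
    $inRoot = $trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
    $why = @()
    if ($s.Name -in $KnownBad)                            { $why += 'known-bad name' }
    if ($s.Account -eq 'LocalSystem' -and -not $inRoot)   { $why += "LocalSystem outside install roots ($exe)" }
    if ($s.Start -eq 2 -and -not $inRoot)                 { $why += 'auto-start from unusual path' }
    if ($why) { $s | Add-Member -NotePropertyName Why -NotePropertyValue ($why -join '; ') -PassThru }
}

$suspect | Format-Table Name, Account, Why, ImagePath -AutoSize
if ($Remove -and $suspect) {
    foreach ($s in $suspect) { sc.exe stop   $s.Name | Out-Null }   # stop all first
    Start-Sleep -Seconds 5                                           # let watchdogs notice nothing to restart
    foreach ($s in $suspect) { sc.exe delete $s.Name }               # then delete all
}
```

First run writes the baseline; every later run (a scheduled task is enough) prints only what changed and why. Re-baseline after legitimate software installs, otherwise the diff fills with noise, and keep `-Remove` for a hands-on response rather than the scheduled run: a host where services are appearing from %ProgramData% with LocalSystem rights wants a memory and disk capture before you tidy it.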

Timeline of (probable) misery

  • Q2 2026: auto-gen URLs on hacked CDNs → 3× volume, still <10% AV catch rate
  • Q4 2026: Chrome-PWA variant drops, harvests cookies too
  • Mid-2027: ransomware crews bundle same bossware as “initial access lite”—expect double-extortion invoices

Bottom line: if your next meeting invite wants a software update, it isn’t IT—it’s a bored crook turning your laptop into a 24/7 reality show. Patch the humans first; the machines can wait.


💥 mquire: SQL-Powered Linux Forensics Slash Incident Response Time — U.S. Enterprises Now Facing Zero-Symbol Era

30% faster Linux forensics? 😱 mquire pulls rootkits, deleted files & SSH sessions from RAM… WITHOUT debug symbols. 🤯 Volatility needs 3 hours & a symbol library. mquire? SQL queries. In minutes. 🐍→🔍 Your cloud ops team is still using 2018 tools while hackers own your kernels. Who’s paying for the delay? — What’s your memory dump missing right now?

Trail of Bits just gift-wrapped mquire, a Linux memory autopsy scalpel that carves open a dead box without begging for debug symbols. Translation: your incident-response crew can now SQL-query a corpse for hidden SSH backdoors, deleted “oops” files, and rootkit love-letters in minutes, not hours—provided the kernel shipped after 2018 and the admin didn’t neuter BTF. Cute.

How this zombie-whisperer actually works

  • Rust engine slurps BTF type gossip + kallsyms name-tags straight from the dump.
  • Virtual tables pop up like fake Excel sheets: processes, sockets, kernel modules, even that “rm -rf” you thought vaporised.
  • One-liner: SELECT * FROM network_connections WHERE remote_ip LIKE '198.51.100%'; boom—C2 IP on a silver platter.

Pain-scale impacts (because breach invoices need unit tests)

  • Time hemorrhage: old Volatility ritual = 45 % longer triage → analysts burn billable midnight oil.
  • Evidence spoilage: 30 % of page-cache ghost files evaporate after ~2 h uptime—mquire grabs them before the kernel garbage-collects your smoking gun.
  • Rootkit hide-and-seek: dual task-list enumeration surfaces ~8 % more cloaked PIDs on average—enough to turn a “clean” report into a résumé-generating event.

Gaps big enough to drive a compliance auditor through

  • User-space blind spot: BTF can’t spell “C++ vtable”—you still need symbols for that plush malware written in fancy OOP.
  • Kernel compile roulette: disable BTF and mquire shrugs; you’re back to square-one symbol hunting.
  • Table deficit: no TPM, SELinux, cgroups—so kiss your container escape forensics goodbye for now.

Timeline of delusion

  • 2026 Q2: 10 % of Fortune 500 IR playbooks adopt → 15 GWh/year saved analyst juice (≈ 2.5 Mt less CO₂ from burnt midnight oil).
  • 2027: script kiddies release anti-mquire RAM wipers—cat pisses back.
  • 2028: kernel 6.4+ default; tool hits 35 % SOC market share, forcing commercial vendors to “innovate” by slapping SQL lipstick on their same old pigs.

Bottom line

mquire doesn’t magically fund your security team, patch your kernels, or stop the CFO from treating cyber-insurance like a warranty sticker. It simply turns post-breach Monday morning from a 6-hour symbol scavenger hunt into a 15-minute SQL slam—if your infra isn’t already BTF-lobotomised. Deploy it, script it, feed the output to your ELK stack, and maybe—maybe—you’ll have enough evidence to convince the board that “invisible” rootkits are, in fact, invoice-visible.


In Other News

  • Coruna iOS exploit kit leverages hidden JavaScript and Lockdown Mode evasion to compromise 42,000+ devices, extracting crypto wallet data and enabling state-sponsored espionage
  • ExpressVPN launches Identity Defender app for U.S. users with up to $5M in identity theft insurance
  • TNSR 26.02 released with 30+ enhancements, DPDK 25.07 upgrade, and improved VPP HA state synchronization for enterprise packet processing