TRUMP Coin Phish Delivers ScreenConnect RAT: Underwriting View
Binance-impersonating campaign drops ConnectWise ScreenConnect as a RAT, a textbook ransomware precursor with $5.13M average claim cost.
A Familiar RAT in a New Wrapper: Why the “TRUMP Coin” Campaign Matters to Insurers
On 11 March 2025, threat intelligence analysts published a report on an email campaign that impersonated Binance, the world’s largest cryptocurrency exchange by trading volume, and offered recipients a chance to claim a fictitious “TRUMP” coin. The lure, wrapped in political and financial opportunism, delivered a malicious installer branded “Binance Desktop” that, when executed, deployed ConnectWise ScreenConnect as a remote access trojan (RAT). The campaign is not a curiosity. It is a textbook example of how commodity initial access tooling is being repackaged for the most current social narrative, and it lands squarely inside the loss profile that cyber insurers are now underwriting for.
For underwriters and brokers, the technical specifics matter less than the pattern. RATs are a leading precursor to ransomware claims. The 2024 IBM Cost of a Data Breach report placed the average cost of a breach at USD 4.88 million, a 10% increase year over year, and ransomware remained the costliest incident type, averaging USD 5.13 million per event. Many of those ransomware chains began with exactly this kind of remote access foothold. Reading this campaign as a claim scenario, rather than a piece of malware trivia, is the right starting point.
What the Campaign Actually Does
The phishing email claims to offer TRUMP-branded cryptocurrency tokens, timed to capitalise on market speculation around politically themed digital assets. The message directs the recipient to download a desktop client, “Binance Desktop,” from a lookalike domain. Once installed, the binary drops ConnectWise ScreenConnect, a legitimate remote support and managed services tool, configured in unattended mode and pointed at attacker-controlled infrastructure.
The attacker inherits the full ScreenConnect feature set: live screen control, file transfer, command execution, credential harvesting from browsers and Windows credential stores, and persistence via installed services. From the victim’s endpoint, the activity looks like a legitimate MSP connection, which is precisely why this attack pattern is so effective. Defensive tools that whitelisted ScreenConnect for business use now provide cover for the adversary.
This is not a vulnerability exploit in the traditional sense. The campaign relies on user action and on a signed, legitimate binary. It bypasses many signature-based detections. The relevant ConnectWise ScreenConnect CVE chain from 2024, particularly CVE-2024-1709 (authentication bypass) and CVE-2024-1708 (path traversal), showed that adversaries were already comfortable with the product surface, and ScreenConnect’s customer base of more than one million endpoints makes it a high-value target for both offensive use and abuse.
Why the Insurance Industry Should Pay Attention
Three converging trends make this report a useful underwriting signal, not just a SOC bulletin.
First, the campaign exploits the gap between legitimate remote access tooling and malicious use. ScreenConnect, AnyDesk, TeamViewer, and similar products appear in nearly every managed environment. Insurers who underwrite based on a binary trust model, where a signed application equals a safe application, are already losing accuracy. A more useful underwriting question is whether the insured has application allowlisting, EDR visibility on remote access tools, and a process for monitoring unattended sessions.
Second, social engineering lures tied to current events produce above-baseline click rates. Industry telemetry from providers such as Proofpoint has consistently shown that financial, political, and cryptocurrency-themed lures outperform generic phishing templates. The Verizon 2024 Data Breach Investigations Report attributes 68% of breaches to a non-malicious human element, meaning an employee doing something they believed was reasonable. The TRUMP coin theme is engineered to be reasonable: it is a plausible product from a plausible exchange during a plausible news cycle.
Third, RATs function as initial access brokers’ inventory. A single ScreenConnect install can be sold, rented, or used directly to stage ransomware, business email compromise, or data exfiltration. The chain from phishing email to material claim can be as short as 24 to 72 hours. For claims frequency modelling, this is a high-velocity loss vector.
Translating the Technical into Policy Language
For brokers and underwriters reviewing this campaign, three technical points carry direct policy weight.
The initial vector is a malicious download executed by a user. This sits on the boundary between first-party crime coverage and traditional cyber coverage. Social engineering exclusions, dual-factor authentication sublimits, and computer fraud fund definitions all become relevant. Policies that rely on the user being deceived into initiating a wire transfer or sharing credentials may treat this differently from a policy that covers unauthorised system access. The TRUMP coin scenario is a remote access event, not a funds transfer event, but it creates the conditions for both.
The persistence mechanism is a legitimate, signed remote access tool. Detection-and-response controls that do not inventory legitimate RMM software, including ScreenConnect, AnyDesk, ConnectWise Automate, and Atera, are blind to this campaign. Underwriting questionnaires that ask only about antivirus presence, rather than EDR coverage and RMM monitoring, are underweighting this risk.
The data exposure potential is broad. A RAT with attended access permits keystroke logging, browser credential extraction, file system browsing, and clipboard capture. For policyholders in financial services, legal, healthcare, or government contracting, this is a regulated data event waiting to happen. Notification costs, regulatory fines, and third-party liability flow directly from the foothold the RAT provides.
Coverage and Underwriting Implications
For carriers, this campaign is a prompt to revisit three areas of policy construction and risk selection.
On coverage, brokers should review the interaction between social engineering sublimits, computer fraud coverage, and full policy limits. A TRUMP coin phishing email that yields a RAT is not strictly a social engineering loss in the fund-transfer sense, but the same chain of intent is present. Carriers that have narrowed social engineering to “voluntary transfer of funds” should be asked how they treat voluntary installation of remote access software. The answer affects the policyholder’s recovery in a material way.
On underwriting, the relevant signals are not new, but the case for them is reinforced. Underwriters should weight:
- Endpoint visibility. Is EDR deployed across the environment, and does it alert on the use of remote access tools, particularly when invoked outside change windows or business hours?
- Email authentication. Are DMARC, DKIM, and SPF configured to a policy of quarantine or reject? Domain spoofing remains a primary enabler of impersonation campaigns like this one.
- Application control. Is there allowlisting or controlled execution for remote management tools, and are unauthorised installations blocked by default?
- User training. Does phishing simulation include current-event lures, and is reporting rate being measured rather than just click rate?
- Third-party and brand monitoring. Does the insured have visibility into lookalike domains targeting their brand, customers, and executives?
For brokers building account narratives, this report is a concrete artefact to attach to recommendations. A single, dated threat intelligence report tied to a named adversary pattern carries more weight in a renewal conversation than a generic security awareness slide deck.
For CISOs, the practical action list is short and well-known, which is part of the frustration. Layered email filtering, DNS sinkholing for known malicious infrastructure, application allowlisting for RMM tools, EDR with remote access tool telemetry, and phishing-resistant MFA on all mail and VPN access points. Adding to a documented risk register the specific scenario of “commodity RAT delivered via brand-impersonating crypto lure” gives security and risk teams a shared artefact to prioritise against.
Recommendations for Insurers, Brokers, and Risk Teams
For underwriters: Treat commodity RAT campaigns as a frequency event, not a curiosity. Adjust loss frequency assumptions to reflect that 2024 and 2025 campaigns continue to favour signed remote access tools over custom malware. Update underwriting questionnaires to ask specifically about RMM inventory, EDR coverage of remote access processes, and DMARC enforcement. Consider premium credits or copay adjustments tied to these controls rather than to broader “next-generation” endpoint claims.
For brokers: Use this report in renewal discussions. The narrative is simple and current: a named threat actor is using a politically themed cryptocurrency lure to deliver a remote access trojan that has been used in prior major incidents, and the policyholder’s controls are the determining factor in whether a claim materialises. Tie the recommendation to specific policy terms, including social engineering sublimits, RMM exclusions if any, and incident response retainer coverage.
For CISOs and security leaders: Map the campaign to your environment in a single page. Identify the RMM tools in use, confirm they are managed and inventoried, and validate that EDR rules fire on unexpected invocations. Run a tabletop exercise in which a single employee installs a “Binance Desktop” client and the response team has 48 hours to contain, eradicate, and recover. Measure the time and report against the SLA in your cyber insurance policy. If the numbers do not match, the gap is the conversation to have with your broker.
For risk engineers performing pre-bind or post-bind assessments: Add a control test for unauthorised RMM persistence. A simple PowerShell query across the estate to enumerate installed remote access services, cross-referenced against an approved vendor list, will surface both shadow IT and adversary footholds. Document the result and tie it to the control language in the policy.
The Takeaway
This report is a useful artefact precisely because it is ordinary. A phishing email, a lookalike domain, a signed legitimate tool, and a remote access foothold. There is no novel exploit, no zero-day, and no nation-state attribution required to model the loss. The pattern is repeatable, the controls that mitigate it are well understood, and the gap between policyholder practice and insurer expectation is wide enough to drive both claims and disputes.
For the insurance market, the conclusion is straightforward. Underwrite against the pattern, not the payload. Underwriters who price for the presence of EDR coverage, RMM inventory discipline, and email authentication enforcement will price this risk more accurately than those who price for the absence of any single CVE. Brokers who can translate a dated threat report into specific policy terms and specific control questions will shorten renewal cycles and reduce surprise at claims time.
The TRUMP coin campaign will not be the last of its kind. The next variant will swap the coin, the brand, or the political hook, and the underlying mechanism will remain. The work for the insurance and risk community is to make that mechanism unprofitable, control by control, policy term by policy term, assessment by assessment.
Michael Guiao Michael Guiao gründete Resiliently AI und schreibt Resiliently. Er hat CISM, CCSP, CISA und DPO-Zertifizierungen — aber sie verfallen lassen, denn im Zeitalter von KI ist Wissen billig. Worauf es ankommt, ist Urteilskraft — und die kommt aus acht Jahren Praxis bei Zurich, Sompo, AXA und PwC.
Get the full picture with premium access
In-depth reports, assessment tools, and weekly risk intelligence for cyber professionals.
Professional
Full platform — continuous monitoring, API access, white-label reports
Everything in Starter plus professional tools
Upgrade Now →Free NIS2 Compliance Checklist
Get the free 15-point PDF checklist + NIS2 compliance tips in your inbox.
No spam. Unsubscribe anytime. Privacy Policy
blog.featured
WordPress Plugin Flaw CVE-2023-4213 Exposes 10K+ Sites to Cyber Claims
6 min read
WordPress Plugin XSS Vulnerability Exposes Cyber Insurance Portfolios to Persistent Web Risks
5 min read
WordPress Security Plugin Flaw Exposes Organizations to Cyber Claims
6 min read
WordPress Plugin Flaw Exposes Cyber Insurance Portfolios to SQL Injection Risks
6 min read
Premium Report
2026 Cyber Risk Landscape Report
24 pages of threat analysis, claims data, and underwriting implications for European cyber insurance.
View Reports →Verwandte Artikel
Abandoned WordPress Plugin Exposes 12,000+ Sites to Cyber Risk
CVE-2023-5336 in iPanorama 360 plugin creates systemic risk for small businesses. SQL injection vulnerability affects unpatched WordPress sites, highlighting third-party component gaps in cyber insurance coverage.
Acronis CVE-2022-46869: How Consumer Software Creates Enterprise Risk
Local privilege escalation vulnerability in Acronis backup software highlights underwriting risks from consumer-grade tools and patch management gaps.
Acronis Privilege Escalation Flaw Exposes Endpoint Security Gaps
CVE-2023-41743 highlights critical endpoint protection weaknesses that expand attack surfaces and increase cyber insurance risk exposure for organizations.