ScreenConnect Malware Delivered Through Fake Adobe Pages
A new phishing operation is targeting enterprise users with fake Adobe Document Cloud pages designed to deploy ScreenConnect malware on Windows systems. The campaign primarily targets financial organizations and relies on trusted business branding to avoid suspicion.
Researchers tracking the activity discovered a reusable phishing kit that silently installs remote access software while victims believe they are opening a shared document. The attackers also abuse compromised WordPress websites and legitimate remote administration tools to reduce detection rates.
Fake Adobe Notifications Used as Initial Lure
The attack starts with phishing emails disguised as Adobe Document Cloud sharing alerts. Victims receive messages claiming that a confidential document has been uploaded for review. However, the embedded link redirects users to a malicious website hosting a fake Adobe interface.
The phishing page closely imitates legitimate Adobe branding. Additionally, it displays a “Download Complete” notification and loading animations to create a sense of authenticity.
Security analysts identified the toolkit behind the campaign and linked multiple incidents to the same infrastructure. Investigators also believe the operation may originate from a Brazil-based threat actor due to infrastructure connections tied to São Paulo.
How the ScreenConnect Malware Attack Works
The campaign operates in two stages. First, a fake document download page holds the victim's attention while a hidden iframe silently downloads a malicious installer in the background.
Once executed, the installer deploys ScreenConnect, a legitimate remote administration tool frequently used by IT teams, as the campaign's remote-access payload. Attackers abuse this software because it blends into normal enterprise traffic and often bypasses traditional security monitoring.
After installation, infected systems connect to an attacker-controlled command-and-control server over TCP port 8041. Researchers also observed the attackers using GitHub repositories to stage additional payloads and scripts.
To further reduce detection, the operation uses heavily obfuscated batch scripts that automatically remove traces after execution.
Compromised WordPress Sites Fuel the Campaign
Investigators found that compromised WordPress websites play a major role in the operation. Many of the infected sites exposed publicly accessible /wp-admin/ panels, making them vulnerable to credential abuse or plugin exploitation.
The phishing kit was repeatedly deployed using nearly identical files across different websites, including:
- download.html
- complete.php
- download.php
This consistency suggests a centralized and professionally maintained phishing infrastructure.
Indicators and Security Recommendations
Researchers warned defenders to monitor for suspicious outbound traffic involving ScreenConnect installations and unusual msiexec activity from temporary directories.
Key indicators linked to the campaign include:
- cloud.zistopstoabetterlife[.]com
- creativebobo/ceoexe
- ScreenConnect.ClientSetup.msi
- microsoftceo.exe
Organizations should also:
- Restrict public access to WordPress admin panels
- Enable multi-factor authentication for administrator accounts
- Block known malicious domains and IPs
- Audit systems for unauthorized ScreenConnect deployments
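One way to act on the monitoring guidance above, as an added example that is not from the researchers or the article: a small Python triage script that applies the article's indicators (msiexec launched against a package in a temp directory, the ScreenConnect client's TCP 8041 connections, and the quoted file names) to Sysmon-style process-creation and network-connection events. The key="value" event format and the sample records are constructed for illustration.

```python
import re

# Constructed sample events in a simplified key="value" form modelled on Sysmon
# process-creation (EventID 1) and network-connection (EventID 3) records;
# illustrative only, not logs captured from the campaign.
SAMPLE_EVENTS = [
    'EventID="1" Image="C:\\Windows\\System32\\msiexec.exe" CommandLine="msiexec.exe /i C:\\Users\\alice\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.msi /qn"',
    'EventID="1" Image="C:\\Windows\\System32\\msiexec.exe" CommandLine="msiexec.exe /i C:\\ProgramData\\Vendor\\Tool.msi /qn"',
    'EventID="3" Image="C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe" DestinationIp="203.0.113.10" DestinationPort="8041"',
    'EventID="3" Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" DestinationIp="198.51.100.7" DestinationPort="443"',
    'EventID="1" Image="C:\\Users\\bob\\AppData\\Local\\Temp\\microsoftceo.exe" CommandLine="microsoftceo.exe"',
]

# File names quoted in the article as indicators; extend from your own intel feed.
IOC_FILENAMES = {"screenconnect.clientsetup.msi", "microsoftceo.exe"}
SCREENCONNECT_PORT = "8041"  # relay port observed in the campaign
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line: str) -> dict:
    """Split a key="value" record into a dict; values may contain spaces."""
    return dict(FIELD_RE.findall(line))

def check_event(event: dict) -> list[str]:
    """Return every detection reason that applies to one event (empty if none)."""
    reasons = []
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "").lower()
    basename = image.rsplit("\\", 1)[-1].lower()
    if event.get("EventID") == "1":
        # msiexec installing a package staged in a user or system temp directory
        if basename == "msiexec.exe" and TEMP_DIR_RE.search(cmdline):
            reasons.append("msiexec installing package from temp directory")
        # process image or command line naming a known file indicator
        if basename in IOC_FILENAMES or any(n in cmdline for n in IOC_FILENAMES):
            reasons.append("known filename indicator")
    elif event.get("EventID") == "3":
        # the ScreenConnect client relaying to its server on TCP 8041
        if event.get("DestinationPort") == SCREENCONNECT_PORT and "screenconnect" in image.lower():
            reasons.append("ScreenConnect client connecting on TCP 8041")
    return reasons

def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (event index, reasons) for every event that triggered a rule."""
    hits = []
    for i, line in enumerate(lines):
        reasons = check_event(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the temp-directory msiexec install, the port 8041 connection and the known file name while leaving the ProgramData install and the browser traffic alone; feed it exported Sysmon or EDR events in the same shape to triage real hosts.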
Growing Abuse of Legitimate Software
The campaign highlights a growing trend where attackers increasingly abuse trusted enterprise tools instead of deploying traditional malware. Consequently, malicious activity becomes harder to distinguish from normal business operations.
The use of fake Adobe portals combined with ScreenConnect malware demonstrates how social engineering and legitimate software abuse continue to evolve together. Organizations should strengthen email filtering, monitor remote access tools carefully, and secure public-facing web infrastructure to reduce exposure to similar phishing attacks.