CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 29, 2026

Hackers Use Fake Adobe Document Cloud Pages to Deliver ScreenConnect Malware

Cybersecurity News Archived May 29, 2026 ✓ Full text saved

A sophisticated phishing campaign is actively targeting financial organizations by using fake Adobe Document Cloud pages to silently install ScreenConnect remote access malware on victim machines. The operation is well-structured, deceptive, and difficult to detect because it blends into everyday enterprise software activity. The campaign works by sending phishing emails that look like legitimate Adobe […] The post Hackers Use Fake Adobe Document Cloud Pages to Deliver ScreenConnect Malware appe

Full text archived locally
✦ AI Summary · Claude Sonnet


    Discover more Ethical hacking courses Routers Cyberattack incident response HomeCyber Security News Hackers Use Fake Adobe Document Cloud Pages to Deliver ScreenConnect Malware By Tushar Subhra Dutta May 29, 2026 A sophisticated phishing campaign is actively targeting financial organizations by using fake Adobe Document Cloud pages to silently install ScreenConnect remote access malware on victim machines. The operation is well-structured, deceptive, and difficult to detect because it blends into everyday enterprise software activity. The campaign works by sending phishing emails that look like legitimate Adobe Document Cloud file-sharing notifications. Victims are told a confidential project document has been uploaded to Adobe Document Cloud and are given a link to view it. That link leads to a compromised WordPress website hosting a convincing fake Adobe page designed to trick users into triggering a malware download without realizing it. Researchers from Fortra’s Intelligence and Research Experts (FIRE) team identified the phishing kit behind this operation and named it “RatPressto.” Fortra said in a report shared with Cyber Security News (CSN) that the kit is reusable, privately maintained, and engineered to maximize victim trust while minimizing security detection. The campaign is assessed with medium confidence to originate from a Brazilian threat actor, based on infrastructure tied to São Paulo. What makes this campaign stand out is how it uses legitimate software to stay under the radar. Rather than deploying custom malware, the attacker abuses ScreenConnect, a widely used remote administration tool, to gain full control of infected machines. Blending malicious activity into normal business software traffic makes it far harder for standard security tools to raise an alarm. The campaign has shown consistent operational maturity with reusable infrastructure across many deployments. Multiple compromised websites were found hosting nearly byte-identical phishing pages, with only the victim-specific file name changed between campaigns. This points strongly to a single, well-organized actor group managing a centralized private phishing kit. Hackers Use Fake Adobe Document Cloud Pages The RatPressto kit operates in two stages designed to keep the victim distracted while the malware installs itself silently. Stage one presents the victim with a convincing fake Adobe page showing a “Download Complete” message, complete with Adobe branding and a loading animation. This page has one purpose: buy time while the real action happens in the background. That background action is stage two, where a hidden iframe silently triggers the download of a ScreenConnect installer. The victim sees instructions telling them to open a file, but the malicious file has already been downloaded before they take any action. Once the installer runs, ScreenConnect is installed quietly with no visible interface, and the infected machine connects back to a self-hosted command-and-control server at cloud.zistopstoabetterlife.com on port 8041. The attacker stages additional payloads through GitHub repositories under the account “creativebobo,” and uses heavily obfuscated batch scripts that delete themselves after execution to clean up traces. File names are customized to match the victim’s business context, such as using a company name in the installer file, making the download appear even more legitimate at first glance. Compromised WordPress Sites at the Core of the Attack A key part of this campaign is the abuse of poorly secured WordPress websites to host the phishing kit. Investigators found that multiple compromised sites had publicly exposed WordPress admin interfaces, meaning the attacker likely used stolen credentials or exploited vulnerable plugins to gain access and upload the phishing files directly. The phishing kit files, including download.html, complete.php, and download.php, were deployed into WordPress-accessible directories. The consistency of this pattern across many unrelated websites strongly suggests that compromising WordPress admin panels is a deliberate step in the attacker’s deployment process, not an accident. Organizations are advised to audit their WordPress environments for exposed admin interfaces and disable public access to wp-admin where possible. Enforcing multi-factor authentication on all WordPress administrator accounts, blocking known malicious infrastructure, and hunting for unauthorized ScreenConnect installations are strongly recommended steps. Network defenders should also alert on outbound connections to TCP port 8041 and watch for msiexec processes launched from temporary directories, as both are reliable indicators of this infection chain in action. Indicators of Compromise (IoCs):- Type Indicator Description Domain cloud.zistopstoabetterlife.com Self-hosted ScreenConnect C2 server (port 8041) Domain ampliawifi.com Actor-controlled WordPress deployment Domain gaheempreendimentos.com Actor-controlled Cloudflare-protected deployment Domain c3po3090.com.br Actor-controlled nameserver infrastructure Domain iconclinic.ae Compromised victim WordPress site, wp-admin exposed Domain kinorot.co.il Likely compromised victim infrastructure Domain vetcarebd.xyz Compromised payload delivery host Domain nabellacouture.com Compromised payload delivery host Domain birexo.icu Additional phishing kit deployment Domain abpmed.com Additional phishing kit deployment IP Address 177.154.191.148 São Paulo, Brazil — actor hosting infrastructure IP Address 84.32.41.64 Associated threat infrastructure File ScreenConnect.ClientSetup.msi ScreenConnect installer payload File microsoftceo.exe Malicious dropper executable File ceo.msi MSI payload staged via GitHub File CapraAssetManagementInc.vbs Victim-specific VBS dropper URL Path /wp-admin/ Exposed WordPress admin interface used for kit deployment URL Path /download.html Phishing kit stage 1 delivery file URL Path /complete.php Phishing kit stage 2 PHP file URL Path /download.php Hidden iframe payload trigger GitHub Repo creativebobo/ceoexe GitHub staging repository for payloads GitHub Repo creativebobo/ceo GitHub staging repository for payloads Cloudflare Token fcfd0b3135e24171980eef5488a4927b Cloudflare telemetry beacon observed in newer kit samples Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News GitHub Enterprise Server 3.20.3 Released With Fox for Critical Vulnerabilities Legitimate-Looking Codex Remote UI Steals OpenAI Codex Authentication Tokens ClearFake Uses BSC Testnet Smart Contracts for Takedown-Resistant Command and Control Hackers Compromised 233 Versions of Laravel-Lang Packages by Hacking 700 GitHub Repos Hackers Push 22 Versions of npm RAT With Wallet Theft and Persistent Backdoor Latest News Cyber Security News Oracle Critical Security Update – Patch for 35 New Vulnerabilities Across Products Cyber Security News MicrosoftSystem64 Malware Uses HuggingFace Datasets for Stealthy Data Exfiltration Cyber Security News Malicious RVTools Installer Abuses Sectigo Certificate to Bypass SmartScreen Warnings Cyber Security News Critical Samba Vulnerability Enables Remote Code Execution Attacks Chrome Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 29, 2026
    Archived
    May 29, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗