Fake Adobe Reader Download Distributes ScreenConnect via Fileless Loader
Severity: Medium (Score: 48.9)
Sources: Gbhackers, Cybersecuritynews
Summary
A deceptive campaign has emerged where attackers distribute a fake Adobe Acrobat Reader installer that deploys ConnectWise’s ScreenConnect, a legitimate remote-access tool, through a complex in-memory execution chain. Victims are lured to a phishing site mimicking Adobe’s official download page, leading to unauthorized system control and data collection. The attack employs sophisticated techniques including in-memory execution and process masquerading, making detection difficult. Organizations and individual users who mistakenly download the fake installer are at risk. The attack's scope is currently unclear, but it poses a significant threat to users seeking legitimate software. No specific numbers or CVEs have been reported yet. The current status of the campaign is active as of April 16, 2026.
Key Points:
• Attackers are using a fake Adobe Reader installer to deploy ScreenConnect.
• The attack employs advanced techniques like in-memory execution and process masquerading.
• Victims are primarily individuals downloading software from phishing sites.