Phishing Campaign Uses Fake Adobe Pages to Distribute ScreenConnect Malware

Severity: High (Score: 61.5)

Sources: Cybersecuritynews, Gbhackers

Published: 2026-05-29 · Updated: 2026-05-29

Keywords: fake, adobe, document, cloud, pages, malware, screenconnect

Severity indicators: malware

Summary

A phishing campaign is targeting financial organizations by using counterfeit Adobe Document Cloud pages to install ScreenConnect malware on victim machines. The attackers exploit trust in Adobe's services, utilizing a sophisticated phishing kit named 'RatPressto' that leverages compromised WordPress sites to evade detection. Phishing emails are crafted to appear as legitimate corporate communications, making them difficult to identify. The operation is well-structured and poses a significant threat to enterprise security. Currently, there are no specific numbers of victims reported, but the campaign is ongoing and evolving. Security professionals are advised to remain vigilant against such deceptive tactics.

Key Points:

  • Hackers are using fake Adobe Document Cloud pages to deliver ScreenConnect malware.
  • The phishing campaign targets financial organizations and employs a sophisticated kit named 'RatPressto'.
  • Phishing emails mimic legitimate corporate communications, complicating detection efforts.

Detailed Analysis

**Impact** Financial organizations are the primary targets of this campaign, with no specific geographic scope detailed. The attack risks unauthorized remote access to corporate systems via ScreenConnect malware, potentially leading to data theft, operational disruption, and financial losses. The deceptive nature of the phishing emails increases the likelihood of successful compromise within affected enterprises.

**Technical Details** The attack begins with phishing emails impersonating Adobe Document Cloud notifications, directing victims to fake Adobe delivery pages. The campaign uses the “RatPressto” phishing kit, which leverages compromised WordPress sites and legitimate software to evade detection. ScreenConnect remote access malware is silently installed, enabling persistent access. No CVEs or specific IOCs were provided in the sources.

**Recommended Response** Organizations should prioritize user awareness training to recognize phishing emails mimicking Adobe Document Cloud. Deploy email filtering rules to block messages containing suspicious Adobe-related URLs and monitor for unusual ScreenConnect activity on endpoints. Harden WordPress installations to prevent compromise and monitor network traffic for unauthorized remote access connections. No patch or CVE-specific mitigation details are available.

Source articles (2)

  • Fake Adobe Document Cloud Pages Spread ScreenConnect Malware — Gbhackers · 2026-05-29
    Hackers are actively exploiting trust in Adobe Document Cloud by using fake delivery pages to install remote access malware. The campaign leverages a sophisticated phishing kit named “RatPressto,” whi…
  • Hackers Use Fake Adobe Document Cloud Pages to Deliver ScreenConnect Malware — Cybersecuritynews · 2026-05-29
    A sophisticated phishing campaign is actively targeting financial organizations by using fake Adobe Document Cloud pages to silently install ScreenConnect remote access malware on victim machines. The…

Timeline

  • 2026-05-29 — Phishing campaign identified: A sophisticated phishing campaign using fake Adobe Document Cloud pages to install malware was reported, targeting financial organizations.
  • 2026-05-29 — Use of 'RatPressto' phishing kit confirmed: The campaign utilizes a phishing kit named 'RatPressto', which exploits compromised WordPress sites.

Related entities

  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Financial (Industry)
  • ScreenConnect (Tool)
  • RatPressto (Tool)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Adobe Document Cloud (Platform)
  • WordPress (Platform)