A newly uncovered attack campaign is tricking users into installing remote access software on their systems by disguising malware as a legitimate Adobe Acrobat Reader download. <\/p>\n
The attack uses a sophisticated chain of techniques \u2014 including in-memory execution, process masquerading, and privilege escalation \u2014 to deploy ConnectWise\u2019s ScreenConnect without leaving obvious traces on the victim\u2019s machine.<\/a><\/p>\n What makes this campaign particularly dangerous is the level of trust users place in well-known software brands like Adobe. When someone visits a website and sees a familiar download button for Adobe Acrobat Reader, most people click without hesitation. <\/p>\n Attackers behind this campaign have exploited that trust entirely. Instead of delivering a real installer, the fake page silently pushes a heavily obfuscated VBScript file named\u00a0Acrobat_Reader_V112_6971.vbs<\/em>\u00a0directly to the victim\u2019s browser. This single file sets the entire attack in motion.<\/a><\/p>\n Researchers at Zscaler ThreatLabz first identified this attack chain<\/a> in February 2026, tracing it from the initial lure all the way through to the final deployment of ScreenConnect. <\/p>\n According to ThreatLabz analyst Kaivalya Khursale, the attackers leveraged multiple layers of obfuscation and direct in-memory execution to reduce the number of artifacts left on disk, making detection and forensic analysis significantly harder for security teams. <\/p>\n The campaign stands out because it weaponizes a legitimate remote monitoring and management (RMM) tool \u2014 a growing trend among threat actors seeking to blend malicious activity with normal IT operations<\/a>.<\/a><\/p>\n ScreenConnect itself is not malware. It is a legitimate remote desktop tool used by IT administrators worldwide. <\/p>\n However, when installed without a user\u2019s knowledge, it hands attackers complete remote control over the compromised machine, allowing them to steal files, deploy additional payloads, or maintain long-term persistence. <\/p>\n Since the ScreenConnect behaves like genuine software, many antivirus and endpoint detection and response (EDR) solutions do not flag it, making this a particularly effective delivery method.<\/a><\/p>\n The fraudulent page<\/a> used in this campaign, hosted at\u00a0eshareflies[.]im\/ad\/<\/em>, closely impersonates Adobe\u2019s official website. Once a victim lands on it, the download begins automatically \u2014 no extra clicks required. <\/p>\n The VBScript loader<\/a> is the first malicious file dropped, and from that point forward, the attack operates almost entirely in memory to avoid leaving evidence behind.<\/a><\/p>\n The attack unfolds in a carefully ordered series of stages, each designed to prepare the ground for the next. It begins the moment the VBScript file lands on the victim\u2019s system.<\/p>\n The VBScript loader is built to resist analysis. Rather than referencing system objects directly, it constructs them dynamically at runtime using nested string replacement functions. <\/p>\n For example, instead of writing\u00a0WScript.Shell\u00a0in plain text, the loader assembles that name from a long jumbled string that only resolves to a readable value when the script actually runs. <\/p>\n This approach prevents the name from appearing clearly in the file, making automated scanning tools far less effective. <\/p>\n The loader then executes a follow-on command assembled from dozens of\u00a0Chr()\u00a0calls with arithmetic expressions, each one resolving to a single ASCII character during execution. <\/p>\n The command runs silently in a hidden window, with no visible indication to the victim that anything unusual is happening.<\/a><\/p>\n Once the VBScript fires, it launches PowerShell with\u00a0-ExecutionPolicy Bypass<\/em>, allowing scripts to run even on systems with restrictive local policies. <\/p>\n PowerShell then downloads a file from Google Drive, reads it entirely into memory, and compiles it as C# source code \u2014 critically, without ever writing the compiled result to disk. <\/p>\n This is the in-memory loader, a .NET assembly embedded inside a large byte array. By using .NET reflection with\u00a0Assembly.Load(byte[])\u00a0and\u00a0EntryPoint.Invoke(), the loader executes the next stage entirely within the running process.<\/p>\n To further evade detection, the loader implements a technique called Process Environment Block (PEB) manipulation. The PEB is a Windows memory structure that stores information about a running process, including its name and file path. <\/p>\n The loader overwrites these fields to make itself appear as\u00a0winhlp32.exe\u00a0\u2014 a harmless Windows help binary. Security tools<\/a> and user-mode monitoring software that rely on PEB metadata will see a legitimate-looking process rather than the malicious loader.<\/a><\/p>\n In addition to process masquerading, the attackers abused Windows\u2019 auto-elevated Component Object Model (COM) objects to bypass User Account Control (UAC). <\/p>\n Normally, UAC would display a prompt asking the user to approve administrator-level actions. <\/p>\n By targeting specific COM class IDs that Windows automatically runs with elevated privileges, the loader gains administrative access silently. <\/p>\n The elevation moniker string is stored in reverse within the code and only flipped at runtime, making static signature detection even more difficult.<\/a><\/p>\n With full elevated privileges in hand, the final stage executes. A PowerShell command, decoded at runtime, creates the\u00a0C:Temp<\/em>\u00a0directory, downloads\u00a0ScreenConnect.ClientSetup.msi\u00a0from\u00a0x0[.]at\/qOfN.msi, and installs it using\u00a0msiexec. <\/p>\n Once installation completes, the attacker gains remote access to the victim\u2019s machine through ScreenConnect\u2019s legitimate infrastructure.<\/a><\/p>\n Users should avoid downloading software from unofficial or unfamiliar websites, even if the page looks legitimate. Organizations should deploy application whitelisting to prevent unauthorized RMM tools from being installed. <\/p>\n Security teams<\/a> are advised to monitor for unusual PowerShell execution with\u00a0-ExecutionPolicy Bypass\u00a0flags and alert on unexpected MSI installations. <\/p>\n Blocking access to untrusted file-hosting URLs such as those on Google Drive when initiated by scripts can also reduce exposure. Enabling EDR solutions capable of detecting PEB manipulation and COM-based UAC bypass activity is strongly recommended.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Fake Adobe Reader Download Delivers ScreenConnect Through Stealthy In-Memory Loader<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nHow the Attack Operates from Start to Finish<\/strong><\/h2>\n
![\"Attack](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgZuwDIe_iDfbbFoWbuxUxcFzxOqcLQ1B4xiDyxHKKQOa0ff9l0YzrPrdIlc8V8rWmug0h08JVUhnuDbjCUeHgPxurGEX3QBKOe6R81mM0zse0tHa4iefyc5TF3qQL_ApQxUbUBZ2Xubvtp7yWPDk6YG_girbCFJeVEDBMzuOGWpEnM5n6wpOPnQ6Ad4fI\/s16000\/Attack%2520chain%2520for%2520the%2520ScreenConnect%2520deployment%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\")
![\"Fraudulent](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEipIeew6qKLlcVSAWzfs8aV84b602UR4eXELdnjdrz4_ePuqI1hMk0TPnRaduI5JV3km0Xmpo_KOoy_-iGZON4biJ8_B73MMsmyC6W53CPxgILQ3xjip2XXZrqw7EGfenQ-DeDen0UFDpNfKHEle7_yOxv2V1ezv7yaJsu_XPBve3Jh9oDuyJyCQcvFjIg\/s16000\/Fraudulent%2520page%2520impersonating%2520Adobe%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\")
![\"Downloaded](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3IwaQSsm-tVQfTitx7WVK6OUe7UTmKGxM8DrohkNYvv0pGXPWKWXQv1GdUjofL-DJWVceKmCdgPDdTUwl9e6LcbBQ9zqlCV1EN3Cb2uIXl2k7z2HmRlE3-F9l53iIPykrvi0qYqlWMlk-m9hA2BVjvb5oRcI1xsjpYUbEu9jPs7bcxqhQxICEnFh_ycQ\/s16000\/Downloaded%2520VBScript%2520payload%2520masquerading%2520as%2520an%2520Adobe%2520Acrobat%2520Reader%2520installer%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\")
![\"Code](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjCC92g_XzCGLK2vdz1dGP6yPe_Oe6Rqv2JBCb-B7-j8usmEekEwGvHomwbgHe_43z10JVnjq9gN-xy5ntLegwJ1RKhJ6SBYzLh2U0uA-3UA_bcY8aoOYBeN7a3e2fEofaAAVuGRLemqQo4aGm09QBsR-b57-bNkDZQT9fh-tqnU35sXBsRShGcMy9uwm0\/s16000\/Code%2520attempting%2520to%2520obtain%2520an%2520elevated%2520COM%2520object%2520for%2520privilege%2520escalation%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\")
![\"PowerShell](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiHLJo11Y6TPSZveBsyZyPNI6tk5aaMbO4ypWzGIbOLTptg8kImxgScCa0GoxHSl6T8QEK57OiCWlcVEGUTEBTGBo6DV7c0n4I3hxIdQzchohgMoNOVi0A2PSkIeFd5Gux3R2xCOIXr41WtYymE-AfgaMiGu1lT7Q8koMjavBOYEYFo9Y6iMAtZet2GKLQ\/s16000\/PowerShell%2520command%2520that%2520downloads%2520ScreenConnect.ClientSetup.msi%2520and%2520installs%2520it%2520via%2520msiexec%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\")