Hackers Use Fake Adobe Document Cloud Pages to Deliver ScreenConnect Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A sophisticated phishing campaign is actively targeting financial organizations by using fake Adobe Document Cloud pages to silently install ScreenConnect remote access malware on victim machines.

The operation is well-structured, deceptive, and difficult to detect because it blends into everyday enterprise software activity.

The campaign works by sending phishing emails that look like legitimate Adobe Document Cloud file-sharing notifications. Victims are told a confidential project document has been uploaded to Adobe Document Cloud and are given a link to view it.

That link leads to a compromised WordPress website hosting a convincing fake Adobe page designed to trick users into triggering a malware download without realizing it.

Researchers from Fortra’s Intelligence and Research Experts (FIRE) team identified the phishing kit behind this operation and named it “RatPressto.”

Fortra said in a report shared with Cyber Security News (CSN) that the kit is reusable, privately maintained, and engineered to maximize victim trust while minimizing security detection.

The campaign is assessed with medium confidence to originate from a Brazilian threat actor, based on infrastructure tied to São Paulo.

What makes this campaign stand out is how it uses legitimate software to stay under the radar. Rather than deploying custom malware, the attacker abuses ScreenConnect, a widely used remote administration tool, to gain full control of infected machines.

Blending malicious activity into normal business software traffic makes it far harder for standard security tools to raise an alarm.

Multiple compromised websites were found hosting nearly byte-identical phishing pages, with only the victim-specific file name changed between campaigns. This points strongly to a single, well-organized actor group managing a centralized private phishing kit.

Hackers Use Fake Adobe Document Cloud Pages

The RatPressto kit operates in two stages designed to keep the victim distracted while the malware installs itself silently.

Stage one presents the victim with a convincing fake Adobe page showing a “Download Complete” message, complete with Adobe branding and a loading animation. This page has one purpose: buy time while the real action happens in the background.

That background action is stage two, where a hidden iframe silently triggers the download of a ScreenConnect installer. The victim sees instructions telling them to open a file, but the malicious file has already been downloaded before they take any action.

Once the installer runs, ScreenConnect is installed quietly with no visible interface, and the infected machine connects back to a self-hosted command-and-control server at cloud.zistopstoabetterlife.com on port 8041.

The attacker stages additional payloads through GitHub repositories under the account “creativebobo,” and uses heavily obfuscated batch scripts that delete themselves after execution to clean up traces.

File names are customized to match the victim’s business context, such as using a company name in the installer file, making the download appear even more legitimate at first glance.

Compromised WordPress Sites at the Core of the Attack

A key part of this campaign is the abuse of poorly secured WordPress websites to host the phishing kit.

Investigators found that multiple compromised sites had publicly exposed WordPress admin interfaces, meaning the attacker likely used stolen credentials or exploited vulnerable plugins to gain access and upload the phishing files directly.

The phishing kit files, including download.html, complete.php, and download.php, were deployed into WordPress-accessible directories.

The consistency of this pattern across many unrelated websites strongly suggests that compromising WordPress admin panels is a deliberate step in the attacker’s deployment process, not an accident.

Organizations are advised to audit their WordPress environments for exposed admin interfaces and disable public access to wp-admin where possible.

Enforcing multi-factor authentication on all WordPress administrator accounts, blocking known malicious infrastructure, and hunting for unauthorized ScreenConnect installations are strongly recommended steps. Network defenders should also alert on outbound connections to TCP port 8041 and watch for msiexec processes launched from temporary directories, as both are reliable indicators of this infection chain in action.
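To make the two detections in the previous paragraph concrete, here is an added Python example (not from the article or Fortra) that applies them to constructed Sysmon-style events: process-creation records (Event ID 1) where msiexec.exe is launched with an MSI in a temporary directory, and network-connection records (Event ID 3) going out to TCP port 8041 or to the C2 domain from the IoC list. The field names follow Sysmon's event schema; the process GUIDs, the ScreenConnect client image path and all event values are constructed for this example.

```python
"""
Added example, not part of the article or of Fortra's research: two
detection rules for the ScreenConnect infection chain, run over
constructed Sysmon-style event records (Event ID 1 = process creation,
Event ID 3 = network connection).
"""
import re
from typing import Iterable

# Temporary-directory patterns as they appear in a Windows command line.
TEMP_DIR_PATTERNS = [
    re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.IGNORECASE),
    re.compile(r"%temp%", re.IGNORECASE),
]

# Port and self-hosted C2 host from the article's IoC list.
SUSPECT_PORT = 8041
SUSPECT_DOMAIN = "cloud.zistopstoabetterlife.com"


def msiexec_from_temp(event: dict) -> bool:
    """Event ID 1: msiexec.exe whose command line references a temp directory."""
    if event.get("EventID") != 1:
        return False
    if not event.get("Image", "").lower().endswith("\\msiexec.exe"):
        return False
    cmd = event.get("CommandLine", "")
    return any(p.search(cmd) for p in TEMP_DIR_PATTERNS)


def outbound_screenconnect_relay(event: dict) -> bool:
    """Event ID 3: outbound TCP connection to port 8041 or the known C2 host."""
    if event.get("EventID") != 3 or not event.get("Initiated", False):
        return False
    if event.get("Protocol", "").lower() != "tcp":
        return False
    return (event.get("DestinationPort") == SUSPECT_PORT
            or event.get("DestinationHostname", "").lower() == SUSPECT_DOMAIN)


def detect(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, ProcessGuid) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if msiexec_from_temp(ev):
            hits.append(("msiexec_from_temp", ev["ProcessGuid"]))
        if outbound_screenconnect_relay(ev):
            hits.append(("outbound_port_8041_or_c2", ev["ProcessGuid"]))
    return hits


# Constructed sample events (not real telemetry). The ScreenConnect client
# image path below is a placeholder, not a path documented in the article.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.msi" /qn'},
    {"EventID": 1, "ProcessGuid": "{A2}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi"'},   # benign install
    {"EventID": 3, "ProcessGuid": "{A3}",
     "Image": r"C:\PLACEHOLDER\ScreenConnect.ClientService.exe",
     "Initiated": True, "Protocol": "tcp",
     "DestinationHostname": "cloud.zistopstoabetterlife.com", "DestinationPort": 8041},
    {"EventID": 3, "ProcessGuid": "{A4}",
     "Image": r"C:\Program Files\Browser\browser.exe",
     "Initiated": True, "Protocol": "tcp",
     "DestinationHostname": "example.com", "DestinationPort": 443},            # benign HTTPS
]

if __name__ == "__main__":
    for rule, guid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: process {guid}")
```

The port rule should be tuned to the environment: an organization that legitimately runs a self-hosted ScreenConnect relay on 8041 would instead allow-list its own relay host and alert on every other destination.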

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| Domain | cloud[.]zistopstoabetterlife[.]com | Self-hosted ScreenConnect C2 server (port 8041) |
| Domain | ampliawifi[.]com | Actor-controlled WordPress deployment |
| Domain | gaheempreendimentos[.]com | Actor-controlled Cloudflare-protected deployment |
| Domain | c3po3090[.]com[.]br | Actor-controlled nameserver infrastructure |
| Domain | iconclinic[.]ae | Compromised victim WordPress site, wp-admin exposed |
| Domain | kinorot[.]co[.]il | Likely compromised victim infrastructure |
| Domain | vetcarebd[.]xyz | Compromised payload delivery host |
| Domain | nabellacouture[.]com | Compromised payload delivery host |
| Domain | birexo[.]icu | Additional phishing kit deployment |
| Domain | abpmed[.]com | Additional phishing kit deployment |
| IP Address | 177[.]154[.]191[.]148 | São Paulo, Brazil; actor hosting infrastructure |
| IP Address | 84[.]32[.]41[.]64 | Associated threat infrastructure |
| File | ScreenConnect.ClientSetup.msi | ScreenConnect installer payload |
| File | microsoftceo.exe | Malicious dropper executable |
| File | ceo.msi | MSI payload staged via GitHub |
| File | CapraAssetManagementInc.vbs | Victim-specific VBS dropper |
| URL Path | /wp-admin/ | Exposed WordPress admin interface used for kit deployment |
| URL Path | /download.html | Phishing kit stage 1 delivery file |
| URL Path | /complete.php | Phishing kit stage 2 PHP file |
| URL Path | /download.php | Hidden iframe payload trigger |
| GitHub Repo | creativebobo/ceoexe | GitHub staging repository for payloads |
| GitHub Repo | creativebobo/ceo | GitHub staging repository for payloads |
| Cloudflare Token | fcfd0b3135e24171980eef5488a4927b | Cloudflare telemetry beacon observed in newer kit samples |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
