A sneaky spam campaign is hitting inboxes with fake PDF files. These emails trick users into thinking they need to update Adobe Acrobat. Instead of getting genuine software, victims download dangerous remote monitoring and management (RMM) tools.
These tools give attackers complete, ongoing control over infected computers. The attack hides in plain sight by using trusted RMM software, making it appear to be everyday IT work.
Security teams from LevelBlue spotted this and shared key details, including indicators of compromise (IOCs).
The campaign started gaining steam in early 2026. Emails arrive with subject lines like “Scanned Document” or “Urgent Update.” Attachments are PDFs named something innocent, like “scanned_document.pdf.”
When users open them, the PDF shows a fake error message: “Adobe Reader has stopped working. Download the latest version.” A big red button urges quick action. Clicking it sends users to a phony Adobe download page.
Victims grab executables pretending to be “Adobe_Reader_Installer.exe.” These files install RMM agents from legitimate vendors such as TrustConnect and Datto RMM.
Why RMM tools? They let IT admins remotely manage devices: fix issues, run scripts, or monitor performance. Attackers abuse this by deploying them without permission. Once installed, the tool phones home to attacker-controlled servers.
This gives persistent access, even after reboots. Attackers can spy on screens, steal files, run commands, or drop more malware.
It’s stealthy because RMM traffic mimics enterprise IT ops, dodging endpoint detection and response (EDR) tools.
Campaign Mechanics and IOCs
According to SpiderLabs, the PDF uses embedded JavaScript or hyperlinks to trigger the redirect. No macros needed, just social engineering.
The fake site uses URL obfuscation and HTTPS to evade email filters such as MailMarshal. Downloads happen via direct links, often bypassing browser warnings.
Once executed, the malware extracts and runs the RMM agent. For example:
| File/URL | SHA-256 Hash | Description |
|---|---|---|
| scanned_document.pdf | 0432f2e433bf42aaff0f078d500dd6f47c2500a8c8560601d8eadd0d9b365861 | Malicious PDF attachment |
| Adobe_Reader_Installer.exe (TrustConnect) | edde2673becdf84e3b1d823a985c7984fec42cb65c7666e68badce78bd0666c0 | RMM dropper |
| Adobe_Reader_Installer.exe (Datto RMM) | ae42e874b598cce517c40f9314bdef94828ba20f15bb7f8026187573f26fff9f | RMM dropper |
| hxxps://99d04a7a-345a-487c-8ea3-a9a626aa773e-00-3qpe7rminty.com/e/WlppNUlubg | N/A | Redirect URL |
| hxxps://adb-pro.design/Adobe/landing.php | N/A | |
Block these hashes in your EDR or SIEM. Check network logs for traffic to the domains. ANY.RUN sandboxes confirm the RMM persistence.
Defenses are straightforward: train users to avoid unsolicited PDF links. Enable PDF sandboxing in tools like Zscaler or Check Point Harmony. Scan emails for anomalies with TrustConnect or Datto signatures.
Update RMM agents to the latest versions and monitor for unauthorized installs. Hunt for IOCs using PowerShell or Python scripts on endpoints.
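One way to run that endpoint hunt in Python, as an added example that is not part of the original report: it hashes .pdf and .exe files under a directory against the SHA-256 values in the table above and matches log tokens by hostname rather than by substring, so look-alike hosts do not produce hits. The function names, the log format and the sample log lines are assumptions constructed for illustration.

```python
import hashlib
from pathlib import Path
from urllib.parse import urlsplit
# SHA-256 values and hosts copied from the IOC table on this page.
IOC_SHA256 = {
    "0432f2e433bf42aaff0f078d500dd6f47c2500a8c8560601d8eadd0d9b365861": "Malicious PDF attachment",
    "edde2673becdf84e3b1d823a985c7984fec42cb65c7666e68badce78bd0666c0": "RMM dropper (TrustConnect)",
    "ae42e874b598cce517c40f9314bdef94828ba20f15bb7f8026187573f26fff9f": "RMM dropper (Datto RMM)",
}
IOC_HOSTS = {"99d04a7a-345a-487c-8ea3-a9a626aa773e-00-3qpe7rminty.com", "adb-pro.design"}
# Constructed proxy-log lines, not real telemetry; the log format is an assumption.
SAMPLE_LOG = [
    "2026-01-15T09:12:03Z 10.0.0.5 GET https://adb-pro.design/Adobe/landing.php 200",
    "2026-01-15T09:12:09Z 10.0.0.7 CONNECT cdn.adb-pro.design:443 200",
    "2026-01-15T09:13:40Z 10.0.0.9 GET https://adb-pro.design.example.net/index.html 200",
]

def sha256_file(path, chunk=1 << 20):  # chunked read: installers can be large
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_files(root, iocs=IOC_SHA256, suffixes=(".pdf", ".exe")):
    """Return (path, description) for files under root whose SHA-256 is listed."""
    hits = []
    for p in Path(root).rglob("*"):
        try:
            if p.is_file() and p.suffix.lower() in suffixes:
                label = iocs.get(sha256_file(p))
                if label:
                    hits.append((str(p), label))
        except OSError:
            continue  # locked or unreadable file: skip it, keep scanning
    return hits

def host_of(token):
    """Hostname of a URL or host[:port] token; defanged hxxp and [.] are accepted."""
    token = token.strip("\"'<>(),;").replace("hxxp", "http").replace("[.]", ".")
    try:
        return (urlsplit(token if "://" in token else "//" + token).hostname or "").lower()
    except ValueError:
        return ""  # token is not parseable as a URL, e.g. a bracketed timestamp

def scan_log_lines(lines, hosts=IOC_HOSTS):
    """Return (line_number, host) for tokens whose host is an IOC host or a subdomain."""
    return [(n, h) for n, line in enumerate(lines, 1) for h in map(host_of, line.split())
            if any(h == d or h.endswith("." + d) for d in hosts)]
```

A hash match only catches byte-identical copies of the listed files, so a clean `scan_files` result does not rule out a repacked installer; the hostname check is the broader of the two signals.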