An ongoing spam campaign is leveraging social engineering to deploy legitimate Remote Monitoring and Management (RMM) software on victim networks.
By disguising malicious payloads as essential Adobe Acrobat updates, threat actors are successfully bypassing traditional security controls and establishing persistent remote access to sensitive systems.
The campaign begins with a deceptive email delivering a PDF attachment. These emails often masquerade as important notifications, such as invoices, payment receipts, or shared documents, prompting the user to view the file immediately.
When the victim opens the attached PDF, they are not presented with a document but rather a static image mimicking a blurred document or a security prompt.
A prominent button, often labeled “Open in Adobe Reader to Access this File”, urges the user to click to view the content.
This is a common phishing tactic designed to move the victim from a protected email environment to a malicious webpage controlled by the attacker.
Clicking the link redirects the user to a spoofed webpage designed to look exactly like a legitimate Adobe Acrobat download center. The page displays a warning claiming that “Adobe Reader is not detected or out of date” and automatically initiates a download.
Unlike traditional malware campaigns that install custom viruses or trojans, this attack downloads a genuine executable installer for commercial RMM software.
In this campaign, LevelBlue researchers observed two RMM products being deployed: TrustConnect and Datto RMM.
RMM tools are powerful software suites used by IT administrators to manage computers remotely. They allow for full control over a system, including file transfer, software installation, and desktop control.
Because these tools are digitally signed by reputable vendors and widely used in corporate environments, they are often trusted by antivirus (AV) and Endpoint Detection and Response (EDR) solutions.
The Danger of “Living off the Land”
This technique is known as “Living off the Land” (LotL). By installing legitimate software, threat actors can blend in with normal network traffic. To a security analyst, the activity looks like a standard IT administrative task rather than a breach.
Once installed, the RMM tool creates a backdoor. The attacker can then:
- Maintain Persistence: Access the machine anytime, even after reboots.
- Evade Detection: Slip past security tooling that allows legitimate administrative software to run.
- Escalate Privileges: Use the tool’s system-level permissions to move deeper into the network or deploy ransomware.
This campaign highlights the need for vigilance regarding “update” prompts originating from email attachments. Security teams should monitor for unauthorized RMM installations and block known malicious domains associated with these fake download pages.
Users are advised to only download software updates directly from official vendor websites, never from links inside a PDF or email.
IOCs
| Indicator Type | Context / Description | Value |
|---|---|---|
| URL | Initial Redirect / Phishing Link | hxxps[://]99d04a7a-345a-487c-8ea3-a9a626aa773e-00-3qpe7rminty[.]com/e/WlppNUlubg |
| URL | Payload Delivery / Fake Landing Page | hxxps[://]adb-pro[.]design/Adobe/landing[.]php |
| SHA-256 | Lure Document (scanned_document.pdf) | 0432f2e433bf42aaff0f078d500dd6f47c2500a8c8560601d8eadd0d9b365861 |
| SHA-256 | Fake Installer Payload (Adobe_Reader_Installer.exe – TrustConnect) | edde2673becdf84e3b1d823a985c7984fec42cb65c7666e68badce78bd0666c0 |
| SHA-256 | Fake Installer Payload (Adobe_Reader_Installer.exe – Datto RMM) | ae42e874b598cce517c40f9314bdef94828ba20f15bb7f8026187573f26fff9f |
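As an added example (not code from the article or from LevelBlue), the monitoring recommended above can be expressed as a small triage rule over endpoint file events: it matches the two installer hashes from the IOC table, flags an Adobe-named executable whose signed product name is actually one of the RMM tools the campaign dropped, and flags any RMM product that is not on the organisation's own allowlist. Hostnames, user names, the allowlist and all hashes other than the two IOCs are constructed.

```python
from dataclasses import dataclass

# SHA-256 values of the two fake installers from the IOC table on this page
KNOWN_BAD_SHA256 = {
    "edde2673becdf84e3b1d823a985c7984fec42cb65c7666e68badce78bd0666c0",  # TrustConnect
    "ae42e874b598cce517c40f9314bdef94828ba20f15bb7f8026187573f26fff9f",  # Datto RMM
}
# RMM products dropped by the campaign (extend with whatever your environment sees)
RMM_PRODUCTS = ("trustconnect", "datto rmm")
# Constructed allowlist: the RMM product this hypothetical organisation really uses
APPROVED_RMM = frozenset({"datto rmm"})
@dataclass
class FileEvent:
    host: str
    path: str      # full path of the executable that was written or launched
    sha256: str
    product: str   # product name from the binary's signature / version info
    user: str

def classify(ev: FileEvent, approved=APPROVED_RMM) -> list[str]:
    """Return the reasons this event should be flagged; an empty list means benign."""
    reasons = []
    filename = ev.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    product = " ".join(ev.product.lower().split())  # collapse spacing, e.g. "Datto  RMM"
    if ev.sha256.lower() in KNOWN_BAD_SHA256:
        reasons.append("sha256 matches a published fake-installer IOC")
    rmm = next((p for p in RMM_PRODUCTS if p in product), None)
    if rmm:
        if "adobe" in filename and "adobe" not in product:
            reasons.append(f"Adobe-named file is actually '{rmm}'")
        # Legitimate tool in the wrong place: unapproved RMM is what the article says to watch
        if rmm not in approved:
            reasons.append(f"unapproved RMM '{rmm}' installed by {ev.user}")
    return reasons
# Constructed sample telemetry: hosts, users and the three non-IOC hashes are made up
SAMPLE_EVENTS = [
    FileEvent("ws-17", r"C:\Users\alice\Downloads\Adobe_Reader_Installer.exe",
              "edde2673becdf84e3b1d823a985c7984fec42cb65c7666e68badce78bd0666c0",
              "TrustConnect", "alice"),
    FileEvent("ws-22", r"C:\Users\bob\Downloads\Adobe_Reader_Installer.exe",
              "11" * 32, "Datto RMM", "bob"),
    FileEvent("ws-03", r"C:\Program Files\Datto\AgentInstaller.exe", "22" * 32,
              "Datto RMM Agent", "SYSTEM"),
    FileEvent("ws-09", r"C:\Program Files\Adobe\Acrobat\AcroRd32.exe", "33" * 32,
              "Adobe Inc.", "carol"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.host, ev.path, "->", "; ".join(classify(ev)) or "benign")
```

The product name should come from the binary's Authenticode signer or version resource as recorded by the EDR, not from the filename, since the filename is exactly what the lure controls.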