Fake Adobe Reader Installer Delivers ScreenConnect via In-Memory Loader


Emy Elsamnoudy
April 16, 2026

Key Takeaways

  • A new attack campaign is actively distributing ConnectWise ScreenConnect by masquerading as an Adobe Acrobat Reader installer.
  • The threat leverages sophisticated techniques, including in-memory execution, process masquerading, and UAC bypass, to avoid detection and achieve privilege escalation.
  • Victims are tricked into downloading a malicious VBScript from a fake Adobe website, which then deploys the legitimate remote access software.
  • The use of a legitimate RMM tool makes detection challenging for traditional antivirus solutions.

Cybersecurity researchers have uncovered a sophisticated attack campaign that tricks users into installing remote access software by impersonating an Adobe Acrobat Reader download. This highly deceptive operation employs a multi-stage approach, utilizing in-memory execution, process masquerading, and privilege escalation to deploy ConnectWise’s ScreenConnect without leaving easily detectable traces on the compromised system.

The campaign exploits the inherent trust users place in well-known software vendors like Adobe. Victims are lured to a counterfeit website that closely mimics Adobe’s official page. Instead of delivering a genuine installer, the fraudulent site silently pushes a heavily obfuscated VBScript file, named Acrobat_Reader_V112_6971.vbs, directly to the user’s browser. This initial VBScript is the catalyst for the entire attack chain.

Researchers at Zscaler ThreatLabz first identified this intricate attack chain in February 2026, meticulously tracing its progression from the initial deception to the final deployment of ScreenConnect.

Kaivalya Khursale, a ThreatLabz analyst, highlighted the attackers’ reliance on extensive obfuscation and direct in-memory execution. These techniques are deliberately designed to minimize disk artifacts, significantly complicating detection and forensic analysis for security teams.

A notable aspect of this campaign is its weaponization of a legitimate remote monitoring and management (RMM) tool. This tactic is increasingly favored by threat actors as it allows malicious activities to blend seamlessly with legitimate IT operations, thereby evading traditional security measures.

ConnectWise ScreenConnect is not inherently malicious; it is a legitimate remote desktop tool widely used by IT administrators for system management. However, when deployed without user consent, it grants attackers full remote control over the compromised machine. This access enables them to exfiltrate data, deploy further malware, or establish long-term persistence. Because ScreenConnect functions as legitimate software, many antivirus and endpoint detection and response (EDR) solutions may fail to flag its presence, making it an effective delivery mechanism for adversaries.

The deceptive page, hosted at eshareflies[.]im/ad/, is meticulously crafted to resemble Adobe’s official download portal. Upon landing on this page, the malicious download initiates automatically. The VBScript loader is the first component dropped, after which the subsequent stages of the attack predominantly operate in memory, minimizing forensic evidence.

How the Attack Operates from Start to Finish

The attack progresses through a series of carefully orchestrated stages, each designed to facilitate the next and enhance stealth. The infection begins immediately after the VBScript file is downloaded to the victim’s system.

Attack chain for the ScreenConnect deployment (Source - Zscaler)

Initial Loader Obfuscation

The VBScript loader is heavily obfuscated to impede analysis. Instead of directly referencing system objects, it dynamically constructs their names at runtime using nested string replacement functions. For instance, “WScript.Shell” is not present in plain text but is assembled from a convoluted string that only resolves during script execution. This dynamic construction prevents static analysis tools from easily identifying the script’s true purpose. The loader also builds the command it executes next out of dozens of Chr() calls combined with arithmetic expressions, each resolving to a single ASCII character. The resulting command runs silently in a hidden window, giving the victim no visual cue.

Fraudulent page impersonating Adobe (Source - Zscaler)

In-Memory Execution and Process Masquerading

Following the VBScript’s execution, PowerShell is launched with the -ExecutionPolicy Bypass flag, which permits script execution even on systems configured with restrictive local policies. PowerShell then downloads an additional file from Google Drive, loads it entirely into memory, and compiles it as C# source code. Crucially, the compiled result is never written to disk. This in-memory loader, a .NET assembly embedded within a large byte array, uses .NET reflection with Assembly.Load(byte[]) and EntryPoint.Invoke() to execute the next stage entirely within the current process.

Downloaded VBScript payload masquerading as an Adobe Acrobat Reader installer (Source - Zscaler)

To further evade detection, the loader employs Process Environment Block (PEB) manipulation. The PEB is a Windows memory structure containing vital information about a running process, including its name and file path. The loader overwrites these fields to appear as winhlp32.exe, a legitimate Windows help binary. This masquerading causes security tools and user-mode monitoring software that rely on PEB metadata to perceive the malicious loader as a harmless, legitimate process.

Privilege Escalation via UAC Bypass

Beyond process masquerading, the attackers leverage Windows’ auto-elevated Component Object Model (COM) objects to bypass User Account Control (UAC). Ordinarily, UAC would display a prompt requiring user approval for administrative actions. By targeting specific COM class IDs that Windows automatically runs with elevated privileges, the loader achieves administrative access silently. The elevation moniker string used for this bypass is stored in reverse within the code and is only reversed at runtime, making static signature detection significantly more challenging.

Code attempting to obtain an elevated COM object for privilege escalation (Source - Zscaler)

Final Payload Deployment

With administrative privileges secured, the final stage of the attack commences. A PowerShell command, decoded at runtime, first creates the C:\Temp directory. It then downloads ScreenConnect.ClientSetup.msi from x0[.]at/qOfN.msi and installs it using msiexec. Once the installation completes, the attacker has complete remote access to the victim’s machine through the legitimate ScreenConnect infrastructure.

PowerShell command that downloads ScreenConnect.ClientSetup.msi and installs it via msiexec (Source - Zscaler)

What You Should Do

  • Always download software directly from official vendor websites, even if an alternative source appears legitimate.
  • Implement application whitelisting to prevent the installation of unauthorized remote monitoring and management (RMM) tools.
  • Monitor for unusual PowerShell execution, particularly commands using the -ExecutionPolicy Bypass flag, and unexpected MSI installations.
  • Block access to untrusted file-hosting URLs, especially when such access is initiated by scripts.
  • Deploy and configure EDR solutions capable of detecting advanced evasion techniques like PEB manipulation and COM-based UAC bypasses.
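To make the monitoring recommendation concrete, here is an added Python example (not from the article or from Zscaler) that applies the chain described above to constructed process-creation records: PowerShell launched with -ExecutionPolicy Bypass by a script host, and msiexec installing from a Temp path underneath a PowerShell ancestor. The record fields and sample events are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:  # process-creation record; field set assumed (Sysmon ID 1 / 4688 style)
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str

# Constructed events, not real telemetry: a wscript.exe host spawns PowerShell with
# -ExecutionPolicy Bypass, which then installs an .msi from C:\Temp via msiexec.
# The last event is a benign, user-launched install that must not be flagged.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(4188, 4120, PS, r"C:\Windows\System32\wscript.exe",
              "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command [redacted]"),
    ProcEvent(4250, 4188, r"C:\Windows\System32\msiexec.exe", PS,
              r"msiexec /i C:\Temp\ScreenConnect.ClientSetup.msi /qn"),
    ProcEvent(5001, 3300, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
              r"msiexec /i C:\Users\alice\Downloads\7z.msi"),
]

EP_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.IGNORECASE)

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def has_powershell_ancestor(event: ProcEvent, by_pid: dict) -> bool:
    seen = set()  # guards against PID reuse producing a loop in the chain
    while event.ppid in by_pid and event.ppid not in seen:
        seen.add(event.ppid)
        event = by_pid[event.ppid]
        if _name(event.image).startswith("powershell"):
            return True
    return False

def flag_events(events: list) -> list:
    """Return (pid, reason) pairs for events matching the article's chain."""
    by_pid, hits = {e.pid: e for e in events}, []
    for e in events:
        name, parent = _name(e.image), _name(e.parent_image)
        if name.startswith("powershell") and EP_BYPASS.search(e.command_line):
            via = f", spawned by script host {parent}" if parent in ("wscript.exe", "cscript.exe") else ""
            hits.append((e.pid, "PowerShell started with -ExecutionPolicy Bypass" + via))
        elif name == "msiexec.exe" and (re.search(r"\\Temp\\", e.command_line, re.IGNORECASE)
                                        or has_powershell_ancestor(e, by_pid)):
            hits.append((e.pid, "msiexec install from a Temp path or under a PowerShell ancestor"))
    return hits
```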
