A sophisticated phishing campaign is actively targeting financial organizations by using fake Adobe Document Cloud pages to silently deliver ScreenConnect, a legitimate remote access tool, as a backdoor on victim machines.
The operation is well-structured, deceptive, and difficult to detect because it blends into everyday enterprise software activity.
The campaign works by sending phishing emails that look like legitimate Adobe Document Cloud file-sharing notifications. Victims are told a confidential project document has been uploaded to Adobe Document Cloud and are given a link to view it.
That link leads to a compromised WordPress website hosting a convincing fake Adobe page designed to trick users into triggering a malware download without realizing it.
Researchers from Fortra’s Intelligence and Research Experts (FIRE) team identified the phishing kit behind this operation and named it “RatPressto.”
Fortra said in a report shared with Cyber Security News (CSN) that the kit is reusable, privately maintained, and engineered to maximize victim trust while minimizing security detection.
The campaign is assessed with medium confidence to originate from a Brazilian threat actor, based on infrastructure tied to São Paulo.
What makes this campaign stand out is how it uses legitimate software to stay under the radar. Rather than deploying custom malware, the attacker abuses ScreenConnect, a widely used remote administration tool, to gain full control of infected machines.
Blending malicious activity into normal business software traffic makes it far harder for standard security tools to raise an alarm. The campaign has shown consistent operational maturity with reusable infrastructure across many deployments.
Multiple compromised websites were found hosting nearly byte-identical phishing pages, with only the victim-specific file name changed between campaigns. This points strongly to a single, well-organized actor group managing a centralized private phishing kit.
Hackers Use Fake Adobe Document Cloud Pages
The RatPressto kit operates in two stages designed to keep the victim occupied while the ScreenConnect installer is fetched in the background.
Stage one presents the victim with a convincing fake Adobe page showing a “Download Complete” message, complete with Adobe branding and a loading animation. This page has one purpose: buy time while the real action happens in the background.
That background action is stage two: a hidden iframe silently triggers the download of a ScreenConnect installer. The page then shows instructions telling the victim to open a file, but the malicious installer has already landed on disk before they take any action.
Once the installer runs, ScreenConnect is installed quietly with no visible interface, and the infected machine connects back to a self-hosted ScreenConnect relay, which serves as the command-and-control server, at cloud.zistopstoabetterlife[.]com on TCP port 8041.
The attacker stages additional payloads through GitHub repositories under the account “creativebobo,” and uses heavily obfuscated batch scripts that delete themselves after execution to clean up traces.
File names are customized to match the victim’s business context, such as using a company name in the installer file, making the download appear even more legitimate at first glance.
Compromised WordPress Sites at the Core of the Attack
A key part of this campaign is the abuse of poorly secured WordPress websites to host the phishing kit.
Investigators found that multiple compromised sites had publicly exposed WordPress admin interfaces, suggesting that the attacker used stolen credentials or exploited vulnerable plugins to gain access and upload the phishing files directly.
The phishing kit files, including download.html, complete.php, and download.php, were deployed into WordPress-accessible directories.
The consistency of this pattern across many unrelated websites strongly suggests that compromising WordPress admin panels is a deliberate step in the attacker’s deployment process, not an accident.
Organizations are advised to audit their WordPress environments for exposed admin interfaces and disable public access to wp-admin where possible.
Enforcing multi-factor authentication on all WordPress administrator accounts, blocking the infrastructure listed below, and hunting for ScreenConnect installations that were not deployed by your own IT team are strongly recommended steps. Network defenders should also alert on outbound connections to TCP port 8041, especially to hosts outside any approved ScreenConnect relay, and watch for msiexec installing an MSI from a user-writable temporary or downloads directory. Neither signal is conclusive on its own (legitimate ScreenConnect deployments use the same relay port, and software installers routinely run msiexec from temporary paths), but combined with the domains and file names below they are strong indicators of this infection chain in action.
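The following Python is an added hunting example, not code from Fortra's report or from this article. It turns the two-stage chain described above (hidden-iframe MSI download, silent ScreenConnect install, call-back on TCP 8041) and the recommendations in the previous paragraph into checks run over constructed sample telemetry shaped like Sysmon process-creation, network-connection and service-install records. It assumes an allowlist of your own ScreenConnect relay host (support.example-corp.com is a placeholder) and parses the relay host and port from the client service ImagePath, where ScreenConnect clients carry them as query-string parameters; the indicators are the fanged form of the ones in the IoC table below, because telemetry fields must be matched as they appear on the wire.

```python
import re
from urllib.parse import parse_qs

# Indicators quoted from the report (fanged here so they match telemetry as logged).
KNOWN_BAD_HOSTS = {"cloud.zistopstoabetterlife.com"}
KNOWN_BAD_IPS = {"177.154.191.148", "84.32.41.64"}
KNOWN_BAD_FILES = {"screenconnect.clientsetup.msi", "ceo.msi", "microsoftceo.exe"}
C2_PORT = 8041

# Relay hosts your organisation legitimately uses (hypothetical placeholder; replace with your own).
ALLOWED_RELAY_HOSTS = {"support.example-corp.com"}

# User-writable directories the chain stages its downloads in.
STAGING_DIR_RE = re.compile(r"\\(?:Temp|Downloads|AppData\\Local\\Temp|Windows\\Temp)\\", re.I)

# ScreenConnect client services carry their relay parameters in the ImagePath query string:
#   "...\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=<relay host>&p=<port>&s=<guid>&k=<key>"
RELAY_QS_RE = re.compile(r"ScreenConnect\.ClientService\.exe\"?\s+\"?\?([^\"]+)", re.I)


def relay_target(image_path):
    """Return (host, port) parsed from a ScreenConnect client service ImagePath, else None."""
    m = RELAY_QS_RE.search(image_path)
    if not m:
        return None
    qs = parse_qs(m.group(1))
    host = qs.get("h", [""])[0].lower()
    port = qs.get("p", [""])[0]
    return host, (int(port) if port.isdigit() else None)


def check_process(ev):
    """Flag msiexec or a script host consuming a payload from a staging directory."""
    name = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev.get("command_line", "")
    if name == "msiexec.exe" and STAGING_DIR_RE.search(cmd):
        return "msiexec installing an MSI from a user-writable staging directory"
    if name in ("wscript.exe", "cscript.exe") and re.search(r"\.vbs\b", cmd, re.I) and STAGING_DIR_RE.search(cmd):
        return "script host running a .vbs dropper from a staging directory"
    if any(f in cmd.lower() for f in KNOWN_BAD_FILES):
        return "command line references a file name from the report"
    return None


def check_network(ev):
    """Flag connections to listed infrastructure or to the relay port the actor uses."""
    if ev.get("dest_host", "").lower() in KNOWN_BAD_HOSTS or ev.get("dest_ip") in KNOWN_BAD_IPS:
        return "connection to infrastructure listed in the report"
    if ev.get("dest_port") == C2_PORT:
        return "outbound connection on TCP 8041 (ScreenConnect relay port used by the actor)"
    return None


def check_service(ev):
    """Flag ScreenConnect clients enrolled to a relay that is not one of ours."""
    target = relay_target(ev["image_path"])
    if target is None:
        return None
    host, port = target
    if host in KNOWN_BAD_HOSTS:
        return f"ScreenConnect client enrolled to actor relay {host}:{port}"
    if host not in ALLOWED_RELAY_HOSTS:
        return f"ScreenConnect client enrolled to unapproved relay {host}:{port}"
    return None


CHECKS = {"process": check_process, "network": check_network, "service": check_service}


def hunt(events):
    """Return (endpoint, verdict) pairs for every event that trips one of the checks."""
    findings = []
    for ev in events:
        verdict = CHECKS[ev["type"]](ev)
        if verdict:
            findings.append((ev["host"], verdict))
    return findings


# Constructed sample telemetry (not real data): one infected host, one clean host.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.msi" /qn'},
    {"type": "network", "host": "WS01", "dest_host": "cloud.zistopstoabetterlife.com",
     "dest_ip": "177.154.191.148", "dest_port": 8041},
    {"type": "service", "host": "WS01",
     "image_path": r'"C:\Program Files (x86)\ScreenConnect Client (abcd1234)\ScreenConnect.ClientService.exe" '
                   r'"?e=Access&y=Guest&h=cloud.zistopstoabetterlife.com&p=8041&s=00000000-0000-0000-0000-000000000000&k=placeholder"'},
    # Benign: an MSI installed from the SCCM cache, not a user-writable path.
    {"type": "process", "host": "WS02", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Windows\ccmcache\abc\agent.msi" /qn'},
    # Benign: a client enrolled to the organisation's own (placeholder) relay.
    {"type": "service", "host": "WS02",
     "image_path": r'"C:\Program Files (x86)\ScreenConnect Client (ffff0000)\ScreenConnect.ClientService.exe" '
                   r'"?e=Access&y=Guest&h=support.example-corp.com&p=443&s=11111111-1111-1111-1111-111111111111&k=placeholder"'},
]

if __name__ == "__main__":
    for endpoint, verdict in hunt(SAMPLE_EVENTS):
        print(f"{endpoint}: {verdict}")
```

The relay allowlist is what separates an unauthorized ScreenConnect install from your own support tooling: the file name and port alone are shared with every legitimate ScreenConnect deployment, so the service check should be the one you page on, with the msiexec and port-8041 rules feeding correlation rather than standalone alerts.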
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | cloud.zistopstoabetterlife[.]com | Self-hosted ScreenConnect C2 server (TCP port 8041) |
| Domain | ampliawifi[.]com | Actor-controlled WordPress deployment |
| Domain | gaheempreendimentos[.]com | Actor-controlled Cloudflare-protected deployment |
| Domain | c3po3090[.]com[.]br | Actor-controlled nameserver infrastructure |
| Domain | iconclinic[.]ae | Compromised victim WordPress site, wp-admin exposed |
| Domain | kinorot[.]co[.]il | Likely compromised victim infrastructure |
| Domain | vetcarebd[.]xyz | Compromised payload delivery host |
| Domain | nabellacouture[.]com | Compromised payload delivery host |
| Domain | birexo[.]icu | Additional phishing kit deployment |
| Domain | abpmed[.]com | Additional phishing kit deployment |
| IP Address | 177[.]154[.]191[.]148 | São Paulo, Brazil; actor hosting infrastructure |
| IP Address | 84[.]32[.]41[.]64 | Associated threat infrastructure |
| File | ScreenConnect.ClientSetup.msi | ScreenConnect installer payload |
| File | microsoftceo.exe | Malicious dropper executable |
| File | ceo.msi | MSI payload staged via GitHub |
| File | CapraAssetManagementInc.vbs | Victim-specific VBS dropper |
| URL Path | /wp-admin/ | Exposed WordPress admin interface used for kit deployment |
| URL Path | /download.html | Phishing kit stage 1 delivery file |
| URL Path | /complete.php | Phishing kit stage 2 PHP file |
| URL Path | /download.php | Hidden iframe payload trigger |
| GitHub Repo | creativebobo/ceoexe | GitHub staging repository for payloads |
| GitHub Repo | creativebobo/ceo | GitHub staging repository for payloads |
| Cloudflare Token | fcfd0b3135e24171980eef5488a4927b | Cloudflare telemetry beacon observed in newer kit samples |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.