Security researchers have uncovered an ongoing spam campaign that tricks users into installing remote monitoring and management (RMM) software by means of fake PDF documents. The campaign emails businesses PDF attachments that look like invoices, receipts, or other important documents. When victims open these files, they see a notice claiming that the document failed to load.

The PDF then instructs users to click a link to view the content on what looks like an Adobe Acrobat download page. The technique works because it relies on genuine, legitimately distributed software rather than conventional malware. IT teams routinely use RMM tools to manage computers remotely, and once installed those same tools give an attacker complete control over the victim's system.

Because the software is digitally signed by its vendor and trusted by most antivirus products, it slips past common security controls. Researchers at SpiderLabs observed attackers using persistent spam campaigns to distribute these malicious PDFs. Instead of the real Adobe software, victims install RMM agents that give the threat actors continuous remote access to their systems.

By abusing trusted RMM software, attackers can maintain long-term access to compromised networks while blending in with regular IT activity. The campaign uses attachment names chosen to convey urgency, such as "Invoice_Details.pdf" or "Defective_Product_Order.pdf." Victims believe they must download software to view an important document; in reality they are installing remote access tools controlled by the attackers.

Strategies for Infection Chain and Persistence

The infection process starts when a victim receives an email containing a PDF attachment. Opening the document displays a fake error message stating that the content cannot be displayed, and the user is then asked to click a link that leads to a page mimicking Adobe's site.

This page hosts installers for RMM products such as ScreenConnect, Syncro, NinjaOne, and SuperOps. Once the installer runs, the RMM agent is silently installed on the victim's computer and immediately connects to servers under the attackers' control, giving them complete remote access. The attacker can then transfer files, control the keyboard and mouse, view the screen in real time, and retain access across system restarts.

Because these tools are built for legitimate IT management, security software rarely flags them as threats. Organizations should not download or install any RMM tool that their IT department has not authorized, and endpoint detection and response (EDR) solutions can help find unauthorized remote access software.

Training staff to recognize phishing emails and suspicious PDF documents remains essential to preventing initial compromise. Security teams should also block known malicious domains linked to these campaigns and monitor network traffic for connections to unexpected RMM servers.
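As an added example (not code from the article, from SpiderLabs, or from any of the vendors named), the following Python script shows the kind of check the last two paragraphs describe. It runs over constructed process and outbound-connection telemetry, flags any RMM agent that the IT policy does not sanction, and flags a sanctioned agent that connects to a server outside the domains it is expected to use. The process names, relay domains, policy, and sample records are assumptions made for illustration, not an authoritative indicator list.

```python
"""Flag RMM agents that IT policy does not sanction, and sanctioned agents
that contact relay servers outside their expected domains.

Added example for illustration only; not code from the article or any vendor.
Process names, domains and sample telemetry below are ASSUMPTIONS.
"""
import fnmatch
from dataclasses import dataclass

# Executable names associated with each RMM product's agent.
# ASSUMPTION: illustrative names only; build a real list from your own
# software inventory and vendor documentation.
RMM_PROCESSES = {
    "ScreenConnect": {"screenconnect.clientservice.exe",
                      "screenconnect.windowsclient.exe"},
    "Syncro": {"syncro.service.exe", "syncro.app.runner.exe"},
    "NinjaOne": {"ninjarmmagent.exe"},
    "SuperOps": {"superops.exe"},  # ASSUMPTION
}


@dataclass
class Policy:
    # RMM products IT has approved, mapped to the relay/controller domain
    # globs their agents are expected to contact (ASSUMED domains).
    sanctioned: dict


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    product: str
    reason: str
    destination: str = ""


def classify_process(process_name):
    """Return the RMM product an executable belongs to, or None."""
    name = process_name.lower()
    for product, names in RMM_PROCESSES.items():
        if name in names:
            return product
    return None


def host_matches(destination, patterns):
    """True if the host part of 'host:port' matches any allowed glob."""
    host = destination.rsplit(":", 1)[0].lower()
    return any(fnmatch.fnmatch(host, p.lower()) for p in patterns)


def find_unauthorized_rmm(records, policy):
    """records: dicts with 'host', 'process' and optional 'dest' (host:port).

    Returns Findings sorted by (host, process): one per unsanctioned RMM
    process, plus one per sanctioned RMM process talking to an unexpected
    destination. A sanctioned agent that has no destination is not flagged.
    """
    findings = []
    for r in records:
        product = classify_process(r["process"])
        if product is None:
            continue
        dest = r.get("dest", "")
        if product not in policy.sanctioned:
            findings.append(Finding(r["host"], r["process"], product,
                                    "unsanctioned RMM agent", dest))
        elif dest and not host_matches(dest, policy.sanctioned[product]):
            findings.append(Finding(r["host"], r["process"], product,
                                    "sanctioned RMM agent contacting "
                                    "unexpected server", dest))
    return sorted(findings, key=lambda f: (f.host, f.process))


# Constructed sample telemetry: one row per (process, outbound connection).
SAMPLE_RECORDS = [
    {"host": "ws-042", "process": "outlook.exe",
     "dest": "outlook.office365.com:443"},
    {"host": "ws-042", "process": "ScreenConnect.ClientService.exe",
     "dest": "relay.example-attacker.net:443"},
    {"host": "ws-017", "process": "NinjaRMMAgent.exe",
     "dest": "agent.ninjarmm.example:443"},
    {"host": "ws-017", "process": "NinjaRMMAgent.exe",
     "dest": "203.0.113.25:443"},
    {"host": "srv-db1", "process": "Syncro.Service.exe", "dest": ""},
]

# ASSUMED policy: only NinjaOne is approved, and only to this domain.
CORP_POLICY = Policy(sanctioned={"NinjaOne": ("*.ninjarmm.example",)})

if __name__ == "__main__":
    for f in find_unauthorized_rmm(SAMPLE_RECORDS, CORP_POLICY):
        print(f"{f.host}: {f.process} ({f.product}) {f.reason} {f.destination}")
```

The destination check matters because several RMM products can be self-hosted, so the mere presence of a product IT has approved is not enough: the same agent binary pointed at an attacker-operated server looks identical on disk. Feed the function real EDR process and connection events in place of the constructed rows, and keep the allowed-domain globs narrow.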