Fake Adobe Document Cloud Pages Push ScreenConnect Malware at Financial Firms


Fortra researchers have uncovered a phishing campaign that uses fake Adobe Document Cloud pages to install ScreenConnect remote access malware on victim systems. According to the Fortra RatPressto report, the campaign targets financial organizations with phishing emails that imitate secure document-sharing notifications.

The emails tell victims that a confidential project document has been uploaded through Adobe Document Cloud. The link does not lead to Adobe. It sends the user to a compromised WordPress site that hosts a fake Adobe-branded page and silently starts the malware delivery chain.

The campaign stands out because it does not rely on a custom backdoor at first. Instead, it abuses ScreenConnect, a legitimate remote support platform, to blend malicious remote access into normal enterprise software traffic.

What RatPressto Is

Fortra’s Intelligence and Research Experts team calls the phishing kit RatPressto because it combines WordPress-hosted phishing pages with a ScreenConnect-based remote access payload. The kit appears reusable, privately maintained, and designed for repeated deployment across compromised websites.

The phishing pages mimic trusted business workflows. They show Adobe-style branding, loading animations, and a “Download Complete” message that makes the victim think a secure file has already arrived. In reality, the page uses a hidden iframe to trigger the payload download in the background.

The lure works because Adobe document sharing is common in business environments. Adobe’s own support pages describe how users can share cloud documents and invite others to review files, which gives attackers a familiar workflow to impersonate.

How the Fake Adobe Page Delivers Malware

The attack starts with a phishing email that looks like a file-sharing alert. The message directs the victim to a compromised WordPress site where the RatPressto kit is installed.

Stage one shows the fake Adobe page and tells the user that the document download has completed. This keeps the victim focused on the visible page while the real payload action happens in the background.

Stage two uses a hidden iframe that points to a PHP delivery file. That file triggers the ScreenConnect installer download before the victim takes any meaningful action. The page then instructs the user to open the downloaded file manually.

Stage                | What the Victim Sees                             | What Happens Behind the Scenes
---------------------|--------------------------------------------------|------------------------------------------------------------
Phishing email       | A fake Adobe Document Cloud notification         | The link sends the user to a compromised WordPress site
Fake Adobe page      | A branded download page with a loading animation | The kit prepares the payload delivery flow
Hidden iframe        | Instructions to open a downloaded file           | The ScreenConnect installer download starts silently
Installer execution  | A business-themed file name                      | The system connects to attacker-controlled infrastructure

ScreenConnect Abuse Makes the Campaign Harder to Spot

ScreenConnect is a legitimate remote support and access tool used by IT teams. Its official site describes unattended access as a way to maintain always-on access to managed devices, which helps explain why attackers want to abuse it after phishing a user.

In this campaign, the attacker uses ScreenConnect as a remote access channel after the victim runs the installer. Fortra reported a self-hosted command-and-control server at cloud.zistopstoabetterlife.com on TCP port 8041.

This type of abuse fits the broader MITRE ATT&CK category for legitimate remote access tools. The MITRE ATT&CK T1219 entry notes that adversaries can use remote access software to establish interactive command-and-control sessions inside victim networks.

Compromised WordPress Sites Help the Kit Scale

Fortra found the kit deployed across multiple compromised WordPress sites. Several had publicly reachable wp-admin pages, which suggests the attacker may have used stolen credentials, weak administrator security, or vulnerable plugins to upload the phishing files.

The kit files followed a repeatable pattern. Investigators observed files such as download.html, complete.php, and download.php placed inside WordPress-accessible directories. Some deployments also included Elementor metadata and Yoast SEO remnants, which suggests the kit was embedded into otherwise normal WordPress content structures.

WordPress site owners should review the official WordPress hardening guidance, restrict access to administrative interfaces where possible, and require stronger authentication for admin accounts.
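The file pattern Fortra describes (download.html, complete.php and download.php dropped into WordPress-accessible directories, with the "Download Complete" page loading a PHP file through a hidden iframe) can be turned into a simple scan a site owner runs against their own web root. The following is an added example, not code from the report or from any project; the directory layout it builds is constructed for the demonstration, and the placeholder PHP content stands in for the kit's real delivery file, which the article does not reproduce.

```python
import os
import re
import tempfile

# Kit file names Fortra observed in RatPressto deployments. download.php is also a common
# legitimate plugin file name, so a name hit on its own is a lead, not proof.
KIT_FILE_NAMES = {"download.html", "complete.php", "download.php"}
# An iframe whose src is a PHP file and whose tag hides or zero-sizes the frame.
PHP_IFRAME = re.compile(r"<iframe\b[^>]*\bsrc=[\"']?[^\"'\s>]*\.php[^>]*>", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|\b(width|height)=[\"']?0\b", re.I)


def scan_webroot(root):
    """Return (relative path, reason) pairs for files matching the kit's pattern."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in KIT_FILE_NAMES:
                findings.append((rel, "file name matches RatPressto kit pattern"))
            if name.lower().endswith((".html", ".htm", ".php")):
                with open(path, encoding="utf-8", errors="replace") as f:
                    text = f.read()
                if any(HIDDEN.search(m.group(0)) for m in PHP_IFRAME.finditer(text)):
                    findings.append((rel, "hidden iframe loading a PHP file"))
    return sorted(findings)


def build_sample_site():
    """Constructed WordPress-like tree: two kit-style files next to a normal index.php."""
    root = tempfile.mkdtemp()
    kit_dir = os.path.join(root, "wp-content", "uploads", "2024")
    os.makedirs(kit_dir)
    with open(os.path.join(kit_dir, "download.html"), "w") as f:
        f.write('<html><body><h1>Download Complete</h1>'
                '<iframe src="complete.php" style="display:none"></iframe></body></html>')
    with open(os.path.join(kit_dir, "complete.php"), "w") as f:
        f.write("<?php /* placeholder standing in for the kit's delivery file */ ?>")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php require __DIR__ . '/wp-blog-header.php'; ?>")
    return root
```

Run scan_webroot() against a real web root and review each hit by hand; a hidden iframe pointing at a PHP file inside an uploads directory is the stronger signal, since that directory should not normally contain executable pages.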

Why the Campaign Targets Financial Organizations

Financial firms handle documents that often require urgent review, approval, and secure sharing. A fake document cloud notification can fit naturally into daily work, especially when the file name matches a real company, investment, project, or client.

Fortra said the campaign uses victim-specific file naming. One observed payload used a business-themed name such as CapraAssetManagementInc.vbs, making the download look tied to the target’s own business context.

Once ScreenConnect runs, attackers may gain remote control of the device and access sensitive data. This can support credential theft, data exfiltration, internal reconnaissance, and follow-on compromise.

Known Infrastructure and Payload Clues

Type           | Indicator                         | Description
---------------|-----------------------------------|------------------------------------------------------------------
Domain         | cloud.zistopstoabetterlife[.]com  | Self-hosted ScreenConnect command-and-control server on port 8041
Domain         | ampliawifi[.]com                  | Actor-controlled WordPress deployment
Domain         | gaheempreendimentos[.]com         | Actor-controlled Cloudflare-protected deployment
Domain         | iconclinic[.]ae                   | Compromised WordPress site with exposed wp-admin
Domain         | vetcarebd[.]xyz                   | Compromised payload delivery host
Domain         | nabellacouture[.]com              | Compromised payload delivery host
IP address     | 177.154.191[.]148                 | São Paulo infrastructure linked to the campaign
File           | ScreenConnect.ClientSetup.msi     | ScreenConnect installer payload
File           | microsoftceo.exe                  | Reported malicious dropper executable
GitHub account | creativebobo                      | Payload staging repositories observed in the campaign

What Defenders Should Monitor

Security teams should look for unexpected ScreenConnect installations, especially when msiexec launches from temporary folders or user download paths. A sudden outbound connection to TCP port 8041 should also receive attention when the organization does not use self-hosted ScreenConnect infrastructure.

Teams can also map this activity to remote access software abuse in MITRE ATT&CK. That helps detection teams write rules around unusual remote administration software, rather than only searching for classic malware files.

  • Unexpected ScreenConnect.ClientSetup.msi downloads
  • msiexec activity launched from temporary or user-controlled directories
  • Outbound traffic to port 8041 from non-IT systems
  • New remote access services installed without approval
  • Phishing pages hosted under WordPress paths
  • Publicly exposed wp-admin panels on business websites
  • Suspicious VBS files named after the victim organization
  • Batch scripts that delete themselves after execution
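The first three items above (msiexec running ScreenConnect.ClientSetup.msi from a temporary or download folder, and outbound TCP/8041 from systems that have no business talking to a self-hosted ScreenConnect server) translate directly into detection logic. The following is an added example rather than code from the report: the process and network events are constructed sample telemetry in a simple key=value form, and the approved-server and IT-host allowlists stand in for the baseline an organization that legitimately uses ScreenConnect would maintain.

```python
import re

# Constructed sample telemetry for this example (not taken from the Fortra report):
# one process-creation or network-connection event per line, key=value with quoted values.
PROCESS_EVENTS = [
    'host=FIN-WS-07 user=alice image=C:\\Windows\\System32\\msiexec.exe '
    'cmdline="msiexec.exe /i C:\\Users\\alice\\Downloads\\ScreenConnect.ClientSetup.msi /quiet"',
    'host=IT-ADMIN-01 user=helpdesk image=C:\\Windows\\System32\\msiexec.exe '
    'cmdline="msiexec.exe /i C:\\ProgramData\\Deploy\\ScreenConnect.ClientSetup.msi"',
    'host=FIN-WS-07 user=alice image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe report.txt"',
]
NETWORK_EVENTS = [
    "host=FIN-WS-07 dst=cloud.zistopstoabetterlife.com dport=8041 proto=tcp",
    "host=IT-ADMIN-01 dst=support.example-corp.internal dport=8041 proto=tcp",
    "host=FIN-WS-07 dst=updates.example.com dport=443 proto=tcp",
]

# Assumed organisational baseline: the one approved self-hosted ScreenConnect server
# and the hosts that are allowed to talk to it.
APPROVED_SC_SERVERS = {"support.example-corp.internal"}
IT_HOSTS = {"IT-ADMIN-01"}

# Temp folders and user download paths, where a phished user would run the installer.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\Downloads|Temp)\\", re.I)


def parse(line):
    """Split a key=value event line; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def check_process(line):
    ev = parse(line)
    cmd = ev.get("cmdline", "")
    if "msiexec" not in ev.get("image", "").lower():
        return None
    if "screenconnect.clientsetup.msi" not in cmd.lower():
        return None
    if not USER_WRITABLE.search(cmd):
        return None  # installer run from a deployment share: left to the baseline review
    return f"{ev.get('host')}: msiexec installing ScreenConnect from a user-writable path"


def check_network(line):
    ev = parse(line)
    if ev.get("dport") != "8041":
        return None
    if ev.get("dst") in APPROVED_SC_SERVERS and ev.get("host") in IT_HOSTS:
        return None
    return f"{ev.get('host')}: outbound TCP/8041 to unapproved ScreenConnect server {ev.get('dst')}"


def find_alerts(process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS):
    alerts = [a for a in map(check_process, process_events) if a]
    alerts += [a for a in map(check_network, network_events) if a]
    return alerts
```

On the sample data only the finance workstation is flagged, twice: once for the installer launched from its Downloads folder and once for the connection to the unapproved server; the helpdesk host's scripted install from a deployment share and its connection to the approved server pass.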

How Organizations Can Reduce the Risk

Enterprises should train users to treat document-sharing emails with caution, even when they appear to use familiar branding. A real Adobe file-sharing flow should come from known Adobe domains, and users should avoid running downloaded installers to view a shared document.

Adobe’s help pages show that legitimate shared documents can appear in Adobe apps and shared document views. Users who receive unexpected document notifications should verify them through the official Adobe cloud document sharing workflow instead of following links from suspicious emails.

WordPress administrators should patch plugins, remove unused themes, limit admin exposure, and enforce multi-factor authentication. The WordPress hardening handbook also recommends basic security measures that reduce the chance of a site becoming a phishing host.

ScreenConnect Controls Need Extra Review

Organizations that legitimately use ScreenConnect should maintain a list of approved servers, agents, certificates, and installer names. Any installer that does not match that baseline should trigger review.

The official ScreenConnect unattended access page describes how access agents can keep persistent remote connections to devices. That same persistence explains why unauthorized installations need immediate investigation.

Security teams should block known malicious infrastructure, review remote access software policies, and alert when remote administration tools appear on systems that do not normally need them.

The Bottom Line

RatPressto shows how attackers can combine phishing, compromised WordPress sites, and legitimate remote access software into a convincing enterprise attack. The fake Adobe page distracts the user, while the hidden iframe and installer create a path to remote control.

The strongest defenses are simple but important: verify document-sharing emails, lock down WordPress admin access, monitor remote access software, and investigate unexpected ScreenConnect activity before attackers use it to move deeper into the network.

FAQ

What is RatPressto?

RatPressto is a private phishing kit identified by Fortra. It uses fake Adobe Document Cloud pages hosted on compromised WordPress sites to deliver ScreenConnect-based remote access malware.

How does the fake Adobe Document Cloud attack work?

The attack starts with a phishing email that imitates an Adobe file-sharing notification. The link opens a fake Adobe page on a compromised WordPress site, where a hidden iframe triggers a ScreenConnect installer download.

Is this a ScreenConnect vulnerability?

No. The campaign abuses ScreenConnect as a legitimate remote access tool. The report does not describe a new ScreenConnect software vulnerability.

Why are WordPress sites involved in RatPressto?

Attackers use compromised WordPress sites to host the phishing kit. Fortra observed exposed wp-admin pages and kit files placed in WordPress-accessible directories, suggesting weak admin security or compromised credentials.

What should security teams check for?

Security teams should look for unexpected ScreenConnect installations, msiexec activity from temporary folders, outbound traffic to port 8041, suspicious VBS files, and phishing pages hosted under WordPress paths.
