👤 LOGICFALCON
🗓️ 13 Jan 2026  

Signed, Sealed, Deceived: How Weaponized PDFs and Trusted IT Tools Are Fueling a New Wave of Cyber Intrusions

Attackers are exploiting legitimate remote management tools and convincing PDFs to slip past defenses and hijack organizations.

It begins with a seemingly routine email - an invoice, a product order, a payment issue. But hidden behind the professional veneer is a sophisticated cyber scheme, one that turns the very tools meant to protect businesses into silent accomplices. In a campaign uncovered by AhnLab Security Intelligence Center (ASEC), attackers are fusing weaponized PDF attachments with trusted Remote Monitoring and Management (RMM) software, forging a path past security barriers and into the heart of unsuspecting organizations.

Fast Facts

  • Attackers are distributing malware via PDFs that mimic invoices and business documents.
  • Malicious PDFs trick users into downloading RMM installers from fake Google Drive or Adobe pages.
  • Legitimate RMM tools like Syncro, ScreenConnect, NinjaOne, and SuperOps are being abused as payload delivery vehicles.
  • Malware installers are signed with valid certificates, making them harder to detect.
  • The campaign has been active since at least October 2025, with evidence of coordinated threat actor operations.

Weaponizing Trust: The New Cybercrime Playbook

This campaign’s genius is in its subterfuge. By disguising malicious intent within the ordinary - PDFs labeled as financial documents - attackers exploit human curiosity and urgency. Once opened, these PDFs either display a convincing image urging the user to click a Google Drive link or throw up an error pointing to a fake Adobe site. Both routes funnel the victim to phishing pages that impersonate familiar cloud services, with files named to mimic innocuous media, like “Video_recorded_on_iPhone17.mp4.”

The real payload, however, is a legitimate RMM tool - software used by Managed Service Providers (MSPs) and IT teams to remotely control devices. Because these tools are commonly whitelisted by security systems, their installation raises few alarms. But in the wrong hands, they become powerful backdoors. The attackers go a step further, signing their installers with valid digital certificates and embedding unique configurations, suggesting a well-resourced and organized operation.

This is not the first time RMM tools have been co-opted by cybercriminals: Syncro has previously been used by ransomware gangs like Chaos and Royal, while ScreenConnect has featured in high-profile breaches linked to ALPHV/BlackCat and Hive. The difference now is the blending of social engineering (phishing PDFs) with technical trust (signed, legitimate software), making detection and prevention a far greater challenge.

ASEC’s investigation highlights the necessity of vigilance - especially regarding unsolicited attachments that reference financial matters or document errors. Organizations are urged to verify email authenticity, keep systems updated, and monitor for unusual RMM tool installations. Application allowlisting and behavioral monitoring may help catch these stealthy incursions before they escalate.
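One way to act on that last recommendation, as an added example that is not part of the article or the ASEC report: a small Python scanner over constructed process-creation records that flags an RMM agent running on a host outside an IT allowlist, from a user-writable directory, or under a media-style double extension like the file name quoted above. The log format, host names, product strings and allowlist are assumptions.

```python
import re

# RMM products the article names as abused, matched on the file's product field
# and its name, since the installer itself may be renamed to look like a video.
RMM_PRODUCTS = {
    "Syncro": re.compile(r"syncro", re.I),
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "NinjaOne": re.compile(r"ninjaone", re.I),
    "SuperOps": re.compile(r"superops", re.I),
}
# Hypothetical allowlist: hosts where IT deployed each tool deliberately.
APPROVED_HOSTS = {"ScreenConnect": {"it-jump01"}}
USER_WRITABLE = re.compile(r"\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)
MEDIA_DOUBLE_EXT = re.compile(r"\.(mp4|mov|jpg|png|pdf)\.(exe|msi)$", re.I)

def parse_event(line: str) -> dict[str, str]:
    """Parse one constructed key="value" process-creation record."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def assess_event(ev: dict[str, str]) -> list[str]:
    """Return why an event looks like an unauthorised RMM install (empty if clean)."""
    text = ev.get("product", "") + " " + ev.get("image", "")
    product = next((n for n, p in RMM_PRODUCTS.items() if p.search(text)), None)
    if product is None:
        return []
    reasons = []
    if ev.get("host") not in APPROVED_HOSTS.get(product, set()):
        reasons.append(f"{product} on a host outside the allowlist")
    if USER_WRITABLE.search(ev.get("image", "")):
        reasons.append("run from a user-writable directory")
    if MEDIA_DOUBLE_EXT.search(ev.get("image", "")):
        reasons.append("executable disguised with a media extension")
    return reasons

def scan(log_text: str) -> dict[str, list[str]]:
    """Map each flagged image path to its reasons; clean events are dropped."""
    findings = {}
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_event(line)
        if reasons := assess_event(ev):
            findings[ev["image"]] = reasons
    return findings

# Constructed sample records, not taken from the ASEC report.
SAMPLE_LOG = '''
host="fin-ws12" user="alice" image="C:\\Users\\alice\\Downloads\\Video_recorded_on_iPhone17.mp4.exe" product="SuperOps" parent="explorer.exe"
host="it-jump01" user="svc_rmm" image="C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe" product="ScreenConnect" parent="services.exe"
host="hr-ws03" user="bob" image="C:\\Users\\bob\\AppData\\Local\\Temp\\Invoice_2025-10.pdf.exe" product="Syncro" parent="explorer.exe"
host="hr-ws03" user="bob" image="C:\\Windows\\System32\\notepad.exe" product="Microsoft Windows" parent="explorer.exe"
'''
```

Running `scan(SAMPLE_LOG)` flags the two renamed installers and stays silent on the approved ScreenConnect service and on Notepad.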

The Double-Edged Sword of IT Automation

As businesses increasingly rely on remote management to streamline operations, the tools they trust become prime targets for manipulation. This campaign is a stark reminder: in cybersecurity, yesterday’s trusted ally can become tomorrow’s Trojan horse. The line between legitimate utility and lethal threat has never been thinner.

WIKICROOK

  • Remote Monitoring and Management (RMM): RMM tools let IT professionals remotely control, monitor, and maintain computers - helpful for support, but risky if misused.
  • Payload: A payload is the harmful part of a cyberattack, like a virus or spyware, delivered through malicious emails or files when a victim interacts with them.
  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • Digital Certificate: A digital certificate is an electronic document that verifies the identity of websites or programs, helping ensure secure and trusted online communication.
  • Allowlisting: Allowlisting is a security policy that permits only pre-approved software or users to access a system, blocking all others by default.
