VYPR · breach · Published May 29, 2026 · 1 source

RatPressto Phishing Campaign Uses Fake Adobe Document Cloud Pages to Deploy ScreenConnect Malware

Fortra's FIRE team uncovered a phishing campaign dubbed RatPressto that targets financial organizations with fake Adobe Document Cloud pages hosted on compromised WordPress sites to silently install ScreenConnect remote access malware.

A sophisticated phishing campaign is actively targeting financial organizations by using fake Adobe Document Cloud pages to silently install ScreenConnect remote access malware on victim machines. The operation is well-structured, deceptive, and difficult to detect because it blends into everyday enterprise software activity.

The campaign works by sending phishing emails that look like legitimate Adobe Document Cloud file-sharing notifications. Victims are told a confidential project document has been uploaded to Adobe Document Cloud and are given a link to view it. That link leads to a compromised WordPress website hosting a convincing fake Adobe page designed to trick users into triggering a malware download without realizing it.

Researchers from Fortra's Intelligence and Research Experts (FIRE) team identified the phishing kit behind this operation and named it "RatPressto." Fortra said in a report shared with Cyber Security News that the kit is reusable, privately maintained, and engineered to maximize victim trust while minimizing security detection. The campaign is assessed with medium confidence to originate from a Brazilian threat actor, based on infrastructure tied to São Paulo.

What makes this campaign stand out is how it uses legitimate software to stay under the radar. Rather than deploying custom malware, the attacker abuses ScreenConnect, a widely used remote administration tool, to gain full control of infected machines. Blending malicious activity into normal business software traffic makes it far harder for standard security tools to raise an alarm.

The RatPressto kit operates in two stages designed to keep the victim distracted while the malware installs itself silently. Stage one presents the victim with a convincing fake Adobe page showing a "Download Complete" message, complete with Adobe branding and a loading animation. This page has one purpose: buy time while the real action happens in the background. That background action is stage two, where a hidden iframe silently triggers the download of a ScreenConnect installer.

Once the installer runs, ScreenConnect is installed quietly with no visible interface, and the infected machine connects back to a self-hosted command-and-control server at cloud.zistopstoabetterlife.com on port 8041. The attacker stages additional payloads through GitHub repositories under the account "creativebobo," and uses heavily obfuscated batch scripts that delete themselves after execution to clean up traces.

A key part of this campaign is the abuse of poorly secured WordPress websites to host the phishing kit. Investigators found that multiple compromised sites had publicly exposed WordPress admin interfaces, meaning the attacker likely used stolen credentials or exploited vulnerable plugins to gain access and upload the phishing files directly. The consistency of this pattern across many unrelated websites strongly suggests that compromising WordPress admin panels is a deliberate step in the attacker's deployment process.

Organizations are advised to audit their WordPress environments for exposed admin interfaces and disable public access to wp-admin where possible. Enforcing multi-factor authentication on all WordPress administrator accounts, blocking known malicious infrastructure, and hunting for unauthorized ScreenConnect installations are strongly recommended steps. Network defenders should also alert on outbound connections to TCP port 8041 and watch for msiexec processes launched from temporary directories, as both are reliable indicators of this infection chain in action.
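As an added illustration of the hunting guidance above (example code written for this page, not from Fortra's report or the article), a small Python triage routine over constructed endpoint and network telemetry: it escalates outbound TCP connections to the command-and-control host named above, flags any other outbound connection to port 8041, and flags msiexec runs whose command line points into a temp directory. The log format, field names and sample events are assumptions made for the example.

```python
# Indicators taken from the reported infection chain: the C2 host and port are
# the ones named in the article; the log format and temp-dir list are assumed.
C2_HOST = "cloud.zistopstoabetterlife.com"
C2_PORT = 8041
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")

# Constructed sample telemetry (not real logs): "kind|field=value|..." per line.
SAMPLE_EVENTS = [
    "netconn|dst=cloud.zistopstoabetterlife.com|dport=8041|proto=tcp|dir=out",
    "netconn|dst=updates.example-corp.internal|dport=443|proto=tcp|dir=out",
    "netconn|dst=203.0.113.10|dport=8041|proto=tcp|dir=out",
    r"proc|image=C:\Windows\System32\msiexec.exe|cmdline=msiexec /i C:\Users\alice\AppData\Local\Temp\adobe_doc.msi /qn",
    r"proc|image=C:\Windows\System32\msiexec.exe|cmdline=msiexec /i C:\Program Files\Vendor\setup.msi",
    r"proc|image=C:\Windows\System32\cmd.exe|cmdline=cmd /c C:\Users\alice\AppData\Local\Temp\x.bat",
]

def parse(line):
    """Split 'kind|k=v|k=v' into (kind, {k: v})."""
    kind, *fields = line.split("|")
    return kind, dict(f.split("=", 1) for f in fields)

def check_netconn(ev):
    """Outbound TCP to the known C2 host is high; any other outbound 8041 is medium
    (self-hosted ScreenConnect relays legitimately use that port too)."""
    if ev.get("dir") != "out" or ev.get("proto") != "tcp":
        return None
    if ev.get("dst", "").lower() == C2_HOST:
        return "high"
    if ev.get("dport") == str(C2_PORT):
        return "medium"
    return None

def check_proc(ev):
    """msiexec whose command line references a temp directory is medium."""
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if image.endswith("\\msiexec.exe") and any(t in cmd for t in TEMP_DIRS):
        return "medium"
    return None

def triage(lines):
    """Return [(severity, raw_line)] for every event that matches a rule."""
    hits = []
    for line in lines:
        kind, ev = parse(line)
        sev = {"netconn": check_netconn, "proc": check_proc}.get(kind, lambda _: None)(ev)
        if sev:
            hits.append((sev, line))
    return hits

if __name__ == "__main__":
    for sev, line in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {line}")
```

On the constructed sample set the routine raises one high and two medium findings; the Program Files msiexec run and the plain cmd.exe event are deliberately left unflagged to show how narrow the rule is.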

Synthesized by Vypr AI