YIKES! Cybercriminals flood the Internet with 100,000 malicious PDF documents

Cybercriminals are resorting to search engine poisoning techniques to lure business professionals to seemingly legitimate Google sites that install a Remote Access Trojan (RAT) capable of carrying out a broad range of attacks.

The attack works by leveraging searches for business forms such as invoices, templates, questionnaires, and receipts as a stepping stone toward infiltrating systems. Users attempting to download the alleged document templates are redirected, without their knowledge, to a malicious website that hosts the malware.

“As soon as the RAT is on the victim’s computer and activated, the threat actors can send out commands and upload extra malware to the infected system, such as ransomware, a credential stealer, a banking trojan, or basically use the RAT as a foothold into the victim’s network,” researchers from eSentire said in a write-up released on Tuesday.


The cybersecurity firm said it uncovered about 100,000 unique web pages that contain popular business terms or keywords such as template, invoice, receipt, questionnaire, and resume, allowing the pages to rank higher in search results and therefore increasing the likelihood of success.

When a victim lands on the attacker-controlled website and downloads the document being searched for, it becomes an entry point for more sophisticated threats, ultimately resulting in the installation of a .NET-based RAT named SolarMarker (aka Yellow Cockatoo, Jupyter, and Polazert).

In one case investigated by eSentire, which involved an employee of a financial management company, the malware executable was disguised as a PDF document that, when launched, deployed the RAT along with a legitimate version of Trim PDF as a decoy.
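A defensive check for the disguise described above, as an added example that is not code from eSentire or from this article: it flags downloads whose content is a Windows executable while the name claims a document or carries one of the lure keywords listed earlier. The function names, result labels and sample files are hypothetical and constructed for illustration.

```python
import re
import struct

# Lure keywords the article says the malicious pages were seeded with.
LURE_WORDS = re.compile(r"template|invoice|receipt|questionnaire|resume", re.I)
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage(name: str, data: bytes) -> str:
    """Classify one downloaded file by comparing its name with its real content."""
    if not is_pe(data):
        return "ok"
    lower = name.lower()
    stem = lower.rsplit(".", 1)[0]
    if lower.endswith(DOC_EXTS) or stem.endswith(DOC_EXTS):
        return "disguised-executable"   # invoice.pdf or invoice.pdf.exe with PE content
    if LURE_WORDS.search(lower):
        return "lure-executable"        # business-form name on an .exe
    return "executable"

def fake_pe() -> bytes:
    # Constructed 68-byte stub: enough header for is_pe(), not a working program.
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"

# Constructed sample downloads (hypothetical file names).
SAMPLES = {
    "Employee-Questionnaire.pdf": b"%PDF-1.7\n" + b"\0" * 80,
    "Invoice-Template.pdf.exe": fake_pe(),
    "resume.pdf": fake_pe(),
    "receipt-form.exe": fake_pe(),
    "setup.exe": fake_pe(),
}

def scan(files: dict) -> dict:
    """Map each file name to its triage verdict."""
    return {name: triage(name, data) for name, data in files.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:22} {name}")
```
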


“Another troubling aspect of this campaign is that the SolarMarker group has populated many of their malicious web pages with keywords relating to financial documents,” said Spence Hutchinson, eSentire’s manager of risk intelligence.

“A financial cybercrime group would consider an employee working in the finance department of a company, or an employee working for a financial organization, a high-value target. Unfortunately, once a RAT is comfortably installed, the potential fraud activities are numerous.”