In a detailed analysis published on January 27, 2025, Zimperium’s zLabs team uncovered a sophisticated phishing campaign targeting mobile devices through malicious PDF files.
Disguised as communications from the United States Postal Service (USPS), this campaign employs advanced social engineering and obfuscation tactics to steal user credentials and sensitive data.
The campaign reportedly spans more than 50 countries, underscoring the global scale of the threat.
.png
)
PDF, a widely used enterprise file format, has become an unexpected avenue for cyberattacks due to its perceived safety.
Often considered immutable and trustworthy, PDF files are now exploited by attackers embedding malicious links and scripts.
Mobile devices, with their limited capacity to offer document previews and analyze embedded links, are particularly vulnerable.
Without robust on-device protections, enterprises risk exposing sensitive data to such threats.
Are you from SOC/DFIR Teams? - Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free
Innovative Techniques in Obfuscation
Zimperium’s research uncovered over 20 malicious PDF files and 630 phishing pages linked to the campaign.
A novel deployment method was identified in the PDF files, where clickable elements were obscured by not using the conventional /URI tag for web links.
This deliberate choice allowed attackers to bypass detection mechanisms in many endpoint security solutions, while the same URLs embedded with standard tags were flagged as malicious.
The PDFs operated within a hierarchical structure of objects catalogs, pages, fonts, and external objects (XObjects) to create hidden links.
By employing deceptive attributes such as white text and layering clickable buttons over hidden elements, the attackers effectively obfuscated their actions within the files.
On select platforms like Chrome and macOS Preview, these tactics rendered the hidden links clickable, leading users to phishing websites.
The campaign further included a USPS-themed landing page designed to extract personal and payment information.
The data, encrypted using the Rabbit stream cipher, was transmitted to an attacker-controlled server while stored locally on the victim’s browser.
Multilingual support observed in the phishing pages suggests the use of a phishing kit capable of targeting users worldwide.
Zimperium highlights the efficacy of its Mobile Threat Defense (MTD) solutions in addressing such evolving threats.
Utilizing on-device AI-based detection, Zimperium’s solutions identify malicious PDFs and phishing links in real-time, even in offline environments.
This approach ensures privacy by conducting all analysis locally on the device, eliminating the need to upload sensitive content to the cloud.
By combining zero-day threat detection with robust AI algorithms, Zimperium empowers enterprises to safeguard sensitive data and workflows from PDF-based phishing campaigns and advanced exploit techniques.
The findings reinforce the importance of adopting sophisticated on-device defenses in combating the rapidly evolving landscape of mobile-based cyber threats.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
