Cyber Security News

Hackers Mimic USPS To Deliver Malicious PDF In Attack Targeted Mobile Devices

In a detailed analysis published on January 27, 2025, Zimperium’s zLabs team uncovered a sophisticated phishing campaign targeting mobile devices through malicious PDF files.

Disguised as communications from the United States Postal Service (USPS), this campaign employs advanced social engineering and obfuscation tactics to steal user credentials and sensitive data.

The campaign reportedly spans more than 50 countries, underscoring the global scale of the threat.

PDF, a widely used enterprise file format, has become an unexpected avenue for cyberattacks due to its perceived safety.

Structure of the PDFStructure of the PDF
Structure of the PDF

Often considered immutable and trustworthy, PDF files are now exploited by attackers embedding malicious links and scripts.

Mobile devices, with their limited capacity to offer document previews and analyze embedded links, are particularly vulnerable.

Without robust on-device protections, enterprises risk exposing sensitive data to such threats.

Are you from SOC/DFIR Teams? - Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

Innovative Techniques in Obfuscation

Zimperium’s research uncovered over 20 malicious PDF files and 630 phishing pages linked to the campaign.

A novel deployment method was identified in the PDF files, where clickable elements were obscured by not using the conventional /URI tag for web links.

This deliberate choice allowed attackers to bypass detection mechanisms in many endpoint security solutions, while the same URLs embedded with standard tags were flagged as malicious.

Form to steal card info from the victim

The PDFs operated within a hierarchical structure of objects catalogs, pages, fonts, and external objects (XObjects) to create hidden links.

By employing deceptive attributes such as white text and layering clickable buttons over hidden elements, the attackers effectively obfuscated their actions within the files.

On select platforms like Chrome and macOS Preview, these tactics rendered the hidden links clickable, leading users to phishing websites.

The campaign further included a USPS-themed landing page designed to extract personal and payment information.

The data, encrypted using the Rabbit stream cipher, was transmitted to an attacker-controlled server while stored locally on the victim’s browser.

Multilingual support observed in the phishing pages suggests the use of a phishing kit capable of targeting users worldwide.

Zimperium highlights the efficacy of its Mobile Threat Defense (MTD) solutions in addressing such evolving threats.

Utilizing on-device AI-based detection, Zimperium’s solutions identify malicious PDFs and phishing links in real-time, even in offline environments.

This approach ensures privacy by conducting all analysis locally on the device, eliminating the need to upload sensitive content to the cloud.

By combining zero-day threat detection with robust AI algorithms, Zimperium empowers enterprises to safeguard sensitive data and workflows from PDF-based phishing campaigns and advanced exploit techniques.

The findings reinforce the importance of adopting sophisticated on-device defenses in combating the rapidly evolving landscape of mobile-based cyber threats.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

3 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

3 days ago