Cyber Security News

Hackers Mimic USPS To Deliver Malicious PDFs In Attacks Targeting Mobile Devices

In a detailed analysis published on January 27, 2025, Zimperium’s zLabs team uncovered a sophisticated phishing campaign targeting mobile devices through malicious PDF files.

Disguised as communications from the United States Postal Service (USPS), this campaign employs advanced social engineering and obfuscation tactics to steal user credentials and sensitive data.

The campaign reportedly spans more than 50 countries, underscoring the global scale of the threat.

PDF, a widely used enterprise file format, has become an unexpected avenue for cyberattacks due to its perceived safety.

Structure of the PDF

Often considered immutable and trustworthy, PDF files are now exploited by attackers embedding malicious links and scripts.

Mobile devices, with their limited capacity to offer document previews and analyze embedded links, are particularly vulnerable.

Without robust on-device protections, enterprises risk exposing sensitive data to such threats.


Innovative Techniques in Obfuscation

Zimperium’s research uncovered over 20 malicious PDF files and 630 phishing pages linked to the campaign.

A novel deployment method was identified in the PDF files, where clickable elements were obscured by not using the conventional /URI tag for web links.

This deliberate choice allowed attackers to bypass detection mechanisms in many endpoint security solutions, while the same URLs embedded with standard tags were flagged as malicious.

Form to steal card info from the victim

The PDFs relied on the format's hierarchical structure of objects (catalogs, pages, fonts, and external objects, or XObjects) to create hidden links.

By employing deceptive attributes such as white text and layering clickable buttons over hidden elements, the attackers effectively obfuscated their actions within the files.

On select platforms like Chrome and macOS Preview, these tactics rendered the hidden links clickable, leading users to phishing websites.
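As an added illustration of the detection gap described above (not code from the Zimperium report), the following Python triage heuristic extracts URLs from a PDF regardless of whether they are declared in a conventional /URI action, inflating FlateDecode streams first so that URLs hidden in compressed content streams are also seen. The sample PDF bytes are constructed here for the demonstration, and the `example.invalid` hosts are placeholders.

```python
"""Heuristic URL triage for PDFs: find URLs whether or not they sit in a /URI action."""
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/URI\s*\((https?://[^)]*)\)")


def inflate_streams(data: bytes) -> bytes:
    """Return the raw PDF bytes with every zlib-decodable stream body appended in
    decompressed form, so URLs inside FlateDecode content streams become searchable."""
    pieces = [data]
    for m in STREAM_RE.finditer(data):
        try:
            pieces.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a zlib stream (image data, other filter, plain text): skip it
    return b"\n".join(pieces)


def find_urls(pdf: bytes) -> dict:
    """Map every URL found in the PDF (raw or inflated) to whether it is declared
    in a /URI action. A /URI-only scanner sees only the True entries."""
    expanded = inflate_streams(pdf)
    declared = set(URI_ACTION_RE.findall(expanded))
    return {u.decode("latin-1"): (u in declared) for u in set(URL_RE.findall(expanded))}


def undeclared_urls(pdf: bytes) -> list:
    """URLs present in the file but not declared via /URI: the ones worth a second look."""
    return sorted(u for u, is_declared in find_urls(pdf).items() if not is_declared)


def build_sample() -> bytes:
    """Constructed, minimal PDF-like bytes (not a file from the campaign): object 1
    declares a link with a conventional /URI action; object 2 hides a second URL as
    white text (1 1 1 rg) inside a FlateDecode-compressed content stream with no /URI."""
    hidden = b"BT /F1 12 Tf 1 1 1 rg (http://example.invalid/hidden-landing) Tj ET"
    compressed = zlib.compress(hidden)
    header = b"%PDF-1.7\n"
    obj1 = (b"1 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            b"/A << /S /URI /URI (http://example.invalid/declared) >> >> endobj\n")
    obj2 = (b"2 0 obj << /Length " + str(len(compressed)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + compressed + b"\nendstream endobj\n")
    return header + obj1 + obj2 + b"%%EOF\n"


if __name__ == "__main__":
    for url, is_declared in sorted(find_urls(build_sample()).items()):
        print(("declared  " if is_declared else "UNDECLARED") + "  " + url)
```

Real-world PDFs also use object streams and other filters, so a production check should parse the file with a proper PDF library rather than regex alone; the point here is that triage must look beyond /URI entries.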

The campaign further included a USPS-themed landing page designed to extract personal and payment information.

The collected data, encrypted with the Rabbit stream cipher, was transmitted to an attacker-controlled server and was also stored locally in the victim’s browser.

Multilingual support observed in the phishing pages suggests the use of a phishing kit capable of targeting users worldwide.

Zimperium highlights the efficacy of its Mobile Threat Defense (MTD) solutions in addressing such evolving threats.

Utilizing on-device AI-based detection, Zimperium’s solutions identify malicious PDFs and phishing links in real time, even in offline environments.

This approach ensures privacy by conducting all analysis locally on the device, eliminating the need to upload sensitive content to the cloud.

By combining zero-day threat detection with robust AI algorithms, Zimperium empowers enterprises to safeguard sensitive data and workflows from PDF-based phishing campaigns and advanced exploit techniques.

The findings reinforce the importance of adopting sophisticated on-device defenses in combating the rapidly evolving landscape of mobile-based cyber threats.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
