Adobe Acrobat Sign Abused to Distribute Malware

Cybercriminals are abusing the Adobe Acrobat Sign service in a campaign distributing the RedLine information stealer malware.

Cybercriminals have been observed abusing Adobe’s Acrobat Sign service to deliver emails leading to a RedLine stealer infection, cybersecurity firm Avast warns.

Acrobat Sign is a cloud service that allows registered users to sign, send, and track documents in real time, as well as to send signature requests to anyone.

When a signature request is sent, Acrobat Sign automatically generates and sends an email to the recipient, with a link to the document, which can be a PDF, Word, HTML, or another file type.

Given that the message is sent from a legitimate Adobe email address and the document for which the signature request is sent is hosted on Adobe’s servers, the message bypasses any protections that the victim might have in place.

Acrobat Sign also allows the sender to add text to that email, and cybercriminals are abusing this feature to lure unsuspecting recipients into downloading malware.

As part of the observed attack, threat actors sent signature requests for documents that contain a link to a CAPTCHA page that in turn would take the victim to the download page for a ZIP file containing the RedLine stealer.

First seen in early 2020, RedLine can harvest and exfiltrate system information, along with data typically saved in browsers, such as credentials, credit card data, and crypto wallet information.

Displaying a fake notice of copyright infringement, the document analyzed by Avast was specifically created to target the owner of a popular YouTube channel. However, the intended victim realized that the document might not be legitimate and did not click the link.

A few days later, the attackers targeted the recipient again, this time with a request that also included a link to a page hosted on, another document signing service.

If the recipient clicked on the link to review and sign the document, they were once again taken to Adobe and presented with the same document as before. A link included in the page would take the intended victim to the same CAPTCHA page.

In addition to the RedLine stealer, the ZIP archive used in the second attack included some benign video game executables.

Likely in an attempt to bypass antivirus engines, the attackers artificially increased the size of both malware samples to over 400 megabytes.
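For defenders, the size inflation described above can be checked without extracting anything, because the ZIP central directory records each member's compressed and uncompressed size. The following is an added example, not code from Avast or from this article; it assumes the padding is highly compressible filler such as zero bytes (the article does not say how the files were enlarged), and the thresholds, file names and the `build_sample` helper are constructed for illustration.

```python
import io
import zipfile

EXEC_EXT = (".exe", ".scr", ".dll")
SIZE_LIMIT = 100 * 1024 * 1024  # assumed scanner size cap, not a value from the article
RATIO_LIMIT = 50                # assumed: filler compresses far better than real code


def flag_inflated_members(zip_bytes, size_limit=SIZE_LIMIT, ratio_limit=RATIO_LIMIT):
    """Return (name, uncompressed_size, ratio) for oversized, padding-like executables.

    Only the central directory is read, so no member is decompressed.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(EXEC_EXT):
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            # Both conditions are required: small repetitive files also compress well.
            if info.file_size > size_limit and ratio > ratio_limit:
                hits.append((info.filename, info.file_size, round(ratio)))
    return hits


def build_sample(padded_size):
    """Constructed sample: a stub followed by zero filler, next to a small file."""
    buf = io.BytesIO()
    chunk = bytes(1024 * 1024)
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        with zf.open("setup.exe", "w") as member:
            member.write(b"MZ" + bytes(range(256)) * 16)  # 4098-byte stand-in stub
            remaining = padded_size
            while remaining > 0:
                member.write(chunk[:remaining])
                remaining -= len(chunk)
        zf.writestr("game.exe", bytes(range(256)) * 64)   # small, unpadded member
    return buf.getvalue()


if __name__ == "__main__":
    # An 8 MiB sample with a 4 MiB limit keeps the demonstration fast.
    sample = build_sample(8 * 1024 * 1024)
    for name, size, ratio in flag_inflated_members(sample, size_limit=4 * 1024 * 1024):
        print(f"{name}: {size} bytes uncompressed, about {ratio}:1 compression")
```

A hit is a reason to route the archive to analysis that has no file-size cap, not a verdict on its own.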

“This abuse of Adobe Acrobat Sign to distribute malware is a new technique used by attackers that’s targeted to a specific victim. Our team has yet to detect other attacks using this technique; nevertheless, we fear that it may become a popular choice for cybercriminals in the near future. This is because it may be able to avoid different anti-malware filters, which increases its chances of reaching the victims,” Avast concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.