PDF threats are on the rise, with cybercriminals increasingly utilizing malware like WikiLoader, Ursnif [1] [2] [3] [4] [5] [6], and DarkGate to distribute malicious content through PDF documents [5] [6].


According to the latest HP Wolf Security report, there was a 7% increase in PDF threats in Q4 2023 compared to Q1 of the same year [6], with 11% of analyzed malware in Q4 2023 using PDFs as a delivery method [5] [6]. One notable example is a WikiLoader campaign that employed a fake parcel delivery PDF to trick users into installing Ursnif malware [1] [2] [6]. The DarkGate campaign has also been active, using ad tools to enhance attacks by sending malicious PDF attachments disguised as OneDrive error messages [1], ultimately infecting users with DarkGate malware [1]. A shift from macros to Office exploits has been observed [4], with a majority of attempted intrusions involving spreadsheets and Word documents to exploit vulnerabilities in Office applications [4]. However, macro-enabled attacks are still relevant, especially for deploying cheap commodity malware like Agent Tesla and XWorm [4]. Threat actors are now utilizing Discord and TextBin to host malicious files [4], leveraging legitimate file and text sharing websites to evade anti-malware scanners and increase chances of remaining undetected [4]. Cybercriminals are adapting to user behavior and refining their tactics [4], taking advantage of the design of popular cloud services to make fake error messages less alarming [4]. The emergence of GenAI, capable of generating convincing malicious content at minimal cost, will make distinguishing real from fake increasingly challenging [4]. To protect against these threats [5], organizations must follow zero trust principles and isolate risky activities like opening email attachments and clicking on links [5]. DarkGate operates as a malware-as-a-service [5], providing backdoor access to networks and exposing victims to data theft and ransomware risks [4] [5].


The increasing use of PDFs as a delivery method for malware poses a significant threat to organizations and individuals. To mitigate these risks, it is essential to follow zero trust principles and be cautious when opening email attachments or clicking on links. The evolving tactics of cybercriminals, such as the use of Discord and TextBin to host malicious files, highlight the need for constant vigilance and proactive security measures. As technology advances, the challenge of distinguishing real from fake content will only become more difficult, emphasizing the importance of staying informed and implementing robust cybersecurity strategies.


[1] https://securitymea.com/2024/02/16/hp-warns-of-rise-in-malicious-pdf-campaigns-and-office-exploits/
[2] https://betanews.com/2024/02/15/cyber-ad-versaries-adopt-professional-marketing-techniques/
[3] https://www.devdiscourse.com/article/technology/2831561-hp-warns-of-rise-in-malicious-pdf-campaigns-and-office-exploits
[4] https://press.hp.com/us/en/press-releases/2024/hp-wolf-security-q4-2023-threat-insights-report.html
[5] https://ciso2ciso.com/pdf-malware-on-the-rise-used-to-spread-wikiloader-ursnif-and-darkgate-source-www-infosecurity-magazine-com/
[6] https://www.infosecurity-magazine.com/news/pdf-malware-on-the-rise/