Rise in Deceptive PDF: The Gateway to Malicious Payloads
ID: bda1756a-3997-5ecd-bf07-813a9da3fcc3
STIX ID: report--bda1756a-3997-5ecd-bf07-813a9da3fcc3
Feed Name: McAfee Labs Blog
McAfee Labs observed a surge in PDF-based delivery of Agent Tesla. Malicious PDFs (or embedded JS) lead victims to download obfuscated JavaScript that spawns PowerShell to fetch a large, obfuscated script, atom.ps1. That script decrypts and loads .NET components which perform an AMSI bypass, inject into legitimate executables (e.g., RegSvcs.exe) to run Agent Tesla, harvest credentials and browser data, exfiltrate via Telegram bots, and establish persistence via scheduled tasks and Run keys. The report includes technical analysis, process trees, persistence artifacts, and hashes, URLs and IPs as IOCs.
