Zimperium

PDF Phishing: The Hidden Mobile Threat

Written by Pablo Morales | Dec 18, 2025

Executive Summary

zLabs researchers have uncovered a troubling shift in mobile phishing attacks: cybercriminals are increasingly weaponizing PDF documents sent through SMS and MMS. It's a surprisingly effective approach—people tend to trust messages on their phones, and PDFs feel legitimate. Threat actors have taken note of the lack of protection on most mobile devices, coupled with users' lowered vigilance, and have prioritized these 'mobile-first' attacks to gain access to both enterprise and personal confidential data.

We examined two campaigns that show just how sophisticated these attacks have become. The first went after EZDriveMA users (Massachusetts' electronic tolling system) and demonstrated impressive technical coordination. Using Domain Generation Algorithms, the attackers spun up roughly 2,145 phishing domains in rapid succession. Zimperium’s on-device AI caught these threats with 98.46% accuracy, often flagging malicious domains within hours of their creation—well before third-party vendors caught on.

The second campaign took a different approach, impersonating PayPal with a fake cryptocurrency invoice that served as bait for a dual-pronged attack—combining phishing links with voice-based social engineering (vishing). To evade detection, attackers relied on direct IP addressing and URL obfuscation, effectively sidestepping reputation-based filters. We caught this threat more than 27 hours before it surfaced on public phishing databases—a critical gap that left users who depended solely on traditional security solutions exposed.

Introduction

Mishing attacks—mobile-targeted phishing—represent a significant evolution in cybercriminal tactics. As most organizations have become dependent on the flexibility and productivity provided by mobile, threat actors have taken note, pairing social engineering techniques with mobile-specific vulnerabilities. Leveraging channels like SMS/MMS messaging, these campaigns exploit the inherent trust users place in text communications to deliver malicious content directly to mobile devices.

Among the various payloads delivered through mishing campaigns, PDF files have emerged as one of the most effective weapons in cybercriminals' arsenals. These seemingly innocent documents serve as a sophisticated delivery mechanism, exploiting users' trust in legitimate document sharing, particularly in the workplace. Unlike traditional email-based phishing that security teams and email providers have learned to identify, PDF-based attacks leverage the universal acceptance of this file format across both personal and professional contexts, making them particularly dangerous in today's mobile-first work environment.

SMS/MMS messaging provides a direct way to circumvent conventional security measures. Text messages are typically viewed within minutes of receipt, creating a sense of urgency that attackers exploit. This combination of immediacy and trust makes SMS/MMS an ideal distribution channel for PDF-based phishing attacks, allowing threat actors to reach users when they are most vulnerable and least protected by enterprise security infrastructure.

Why PDFs Are Perfect for Phishing

PDF documents present unique advantages for threat actors seeking to bypass traditional security measures. Their widespread use in business communications means users rarely question receiving them, while their complex internal structure lets attackers embed malicious links, scripts, and redirects that often evade signature-based detection systems.

Mobile devices are particularly attractive targets for PDF-based attacks due to their smaller screens that make suspicious links and URLs harder to scrutinize and verify before interaction. Additionally, PDFs can be crafted to appear legitimate through professional formatting, official-looking logos, and convincing content that mimics trusted organizations.

Distribution methods for malicious PDFs vary widely, from direct email attachments and SMS messages to hosting on compromised legitimate websites. This multi-vector approach allows attackers to cast wide nets while maintaining plausible deniability about their malicious intent.

At the same time, hiding a phishing link inside a document adds a layer of obfuscation. While SMS filtering capabilities are now fairly common, most solutions don't extend their analysis to files distributed by this means.

Detection Challenges in PDF-Based Attacks

Traditional cybersecurity solutions struggle with PDF-based threats for several reasons. The format's binary structure and support for multiple encoding schemes allow attackers to obfuscate malicious URLs and content in ways that evade traditional text-based analysis. Unlike plain HTML phishing pages, PDFs can embed links within complex object hierarchies, use JavaScript for dynamic redirects, and employ compression that masks the true destination of embedded URLs until the document is fully rendered.

AI and machine learning models face additional difficulties analyzing PDF phishing attempts. These systems must first decode the PDF's internal structure before they can identify suspicious patterns—a process far more complex than analyzing a simple web page. Phishing URLs embedded as clickable text or buttons may appear legitimate in the document structure but redirect to credential harvesting sites.
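To make the point about object hierarchies and compression concrete, the following added example (not Zimperium's tooling, and not code from the report) builds a small constructed PDF and then scans it the way a defender's triage script would: it pulls every /URI action and bare URL out of the raw bytes, inflates FlateDecode streams so links hidden inside compressed objects are found too, and flags action keys such as /OpenAction and /JavaScript that enable dynamic redirects. The hostnames use the reserved .invalid TLD and are assumptions for the sample, not indicators from the campaigns.

```python
import re
import zlib

# Constructed sample document (not a real phishing PDF): one link annotation with a
# plain /URI action, a second /URI hidden inside a FlateDecode-compressed stream,
# and an /OpenAction that runs JavaScript. The .invalid hostnames never resolve.
def build_sample_pdf() -> bytes:
    hidden = (b"<< /Type /Annot /Subtype /Link /A << /S /URI "
              b"/URI (http://paytoll-example.invalid/pay) >> >>")
    packed = zlib.compress(hidden)
    objects = [
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 6 0 R] >> endobj\n",
        b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (https://ezdrivema-example.invalid/login) >> >> endobj\n",
        b"5 0 obj << /S /JavaScript "
        b"/JS (app.launchURL(\"http://js-redirect-example.invalid\", true)) >> endobj\n",
        b"6 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(packed)
        + packed + b"\nendstream endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(objects)

# /URI literal strings, honouring backslash escapes inside the parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Body of every stream object; compressed ones are inflated before scanning.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Bare URLs wherever they occur (JavaScript bodies, text, form fields).
URL_RE = re.compile(rb"https?://[^\s\"'()<>]+")
# Action keys that allow a document to run code or redirect on open.
RISKY_RE = re.compile(rb"/(JavaScript|JS|OpenAction|Launch|AA)\b")

def inflate_streams(data: bytes) -> list:
    """Return the decoded body of each stream; fall back to raw bytes if not Flate."""
    views = []
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            views.append(zlib.decompress(body))
        except zlib.error:
            views.append(body)  # uncompressed or another filter: scan as-is
    return views

def analyse_pdf(data: bytes) -> dict:
    """Collect link targets and risky action keys from raw and inflated content."""
    uris, urls, flags = set(), set(), set()
    for chunk in [data, *inflate_streams(data)]:
        uris.update(m.group(1).decode("latin-1") for m in URI_RE.finditer(chunk))
        urls.update(m.group(0).decode("latin-1") for m in URL_RE.finditer(chunk))
        flags.update(m.group(1).decode() for m in RISKY_RE.finditer(chunk))
    return {"uris": sorted(uris), "urls": sorted(urls), "flags": sorted(flags)}

if __name__ == "__main__":
    report = analyse_pdf(build_sample_pdf())
    for key, values in report.items():
        print(f"{key}: {values}")
```

The compressed annotation is invisible to a plain text search over the file, which is exactly the gap described above; only after inflating the stream does the second /URI appear. A production scanner would also handle object streams, other filters and incremental updates, but the two-pass structure (raw bytes, then decoded streams) is the core of the approach.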

EZDriveMA Credential Harvesting Campaign

A sophisticated PDF-based phishing campaign targeting EZDriveMA (Massachusetts' electronic tolling system) users has been identified, demonstrating the ongoing evolution of cybercriminal tactics. This campaign exemplifies how attackers leverage PDF documents to harvest credentials through carefully crafted social engineering attacks.

This research expands upon previously documented EZDriveMA-targeted campaigns, which have primarily utilized SMS-based phishing (smishing) approaches targeting drivers with fake toll payment notifications. The identified PDF-based attack vector represents a tactical evolution from these traditional text-based methods, adding sophistication through document attachments that may bypass conventional anti-phishing measures.

EZDriveMA serves as a high-impact target due to its role as Massachusetts' electronic tolling system, operating on major highways, bridges, and tunnels throughout the state. The system's large user base and the inherent trust users place in toll payment notifications make it particularly susceptible to social engineering attacks, as drivers can easily be convinced they owe unpaid toll fees that could result in debt collection measures or, at worst, fines and criminal penalties.

Campaign Overview

The attack begins with users receiving text messages containing malicious PDF attachments designed to mimic official EZDriveMA communications. These documents contain embedded links that redirect victims to credential harvesting websites hosted on rapidly rotating domains. What makes this campaign of particular interest is the speed at which attackers deploy new infrastructure to stay ahead of traditional security measures. This suggests the usage of advanced automation and potentially AI to generate the content and domains. Between February and April, attackers created approximately 2,145 new domains across different TLDs, the vast majority of which were concentrated in .xin, .top, and .vip.

Domain creation is dominated by two specific prefixes, strongly indicating a Domain Generation Algorithm (DGA) or automated scripting to evade blocking.

  • "Paytoll" family (74.7%): the structure (paytoll + variable characters) is a clear indicator of mass automated registration.
  • "Ezdrivema" family (11.8%): the secondary group (ezdrivema-com + variable characters) uses the same prefix-plus-variable-characters construction.
  • Other (13.49%): domains that fit neither prefix.

Combined, these two families account for over 86% of the total dataset.
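The family breakdown above can be reproduced from a domain list with a short prefix classifier. This is an added example, not Zimperium's classification code; it uses the two prefixes and three TLDs the report names, and the sample list below is taken from the detection tables later in the post (written defanged). The regular expressions and the "other" bucket are assumptions for the example.

```python
import re
from collections import Counter

# Prefix families described in the report: a fixed prefix plus a run of variable
# characters, registered on the .xin/.top/.vip TLDs the campaign favoured.
# The exact character class is an assumption for this example.
FAMILIES = {
    "paytoll": re.compile(r"^paytoll(?P<var>[a-z0-9]+)\.(?P<tld>xin|top|vip)$"),
    "ezdrivema-com": re.compile(r"^ezdrivema-com-(?P<var>[a-z0-9]+)\.(?P<tld>xin|top|vip)$"),
}

def refang(domain: str) -> str:
    """Turn a defanged indicator such as paytollgbju[.]xin back into a hostname."""
    return domain.strip().lower().replace("[.]", ".")

def classify(domain: str) -> dict:
    """Assign a domain to a family and split out its variable suffix for pivoting."""
    d = refang(domain)
    for family, pattern in FAMILIES.items():
        m = pattern.match(d)
        if m:
            return {"domain": d, "family": family, "variable": m["var"], "tld": m["tld"]}
    return {"domain": d, "family": "other", "variable": None, "tld": d.rsplit(".", 1)[-1]}

def family_breakdown(domains) -> dict:
    """Map family -> (count, percentage of the list), largest family first."""
    counts = Counter(classify(d)["family"] for d in domains)
    total = sum(counts.values())
    return {fam: (n, round(100.0 * n / total, 1)) for fam, n in counts.most_common()}

# Sample list built from domains that appear in the report's detection tables.
SAMPLE_DOMAINS = [
    "paytollgbju[.]xin", "paytollaqr[.]vip", "paytolloxc[.]vip", "paytolluif[.]vip",
    "paytolltng[.]top", "paytollafn[.]top", "ezdrivema-com-yhvui[.]top",
    "pbjixedr[.]top", "edcvbgtyhn[.]top", "onijqwdc[.]top",
]

if __name__ == "__main__":
    for fam, (n, pct) in family_breakdown(SAMPLE_DOMAINS).items():
        print(f"{fam:15s} {n:3d}  {pct:5.1f}%")
```

On the full 2,145-domain dataset the same function would yield the 74.7% / 11.8% / 13.49% split quoted above; the ten-domain sample here gives 60% / 10% / 30%. Keeping the variable suffix in the result lets an analyst cluster registrations by suffix length or TLD when hunting for the next batch.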

Attack Flow Documentation

The campaign follows a three-stage attack pattern that our threat intelligence team documented:

Stage 1: Initial Contact - Victims receive text messages with an attached PDF. This message aims to prompt immediate action.

Stage 2: Document Interaction - When users open the PDF, they encounter professionally formatted content that mimics legitimate EZDriveMA communications, with official-looking formatting designed to build trust and encourage link interaction.

Stage 3: Credential Harvesting - Embedded links redirect users to convincing replica websites that capture login credentials, billing information, and personal data. These sites are hosted on the rapidly rotating domain infrastructure identified in our analysis.

Zero-Day Detection Success

As noted above, new domains for this attack are spawned in rapid succession, which renders the traditional blocklist approach useless. This campaign therefore demonstrates the critical importance of advanced threat detection capabilities. Our algorithms classified 2,145 new domains as phishing with a 98.46% accuracy rate. This detection success stems from a dual approach: Zimperium's on-device machine learning models, which protect our active clients in real time after the first encounter, and our proactive classification of newly created domains, which identifies infrastructure threats often before they target a specific device.

The tables below detail these detections, showcasing Zimperium's ability to identify threats days or hours before these domains are added to the blocklists most used by the industry.

  1. Client-Side Detections (On-Device)

Detections identified directly on client devices via behavioral analysis.

Domain                    | Internal First Seen | 3rd Party Detection | Zimperium Lead Time
paytollgbju[.]xin         | 3/5/2025 0:57:03    | 3/8/2025 1:14:46    | 3 days, 0 hr, 17 min
paytollaqr[.]vip          | 2/13/2025 12:22:13  | 2/15/2025 19:18:50  | 2 days, 6 hr, 56 min
paytolloxc[.]vip          | 2/25/2025 17:56:06  | 2/26/2025 1:15:15   | 7 hr, 19 min
paytolluif[.]vip          | 2/19/2025 19:15:38  | 2/20/2025 1:17:07   | 6 hr, 1 min
paytolltng[.]top          | 2/9/2025 22:22:05   | 2/10/2025 0:11:02   | 1 hr, 49 min
ezdrivema-com-yhvui[.]top | 3/1/2025 0:34:46    | 3/1/2025 1:13:18    | 38 min

  2. Proactive Detections (Backend Systems)

Detections identified proactively by analyzing newly created domains.

Domain             | Internal First Seen | 3rd Party Detection | Zimperium Lead Time
paytollgbju[.]xin  | 3/5/2025 0:57:03    | 3/8/2025 1:14:46    | 3 days, 0 hr, 17 min
paytollafn[.]top   | 2/6/2025 12:40:38   | 2/9/2025 8:16:56    | 2 days, 19 hr, 36 min
paytollkqw[.]vip   | 2/8/2025 22:27:28   | 2/11/2025 10:19:57  | 2 days, 11 hr, 52 min
paytollozb[.]top   | 2/8/2025 10:16:35   | 2/10/2025 2:11:15   | 1 day, 15 hr, 54 min
paytollwsd[.]top   | 2/9/2025 9:49:51    | 2/11/2025 0:42:27   | 1 day, 14 hr, 52 min
paytollozd[.]top   | 2/8/2025 10:16:59   | 2/10/2025 0:00:00   | 1 day, 13 hr, 43 min
paytolljoi[.]top   | 2/8/2025 11:00:18   | 2/9/2025 17:30:04   | 1 day, 6 hr, 29 min
pbjixedr[.]top     | 2/10/2025 12:14:00  | 2/11/2025 8:21:27   | 20 hr, 7 min
paytolljybk[.]top  | 2/10/2025 11:04:03  | 2/11/2025 1:47:28   | 14 hr, 43 min
paytollozh[.]top   | 2/8/2025 10:17:44   | 2/9/2025 0:11:25    | 13 hr, 53 min
paytollubf[.]top   | 2/9/2025 10:29:55   | 2/10/2025 0:11:03   | 13 hr, 41 min
paytollxjh[.]top   | 2/8/2025 10:59:02   | 2/9/2025 0:00:00    | 13 hr, 0 min
paytollzsc[.]top   | 2/10/2025 9:07:21   | 2/10/2025 21:51:10  | 12 hr, 43 min
paytolloxd[.]vip   | 2/25/2025 13:30:43  | 2/26/2025 1:58:47   | 12 hr, 28 min
edcvbgtyhn[.]top   | 2/8/2025 11:48:19   | 2/9/2025 0:11:26    | 12 hr, 23 min
paytollzsb[.]top   | 2/10/2025 9:07:16   | 2/10/2025 21:26:33  | 12 hr, 19 min
paytollzvd[.]top   | 2/11/2025 12:37:11  | 2/12/2025 0:10:22   | 11 hr, 33 min
paytollagh[.]vip   | 2/22/2025 10:50:31  | 2/22/2025 20:02:47  | 9 hr, 12 min
paytolltzv[.]top   | 2/9/2025 11:59:57   | 2/9/2025 20:41:17   | 8 hr, 41 min
paytollbym[.]top   | 2/9/2025 9:50:41    | 2/9/2025 18:22:21   | 8 hr, 31 min
onijqwdc[.]top     | 2/10/2025 12:13:18  | 2/10/2025 16:37:42  | 4 hr, 24 min
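The "Zimperium Lead Time" column in both tables is the difference between the internal first-seen timestamp and the third-party detection timestamp. The added example below (not Zimperium's code) recomputes that column from the timestamps in the table's own format and checks each row against its published value; the same function gives the "more than 27 hours" figure for the PayPal case later in the post once both timestamps are known. The row subset embedded here is copied from the tables above; the formatting rules (days shown only when non-zero, hours shown whenever days or hours are non-zero) are inferred from those rows.

```python
from datetime import datetime, timedelta

# Timestamp layout used in the report's tables, e.g. "3/5/2025 0:57:03".
TS_FORMAT = "%m/%d/%Y %H:%M:%S"

def parse_ts(value: str) -> datetime:
    return datetime.strptime(value.strip(), TS_FORMAT)

def lead_time(internal_first_seen: str, third_party_detection: str) -> str:
    """Render the gap between two timestamps in the table's 'N days, H hr, M min' style.

    A negative gap (third party saw it first) is rendered with a leading '-'.
    Seconds are truncated, which matches every row in the published tables.
    """
    delta = parse_ts(third_party_detection) - parse_ts(internal_first_seen)
    sign = "-" if delta < timedelta(0) else ""
    total_min = int(abs(delta).total_seconds() // 60)
    days, rem = divmod(total_min, 24 * 60)
    hours, minutes = divmod(rem, 60)
    parts = []
    if days:
        parts.append(f"{days} day{'s' if days != 1 else ''}")
    if days or hours:
        parts.append(f"{hours} hr")
    parts.append(f"{minutes} min")
    return sign + ", ".join(parts)

def lead_hours(internal_first_seen: str, third_party_detection: str) -> float:
    """Same gap as a decimal number of hours, handy for the '27 hours' style of claim."""
    delta = parse_ts(third_party_detection) - parse_ts(internal_first_seen)
    return round(delta.total_seconds() / 3600, 1)

# Rows copied from the detection tables in this post: (domain, internal, third party, published lead time).
SAMPLE_ROWS = [
    ("paytollgbju[.]xin", "3/5/2025 0:57:03", "3/8/2025 1:14:46", "3 days, 0 hr, 17 min"),
    ("paytollaqr[.]vip", "2/13/2025 12:22:13", "2/15/2025 19:18:50", "2 days, 6 hr, 56 min"),
    ("paytollafn[.]top", "2/6/2025 12:40:38", "2/9/2025 8:16:56", "2 days, 19 hr, 36 min"),
    ("paytollozd[.]top", "2/8/2025 10:16:59", "2/10/2025 0:00:00", "1 day, 13 hr, 43 min"),
    ("pbjixedr[.]top", "2/10/2025 12:14:00", "2/11/2025 8:21:27", "20 hr, 7 min"),
    ("paytollxjh[.]top", "2/8/2025 10:59:02", "2/9/2025 0:00:00", "13 hr, 0 min"),
    ("ezdrivema-com-yhvui[.]top", "3/1/2025 0:34:46", "3/1/2025 1:13:18", "38 min"),
]

def check_rows(rows) -> list:
    """Return (domain, computed, published) for every row whose lead time does not recompute."""
    mismatches = []
    for domain, first_seen, third_party, published in rows:
        computed = lead_time(first_seen, third_party)
        if computed != published:
            mismatches.append((domain, computed, published))
    return mismatches

if __name__ == "__main__":
    bad = check_rows(SAMPLE_ROWS)
    print("all sample rows recompute" if not bad else f"mismatches: {bad}")
```

Running the check over the embedded rows returns an empty mismatch list, so the published column is consistent with simple truncation of the seconds. Keeping the computation explicit matters when comparing feeds: a lead time measured against a different third-party source, or with rounding instead of truncation, will not line up with these figures.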

PayPal-Mimic Transactional Phishing Campaign

In addition to campaigns targeting state services, we have identified a phishing operation impersonating PayPal to steal personal and financial information. This attack demonstrates a "dual-lure" tactic, combining the urgency of a cryptocurrency transaction with a credential harvesting page disguised as a live support service.

Campaign Overview

The attack begins with users receiving SMS communications containing a PDF attachment designed to mimic an official PayPal invoice. The document claims a fake payment of $480.11 USD for a Bitcoin (BTC) purchase to create panic. The PDF contains malicious links and phone numbers that redirect victims to credential harvesting operations, offering two distinct attack vectors (digital and voice) to maximize success.

Technical Analysis

Our analysis revealed an attack infrastructure utilizing URL obfuscation, direct IP addressing, and disposable VoIP lines to evade detection:

  • Vector A - Digital Infrastructure (Phishing):
    • Obfuscated Link: https://urlzs[.]com/A03SrG (uses the urlzs[.]com shortening service to hide the destination).
    • Malicious Destination: http://146[.]70[.]41[.]215:81/join[.]aspx?linkid=<token>
    • Key Indicators of Compromise (IOCs):
      • Direct IP Usage: 146[.]70[.]41[.]215 (bypasses domain-based reputation and blacklists).
      • Non-Standard Port: 81 (evades firewall and proxy rules that monitor only conventional HTTP/HTTPS ports).
      • Server-Side Script: .aspx (indicates the active data harvesting mechanism).
      • Tracking Parameter: linkid (allows attackers to track individual victims and measure success).
  • Vector B - Voice Infrastructure (Vishing):
    • Target Number: +1804-816-5249
    • Risk Assessment: High fraud score (confirmed by our phone number analysis service).
    • Carrier: ONVOY, LLC (confirmed as a VoIP line, frequently used by threat actors for disposable call center operations).
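The indicators listed for Vector A are all properties a defender can derive from the URL itself, before any reputation lookup. The following added example (not Zimperium's detection logic) refangs a URL and reports exactly those structural signals: a literal IP host, a port other than the scheme's default, a server-side script extension, a known shortener, and a per-victim tracking parameter. The shortener set is seeded with the one service named above; the tracking-parameter names and script suffixes are assumptions for the example and would be tuned from local intelligence.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Seeded with the shortener named in the report; extend from your own intelligence.
KNOWN_SHORTENERS = {"urlzs.com"}
# Parameter names often used to tie a click to one recipient (assumed list for this example).
TRACKING_PARAMS = {"linkid", "id", "uid", "token", "ref", "cid"}
STANDARD_PORTS = {"http": 80, "https": 443}
SCRIPT_SUFFIXES = (".aspx", ".asp", ".php", ".jsp", ".cgi")

def refang(url: str) -> str:
    """Undo the [.] and hxxp defanging conventions so the URL can be parsed."""
    return url.strip().replace("[.]", ".").replace("hxxp", "http")

def assess_url(url: str) -> dict:
    """Return the structural indicators present in a URL, in a fixed order."""
    u = urlsplit(refang(url))
    host = (u.hostname or "").lower()
    flags = []
    try:
        ipaddress.ip_address(host)          # raises ValueError for a DNS name
        flags.append("direct_ip_host")
    except ValueError:
        pass
    if u.port is not None and u.port != STANDARD_PORTS.get(u.scheme):
        flags.append(f"non_standard_port:{u.port}")
    if host in KNOWN_SHORTENERS:
        flags.append("url_shortener")
    if u.path.lower().endswith(SCRIPT_SUFFIXES):
        flags.append("server_side_script")
    for name in parse_qs(u.query, keep_blank_values=True):
        if name.lower() in TRACKING_PARAMS:
            flags.append(f"tracking_param:{name}")
    return {"host": host, "port": u.port, "flags": flags}

if __name__ == "__main__":
    # The two URLs from the Vector A indicators above, plus a benign control (example.com).
    for sample in (
        "https://urlzs[.]com/A03SrG",
        "http://146[.]70[.]41[.]215:81/join[.]aspx?linkid=b3ed9a64-3046-47c9-b69c-5075c8ac3b0b",
        "https://www.example.com/help",
    ):
        print(sample, "->", assess_url(sample)["flags"])
```

The shortened link carries only the shortener flag, which is the point of the obfuscation layer: nothing about the destination is visible until the redirect is followed. The destination itself trips four independent signals, so a rule that requires any two of them would have flagged it without any reputation data at all.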

Attack Flow Documentation

The campaign follows a three-stage attack pattern that our threat intelligence team documented through comprehensive analysis:

1. Stage 1: Initial Contact and Panic - Victims receive a text message with an attached PDF. The document is designed to look like an urgent Bitcoin purchase confirmation, creating panic to prompt immediate action.

2. Stage 2: Document Interaction and Vector Selection - When users open the PDF, they encounter well-formatted content that mimics legitimate PayPal communications. The document urges the user to "contact support" to cancel the transaction, offering two vectors: a link to a "live help chat" (Vector A) and a phone number (Vector B).

  • Vector A (Digital - Phishing): A malicious link promises access to live help chat support. The attackers leverage urlzs[.]com, a URL shortening service, to obfuscate the true destination and evade visual inspection by the victim. This obfuscation layer is the first line of deception, preventing users from recognizing the suspicious endpoint before engagement.

  Upon clicking, victims are not directed to PayPal's infrastructure but are instead redirected to:
  http://146[.]70[.]41[.]215:81/join[.]aspx?linkid=b3ed9a64-3046-47c9-b69c-5075c8ac3b0b

  The landing page presents a convincing "Join the Chat" interface designed to mimic legitimate customer support portals. Believing they are about to communicate with a PayPal agent, victims willingly enter their name and email—credentials that are instantly exfiltrated to attacker-controlled infrastructure, marking the beginning of their compromise.

  • Vector B (Voice - Vishing): Alternatively, the victim is urged to call a fake support number. This vector bypasses traditional email security controls by moving the attack off-platform to a voice call.

3. Stage 3: Credential Harvesting
    1. Via Vector A: Credentials (name and email) are instantly exfiltrated upon submission. The attackers can use this information for:
      1. Follow-up targeted phishing campaigns
      2. Account takeover attempts
      3. Sale on criminal marketplaces
    2. Via Vector B: Real-time social engineering enables attackers to:
      1. Extract full account credentials through conversation
      2. Obtain payment card details
      3. Bypass two-factor authentication through social manipulation

Zero-Day Detection Success

This case is a critical example of a zero-day threat where detection speed is the decisive factor for protection. The attacker's infrastructure was identified and blocked by Zimperium long before it became public knowledge or was cataloged by other security tools.

The timeline analysis is stark: Zimperium detected the threat (https://urlzs[.]com/A03SrG) more than 27 hours before it appeared on other public phishing lists.

This detection gap of more than a day is the period of greatest risk for victims. By the time other signature-based solutions began to recognize the URL as malicious, the attackers had already had a full day to steal credentials unopposed. This highlights the ineffectiveness of reactive detection methods against attacks using new, fast-rotating infrastructure and validates the need for on-device machine learning (ML) analysis.

Zimperium's Advanced PDF Threat Protection

PDF-based phishing and malware represent a growing blind spot in mobile security—often bypassing email gateways, network controls, and cloud-only defenses. Zimperium Mobile Threat Defense closes this gap by detecting malicious PDFs and embedded phishing links directly on the device, in real time, regardless of delivery channel—email, SMS, QR code, or web. By analyzing PDFs locally on the device, Zimperium protects users from advanced threats while preserving the privacy of sensitive document content—eliminating the need to send files to the cloud and ensuring enterprises maintain full control over where their data goes.

Staying Ahead of PDF-Based Threats

The evolution of PDF-based phishing attacks represents a significant challenge for organizations seeking to protect employees who rely on mobile devices, as well as their digital assets. Traditional security approaches that rely on signature-based detection and network-level filtering are insufficient against modern mobile threats that leverage zero-day infrastructure and sophisticated social engineering techniques.

The EZDriveMA and PayPal Mimic campaigns analyzed in this report demonstrate how quickly threat actors can deploy new infrastructure and adapt their tactics to evade traditional security measures. Success in defending against these threats requires security solutions that can match the speed and sophistication of modern attack campaigns.

Zimperium's mobile threat defense (MTD) provides critical protection early in the attack chain, intercepting threats at the initial point of contact before they can establish persistence on mobile devices. By combining advanced AI, real-time threat intelligence, and mobile-optimized detection capabilities, Zimperium enables organizations to stay ahead of evolving PDF-based phishing campaigns and protect their users from both known and zero-day threats.

In an era where mobile devices serve as a primary computing platform for both personal and professional activities, comprehensive mobile security that can effectively counter PDF-based attacks is not just recommended—it's essential for organizational security and business continuity.