
New Attack Mimics USPS to Deliver Malicious PDFs That Target Mobile Devices

A sophisticated phishing campaign has been uncovered, leveraging malicious PDFs disguised as official U.S. Postal Service (USPS) communications to target mobile users.

This attack, identified by Zimperium’s zLabs team, employs a novel obfuscation technique to bypass traditional endpoint security measures and steal sensitive data, including credentials and payment information.

The campaign begins with SMS messages claiming undelivered USPS packages and includes an attached PDF file. The PDFs appear legitimate but contain hidden clickable elements that redirect users to phishing websites.

Fake SMS Received (Source – Zimperium)

These sites impersonate USPS pages, prompting victims to input personal details such as names, addresses, and credit card information under the guise of resolving delivery issues.

The attackers then encrypt the stolen data and transmit it to their servers.

Encrypted communication captured during the analysis (Source – Zimperium)

The malicious PDFs exploit the Portable Document Format’s (PDF) structure, which is composed of objects like strings, arrays, dictionaries, and streams.

Structure of the PDF (Source – Zimperium)

Zimperium's researchers noted that hyperlinks in PDFs are normally represented by a "Go-To-URI" action dictionary object carrying a "/URI" tag.

However, the attackers bypass this standard by embedding the links within compressed stream objects. This unconventional method hides the URLs from both users and most endpoint security tools.

For example, the embedded links are hidden using white text or graphical overlays within the PDF content stream.

The attackers also split URLs across multiple objects to further evade detection. On mobile devices, where visibility into file contents is limited, these techniques make the malicious links nearly undetectable.
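The detection gap described above is that a signature scan of a PDF's raw bytes never sees a `/URI` key that lives inside a FlateDecode-compressed object stream. The following added example (not Zimperium's code and not from the campaign) constructs a small PDF in memory with a link annotation stored only in a compressed object stream, then compares a naive byte scan with one that inflates every stream before looking for URI actions and bare URLs. The file layout, the `example.invalid` URL, and the function names are assumptions for illustration; the PDF omits an xref table because it is meant to be parsed by the scanner, not rendered. Reassembling URLs that are split across several objects, or spotting white-on-white overlay text, is out of scope for this snippet.

```python
"""Inspect PDF streams for hyperlinks hidden inside compressed objects.

Added example (not Zimperium's code). Builds a constructed PDF in memory
whose URI action sits inside a FlateDecode-compressed object stream, then
shows that a naive scan of the raw bytes misses it while a scan that
inflates every stream recovers it.
"""
import re
import zlib

# /URI (http://...) as it appears in a Go-To-URI action dictionary
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# stream ... endstream bodies, whatever their filter
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Bare URLs written as plain text once a stream has been inflated
URL_RE = re.compile(rb"https?://[^\s()<>]+")


def build_sample_pdf(url: bytes) -> bytes:
    """Constructed sample: a link annotation stored in a compressed object
    stream (/Type /ObjStm), so the string '/URI' never appears uncompressed."""
    hidden_obj = (b"<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
                  b"/A << /S /URI /URI (" + url + b") >> >>")
    header = b"4 0 "                       # "objnum offset" pair for the ObjStm
    body = header + hidden_obj
    packed = zlib.compress(body)           # FlateDecode == zlib/deflate
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj",
        b"5 0 obj << /Type /ObjStm /N 1 /First " + str(len(header)).encode()
        + b" /Filter /FlateDecode /Length " + str(len(packed)).encode()
        + b" >>\nstream\n" + packed + b"\nendstream\nendobj",
    ]
    # No xref table: the sample is for byte-level scanning, not rendering.
    return b"%PDF-1.5\n" + b"\n".join(objs) + b"\n%%EOF\n"


def naive_scan(pdf: bytes) -> list:
    """What a plain signature scan sees: only uncompressed /URI entries."""
    return [m.group(1) for m in URI_RE.finditer(pdf)]


def inflate_streams(pdf: bytes) -> list:
    """Return the decoded content of every stream. Data that is not
    zlib-compressed (other filters, or no filter) is returned as-is."""
    decoded = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            decoded.append(zlib.decompress(raw))
        except zlib.error:
            decoded.append(raw)
    return decoded


def deep_scan(pdf: bytes) -> list:
    """Scan the raw bytes *and* every inflated stream for URI actions and
    bare URLs, returning a sorted, de-duplicated list of what was found."""
    found = set(naive_scan(pdf))
    for content in inflate_streams(pdf):
        found.update(m.group(1) for m in URI_RE.finditer(content))
        found.update(URL_RE.findall(content))
    return sorted(found)


if __name__ == "__main__":
    sample = build_sample_pdf(b"https://example.invalid/usps-track")
    print("naive scan :", naive_scan(sample))   # []
    print("deep scan  :", deep_scan(sample))    # [b'https://example.invalid/usps-track']
```

The difference between the two scans is the whole point: a mobile filter that only pattern-matches the raw file will report the sample as link-free, while a scanner that decodes stream bodies before matching surfaces the hidden destination. In production you would also follow the `/Filter` chain for non-Flate encodings and feed recovered URLs to a reputation or domain-similarity check.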


Campaign Scale

The investigation revealed over 20 malicious PDFs and 630 phishing pages targeting organizations in more than 50 countries. This large-scale operation demonstrates the growing sophistication of phishing campaigns aimed at exploiting trusted brands like USPS.

Form displayed (Source – Zimperium)

Mobile platforms are particularly vulnerable due to their limited visibility into file metadata and content before opening.

Form to steal card info (Source – Zimperium)

Unlike desktop systems with robust email and file security measures, mobile devices often lack equivalent protections.

Cybercriminals exploit this gap by leveraging social engineering tactics that capitalize on users’ trust in official-looking documents.

To protect against such attacks, organizations and individuals should adopt layered security measures:

  • Verify Sender Details: Always confirm the legitimacy of messages claiming to be from USPS or other trusted entities.
  • Avoid Clicking on Links: Navigate directly to official websites or apps instead of interacting with embedded links.
  • Use Mobile Threat Defense Solutions: Advanced tools like Zimperium’s on-device AI-based detection can identify malicious PDFs in real-time.
  • Educate Users: Raise awareness about phishing tactics and encourage cautious behavior when handling unexpected files or messages.

Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
