Zimperium has released new threat research exposing a growing wave of mobile-targeted phishing attacks that weaponise PDF documents delivered via SMS and MMS.
The findings reveal how threat actors are exploiting user trust in PDFs and gaps in mobile security controls to harvest credentials and sensitive data at scale.
According to Zimperium’s zLabs research team, attackers are increasingly using PDFs as a delivery mechanism for mobile phishing—often referred to as mishing—because the format appears legitimate, is widely used in business communications, and frequently bypasses traditional email- and network-based defences. When combined with the immediacy of text messaging, these campaigns are proving highly effective.
The research details two active campaigns demonstrating the sophistication and speed of modern mobile attacks. One targeted users of EZDriveMA, Massachusetts’ electronic tolling system, using SMS messages with malicious PDF attachments.
Attackers rapidly generated more than 2,100 phishing domains using automated techniques to evade blocklists. Zimperium detected and classified these domains with 98.46% accuracy, often hours or days before they appeared on public phishing databases.
A second campaign impersonated PayPal using a fake cryptocurrency invoice delivered via PDF, combining phishing links with voice-based social engineering.
The attack relied on direct IP addresses, URL obfuscation, and disposable VoIP numbers to evade detection. Zimperium identified and blocked the malicious infrastructure more than 27 hours before it was publicly recognised—highlighting a critical exposure window for organisations relying on reactive security controls.
“These campaigns show how quickly attackers are shifting to mobile channels and trusted file formats to stay ahead of traditional defences,” said Pablo Morales, security researcher at Zimperium. “PDFs sent over SMS create a dangerous blind spot, especially when security tools don’t inspect files at the device level.
“Detection speed is now the difference between stopping an attack and responding after credentials are stolen.”
Zimperium’s research underscores a broader trend: cybercriminals are prioritising mobile as part of a mobile-first attack strategy, leveraging zero-day infrastructure and social engineering to reach users where protections are weakest.
PDF-based phishing often bypasses email gateways, reputation-based filters, and cloud-only defences, leaving organisations exposed during the most critical early stages of an attack.
Zimperium protects against these threats by analysing malicious PDFs and embedded links directly on the device, in real time, regardless of how the file is delivered—SMS, email, QR code, or web.
This on-device approach enables early detection of both known and zero-day attacks without sending sensitive documents to the cloud.
The full research report, PDF Phishing: The Hidden Mobile Threat, includes detailed analysis of both campaigns and guidance for organisations looking to close mobile security gaps.