Foxit Impersonation: Fake PDF Installer Deploys VNC
Attackers are leveraging the trusted reputation of Foxit PDF Reader, used by over 650 million people, to distribute malicious installers disguised as legitimate software. Rather than exploiting vulnerabilities, threat actors impersonate the vendor through fake installers with document-themed filenames that bypass user suspicion. When executed, these files display decoy passport images while downloading malicious MSI packages that deploy UltraVNC remote access tools disguised as GPU drivers. The attack establishes persistence through registry modifications and firewall exceptions, connecting to attacker-controlled infrastructure for complete remote system control. Telemetry indicates broad distribution across Germany, the United States, the United Kingdom, and Ukraine. This campaign demonstrates how brand impersonation combined with social engineering proves more effective than technical exploits, relying on user trust and behavioral patterns rather than software vulnerabilities.
AI Analysis
Technical Summary
Attackers distribute trojanized installers impersonating Foxit PDF Reader, leveraging its trusted reputation to bypass user suspicion. These installers present decoy images while downloading malicious MSI packages that install UltraVNC remote access software disguised as GPU drivers. The malware achieves persistence through registry modifications and firewall rule changes, connecting to attacker-controlled infrastructure for full remote system control. This campaign uses social engineering and brand impersonation instead of exploiting technical vulnerabilities. Telemetry shows broad distribution in multiple countries. No CVE or known exploits in the wild are reported. Indicators include multiple file hashes and URLs associated with the malicious infrastructure.
Potential Impact
The impact includes unauthorized remote access and control of infected systems, persistence on the victim machines, and potential data compromise or further malicious activity. Since the attack does not exploit software vulnerabilities but relies on user deception, the risk depends heavily on user interaction with the fake installers. The campaign affects users in Germany, the United States, the United Kingdom, and Ukraine, indicating a broad geographic reach.
Mitigation Recommendations
No official patch or vendor advisory is available for this threat as it does not exploit a software vulnerability but relies on social engineering and brand impersonation. Mitigation focuses on user awareness to avoid executing suspicious installers, verifying software sources, and blocking known malicious URLs and file hashes through endpoint protection and network defenses. Organizations should monitor for the listed indicators of compromise and restrict installation privileges to prevent unauthorized software execution.
Affected Countries
Germany, United States, United Kingdom, Ukraine
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.gdatasoftware.com/2026/04/38409-fake-foxit-vnc
- Adversary: not specified
- Pulse ID: 69e9e0346967ec306d0a2e2d
- Threat Score: not specified
Threat ID: 69ea2aee87115cfb681ee463
Added to database: 4/23/2026, 2:21:34 PM
Last enriched: 4/23/2026, 2:36:19 PM
Last updated: 4/24/2026, 6:09:03 AM
Views: 10