Foxit Impersonation: Fake PDF Installer Deploys VNC
Essential information
- Published: 23/04/2026 11:02
- Modified: 27/04/2026 14:37
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: brand abuse document decoy foxit impersonation remote access social engineering trojanized installer ultravnc
- Tags: 2026-04-23 brand abuse document decoy foxit impersonation remote access social engineering trojanized installer ultravnc
- Related entities: 7 indicators, 7 observables, 19 techniques (mitre), 1 malware, 4 others
Description
Attackers are abusing the trusted reputation of Foxit PDF Reader, used by over 650 million people, to distribute malicious installers disguised as legitimate software. Rather than exploiting vulnerabilities, the threat actors impersonate the vendor through fake installers whose document-themed filenames help them avoid user suspicion. When executed, these files display decoy passport images while downloading malicious MSI packages that deploy UltraVNC remote access tools disguised as GPU drivers. The attack establishes persistence through registry modifications and firewall exceptions and connects to attacker-controlled infrastructure, giving the attackers complete remote control of the system. Telemetry indicates broad distribution across Germany, the United States, the United Kingdom, and Ukraine. The campaign demonstrates how brand impersonation combined with social engineering proves more effective than technical exploits, relying on user trust and behavioral patterns rather than software vulnerabilities.