(gdatasoftware.com) Foxit PDF Brand Impersonation Campaign Delivers Concealed UltraVNC Remote Access Tool
-
(gdatasoftware.com) Foxit PDF Brand Impersonation Campaign Delivers Concealed UltraVNC Remote Access Tool
Threat actors are impersonating Foxit PDF to distribute trojanized installers delivering UltraVNC RAT via search engine poisoning. Campaign targets users in DE, US, UK, and UA with decoy passport lures and concealed persistence.
In brief - Attackers abuse Foxit’s brand trust to trick users into executing fake PDF installers (e.g., Datei.exe) that silently deploy UltraVNC RAT. The malware establishes persistent remote access via C2 infrastructure at hallonews.servemp3.com:5500, enabling full system control.
Technically - The attack chain begins with a trojanized binary (SHA256: 08b9cbdae903faf88b8027a12eee29265ff9b192b63aaa371d3d095b8ec00de5) fetching a malicious MSI (personalfoxypdf.msi) from hxxps://juneuk25.cfd. The MSI drops UltraVNC components into C:\intel-GPU\, using GPU/driver-themed filenames for evasion. Persistence is achieved via HKCU\Run, with gpu.cmd generating a system ID (IDD.txt) and SilentRun.vbs executing gpu.cmd silently. UltraVNC.ini preconfigures server settings, including passwords and ports, while firewall exceptions are added via gpu.txt. MITRE ATT&CK techniques include T1036 (Masquerading), T1204 (User Execution), T1027 (Obfuscation), and T1053/T1060 (Scheduled Task/Registry Run Keys).
Source: https://blog.gdatasoftware.com/2026/04/38409-fake-foxit-vnc
-
R relay@relay.infosec.exchange shared this topic
