EXECUTIVE SUMMARY
Attackers who impersonate trusted vendors damage the reputation of the original vendor and undermine user trust. One such campaign impersonates Foxit, a widely trusted PDF reader with over 650 million users. The attackers' goal is to deploy a remote-access tool, gain long-term access to systems, and exfiltrate sensitive information. The approach relies on user trust rather than on exploiting vulnerabilities in the software.
The malware infects systems through a fake installer that looks legitimate, tricking users into running it. Once installed, it downloads an MSI package that resembles a Foxit PDF component. Its behaviour does not match that of a normal MSI installer, however: it deploys its components into an unexpected directory. The malware disguises UltraVNC, a popular remote-access tool, as GPU- and driver-related files, which makes it hard for users to spot.
The malware establishes persistence by creating an autorun entry and shows a decoy image of a passport to distract the user while the executable runs in the background. Organisations in various sectors and regions are exposed to this threat, particularly those that frequently work with common productivity tools such as PDF readers. The effectiveness of the approach lies in its alignment with user behaviour and expectations rather than in exploiting software vulnerabilities. To defend against this threat, organisations should keep their systems up to date with the latest patches, monitor their networks for suspicious activity, and maintain regular backups. They should also implement robust endpoint protection and be cautious when installing software from unfamiliar sources.
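A defender-side hunt for the persistence and masquerading behaviour described above (Run-key or Startup-folder autostart pointing at a renamed remote-access binary), written as an added example and not taken from the G DATA report. It assumes it runs as a local administrator on the Windows host being checked and that a renamed binary still carries the version metadata its linker embedded; the function names are this example's own.

```powershell
# Added hunt script, not from the G DATA report: audit Run-key and Startup-folder
# autostarts (T1547.001) and flag targets that sit outside normal install roots or
# whose on-disk name disagrees with their embedded version metadata (T1036).
# Assumption: run as local admin on the host under investigation.
$runKeys = 'HKLM:', 'HKCU:' | ForEach-Object {
  "$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "$_\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
}
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
$shell = New-Object -ComObject WScript.Shell   # resolves .lnk files in Startup folders
function Get-AutostartTargets {
  foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
      if ($p.Name -like 'PS*') { continue }            # provider metadata, not a value
      $cmd = [string]$p.Value                           # quoted path or first token
      $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
      [pscustomobject]@{ Source = "$key\$($p.Name)"; Path = [Environment]::ExpandEnvironmentVariables($exe) }
    }
  }
  foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($f in (Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue)) {
      $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
      [pscustomobject]@{ Source = $f.FullName; Path = $target }
    }
  }
}
function Test-AutostartTarget([pscustomobject]$Target) {
  $findings = @()
  if (-not ($Target.Path -and (Test-Path -LiteralPath $Target.Path))) { return $findings }
  if (-not ($trustedRoots | Where-Object { $Target.Path -like "$_\*" })) {
    $findings += 'target outside Program Files / Windows'
  }
  $vi = (Get-Item -LiteralPath $Target.Path).VersionInfo
  $onDisk = [IO.Path]::GetFileName($Target.Path)
  # Masquerading check: a renamed binary keeps the OriginalFilename its linker wrote.
  if ($vi.OriginalFilename -and $vi.OriginalFilename -ne $onDisk) {
    $findings += "name mismatch (OriginalFilename=$($vi.OriginalFilename))"
  }
  if ("$($vi.ProductName) $($vi.FileDescription) $($vi.CompanyName)" -match 'VNC') {
    $findings += 'VNC product metadata'
  }
  return $findings
}
Get-AutostartTargets | ForEach-Object {
  $f = @(Test-AutostartTarget $_)
  if ($f.Count -gt 0) {
    $hash = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash
    '{0}{1}  -> {2}{1}  SHA256 {3}{1}  {4}' -f $_.Source, "`n", $_.Path, $hash, ($f -join '; ')
  }
}
```

Each flagged entry prints its autostart source, resolved target, SHA-256 and the reasons, so the hash can be compared against the indicators in the full report.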
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566 | Phishing | – |
| Execution | T1204.002 | User Execution | Malicious File |
| Defense Evasion | T1218 | System Binary Proxy Execution | – |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1036 | Masquerading | – |
| Defense Evasion | T1027 | Obfuscated Files or Information | – |
| Discovery | T1082 | System Information Discovery | – |
| Lateral Movement | T1021.005 | Remote Services | VNC |
| Command and Control | T1105 | Ingress Tool Transfer | – |
| Collection | T1005 | Data from Local System | – |
REFERENCES:
The following report contains further technical details:
https://blog.gdatasoftware.com/2026/04/38409-fake-foxit-vnc