Foxit Impersonation Attack Chain Overview | Image: G DATA
A recent report from G DATA highlights a sophisticated campaign targeting users of Foxit Software, a popular and lightweight PDF reader with over 650 million users.
The report warns that Foxit’s solid reputation is exactly what makes it a prime target. As the researcher notes, “The more familiar the software, the easier it is to convince someone that what they are downloading is safe. Instead of exploiting a vulnerability in Foxit, the attacker does something simpler: They pretend to be Foxit”.
The attack begins with a classic social engineering trick. Attackers distribute files with names like Datei.exe, 1.exe, or Document09.10.2025.exe. These names are designed to look like standard documents rather than software installers.
When a victim executes one of these files, they are met with a clever decoy. A digital image of a Danish passport briefly appears on the screen. While the user thinks they have simply opened a legitimate document, the malicious executable is already busy in the background.
The “installer” doesn’t actually install a PDF reader. Instead, it downloads an MSI package that silently deploys a remote-access tool called UltraVNC. To evade detection, the attacker hides these components in a folder named C:\intel-GPU\, disguising them as harmless graphics drivers.
The attack chain utilizes several specialized files to gain total control:
- gpu.txt: A batch script that creates firewall exceptions, allowing the malware to communicate with the attacker’s server.
- SilentRun.vbs: A script used to launch the malware invisibly.
- gpu.cmd: This script establishes “persistence,” ensuring the malware restarts every time the computer boots up.
- gpu.exe: The core VNC client that transforms the victim’s computer into a remotely controllable host.
Once the hidden UltraVNC server is active, the attacker gains full remote-access capabilities. They can monitor the user’s desktop in real-time, control the mouse and keyboard, and exfiltrate sensitive files—all without the user’s knowledge.
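A small triage script, added here as an illustration and not taken from the G DATA report, that checks constructed Sysmon-style telemetry records for the indicators described above: document-looking .exe names, the C:\intel-GPU\ staging folder, the four staged files, and a firewall exception for the staged binary. It assumes the exception is added with netsh, which the report does not state; it only says gpu.txt creates firewall exceptions.

```python
import ntpath
import re
from typing import Dict, List

# Indicators taken from the G DATA write-up summarised above
STAGING_DIR = r"c:\intel-gpu"
STAGED_FILES = {"gpu.txt", "silentrun.vbs", "gpu.cmd", "gpu.exe"}
# Lure names seen in the campaign: Datei.exe, 1.exe, Document09.10.2025.exe
DOC_LIKE_EXE = re.compile(r"^(datei|document)?\d*(\.\d+)*\.exe$", re.I)


def _staged(path: str) -> bool:
    """True when a Windows path sits under C:\\intel-GPU\\ (case-insensitive)."""
    return ntpath.normpath(path).lower().startswith(STAGING_DIR + "\\")


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the campaign indicators matched by one telemetry record."""
    hits: List[str] = []
    image = event.get("image", "")
    target = event.get("target", "")
    cmd = event.get("cmdline", "").lower()
    if event["type"] == "process_create" and DOC_LIKE_EXE.match(ntpath.basename(image)):
        hits.append("document-looking executable name")
    if _staged(image) or _staged(target):
        hits.append("activity under C:\\intel-GPU\\")
    if ntpath.basename(target).lower() in STAGED_FILES:
        hits.append(f"known staged file {ntpath.basename(target).lower()}")
    # Assumption: the exception is added via netsh; the report only says one is created
    if "netsh" in cmd and "advfirewall" in cmd and "add rule" in cmd and "intel-gpu" in cmd:
        hits.append("firewall exception for staged binary")
    if "silentrun.vbs" in cmd:
        hits.append("hidden launch via SilentRun.vbs")
    return hits


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each event id to its matched indicators; events with no hits are dropped."""
    return {e["id"]: h for e in events if (h := triage_event(e))}


# Constructed sample telemetry (not real G DATA data); field names mimic Sysmon
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process_create", "image": r"C:\Users\u\Downloads\Document09.10.2025.exe"},
    {"id": "e2", "type": "file_create", "image": r"C:\Windows\System32\msiexec.exe", "target": r"C:\intel-GPU\gpu.exe"},
    {"id": "e3", "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c netsh advfirewall firewall add rule name="intel" dir=in action=allow program="C:\intel-GPU\gpu.exe"'},
    {"id": "e4", "type": "process_create", "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript C:\intel-GPU\SilentRun.vbs"},
    {"id": "e5", "type": "process_create", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

Benign e5 produces no hit, so only the four campaign-shaped records are reported.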
Telemetry data shows that this isn’t an isolated threat. Detections have popped up in Germany, the United States, the United Kingdom, and Ukraine, suggesting a broadly distributed global campaign.
The G DATA report concludes with a sobering reminder for both junior system administrators and seasoned CISOs: “The effectiveness of this approach lies not in technical sophistication, but in familiarity. Users trust what they recognize”.