Fake Document, Real Access: Foxit Impersonation Enables Stealth VNC Control
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Threat actors are distributing malicious executables that appear to be legitimate Foxit PDF installers. The bogus installer retrieves a harmful MSI package that places UltraVNC components inside a fake GPU-themed directory and maintains persistence through a Run registry key. Once installed, the malware sets up a concealed VNC server that initiates outbound connections to a malicious domain, giving attackers stealthy remote access to the compromised system.
Investigation
The investigation uncovered fake files such as datei.exe and personalfoxypdf.msi, which downloaded and installed UltraVNC into C:\intel-GPU. A batch script then enumerated network profile GUIDs, created firewall exceptions, wrote a unique identifier to IDD.txt, and added a Run registry entry to launch gpu.exe with parameters that connected to hallonews.servemp3.com:5500. Researchers also observed the malware forcibly terminating rundll32.exe and displaying a decoy passport image to distract the victim.
Mitigation
Organizations should enforce application allow-listing, validate installer code signatures before execution, block untrusted MSI files, and monitor for Run registry entries that point to unknown executables. Outbound traffic to suspicious domains should also be restricted. User awareness remains essential, especially around the risks of launching unexpected installers disguised as trusted software.
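A hunting script for the Run-key and on-disk indicators called out in the Investigation and Mitigation sections, added here as an example and not part of the original report; the indicator values come from the report, while the trusted-directory list, the Get-ImagePath helper and the $indicatorPattern regex are this example's own assumptions.

```powershell
# Added hunting example (not from the original write-up): reviews Run keys for
# autostart entries that match the indicators in this report, launch from a
# non-standard directory, or point to an unsigned/missing executable.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption: autorun executables are normally expected under these roots.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
# Indicators taken directly from the investigation section (pattern is an assumption).
$indicatorPattern = 'intel-GPU|gpu\.exe|hallonews\.servemp3\.com|:5500\b'

function Get-ImagePath([string]$command) {
    # Pull the executable out of a Run value, which may be quoted and carry arguments.
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+', 2)[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata members
        $cmd = [string]$p.Value
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $cmd))
        $reasons = @()
        if ($cmd -match $indicatorPattern) { $reasons += 'matches report indicators' }
        $inTrusted = $trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $inTrusted) { $reasons += 'runs from a non-standard directory' }
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
        } else { $reasons += 'target file missing' }
        if ($reasons) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Reasons = ($reasons -join '; ') }
        }
    }
}
# Also check for the staging directory and the host identifier file named in the report.
foreach ($f in 'C:\intel-GPU', 'C:\intel-GPU\IDD.txt') {
    if (Test-Path -LiteralPath $f) { Write-Warning "Indicator present on disk: $f" }
}
$findings | Format-Table -AutoSize
```

Entries flagged only for a non-standard directory or a non-Valid signature status need triage against the environment's known software; a match on the report indicators is the high-confidence signal.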
Response
If this activity is detected, isolate the affected endpoint immediately, terminate the UltraVNC process, remove the C:\intel-GPU directory, and delete the malicious Run registry entry. Reset any potentially exposed credentials, conduct a full forensic investigation, and update detection rules to cover the identified indicators of compromise.
Attack Flow
Detections
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via cmdline)
- Possible Remote MSI File Installation Attempt (via cmdline)
- IOCs (HashSha256) to detect: Fake Document, Real Access: Foxit Impersonation Enables Stealth VNC Control
- Remote VNC Control via Foxit Impersonation [Windows Network Connection]
- Remote Connection Establishment via EbiClient Command Execution [Windows Process Creation]
- Stealth VNC Control via Foxit Impersonation [Windows File Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Attack Narrative & Commands
- Create the hidden "intel-GPU" directory to mimic a legitimate GPU vendor path.
- Drop malicious payloads (gpu.exe, UltraVNC.ini, etc.) into that directory. The executable is a copy of the UltraVNC server binary renamed for camouflage.
- Deploy a batch script (gpu.cmd) that:
  - Adds a firewall rule allowing inbound VNC (port 5900).
  - Registers the VNC service for persistence via sc create.
  - Writes minimal configuration to UltraVNC.ini.
- Execute the batch script using cmd.exe (Signed Binary Proxy Execution).
These steps generate the exact file-creation events listed in the detection rule, plus ancillary process-creation and firewall-rule events that can be used for enrichment.
Regression Test Script
# -------------------------------------------------
# Stealth VNC Control Simulation – PowerShell
# Run from an elevated session: netsh and sc create need admin rights.
# -------------------------------------------------
# 1. Prepare hidden directory
$targetDir = Join-Path $env:ProgramData "intel-GPU"
if (-Not (Test-Path $targetDir)) {
    New-Item -Path $targetDir -ItemType Directory -Force | Out-Null
    # Hide the folder (optional)
    attrib +h $targetDir
}
# 2. Drop fake GPU files (these are benign placeholders for the demo)
$files = @("gpu.txt","gpu.exe","gpu.cmd","UltraVNC.ini","IDD.txt")
foreach ($f in $files) {
    $path = Join-Path $targetDir $f
    Set-Content -Path $path -Value "Placeholder for $f" -Encoding ASCII -Force
}
# 3. Write a minimal UltraVNC.ini (real config would be more extensive)
@"
[VNC]
Password=redteam
"@ | Set-Content -Path (Join-Path $targetDir "UltraVNC.ini") -Encoding ASCII -Force
# 4. Create a batch script that adds a firewall rule and registers the service
#    ($targetDir is expanded inside the double-quoted here-string, so the batch
#    file contains the full path)
$batchPath = Join-Path $targetDir "gpu.cmd"
@"
@echo off
rem Add firewall rule for VNC (port 5900)
netsh advfirewall firewall add rule name="UltraVNC" dir=in action=allow protocol=TCP localport=5900
rem Register UltraVNC service (using the renamed exe; sc requires the space after binPath= and start=)
sc create UltraVNC binPath= "$targetDir\gpu.exe" start= auto
"@ | Set-Content -Path $batchPath -Encoding ASCII -Force
# 5. Execute the batch script via cmd.exe (signed binary proxy)
Start-Process -FilePath "cmd.exe" -ArgumentList "/c `"$batchPath`"" -WindowStyle Hidden -Wait
Write-Host "Stealth VNC simulation completed."
Cleanup Commands
# -------------------------------------------------
# Cleanup Stealth VNC Artifacts (run from an elevated session)
# -------------------------------------------------
$targetDir = Join-Path $env:ProgramData "intel-GPU"
# Remove firewall rule
netsh advfirewall firewall delete rule name="UltraVNC" > $null 2>&1
# Delete the service (call sc.exe explicitly: in Windows PowerShell, sc is an alias for Set-Content)
sc.exe stop UltraVNC > $null 2>&1
sc.exe delete UltraVNC > $null 2>&1
# Remove the directory and all files
if (Test-Path $targetDir) {
    Remove-Item -Path $targetDir -Recurse -Force
}
Write-Host "Cleanup complete."