
Foxit PDF Reader abuse linked to surge in ValleyRAT intrusions

A wave of cyber-attacks targeting job seekers has been traced to a campaign deploying the remote access trojan ValleyRAT by disguising it as a legitimate installer of Foxit PDF Reader. Security firms report that threat actors are using recruitment-themed emails to trick users into running a tampered version of the PDF reader, which in turn side-loads a malicious dynamic-link library and installs the malware silently.

Analysts monitoring the campaign note that the attackers bundle a renamed Foxit executable inside archive files labelled with job-application language — names such as “OverviewofWorkExpectations.zip” or “CandidateSkillsAssessmentTest.rar” — to draw in job-hungry individuals. Once extracted and launched, the executable loads a rogue msimg32.dll via Windows’ standard DLL search order, triggering the first stage of compromise.

The malicious installer then unpacks a hidden Python environment renamed as zvchost.exe, which executes a base64-encoded loader script downloaded from a command-and-control server. That script installs ValleyRAT, establishes persistence via autorun registry entries, and begins exfiltrating sensitive data, including browser credentials, browsing history and other private information.

Security firm telemetry shows a marked spike in detections of ValleyRAT infections in late October, indicating an escalation of this campaign’s activity. The broadened targeting beyond traditional victims — now including general job seekers and HR-related personnel — points to a strategic shift by cybercriminals to exploit human vulnerability in periods of career uncertainty.

This campaign builds on a known history of exploitation of Foxit Reader. Earlier investigations found that attackers had leveraged flaws in the software’s design — such as misleading pop-ups that default to risky actions — to execute malware including credential stealers and remote-access trojans. However, the ValleyRAT attacks are distinguished by their sophisticated multi-stage attack chain combining social engineering, obfuscation and stealthy side-loading techniques, increasing their odds of bypassing conventional antivirus and sandbox solutions.

Users and organisations are being urged to update Foxit PDF Reader to the latest patched version — builds beyond 2025.2.1 address critical security flaws identified earlier. In addition, experts recommend disabling JavaScript in PDFs, avoiding execution of files from unknown sources, deploying application whitelisting and monitoring for anomalous process execution and registry changes indicative of persistent malware.
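The monitoring advice above (anomalous process execution and registry changes) maps directly onto the chain the article describes: a Foxit-named binary loading msimg32.dll from its own folder, a renamed Python interpreter, and a Run-key entry pointing into a user-writable path. The script below is an added example, not code from the article or from any vendor it cites; it runs three such checks over constructed Sysmon-style events. The event field names (Image, ImageLoaded, OriginalFileName, TargetObject, Details) follow Sysmon's ProcessCreate, ImageLoad and RegistryEvent records, the registry key names and user-writable path hints are assumptions, and every sample path is constructed for illustration.

```python
"""Hunt-style checks for the ValleyRAT/Foxit side-loading chain.

Added example: event shapes mimic Sysmon fields; all sample values are
constructed and are not indicators published with the article.
"""
import ntpath
from typing import Callable, Dict, List

# Directories from which the legitimate msimg32.dll is expected to load
# (assumption: a standard 64-bit Windows installation).
TRUSTED_DLL_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Path fragments that indicate user-writable locations (assumption).
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Autorun value locations; the article only says "autorun registry entries",
# so the concrete Run/RunOnce keys are an assumption.
AUTORUN_KEYS = (
    "\\microsoft\\windows\\currentversion\\run\\",
    "\\microsoft\\windows\\currentversion\\runonce\\",
)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case/separator-insensitive."""
    return path.replace("/", "\\").lower()


def check_image_load(event: Dict[str, str]) -> List[str]:
    """ImageLoad: msimg32.dll resolved outside a system directory is the
    DLL search-order side-load the article describes."""
    image = _norm(event["Image"])
    dll_dir, dll_name = ntpath.split(_norm(event["ImageLoaded"]))
    if dll_name == "msimg32.dll" and dll_dir not in TRUSTED_DLL_DIRS:
        return [f"side-load: {image} loaded msimg32.dll from {dll_dir}"]
    return []


def check_process_create(event: Dict[str, str]) -> List[str]:
    """ProcessCreate: a Python interpreter renamed to zvchost.exe still carries
    python.exe in its version resource, so the on-disk name and Sysmon's
    OriginalFileName disagree. This generalises to any renamed binary and is
    a hunting heuristic, not a verdict: some legitimate software also mismatches."""
    image = _norm(event["Image"])
    original = _norm(event.get("OriginalFileName", ""))
    if original not in ("", "-", "?") and original != ntpath.basename(image):
        return [f"renamed binary: {image} has OriginalFileName {original}"]
    return []


def check_registry_set(event: Dict[str, str]) -> List[str]:
    """RegistryEvent (value set): a Run/RunOnce value whose data points into a
    user-writable location matches the persistence behaviour attributed to ValleyRAT."""
    target = _norm(event["TargetObject"])
    details = _norm(event.get("Details", ""))
    if any(k in target for k in AUTORUN_KEYS) and any(h in details for h in USER_WRITABLE_HINTS):
        return [f"autorun persistence: {target} -> {details}"]
    return []


CHECKS: Dict[str, Callable[[Dict[str, str]], List[str]]] = {
    "ImageLoad": check_image_load,
    "ProcessCreate": check_process_create,
    "RegistryValueSet": check_registry_set,
}


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Apply the matching check to each event and collect findings."""
    findings: List[str] = []
    for ev in events:
        handler = CHECKS.get(ev.get("EventType", ""))
        if handler:
            findings.extend(handler(ev))
    return findings


# Constructed sample telemetry: three benign events and three matching the chain.
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad",
     "Image": r"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"EventType": "ImageLoad",
     "Image": r"C:\Users\alice\Downloads\OverviewofWorkExpectations\CandidateAssessment.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\OverviewofWorkExpectations\msimg32.dll"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\alice\AppData\Local\Temp\zvchost.exe",
     "OriginalFileName": "python.exe"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\zvchost.exe -c loader"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Each check is deliberately narrow so that a single hit is a lead rather than an alert; the combination of a side-loaded msimg32.dll, a renamed interpreter and a Run-key write from the same user session within minutes is what turns the three weak signals into the pattern the article describes.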

Awareness training for job applicants and HR personnel is also being emphasised, particularly around the risk posed by unsolicited job-offer attachments disguised as legitimate documents. The confluence of technical sophistication and psychological manipulation in these attacks underscores the evolving challenge for cybersecurity defences.