Foxit Reader Design Allows 2-Click Virus Infection

The Check Point Research Team discovered a new exploit named Explite, targeting users of Foxit Reader. This exploit takes advantage of inattentive users to execute harmful code.

Attackers are actively using this exploit, which exploits flaws in the Foxit Reader warning system. When a user opens a malicious PDF file, a security warning is displayed. If the user clicks “Trust once” twice without reading the warning, the exploit downloads and runs malicious code from a remote server.

The infection process follows this pattern:

  • Upon opening the file, the first pop-up window appears with the default option “Trust once”;
  • After clicking OK, a second window warning about the infection risk appears;
  • The victim allows the file to open without reading the warning message.

Attackers leverage this behavior to manipulate users into selecting the most harmful default option.

Researchers warn that successful infections and low detection rates allow malicious PDF files to be spread through non-standard means, such as Facebook*, to evade detection. The exploit is used in various cyber activities, from espionage campaigns to cyber intrusions involving complex attack chains.

In one instance, the APT-C-35 group (Donot Team) conducted hybrid campaigns targeting both Windows and Android devices, enabling them to bypass two-factor authentication (2FA). Various cybercriminals have also used the exploit to distribute well-known strains of malware like Venomrat, Agent Tesla, and Remcos.

In a particular campaign, Check Point specialists traced links spread via Facebook that led to a lengthy attack chain involving the installation of an infostealer and two cryptocurrency miners. In another case, an attacker identified as @silentkillertv utilized two related PDF files, one of which was hosted on the legitimate website Trello.com.

Researchers obtained several tools used by hackers to create malicious PDF files. Most of these files employed PowerShell commands to download malicious code from remote servers, though some used alternative commands.

The exploit is classified as a form of phishing or social engineering by researchers, targeting Foxit Reader users by manipulating their behavior and exploiting their tendency to click “OK” without understanding the risks.

Foxit Reader acknowledged the issue and informed Check Point that it will be addressed in version 2024 3. In the meantime, users are advised to exercise caution when opening PDF files from

/Reports, release notes, official announcements.