Hackers are leveraging a vulnerability in Foxit PDF Reader to distribute various malware, including Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm, by deceiving users into executing harmful commands. The flaw, used by multiple actors for e-crime or espionage purposes, involves displaying 'OK' as the default option to trust a document, leading to the execution of malicious payloads hosted on Discord's CDN. Attacks linked to groups like DoNot Team have been observed using this exploit, along with tactics like weaponizing PDFs to drop malware such as stealers and cryptocurrency miners through platforms like Facebook, GitLab, and Trello. Researchers have identified PDF builder services like Avict Softwares, as well as the continued abuse of legitimate websites by threat actors to avoid detection. A fix for the issue is anticipated in the upcoming Foxit PDF Reader version.

Multiple threat actors exploit a design flaw in Foxit PDF Reader to deliver diverse malware