On the DNS Trail of the Foxit PDF Bug Exploitation Attackers

Check Point Research flagged a Foxit PDF Reader vulnerability being exploited to trigger security warnings that may mislead users into running harmful commands. WhoisXML API expanded the IoCs trail, revealing a large network of domains and IPs linked to phishing and malware activities. #FoxitPDFReader #Phishing

Keypoints

  • The Foxit PDF Reader vulnerability can deceive users into executing harmful commands when security warnings are triggered.
  • WhoisXML API expanded the public IoCs list by analyzing eight domains and one IP, uncovering 55 registrant-connected domains (two malicious), one email-connected domain, eight additional IPs (six malicious), and 44 string-connected domains.
  • Phishing-related activity was identified, with two registrant-connected domains (contracsupport.click and facebook-helper.click) explicitly associated with phishing.
  • Brand impersonation appeared in registrant-connected domains (e.g., facebook-helper.click for Facebook; grammasly.com/grammasly.xyz for Grammarly; metabusiness.mom for Meta).
  • DNS lookups linked IoCs to eight IP addresses; example threats included generic malware and phishing (e.g., 104.21.36.187; 172.67.134.54).
  • Threat actors used old and new domains (2018–2024) and spread artifacts across multiple countries and ISPs, with Cloudflare serving as a major ISP for several IPs.
  • In total, 108 potentially connected digital properties were identified (55 registrant-connected domains, 1 email-connected domain, 8 additional IPs, 44 string-connected domains), with eight artifacts tied to C2, malware distribution, and phishing.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – The bug triggers security warnings that may deceive unsuspecting users into executing harmful commands. ‘The bug triggers security warnings that may deceive unsuspecting users into executing harmful commands.’
  • [T1566.002] Phishing – Two registrant-connected domains were associated with phishing. ‘two—contracsupport[.]click and facebook-helper[.]click—were associated with phishing.’

Indicators of Compromise

  • [Domain] domain names – omagle-chat-secure[.]com, facebook-helper[.]click (examples of registrant-connected and phishing-related domains)
  • [IP] IP addresses – 104[.]21[.]36[.]187, 172[.]67[.]134[.]54 (threats including generic malware and phishing)
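The defanged indicators listed above are only useful once they are refanged and matched against telemetry. The Python script below is an added example, not code from the original post, CircleID or WhoisXML API: it refangs the published domains and IPs, builds a lookup set, and scans DNS query log lines, matching domains on label boundaries so a look-alike such as notfacebook-helper.click does not raise a false positive. The log format (timestamp, client IP, query name, record type, answer), the client addresses and the non-IoC domains in the sample are constructed for the example.

```python
import ipaddress
import re
from typing import NamedTuple

# Defanged indicators as they appear in the summary above (page values).
PUBLISHED_IOCS = [
    "omagle-chat-secure[.]com",
    "facebook-helper[.]click",
    "contracsupport[.]click",
    "104[.]21[.]36[.]187",
    "172[.]67[.]134[.]54",
]


def refang(indicator: str) -> str:
    """Undo common defanging ([.], (.) and hxxp) so the value can be matched."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.lower().rstrip(".")


def classify(indicator: str) -> str:
    """Return 'ip' for a valid IPv4/IPv6 address, otherwise 'domain'."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"


class IocSet(NamedTuple):
    domains: frozenset
    ips: frozenset


def build_ioc_set(defanged):
    """Refang and split a published IoC list into domain and IP lookups."""
    clean = [refang(i) for i in defanged]
    return IocSet(
        domains=frozenset(i for i in clean if classify(i) == "domain"),
        ips=frozenset(i for i in clean if classify(i) == "ip"),
    )


def domain_matches(qname, domains):
    """Match on label boundaries: the IoC itself or any subdomain of it.

    A plain substring test would also flag look-alikes such as
    notfacebook-helper.click, so the suffix check requires a leading dot.
    """
    q = qname.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed DNS query log (assumed format: ts client qname rtype answer).
SAMPLE_DNS_LOG = """\
2024-06-13T10:01:02Z 10.0.0.5 www.example.com A 93.184.216.34
2024-06-13T10:02:11Z 10.0.0.7 facebook-helper.click A 104.21.36.187
2024-06-13T10:03:45Z 10.0.0.9 cdn.facebook-helper.click A 172.67.134.54
2024-06-13T10:04:00Z 10.0.0.5 grammarly.com A 198.51.100.20
2024-06-13T10:05:30Z 10.0.0.11 login.notfacebook-helper.click A 203.0.113.9
"""


def scan_dns_log(log_text, iocs):
    """Return (client, qname, kind, matched_ioc) for every IoC hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        _ts, client, qname, _rtype, answer = parts[:5]
        d = domain_matches(qname, iocs.domains)
        if d:
            hits.append((client, qname, "domain", d))
        # Resolved answers are checked too: a fresh, unlisted domain pointing
        # at a known-bad IP is still worth an alert.
        if answer.lower() in iocs.ips:
            hits.append((client, qname, "ip", answer))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, build_ioc_set(PUBLISHED_IOCS)):
        print("ALERT client=%s qname=%s %s=%s" % hit)
```

On the sample log this yields four hits from two clients (10.0.0.7 and 10.0.0.9), while the look-alike query from 10.0.0.11 is left alone. Since the summary notes that Cloudflare fronts several of the listed IPs, treat an IP-only match on such shared infrastructure as lower confidence than a domain match and corroborate it before escalating.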

Read more: https://circleid.com/posts/20240613-on-the-dns-trail-of-the-foxit-pdf-bug-exploitation-attackers