PULSE NAME
Foxit Impersonation: Fake PDF Installer Deploys VNC
WHITE AlienVault 2026-04-23 Modified: 2026-04-23
11 IOCs
MEDIUM VOLUME
Attackers are leveraging the trusted reputation of Foxit PDF Reader, used by over 650 million people, to distribute malicious installers disguised as legitimate software. Rather than exploiting vulnerabilities, threat actors impersonate the vendor through fake installers with document-themed filenames that bypass user suspicion. When executed, these files display decoy passport images while downloading malicious MSI packages that deploy UltraVNC remote access tools disguised as GPU drivers. The attack establishes persistence through registry modifications and firewall exceptions, connecting to attacker-controlled infrastructure for complete remote system control. Telemetry indicates broad distribution across Germany, the United States, the United Kingdom, and Ukraine. This campaign demonstrates how brand impersonation combined with social engineering proves more effective than technical exploits, relying on user trust and behavioral patterns rather than software vulnerabilities.
Indicators of Compromise (11)