VYPR
research · Published Dec 3, 2025 · Updated May 20, 2026 · 1 source

PureRAT Campaign Targets Job Seekers via Foxit PDF Reader DLL Side-Loading

A PureRAT campaign is targeting job seekers with email lures that weaponize Foxit PDF Reader for DLL side-loading, enabling credential theft and system compromise.

A new PureRAT campaign is actively targeting job seekers through email-based lures, using a weaponized Foxit PDF Reader installer to perform DLL side-loading and gain initial access to victims' systems. Trend Micro researchers detailed the infection chain in a report published December 3, 2025, noting that the campaign exploits the trust job seekers place in emails that appear to come from potential employers. The attackers send archive files with names like `Overview_of_Work_Expectations.zip` or `Candidate_Skills_Assessment_Test.rar`, which contain a renamed FoxitPDFReader.exe disguised as a recruitment document.

When the victim executes the file—often named something like `Compensation_Benefits_Commission.exe` and bearing the Foxit logo as its icon—the legitimate Foxit PDF Reader installer loads a malicious `msimg32.dll` from the same directory. This DLL side-loading technique exploits Windows' DLL search order to silently execute the PureRAT remote access trojan in the background while the user sees a decoy PDF displaying job details and salary information. The decoy document is likely copied from legitimate job boards to further the deception.
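A detection check for the load pattern described above, added here as an example and not taken from the Trend Micro report or this page: it flags `msimg32.dll` whenever it is loaded from somewhere other than the Windows system directories, with a stronger verdict when the DLL sits in the loading process's own directory. The `Image`/`ImageLoaded` field names follow Sysmon image-load events, and all sample events are constructed.

```python
import ntpath

# Directories where a legitimate msimg32.dll is expected to live (lower-cased for comparison)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# DLLs whose name the campaign abuses; extend with other known side-load targets as needed
WATCHED_DLLS = ("msimg32.dll",)

# Constructed sample events, Sysmon Event ID 7 style (hypothetical paths, not real IoCs)
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\Overview_of_Work_Expectations\Compensation_Benefits_Commission.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Overview_of_Work_Expectations\msimg32.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\helper.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\msimg32.dll", "Signed": "false"},
]


def classify(event):
    """Return a verdict string for a watched DLL loaded outside the system
    directories, or None when the load looks normal."""
    dll_name = ntpath.basename(event["ImageLoaded"]).lower()
    if dll_name not in WATCHED_DLLS:
        return None
    loaded_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    if loaded_dir.startswith(SYSTEM_DIRS):
        return None  # resolved to the real system copy: expected search-order outcome
    process_dir = ntpath.dirname(event["Image"]).lower()
    if loaded_dir == process_dir:
        # Same-directory load is the classic side-load signal the campaign relies on
        return "side-load: %s loaded from the process directory" % dll_name
    return "suspicious: %s loaded outside the system directories" % dll_name


def scan(events):
    """Run classify() over a list of image-load events and keep the hits."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict:
            hits.append((event["Image"], verdict))
    return hits


if __name__ == "__main__":
    for image, verdict in scan(SAMPLE_EVENTS):
        print(image, "->", verdict)
```

Pair this with the process-creation event for the same image: an executable launched from an extracted archive under Downloads or Temp that then side-loads `msimg32.dll` is a much tighter signal than either event alone.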

PureRAT is a remote access trojan that gives attackers full control over the compromised system, enabling them to monitor activity, steal credentials, and exfiltrate sensitive data. The infection chain involves multiple stages: after the initial DLL side-loading, a batch file (`document.bat`) extracts and executes additional payloads using .NET reflection loading, with the components hidden in deeply nested directory structures to evade detection. The campaign also targets human resources professionals, such as recruiters and sourcing specialists, who may receive similar lures.

Trend Micro researchers observed that the emotional strain of job searching can reduce caution, making victims more likely to download attachments quickly and overlook warning signs. The attackers deliberately craft archive filenames to mimic legitimate HR documents, exploiting the sense of urgency among job seekers. The campaign is ongoing, and Trend Micro has provided indicators of compromise (IoCs) for detection.

Trend Vision One detects and blocks the IoCs associated with this campaign. Trend Micro customers can access tailored hunting queries, threat insights, and intelligence reports to defend against this threat. Users are advised to verify email attachments, avoid opening unexpected executables, and keep software updated. The campaign highlights the continued evolution of social engineering tactics, blending trusted software like Foxit PDF Reader with classic DLL side-loading to bypass security defenses.

Synthesized by Vypr AI