PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions

A newly identified Windows malware strain called PDFSider has emerged as a dangerous tool in the arsenals of multiple ransomware operators, with at least one confirmed attack targeting a Fortune 100 finance company. Security researchers at Resecurity uncovered the malware during an incident response engagement, describing it as an advanced stealth backdoor designed for long-term persistence and covert operations.

Initial Access Through Social Engineering

The attack chain begins not with technical exploitation, but with human manipulation. Threat actors posed as IT support staff and convinced employees to launch Microsoft Quick Assist, enabling remote access to corporate systems. This social engineering approach demonstrates the continued effectiveness of targeting the human element in the security chain.

DLL Side-Loading: Hiding in Plain Sight

PDFSider employs a sophisticated delivery mechanism known as DLL side-loading. The infection chain involves spearphishing emails containing ZIP archives with two components:

  • A legitimate, digitally signed executable for PDF24 Creator (developed by Miron Geek Software GmbH)
  • A malicious DLL named cryptbase.dll

Because the PDF24 executable resolves cryptbase.dll by name, the Windows loader’s search order finds the attacker’s copy in the application’s own directory before it reaches the genuine system library, so the malicious DLL is loaded instead. This technique allows malicious code to execute under the cover of a trusted, signed program, effectively bypassing security controls that focus on executable signatures rather than on the libraries those executables load.
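As an added defensive example (not Resecurity’s tooling and not part of the original article), the following Python script hunts for the side-loading layout described above: a DLL carrying a Windows system-library name (cryptbase.dll here) that sits outside the Windows system directories next to an executable. The directory tree it scans is constructed inside a temporary folder; the executable name `PDF24Creator.exe`, the `WATCHED_DLLS` list and the severity labels are assumptions for illustration.

```python
"""Hunt for DLL side-loading candidates on a filesystem tree.

A DLL that carries the name of a Windows system library but lives outside
System32/SysWOW64, next to an executable, matches the PDFSider delivery
layout (signed PDF24 binary + attacker-supplied cryptbase.dll).
Added example; paths and file contents below are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# DLL names to hunt for. cryptbase.dll is the name from the PDFSider chain;
# extend the set with other system-library names relevant to your estate.
WATCHED_DLLS = {"cryptbase.dll"}

# Locations where a system DLL legitimately lives (relative to the drive root,
# compared case-insensitively). Everything else is treated as suspicious.
TRUSTED_DIRS = ("windows/system32", "windows/syswow64")


def is_trusted_location(dll: Path, root: Path) -> bool:
    rel = dll.parent.relative_to(root).as_posix().lower()
    return any(rel == t or rel.startswith(t + "/") for t in TRUSTED_DIRS)


def sha256_of(path: Path) -> str:
    """Hash for triage/IoC sharing; streamed so large files don't load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideload_candidates(root: Path, watched=WATCHED_DLLS) -> list[dict]:
    """Walk `root` and report watched DLLs found outside trusted directories.
    A sibling .exe raises severity, because that is the side-loading pattern."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        directory = Path(dirpath)
        by_lower = {name.lower(): name for name in files}
        exes = sorted(name for name in files if name.lower().endswith(".exe"))
        for wanted in watched:
            if wanted not in by_lower:
                continue
            dll = directory / by_lower[wanted]
            if is_trusted_location(dll, root):
                continue
            findings.append({
                "dll": str(dll),
                "sha256": sha256_of(dll),
                "sibling_executables": exes,
                "severity": "high" if exes else "medium",
            })
    return findings


def build_demo_tree(root: Path) -> None:
    """Constructed layout: genuine cryptbase.dll in System32, plus a staged
    PDF24-style side-loading pair in a user's Downloads folder."""
    (root / "Windows/System32").mkdir(parents=True)
    (root / "Windows/System32/cryptbase.dll").write_bytes(b"MZ genuine system library (constructed)")
    staged = root / "Users/alice/Downloads/pdf24"
    staged.mkdir(parents=True)
    (staged / "PDF24Creator.exe").write_bytes(b"MZ signed PDF24 binary (constructed name)")
    (staged / "cryptbase.dll").write_bytes(b"MZ attacker-supplied DLL (constructed)")


def run_demo() -> list[dict]:
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return find_sideload_candidates(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run it against a real drive by calling `find_sideload_candidates(Path("C:/"))`; the System32 copy is skipped and only the staged pair is reported, with its hash ready for blocking or IoC exchange.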

Espionage-Grade Tradecraft

What sets PDFSider apart from typical ransomware tooling is its sophisticated operational security features:

  • Memory-Only Execution: The malware runs primarily in RAM to reduce disk traces, using anonymous pipes to issue commands through CMD
  • Encrypted C2 Communications: PDFSider uses Botan 3.0.0 with AES-256-GCM encryption, decrypting inbound data only in memory
  • DNS Exfiltration: System information is exfiltrated to attacker-controlled VPS through DNS traffic on port 53
  • Anti-Analysis Features: RAM size validation and debugger detection allow the malware to terminate early when sandboxing is suspected
  • AEAD Authentication: Uses GCM mode cryptographic authentication, a technique commonly seen in stealthy remote shell backdoors

Spreading Across Criminal Ecosystems

While Resecurity initially linked PDFSider to Qilin ransomware operations, threat hunting indicates the backdoor is now actively used by multiple ransomware operators. This suggests PDFSider is spreading across criminal ecosystems as a delivery mechanism for follow-on payloads, rather than remaining a niche tool controlled by a single threat actor.

AI-Assisted Vulnerability Discovery

Resecurity warns that AI-assisted coding is making it easier for cybercriminals to identify and exploit vulnerable software at scale. The exploitation of weaknesses in legitimate software like PDF24 for DLL side-loading represents a growing trend where attackers leverage the trust placed in signed applications to bypass endpoint detection and response (EDR) tools.

Indicators of Compromise

Organizations should monitor for:

  • Unusual DNS traffic patterns on port 53
  • PDF24 Creator executables in unexpected locations
  • Modified or suspicious cryptbase.dll files
  • Microsoft Quick Assist sessions initiated without legitimate IT support tickets
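The first indicator, unusual DNS traffic, is the one that needs logic rather than a string match. The script below is an added example (not Resecurity’s detection and not from the article) of a simple heuristic over DNS query logs: one client issuing many distinct, long, high-entropy subdomain labels under a single parent domain, which is the shape DNS-based exfiltration takes. The log format, the `cdn-metrics.example` domain, the client addresses and all thresholds are constructed assumptions.

```python
"""Heuristic detector for DNS-tunnelled exfiltration over query logs.

Groups queries by (client, parent domain) and flags groups where nearly every
query name is unique and the leading label is long and high-entropy, i.e.
looks like an encoded data chunk rather than a hostname.
Added example; log lines, domains and thresholds are constructed.
"""
import math
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <client_ip> <qtype> <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # base32 alphabet


def _encoded_label(i: int) -> str:
    """Constructed stand-in for an encoded data chunk: a rotation of the
    base32 alphabet, so every label is distinct and uses all 32 symbols."""
    i %= len(_ALPHABET)
    return _ALPHABET[i:] + _ALPHABET[:i]


def build_sample_log() -> list[str]:
    """Constructed sample: a normal client plus one client tunnelling data."""
    benign = [f"2024-05-01T09:00:{s:02d}Z 10.0.0.5 A www.example.com" for s in range(4)]
    benign += [f"2024-05-01T09:01:{s:02d}Z 10.0.0.5 A intranet.corp.example" for s in range(4)]
    suspicious = [
        f"2024-05-01T09:02:{s:02d}Z 10.0.0.77 TXT {_encoded_label(s)}.cdn-metrics.example"
        for s in range(12)
    ]
    return benign + suspicious


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score far above real hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Registrable-domain approximation (last two labels); production code
    would consult the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect_dns_exfil(lines, min_queries=8, min_unique_ratio=0.9,
                     min_label_len=24, min_entropy=3.5, min_suspicious_ratio=0.8):
    """Return alerts for (client, domain) groups that look like a tunnel."""
    stats = defaultdict(lambda: {"count": 0, "names": set(), "suspicious": 0})
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than abort the whole batch
        qname = m["qname"].lower()
        entry = stats[(m["src"], parent_domain(qname))]
        entry["count"] += 1
        entry["names"].add(qname)
        first_label = qname.split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            entry["suspicious"] += 1

    alerts = []
    for (src, domain), e in stats.items():
        unique_ratio = len(e["names"]) / e["count"]
        suspicious_ratio = e["suspicious"] / e["count"]
        if (e["count"] >= min_queries and unique_ratio >= min_unique_ratio
                and suspicious_ratio >= min_suspicious_ratio):
            alerts.append({"src": src, "domain": domain, "queries": e["count"],
                           "unique_ratio": round(unique_ratio, 2),
                           "suspicious_ratio": round(suspicious_ratio, 2)})
    return sorted(alerts, key=lambda a: -a["queries"])


if __name__ == "__main__":
    for alert in detect_dns_exfil(build_sample_log()):
        print(alert)
```

The repeated lookups from 10.0.0.5 never trip the unique-name ratio, while the twelve one-off TXT queries from 10.0.0.77 do; tune the thresholds against your own resolver logs, since CDNs and some security products also generate long, one-off labels.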

Recommendations

  • Implement strict controls around remote access tools like Quick Assist
  • Monitor for DLL side-loading attempts, even with signed executables
  • Enhance DNS monitoring and anomaly detection
  • Train employees to verify IT support requests through official channels

Based on Resecurity’s assessment, PDFSider represents espionage-grade tradecraft rather than typical financially motivated ransomware tooling—built to quietly preserve covert access, execute remote commands flexibly, and keep communications protected.

Source: CySecurity News
