PDFSIDER malware exploits PDF24 App for backdoor access

A new malware campaign dubbed PDFSIDER has been exploiting the legitimate PDF24 App to breach corporate networks and steal data while providing remote access to attackers, a recent report from cybersecurity firm Resecurity says.

“PDFSIDER is a robust and stealthy backdoor designed for long-term covert access, flexible remote command execution, and encrypted communications - aligning more with espionage tradecraft than financially motivated malware,” the researchers noted.

The PDFSIDER campaign involves targeted spear-phishing emails designed to trick victims into downloading ZIP archives containing what appears to be the real PDF24 Creator, a popular document management tool by Miron Geek Software GmbH.

However, the attackers plant a malicious file named ‘cryptbase.dll’ alongside the legitimate PDF24.exe, abusing a technique called DLL side-loading: when the app runs, it loads the attacker’s library from its own directory instead of the legitimate system library of the same name. The malware then executes in memory, which helps it evade traditional antivirus and endpoint detection systems.
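The side-loading pattern described above (a system-library name such as cryptbase.dll dropped next to an application executable) is something defenders can hunt for across file listings. The following is an added example and not code from the Resecurity report; it takes a list of file paths plus optional per-file hashes, both constructed here, and flags directories outside System32/SysWOW64 where an executable sits beside a DLL that should only exist as a system copy, escalating the verdict when the planted file's hash differs from the real system library.

```python
from pathlib import PureWindowsPath

# Hunting check for the DLL side-loading pattern used by PDFSIDER.
# Added example with constructed sample data; not the report's code.

# DLL names that legitimately live only in the Windows system directories.
# cryptbase.dll is the one named in the campaign; the others are assumed
# additional targets that are commonly sought for side-loading.
SYSTEM_DLLS = {"cryptbase.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")


def _norm(raw):
    """Normalise a Windows path to forward slashes for comparison."""
    return PureWindowsPath(raw).as_posix()


def find_sideload_candidates(paths, hashes=None):
    """Return sorted (exe, dll, verdict) triples. The verdict is
    'hash-mismatch' when a hash for both the planted DLL and the system
    copy is known and they differ, otherwise 'unexpected-copy'."""
    hashes = hashes or {}
    system_hash = {}  # dll name -> hash of the genuine system copy
    by_dir = {}       # directory -> list of (path, lowercase name, raw key)
    for raw in paths:
        p = _norm(raw)
        d, _, name = p.rpartition("/")
        d, name = d.lower() + "/", name.lower()
        if d.startswith(SYSTEM_DIRS):
            if name in SYSTEM_DLLS:
                system_hash[name] = hashes.get(raw)
            continue  # the system copy itself is expected, not a finding
        by_dir.setdefault(d, []).append((p, name, raw))
    findings = []
    for files in by_dir.values():
        exes = [p for p, name, _ in files if name.endswith(".exe")]
        dlls = [f for f in files if f[1] in SYSTEM_DLLS]
        for exe in exes:
            for p, name, raw in dlls:
                h, ref = hashes.get(raw), system_hash.get(name)
                verdict = "hash-mismatch" if h and ref and h != ref else "unexpected-copy"
                findings.append((exe, p, verdict))
    return sorted(findings)


# Constructed sample listing: a real system copy, a planted copy beside a
# downloaded pdf24.exe, and a benign install that ships its own pdf24.dll.
SAMPLE_PATHS = [
    r"C:\Windows\System32\cryptbase.dll",
    r"C:\Users\alice\Downloads\PDF24\pdf24.exe",
    r"C:\Users\alice\Downloads\PDF24\cryptbase.dll",
    r"C:\Program Files\PDF24\pdf24-Creator.exe",
    r"C:\Program Files\PDF24\pdf24.dll",
]
SAMPLE_HASHES = {  # placeholder digests, not real file hashes
    r"C:\Windows\System32\cryptbase.dll": "sha256:SYSTEM-COPY",
    r"C:\Users\alice\Downloads\PDF24\cryptbase.dll": "sha256:PLANTED-COPY",
}

if __name__ == "__main__":
    for exe, dll, verdict in find_sideload_candidates(SAMPLE_PATHS, SAMPLE_HASHES):
        print(f"{verdict}: {dll} beside {exe}")
```

In practice the path list comes from an EDR file inventory or a recursive directory walk, and the hashes from the same source, so the check runs without touching the endpoint again.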

PDFSIDER uses several advanced techniques to remain hidden. It launches without a visible window using the CREATE_NO_WINDOW flag, avoiding detection by the user, and conducts anti-sandbox checks using the system’s RAM to avoid analysis environments. The malware establishes a secure encrypted channel using the Botan 3.0.0 cryptographic library with AES-256-GCM to communicate with its command-and-control (C&C) infrastructure, exfiltrating system data via DNS port 53.

Resecurity classifies PDFSIDER as an Advanced Persistent Threat (APT) based on the use of techniques commonly associated with state-backed threat actors, including stealthy execution, anti-VM checks, and encrypted communications.

The company said it discovered the malware while investigating an incident at a Fortune 100 corporation, in which the threat actor impersonated technical support and used social engineering tactics with QuickAssist in an attempt to gain remote access to the organization’s endpoint.

Furthermore, Resecurity noted that its HUNTER team observed PDFSIDER being actively used by several ransomware groups to deliver payloads.