New ‘PDFSider’ Malware Used to Breach Fortune 100 Firm’s Network

The420.in Staff

Cybersecurity researchers have uncovered a previously undocumented Windows malware strain, dubbed PDFSider, that was deployed during a targeted intrusion against a Fortune 100 company in the financial services sector, highlighting a growing shift towards stealth-focused malware capable of maintaining long-term covert access inside corporate networks.

The malware was identified during an incident response investigation by cybersecurity firm Resecurity, which described PDFSider as a highly evasive backdoor exhibiting characteristics commonly associated with advanced persistent threat (APT) tradecraft, rather than conventional financially motivated ransomware tooling.

According to the findings, attackers relied heavily on social engineering tactics, impersonating technical support personnel to persuade employees to install Microsoft’s Quick Assist remote access tool. Once initial access was established, the attackers deployed PDFSider to maintain persistence and enable encrypted remote command execution.

Abuse of legitimate software

PDFSider is primarily delivered via spear-phishing emails containing ZIP archives. These archives include a legitimate, digitally signed executable belonging to PDF24 Creator, a widely used PDF utility developed by Germany-based Miron Geek Software GmbH. Alongside the genuine executable, attackers bundle a malicious dynamic-link library (DLL) named cryptbase.dll.

When the signed executable is launched, it inadvertently loads the malicious DLL — a technique known as DLL side-loading — allowing attackers to execute arbitrary code while bypassing many endpoint detection and response (EDR) solutions that trust signed binaries.

Resecurity researchers noted that while the executable’s digital signature remains valid, vulnerabilities within the PDF24 application allow attackers to exploit the loading process to introduce malicious components without raising immediate alarms.

In some observed campaigns, attackers further enhanced credibility by attaching decoy documents tailored to specific targets. One such lure impersonated content authored by a Chinese government entity, suggesting reconnaissance-driven targeting rather than indiscriminate distribution.

Memory-resident and encrypted operations

Once executed, PDFSider operates largely in memory, leaving minimal forensic traces on disk. The malware assigns a unique identifier to each infected host, collects system information, and exfiltrates data to attacker-controlled infrastructure using DNS traffic over port 53, a channel commonly allowed through corporate firewalls.

To secure command-and-control communications, PDFSider leverages the Botan 3.0.0 cryptographic library, implementing AES-256-GCM encryption with authenticated encryption (AEAD). Incoming commands are decrypted directly in memory, significantly reducing opportunities for detection.

Security analysts noted that this level of cryptographic hygiene is typically seen in targeted remote shell malware, where preserving the confidentiality and integrity of communications is essential.

Anti-analysis and evasion techniques

The malware also incorporates several anti-analysis mechanisms, including checks for system RAM size and active debuggers, enabling it to terminate execution if it detects signs of sandboxing or automated malware analysis environments.

Resecurity confirmed that PDFSider has been observed in incidents linked to Qilin ransomware operations, but warned that the backdoor is already being actively adopted by multiple ransomware actors as a payload delivery mechanism.

Shift toward espionage-grade tooling

Based on its design and operational behavior, researchers assess that PDFSider is closer to espionage-grade malware than traditional ransomware loaders. Its emphasis on stealth, encrypted communications, and long-term persistence suggests it is built to quietly maintain access within high-value enterprise environments.

Cybersecurity experts warn that the increasing availability of AI-assisted coding tools is making it easier for threat actors to identify and weaponise vulnerabilities in legitimate software, accelerating the development of sophisticated malware that blends seamlessly into trusted enterprise ecosystems.

The incident underscores the need for organisations to go beyond signature-based security controls, strengthening user awareness training, restricting the use of remote access tools, and closely monitoring abnormal DLL loading behaviour within trusted applications.
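The side-loading mechanism described under "Abuse of legitimate software" and the closing recommendation to monitor abnormal DLL loading in trusted applications can both be checked with the same heuristic, shown here as an added example (not code from the article or from Resecurity): a DLL name that Windows normally resolves from the system directory, such as cryptbase.dll, being loaded from the directory the executable was launched from. The Sysmon-style log lines, the file paths and the pdf24.exe filename are constructed assumptions.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (Image Loaded) records.

A valid signature on the host process says nothing about the DLL it pulls in,
so the useful signal is the load path: a system DLL name resolved from a
user-writable directory next to the executable rather than from System32.
"""
import ntpath

# cryptbase.dll is the DLL name reported in the PDFSider campaign; the other
# two are assumed examples of DLLs that should only load from the system dirs.
SYSTEM_DLLS = {"cryptbase.dll", "version.dll", "dbghelp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample records (not real telemetry); paths and pdf24.exe are hypothetical.
# Layout is a simplified stand-in for Sysmon's Image / ImageLoaded / Signed fields.
SAMPLE_EVENTS = r"""
Image: C:\Users\alice\Downloads\invoice\pdf24.exe | ImageLoaded: C:\Users\alice\Downloads\invoice\cryptbase.dll | Signed: false
Image: C:\Program Files\PDF24\pdf24.exe | ImageLoaded: C:\Windows\System32\cryptbase.dll | Signed: true
Image: C:\Windows\System32\notepad.exe | ImageLoaded: C:\Windows\System32\version.dll | Signed: true
Image: C:\Users\alice\Downloads\tool\tool.exe | ImageLoaded: C:\Users\alice\Downloads\tool\helper.dll | Signed: false
"""


def parse_event(line):
    """Parse one 'Key: value | Key: value' record into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def is_sideload_candidate(event):
    """True when a system-named DLL is loaded from outside the Windows system directories."""
    dll = event["ImageLoaded"]
    if ntpath.basename(dll).lower() not in SYSTEM_DLLS:
        return False
    # Trailing separator prevents 'system32evil' from matching 'system32'.
    directory = ntpath.dirname(dll).lower() + "\\"
    return not directory.startswith(SYSTEM_DIRS)


def find_sideloads(log_text):
    """Return (process, dll) pairs for records that look like DLL side-loading."""
    hits = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        if is_sideload_candidate(event):
            hits.append((event["Image"], event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for process, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"side-load candidate: {process} loaded {dll}")
```

Only the first constructed record is flagged: the same DLL name loaded from System32 by the same product is treated as normal, which is the distinction a signature-only control misses.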

About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
