A ransomware group attempted to compromise the network of a Fortune 100 company in the financial sector using a new malware variant known as PDFSider, designed to deliver malicious payloads on Windows systems.
To gain initial access, they used social engineering, posing as tech support and talking employees into launching Microsoft Quick Assist, the legitimate remote-assistance tool built into Windows, which hands the caller a remote session on the victim's machine.
The malware was identified during a security incident response and is described as a highly stealthy backdoor, intended to maintain long-term persistent access. Its behavior and communication methods exhibit typical characteristics of advanced threats, similar to those used in targeted APT-style attacks.
At TecnetOne, we closely monitor these types of threats because they reflect a clear trend: increasingly targeted, hard-to-detect attacks using techniques associated with advanced threats, making continuous monitoring and a proactive security strategy essential.
According to information shared by security researchers, PDFSider has already been used in intrusions by ransomware operations such as Qilin, and it is not an isolated case: several ransomware groups are reportedly leveraging this backdoor to deploy their own payloads, confirming that it is an active and expanding tool within the criminal ecosystem.
PDFSider is distributed through phishing emails carrying a ZIP archive. Inside is a legitimate, digitally signed executable from the PDF24 Creator tool, which lends the package credibility and helps it pass signature-based checks. Next to it sits a malicious DLL named cryptbase.dll, the same name as a Windows system library that the program loads at start-up.
When the executable runs, Windows resolves that DLL by search order, and the application's own directory is searched before System32, so the attacker's cryptbase.dll is loaded instead of the genuine one. This technique, DLL side-loading, lets the malware execute inside a signed, trusted process without raising suspicion.
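The search-order mechanics behind this, as an added illustration in Go (not PDFSider's code and not PDF24's): a small model of the default Windows loader search order with SafeDllSearchMode enabled, plus a helper that lists the DLLs in an application directory an attacker could plant. The directory inventory, the KnownDLLs subset and the path names are constructed for the example; the real KnownDLLs list lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs, and cryptbase.dll is not on it by default, which is why it is a classic side-loading target.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Loader models the default Windows DLL search order (SafeDllSearchMode on, no
// manifest redirection, SetDllDirectory or already-loaded-module shortcuts):
// KnownDLLs are always served from System32; everything else is searched in the
// directory order used by Resolve. Added illustration, not loader code.
type Loader struct {
	AppDir     string
	SystemDir  string
	WindowsDir string
	CWD        string
	PathDirs   []string
	KnownDLLs  map[string]bool // lowercase DLL names protected from redirection
	OnDisk     map[string]bool // lowercase full paths present on disk (constructed)
}

func join(dir, name string) string { return dir + `\` + name }

// Resolve returns the path the loader would map name to, or "" if it is not found.
func (l Loader) Resolve(name string) string {
	n := strings.ToLower(name)
	if l.KnownDLLs[n] {
		return join(l.SystemDir, n) // app-dir copies of KnownDLLs are ignored
	}
	// Application dir, System32, Windows dir, current dir, then PATH
	// (the 16-bit system directory is omitted for brevity).
	dirs := append([]string{l.AppDir, l.SystemDir, l.WindowsDir, l.CWD}, l.PathDirs...)
	for _, d := range dirs {
		p := join(d, n)
		if l.OnDisk[strings.ToLower(p)] {
			return p
		}
	}
	return ""
}

// SideloadCandidates lists DLLs in the application directory that share a name with
// a System32 DLL and are not KnownDLLs: exactly the files an attacker can plant.
func SideloadCandidates(appFiles []string, system32, known map[string]bool) []string {
	var out []string
	for _, f := range appFiles {
		n := strings.ToLower(f)
		if strings.HasSuffix(n, ".dll") && system32[n] && !known[n] {
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed inventory mirroring the ZIP described above: the signed PDF24 binary
// next to a planted cryptbase.dll. A planted kernel32.dll is included to show that
// KnownDLLs defeat the trick. The System32 and KnownDLLs sets are small subsets.
var appDir = `C:\Users\victim\Downloads\PDF24`
var appFiles = []string{"pdf24.exe", "cryptbase.dll", "kernel32.dll", "readme.txt"}
var system32 = map[string]bool{"cryptbase.dll": true, "kernel32.dll": true, "ntdll.dll": true}
var knownDLLs = map[string]bool{"kernel32.dll": true, "ntdll.dll": true}

// NewExampleLoader builds a Loader over the constructed inventory.
func NewExampleLoader() Loader {
	l := Loader{
		AppDir: appDir, SystemDir: `C:\Windows\System32`, WindowsDir: `C:\Windows`,
		CWD: appDir, PathDirs: []string{`C:\Windows\System32`}, KnownDLLs: knownDLLs,
		OnDisk: map[string]bool{},
	}
	for _, f := range appFiles {
		l.OnDisk[strings.ToLower(join(appDir, f))] = true
	}
	for d := range system32 {
		l.OnDisk[strings.ToLower(join(l.SystemDir, d))] = true
	}
	return l
}

func main() {
	l := NewExampleLoader()
	for _, d := range []string{"cryptbase.dll", "kernel32.dll", "ntdll.dll"} {
		fmt.Printf("%-14s -> %s\n", d, l.Resolve(d))
	}
	fmt.Println("side-load candidates:", SideloadCandidates(appFiles, system32, knownDLLs))
}
```

Name matching is only the first step of a hunt: the next one is to compare the Authenticode signer of every DLL in the directory with the signer of the executable, and to treat a signed binary loading an unsigned or differently signed cryptbase.dll from Downloads or Temp as a high-priority alert.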
The valid signature of the executable (Source: Resecurity)
In some scenarios, attackers take it a step further by customizing malicious emails to make them more convincing. They use fake documents that appear tailor-made for the victim, and in one of the analyzed cases, they even impersonated a Chinese government agency as the supposed author of the file, increasing the likelihood that the recipient would open it without suspicion.
Once the file is executed, the malicious DLL runs inside the legitimate process with the privileges of the user who launched it, so it can do anything that user can. The executable's valid signature does not help here: the weakness is that the PDF24 binary loads cryptbase.dll from its own directory without verifying it, which attackers exploit to run their code under a trusted, signed parent process and slip past detection solutions (EDR) that extend trust to that parent.
This type of vulnerable software abuse is becoming increasingly common. Finding exploitable applications is easier for cybercriminals, partly due to the rise of AI-assisted development tools, which accelerate the creation and adaptation of these kinds of attacks.
Once active, PDFSider runs entirely in memory and leaves very few traces on disk. It executes operator commands through the Windows command interpreter (cmd.exe), driving a hidden console process over anonymous pipes, which makes the activity harder to spot.
Each infected machine is assigned a unique identifier, and key system information is collected and sent to the attacker's server encoded in DNS queries (port 53). Because outbound DNS is allowed almost everywhere and rarely inspected, this channel often goes unnoticed in corporate environments.
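What that traffic looks like in a resolver log, and one way to catch it, as an added example in Go (not PDFSider's code and not any vendor's detection content): a detector that groups queries by client and registered zone and flags clients that issue many distinct, high-entropy subdomains of one zone. The log lines are constructed for the example, and the assumed log format is "client qname" per line; treating the last two labels as the registered zone is a simplification (production code should use the public suffix list).

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Constructed DNS query log: "client qname" per line. The first lines are ordinary
// traffic; the rest model a beacon that packs a host identifier ("a1f3") and encoded
// system data into subdomain labels under one attacker-controlled zone.
const sampleLog = `
10.0.5.17 www.microsoft.com
10.0.5.17 outlook.office365.com
10.0.5.17 a1f3.9k2j4h5g6f7d8s9a0p1o2i3u4y5t6r7e.cdn-sync.example
10.0.5.17 a1f3.q8w7e6r5t4y3u2i1o0p9a8s7d6f5g4h3.cdn-sync.example
10.0.5.17 a1f3.z1x2c3v4b5n6m7l8k9j0h1g2f3d4s5a6.cdn-sync.example
10.0.5.17 a1f3.p0o9i8u7y6t5r4e3w2q1l2k3j4h5g6f7.cdn-sync.example
10.0.5.17 a1f3.m9n8b7v6c5x4z3a2s1d4f5g6h7j8k9l0.cdn-sync.example
10.0.5.42 www.microsoft.com
10.0.5.42 login.microsoftonline.com
10.0.5.42 cdn-sync.example
`

// Finding describes one (client, zone) pair that looks like DNS tunnelling.
type Finding struct {
	Client, Zone string
	UniqueSubs   int
	MeanEntropy  float64
	MaxSubLen    int
}

// entropy returns the Shannon entropy of s in bits per character.
func entropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	var h float64
	n := float64(len(s))
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// splitZone treats the last two labels as the registered zone (assumption for the
// example; real code should consult the public suffix list).
func splitZone(qname string) (sub, zone string) {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(qname), "."), ".")
	if len(labels) <= 2 {
		return "", strings.Join(labels, ".")
	}
	return strings.Join(labels[:len(labels)-2], "."), strings.Join(labels[len(labels)-2:], ".")
}

type stats struct {
	subs   map[string]bool
	entSum float64
	maxLen int
}

// DetectTunnelling flags clients that query at least minSubs distinct subdomains of
// one zone whose mean entropy is at least minEntropy bits per character.
func DetectTunnelling(log string, minSubs int, minEntropy float64) []Finding {
	acc := map[[2]string]*stats{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		sub, zone := splitZone(f[1])
		if sub == "" {
			continue // bare zone lookups carry no payload labels
		}
		k := [2]string{f[0], zone}
		st := acc[k]
		if st == nil {
			st = &stats{subs: map[string]bool{}}
			acc[k] = st
		}
		if !st.subs[sub] {
			st.subs[sub] = true
			st.entSum += entropy(strings.ReplaceAll(sub, ".", ""))
			if len(sub) > st.maxLen {
				st.maxLen = len(sub)
			}
		}
	}
	var out []Finding
	for k, st := range acc {
		n := len(st.subs)
		if mean := st.entSum / float64(n); n >= minSubs && mean >= minEntropy {
			out = append(out, Finding{k[0], k[1], n, mean, st.maxLen})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Client+out[i].Zone < out[j].Client+out[j].Zone })
	return out
}

func main() {
	for _, f := range DetectTunnelling(sampleLog, 4, 3.0) {
		fmt.Printf("%s -> %s: %d unique subdomains, mean entropy %.2f bits/char, longest %d chars\n",
			f.Client, f.Zone, f.UniqueSubs, f.MeanEntropy, f.MaxSubLen)
	}
}
```

The thresholds (4 distinct subdomains, 3.0 bits per character) are starting points to tune against your own baseline; CDNs, anti-spam lookups and some telemetry also produce high-entropy labels, so pair this with an allow-list of known zones and with query volume over time before alerting.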
To protect its communications, PDFSider uses the Botan cryptographic library with AES-256-GCM, decrypting received data directly in memory to minimize its footprint on the compromised machine.
GCM is an authenticated-encryption mode, so a single operation provides both confidentiality and integrity: a message whose ciphertext, nonce or authentication tag has been altered in transit is rejected rather than decrypted. That rules out silent tampering with the channel, and it also means network defenders cannot inspect the payload and must rely on behavioral signals instead.
This level of cryptographic care is typical of malware built for targeted intrusions, where a secure, hard-to-intercept channel is what allows the operators to stay undetected for extended periods.
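The authenticated-encryption property described above, as an added example in Go's standard library (not PDFSider's Botan code): AES-256-GCM with a random 12-byte nonce prepended to the ciphertext and the host identifier carried as associated data, followed by a check that a flipped ciphertext byte or a changed identifier is rejected. The key, the beacon payload and the host identifier are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext under a 32-byte key with AES-256-GCM. The 12-byte random
// nonce is prepended to the output; aad is authenticated but sent in the clear.
func Seal(key, aad, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or aad makes it fail.
func Open(key, aad, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Demo rounds a constructed beacon message through Seal/Open, then shows that a
// flipped ciphertext byte and a mismatched AAD are both rejected. It returns
// (roundtrip ok, tampered ciphertext rejected, wrong AAD rejected).
func Demo() (bool, bool, bool, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return false, false, false, err
	}
	aad := []byte("host-id:a1f3")              // constructed; travels unencrypted
	msg := []byte("hostname=WS-042;user=j.doe") // constructed beacon payload
	sealed, err := Seal(key, aad, msg)
	if err != nil {
		return false, false, false, err
	}
	pt, err := Open(key, aad, sealed)
	ok := err == nil && string(pt) == string(msg)

	tampered := append([]byte(nil), sealed...)
	tampered[12] ^= 0x01 // first ciphertext byte, right after the 12-byte nonce
	_, err = Open(key, aad, tampered)
	tamperRejected := err != nil

	_, err = Open(key, []byte("host-id:ffff"), sealed)
	aadRejected := err != nil
	return ok, tamperRejected, aadRejected, nil
}

func main() {
	ok, tam, aad, err := Demo()
	fmt.Println("roundtrip:", ok, "tampered ciphertext rejected:", tam,
		"wrong AAD rejected:", aad, "error:", err)
}
```

The practical consequence for defenders is the one the text draws: with a properly used AEAD, a proxy or IDS that sees only the bytes on the wire cannot decrypt, alter or meaningfully fingerprint the payload, so detection has to come from the surrounding behavior (the DNS pattern, the signed parent process spawning cmd.exe, the in-memory module) rather than from content inspection.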
Overview of how PDFSider works
PDFSider clearly illustrates the direction in which modern attacks are evolving: increasingly stealthy, persistent, and hard-to-detect malware that doesn’t aim for immediate impact, but rather seeks to remain hidden within corporate networks for as long as possible. In this scenario, prevention alone is no longer enough; adopting a continuous detection and response approach is essential.
To reduce the risk from advanced threats like PDFSider, TecnetOne recommends:
Establishing a Security Operations Center (SOC) that continuously monitors systems, identifies anomalous behavior, and acts swiftly at any sign of compromise.
Implementing EDR/XDR solutions integrated with the SOC, capable of detecting suspicious activity even when the malware leaves no trace on disk.
Strengthening email security with advanced filtering, attachment analysis, and ongoing training to prevent targeted phishing attacks.
Maintaining active vulnerability management, prioritizing updates to widely used software that can be abused as an attack vector, and restricting execution of unexpected binaries from user-writable locations such as Downloads or Temp, which is where a side-loaded package like this one lands.
Monitoring network and DNS traffic, since this type of malware uses legitimate channels to communicate; in particular, look for hosts issuing many unique, long or high-entropy subdomains of a single domain.
Applying the principle of least privilege to reduce the impact of a potential infection and limit lateral movement within the network.
In this landscape, a 24/7 operational SOC becomes a key component of a cybersecurity strategy, enabling early-stage attack detection, coordinated response, and minimal business disruption.