In recent weeks, security researchers have observed a campaign that combines classic social-engineering techniques with increasingly sophisticated code: a new backdoor named PDFSider is being used to open silent doors into Windows environments and to facilitate ransomware deployments against high-profile companies, including at least one Fortune 100 target in the financial sector.
The point of entry is not a headline-grabbing zero-day exploit but a calculated mix of lures and abuse of trust. The attackers send targeted e-mails carrying a ZIP file. Inside the ZIP is a legitimate, digitally signed copy of the PDF24 Creator installer, a well-known application whose official website is pdf24.org. Next to that legitimate executable they place a tampered DLL named cryptbase.dll; when the .EXE loads the malicious DLL, the attacker's code runs inside the legitimate process. This technique, known as DLL side-loading, exploits the trust that the operating system and security products place in signed binaries.

The technical details of the malware were published by Resecurity, the firm that discovered it during an incident-response engagement. Resecurity describes PDFSider as a backdoor designed to stay hidden and maintain persistent access, with features more reminiscent of targeted cyberespionage than of malware built purely to collect a quick ransom.
Beyond the installer lure, in some variants the e-mails carry decoy documents that appear tailored to the victim: PDFs whose fake authors purport to belong to government entities, lending credibility and increasing the likelihood that the recipient executes the attachment. In other operations the attackers turned to social engineering by phone, posing as technical-support staff and trying to persuade employees to install remote tools such as Microsoft's remote-assistance utility, a maneuver that hands the attacker interactive control of the system with the victim's own consent.
Once the malicious DLL is loaded, it inherits the privileges of the legitimate executable that loaded it, which can let attackers bypass controls and drive lateral movement across the internal network. PDFSider also avoids leaving traces on disk by loading much of its code directly into memory, and it uses anonymous pipes to run commands through cmd.exe, techniques that hamper detection by EDR and other mechanisms based on file analysis.
Communication with the command-and-control infrastructure is likewise designed for camouflage: infected machines receive a unique identifier, collect system information and send it to the attacker's server in DNS requests over port 53, a channel that is often left unmonitored on many networks. To protect the confidentiality and integrity of these sessions, PDFSider uses the Botan cryptographic library, version 3.0.0, with AES-256-GCM authenticated encryption (AEAD), decrypting data in memory to minimize persistent artifacts on the host. Botan's general documentation is available at botan.randombit.net.
The use of AES-GCM and a mature library such as Botan is significant: this is not the improvisation of a script kiddie but an implementation intended to keep communications confidential and resistant to analysis. In addition, the malware incorporates anti-analysis measures such as RAM-size checks and debugger detection, aborting execution if it appears to be running inside a sandbox or a researcher's environment.
Resecurity notes that PDFSider has been observed in attacks linked to Qilin ransomware, although its threat-hunting team has seen the backdoor reused by different financially motivated actors. That flexibility is dangerous: a component designed to stay hidden and provide remote control can serve both espionage groups and ransomware gangs that want to keep access in the period before the encryptor is deployed.
The weapon in this campaign is not an exotic vulnerability but legitimate, signed software that loads its libraries in a predictable way: by default Windows searches the directory the executable was launched from before the system directories, so a same-named DLL dropped next to the installer is the one that gets loaded (DLLs on the KnownDLLs list are exempt from this search order, which is why side-loaders pick names that are not on it). This kind of abuse is well known and documented in the attacker-technique framework: the MITRE ATT&CK knowledge base catalogs DLL side-loading among the hijacking techniques that let code execute under a trusted binary; its description can be found under MITRE ATT&CK - DLL Side-Loading.
What practical lessons does this incident leave? First, trust in an executable's digital signature is not in itself a security guarantee: a validly signed binary can serve as a Trojan horse if it loads tampered local libraries. Second, effective campaigns combine social engineering with detection-evasion techniques, so protection has to be both technological and human. Third, defenders must pay attention to seemingly benign channels such as DNS, and to processes that, although legitimate, behave unusually when loading external components.
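The DNS channel described above can be hunted for in query logs without any knowledge of the malware's identifiers or encoding. As an added example that is not part of the article or of Resecurity's analysis, the Python below profiles each base domain for the footprint that encoded beacons leave: a high count of never-repeated subdomains, long labels, and high character entropy. The log lines and domain names are constructed (the encoded-looking labels are generated with SHA-256 purely to stand in for chunks of beacon data), and the thresholds are assumptions to tune against a local baseline, not published indicators.

```python
"""Profile a DNS query log for the unique-subdomain, high-entropy pattern that
DNS-based C2 channels such as the one described for PDFSider leave behind.

Added example; it is not code from the original article or from Resecurity.
The lines in SAMPLE_LOG are constructed (the domain names are hypothetical,
and the encoded-looking labels are generated with SHA-256 purely to stand in
for chunks of beacon data); the thresholds are starting points to tune against
your own baseline, not published indicators.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def split_name(qname: str):
    """Return (subdomain, base_domain).

    Simplification: the base domain is taken as the last two labels, which
    misclassifies public suffixes such as co.uk; use a public-suffix list
    in production."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    # Constructed log format: "<seq> <client_ip> <qname> <qtype>"
    seq, client, qname, qtype = line.split()
    return {"seq": seq, "client": client, "qname": qname, "qtype": qtype}


def profile_domains(lines):
    """Aggregate per base domain: query count, distinct subdomains, label stats."""
    prof = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                "entropy": [], "lengths": []})
    for line in lines:
        sub, base = split_name(parse_line(line)["qname"])
        p = prof[base]
        p["queries"] += 1
        if sub:
            p["subdomains"].add(sub)
            p["entropy"].append(shannon_entropy(sub.replace(".", "")))
            p["lengths"].append(len(sub))
    return prof


def flag_tunnels(lines, min_unique=8, min_entropy=3.3, min_len=30):
    """Return {base_domain: [reasons]} for domains matching at least two signals."""
    hits = {}
    for base, p in profile_domains(lines).items():
        if not p["subdomains"]:
            continue
        uniq = len(p["subdomains"])
        mean_ent = sum(p["entropy"]) / len(p["entropy"])
        mean_len = sum(p["lengths"]) / len(p["lengths"])
        reasons = []
        # Almost every query carries a never-seen label: data, not lookups.
        if uniq >= min_unique and uniq / p["queries"] > 0.8:
            reasons.append(f"{uniq} distinct subdomains in {p['queries']} queries")
        if mean_ent >= min_entropy:
            reasons.append(f"mean label entropy {mean_ent:.2f} bits/char")
        if mean_len >= min_len:
            reasons.append(f"mean subdomain length {mean_len:.0f} chars")
        if len(reasons) >= 2:
            hits[base] = reasons
    return hits


# Constructed sample log. Ordinary traffic: a handful of hostnames queried
# repeatedly under one domain.
SAMPLE_LOG = [
    f"{i:04d} 10.0.0.5 {host}.example.org A"
    for i, host in enumerate(["www", "cdn", "api"] * 4)
]
# Beacon-like traffic: every query encodes a new chunk under one domain.
SAMPLE_LOG += [
    f"{100 + i:04d} 10.0.0.5 "
    f"{hashlib.sha256(str(i).encode()).hexdigest()[:40]}.{i:02d}.updates-example.net A"
    for i in range(10)
]

if __name__ == "__main__":
    for base, reasons in flag_tunnels(SAMPLE_LOG).items():
        print(base)
        for r in reasons:
            print("   ", r)
```

Requiring two of the three signals keeps CDNs and large SaaS domains, which have many distinct but short, low-entropy hostnames, out of the alert list, while a beacon that encodes data in labels trips all three.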
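As an added example (not code from the article or from Resecurity), the following Python detector applies the side-loading heuristics a hunter would run over Sysmon Event ID 7 (ImageLoad) records, covering the load described in the two passages above: a DLL carrying a system-library name such as cryptbase.dll that is loaded from anywhere other than the Windows system directories, one with that name that is not signed by Microsoft, and any unsigned DLL loaded from a user-writable path. The records, paths, user name and signer strings are constructed for the example, and the list of shadowed system DLL names is an illustrative seed rather than a complete inventory.

```python
"""Detect DLL side-loading candidates in Sysmon Event ID 7 (ImageLoad) telemetry.

Added example; it is not code from the original article or from Resecurity.
The records in SAMPLE_EVENTS are constructed to mirror Sysmon ImageLoad
fields, and every path, user name and signer string in them is hypothetical.
"""
import ntpath

# DLL names that ship in System32 and are commonly shadowed by side-loaders.
# cryptbase.dll is the name used in the PDFSider campaign; the rest are
# illustrative entries and should be extended from your own environment.
SYSTEM_DLL_NAMES = {"cryptbase.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Locations a standard user can write to; an unsigned DLL loaded from here is
# worth a look even if its name is not on the list above.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def in_system_dir(dll_path: str) -> bool:
    """True if the DLL lives in (or below) one of the Windows system directories."""
    directory = ntpath.dirname(dll_path).lower()
    return any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)


def sideload_reasons(event: dict) -> list:
    """Return the reasons one ImageLoad event looks like side-loading ([] = nothing)."""
    loaded = event["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    signed = event.get("Signed", "false").lower() == "true"
    signer = event.get("Signature", "")
    reasons = []
    # A system-library name resolved outside the system directories means the
    # application directory won the search order.
    if name in SYSTEM_DLL_NAMES and not in_system_dir(loaded):
        reasons.append(f"{name} loaded from outside the Windows system directories")
    if name in SYSTEM_DLL_NAMES and (not signed or signer != "Microsoft Windows"):
        reasons.append(f"{name} is not signed by Microsoft Windows")
    if not signed and loaded.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("unsigned DLL loaded from a user-writable location")
    return reasons


def find_sideloads(events) -> list:
    """Filter a stream of Event ID 7 records down to the suspicious ones."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"],
                         "reasons": reasons})
    return hits


# Constructed sample telemetry (hypothetical paths and signers).
SAMPLE_EVENTS = [
    # Normal: the signed installer resolves cryptbase.dll from System32.
    {"Image": r"C:\Users\alice\Downloads\invoice\pdf24-creator-setup.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Side-load: a same-named DLL next to the installer wins the search order.
    {"Image": r"C:\Users\alice\Downloads\invoice\pdf24-creator-setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice\cryptbase.dll",
     "Signed": "false", "Signature": ""},
    # Normal: an application loading its own signed helper library.
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll",
     "Signed": "true", "Signature": "Example Corp"},
    # Worth a look: unsigned plug-in loaded from ProgramData.
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\ProgramData\ExampleApp\plugin.dll",
     "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["ImageLoaded"])
        for r in hit["reasons"]:
            print("   ", r)
```

The first two rules are the high-confidence ones: a legitimate installer has no reason to resolve cryptbase.dll from its own download folder, and the genuine file always carries a Microsoft signature. The third rule is noisier and is best used to prioritize what to look at rather than to page anyone on its own.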

Operationally, it is worth reviewing application-control policies and DLL search paths on critical workstations and servers, tightening privilege management, and applying controls that block the installation of remote-access tools without authorization. It is equally important to have detection for DNS-traffic anomalies, memory and process telemetry, and a response plan that covers identifying and containing backdoors that live only in memory.
For organizations looking for references and action frameworks, the collective ransomware and incident-response guidance from government cybersecurity agencies offers useful guidelines; for example, the US Stop Ransomware initiative collects recommendations and case studies at CISA - Stop Ransomware. And for those who want to dig into the technical report on PDFSider, the Resecurity write-up contains a detailed technical analysis that is worth reading: Resecurity Report on PDFSider.
In short, PDFSider is a reminder that attackers combine social engineering, abuse of trust and sound engineering practice to build threats that are hard to detect. Defending against them requires a comprehensive strategy that not only deploys security tooling but also educates people, controls the software-execution surface and monitors communication channels traditionally considered harmless.