Researchers Uncover PDFSIDER Malware Built for Long-Term, Covert System Access

A newly identified malware strain built for covert, long-term access to compromised systems has been documented in recent security research.

Dubbed PDFSIDER by Resecurity, the threat is delivered through Dynamic-Link Library (DLL) side-loading and is engineered to install an encrypted backdoor while evading endpoint detection mechanisms.

The Resecurity researchers described the malware as exhibiting hallmarks of advanced persistent threat (APT) operations. Its design combines stealthy execution, secure communications and anti-analysis checks, placing it closer to cyber-espionage tooling than commodity malware.

Infection Chain and Stealthy Execution

The campaign begins with spear-phishing emails that contain a ZIP archive. Inside is a legitimate, digitally signed executable labelled "PDF24 App" that impersonates well-known PDF creation software. When executed, the file shows no visible interface but immediately starts running in the background.

Attackers exploit weaknesses in the legitimate application to trigger DLL side-loading. A malicious cryptbase.dll is placed alongside the executable, causing the program to load it instead of the genuine system library. This technique allows PDFSIDER to bypass many antivirus and EDR controls.

Once active, the malware initializes networking components, gathers host details and enters its backdoor routine. Most of its activity occurs in memory, significantly reducing disk artifacts and complicating forensic analysis.

At the core of PDFSIDER is an encrypted command-and-control (C2) channel. The malware embeds the Botan cryptographic library and uses AES-256-GCM authenticated encryption, ensuring that command traffic and responses remain confidential and tamper-resistant.

Commands are executed via cmd.exe with no visible console window. Output is captured through anonymous pipes and transmitted back to the attacker over the encrypted channel. All encryption and decryption takes place in memory.

Key observed capabilities include:

  • Interactive remote command execution (RCE)

  • Encrypted inbound and outbound communications

  • System fingerprinting to create a unique victim identifier
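The side-loading and hidden-shell behaviour described above can be spotted in endpoint telemetry. The following detector is an added example written for this article, not code from Resecurity or from the malware: it runs over constructed Sysmon-style events (image loads and process creations, all sample values invented) and flags a cryptbase.dll loaded from outside the Windows system directories, plus any cmd.exe spawned by the process that loaded it.

```python
"""Detection logic for the cryptbase.dll side-load pattern described above.

Constructed Sysmon-style events (not real telemetry): image loads (EventID 7)
and process creations (EventID 1). A finding is raised when cryptbase.dll is
loaded from a non-system directory, and again when that process starts cmd.exe.
"""
from pathlib import PureWindowsPath

# Directories from which cryptbase.dll is legitimately loaded (it is a KnownDLL).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_sideloaded(image_path: str, dll_name: str = "cryptbase.dll") -> bool:
    """True if the loaded image is cryptbase.dll from a non-system directory."""
    p = PureWindowsPath(image_path)
    return p.name.lower() == dll_name and str(p.parent).lower() not in SYSTEM_DIRS


def detect(events: list[dict]) -> list[str]:
    """Return findings: the side-load itself and any cmd.exe child of that process."""
    findings, sideloaders = [], set()
    for e in events:
        if e["EventID"] == 7 and is_sideloaded(e["ImageLoaded"]):
            sideloaders.add(e["ProcessGuid"])
            findings.append(f"sideload: {e['Image']} loaded {e['ImageLoaded']}")
        elif (e["EventID"] == 1 and e["ParentProcessGuid"] in sideloaders
              and PureWindowsPath(e["Image"]).name.lower() == "cmd.exe"):
            findings.append(f"hidden shell: {e['ParentImage']} -> {e['CommandLine']}")
    return findings


# Constructed sample events in time order; GUIDs and paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "{A}", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},           # benign load
    {"EventID": 7, "ProcessGuid": "{B}", "Image": r"C:\Users\u\Downloads\PDF24 App.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\cryptbase.dll"},          # side-load
    {"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{B}",
     "ParentImage": r"C:\Users\u\Downloads\PDF24 App.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The benign explorer.exe load produces no finding, so the rule keys on the load path rather than the DLL name alone.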

Anti-VM Checks and Campaign Context

PDFSIDER includes multiple safeguards to detect analysis environments. It checks system memory levels to identify virtual machines (VMs) or sandboxes and exits early if thresholds are not met. Additional debugger detection further reduces the likelihood of execution in monitored settings.

Resecurity also identified data exfiltration via DNS traffic on port 53 to a leased VPS infrastructure.

In some cases, decoy documents were used to lure victims, including a fake file styled as an internal document from the People's Republic of China's primary intelligence organizations.

Resecurity assessed PDFSIDER as targeted tradecraft rather than a mass-delivered threat. Most of the identified artifacts evade popular AV and EDR products, reinforcing the malware's role as a stealthy backdoor designed for persistent, covert access.