First They Help, Then They Rob. How Hackers Turned Microsoft Quick Assist into a Trojan Horse

pinkman

PDFSider's path to corporate data turned out to be surprisingly simple.
A new malware family called PDFSider was discovered on the network of a Fortune 100 company operating in the financial sector. It was found during an incident response engagement linked to a ransomware attack. Resecurity's analysis showed that the malware is built to establish persistent access to infected systems and displays characteristics typical of targeted attacks.
The attackers used social engineering, posing as technical support staff. They convinced the company's employees to install the Microsoft Quick Assist utility, which allowed the attackers to gain remote access to the devices.
PDFSider is distributed through phishing emails carrying a ZIP archive. The archive holds a legitimate executable, PDF24 Creator from the German company Miron Geek Software GmbH, together with a malicious module: a modified cryptbase.dll library placed alongside it. When the main executable runs, the system loads the attackers' DLL instead of the genuine one, a technique known as DLL sideloading. The malicious code therefore runs under the identity of a trusted, signed process and attracts little attention.
Although the main executable is digitally signed, the PDF24 software has weaknesses that let the sideloaded code evade threat-detection protections. According to experts, AI-powered tools make it easier for attackers to find such abusable applications.
PDFSider loads directly into RAM, minimizing its footprint on disk. The malware executes commands through cmd.exe over anonymous pipes and assigns a unique identifier to each infected device. System information is sent to a remote server over DNS on port 53.
To protect the control channel, PDFSider uses the Botan 3.0.0 cryptographic library with AES-256-GCM. Data is decrypted directly in memory, and because GCM is an AEAD mode, each message's authenticity is verified along with its confidentiality. Such techniques are more typical of spyware with remote-control capabilities, where keeping communications confidential is critical.
PDFSider also includes anti-analysis checks: it inspects the amount of installed RAM and looks for attached debuggers. If it detects signs of running in an isolated analysis environment, execution of the malicious code stops.
Experts believe PDFSider's functionality is closer to a cyber-espionage tool than to typical ransomware. The malware operates stealthily and persistently, giving remote control of the system and transferring encrypted data while remaining undetected by security products.
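The sideloading pattern described above (a system DLL name such as cryptbase.dll loaded from the same user-writable folder as a signed host binary) is easy to hunt for in image-load telemetry. The following is an added defender-side example, not code from the Resecurity report or from the PDF24 project; the event fields mirror Sysmon Event ID 7 (ImageLoaded) and the sample records are constructed, not captured data.

```python
"""Flag cryptbase.dll being loaded from outside the Windows system directories.

Added example for the DLL-sideloading technique discussed in the post; it is
not code from the Resecurity report or the PDF24 project. Field names follow
Sysmon Event ID 7 and the sample events below are constructed (assumption).
"""
import json
import ntpath

# cryptbase.dll is a Windows system DLL; a copy anywhere else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WATCHED_DLLS = {"cryptbase.dll"}

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = r"""
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Program Files\\PDF24\\pdf24-Creator.exe", "ImageLoaded": "C:\\Windows\\System32\\cryptbase.dll"}
{"EventID": 7, "ProcessId": 5312, "Image": "C:\\Users\\alice\\Downloads\\invoice\\pdf24-Creator.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\invoice\\cryptbase.dll"}
{"EventID": 7, "ProcessId": 1188, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\shell32.dll"}
"""


def is_sideloaded_system_dll(event: dict) -> bool:
    """True when a watched system DLL is loaded from a non-system path."""
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() not in WATCHED_DLLS:
        return False
    return not loaded.lower().startswith(SYSTEM_DIRS)


def scan(jsonl: str) -> list:
    """Return one alert dict per suspicious image-load record."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        if event.get("EventID") != 7 or not is_sideloaded_system_dll(event):
            continue
        host_dir = ntpath.dirname(event["Image"]).lower()
        dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
        alerts.append({
            "pid": event["ProcessId"],
            "process": event["Image"],
            "dll": event["ImageLoaded"],
            # DLL sitting next to the host binary is the classic sideloading layout.
            "same_dir_as_host": host_dir == dll_dir,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

In production the same check belongs in the SIEM query over real Sysmon or EDR image-load events, with the allow-list of system directories extended to match the host's actual %SystemRoot%.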