Mallory
Malware, Ransomware

PDFSIDER

PDFSIDER is a newly identified Windows backdoor and payload loader delivered primarily through DLL side-loading. In the reported campaign, spear-phishing emails carried a ZIP archive containing a legitimate, digitally signed PDF24 Creator/PDF24 App executable together with a malicious cryptbase.dll placed in the same directory, so that PDF24.exe resolves and loads the attacker-controlled DLL from its own folder rather than the system copy. Resecurity also reported related social engineering in which the actor impersonated technical support and tried to obtain remote access through Microsoft QuickAssist.

The malware is described as covertly deploying a backdoor with encrypted command-and-control, operating largely in memory to limit disk artifacts, collecting system information, generating a unique host identifier, and exposing a hidden interactive command shell: it launches cmd.exe with CREATE_NO_WINDOW and redirects the shell's input and output through anonymous pipes, so the operator can run commands without a visible console. Reported anti-analysis measures include an anti-VM check that flags low physical memory via GlobalMemoryStatusEx and a debugger check via IsDebuggerPresent.

The analyzed samples embed the Botan cryptographic library and protect C2 traffic with AES-256-GCM, an AEAD mode that both encrypts and integrity-checks each message; multiple reports state that C2 communication and exfiltration ran over DNS on port 53.

Resecurity characterized the tradecraft as APT-like and closer to espionage-style operations than to typical opportunistic malware, and several summaries describe a China-linked espionage campaign with moderate-confidence overlap with Mustang Panda tradecraft. At the same time, Resecurity reported that PDFSIDER is already in use by multiple ransomware actors as a payload delivery method, including in Qilin ransomware attacks. Reported targets included Fortune 100 companies in the finance and energy sectors.

High-confidence IOCs reported for this family are the malicious Cryptbase.dll (MD5 298cbfc6a5f6fa041581233278af9394) and the clean, legitimately signed Pdf24.exe that is abused as the side-loading host (MD5 a32dc85eee2e1a579199050cd1941e1d). The second hash identifies a benign file: use it to scope which PDF24 binaries could serve as the host, not as a standalone block or alert indicator.
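The delivery chain, hidden shell and DNS channel described above translate directly into endpoint hunting logic. The following script is an added example written for this page, not code from Mallory, Resecurity or any vendor report. It runs three checks over Sysmon-shaped events (Event ID 7 ImageLoad, 1 ProcessCreate, 22 DnsQuery): a PDF24 process loading cryptbase.dll from anywhere other than the system directories, or loading a module whose MD5 equals the reported IOC; cmd.exe spawned by PDF24; and a burst of distinct, high-entropy subdomains queried by PDF24. The sample events are constructed, the lure path is made up, and the DNS thresholds (20 unique names, 3.0 bits/char) are assumptions to tune per environment. The page only states that C2 and exfiltration ran over DNS, so the DNS check is a generic tunnelling heuristic, not a documented PDFSIDER signature.

```python
"""Hunt for the PDFSIDER side-loading chain in Sysmon-style telemetry.

Added example; not code from the Mallory page or from any vendor report.
Field names follow Sysmon's schema (EID 1 ProcessCreate, 7 ImageLoad,
22 DnsQuery). Events below are constructed; DNS thresholds are assumptions.
"""
import hashlib
import math
from collections import Counter, defaultdict

# Reported IOC: MD5 of the malicious cryptbase.dll.
MALICIOUS_CRYPTBASE_MD5 = "298cbfc6a5f6fa041581233278af9394"
# The legitimate cryptbase.dll lives here; a copy anywhere else next to
# PDF24.exe is the side-loading layout the reports describe.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DNS_MIN_UNIQUE_NAMES = 20   # assumption
DNS_MIN_MEAN_ENTROPY = 3.0  # assumption, bits per character of the subdomain


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_pdf24(path):
    return _basename(path).startswith("pdf24")


def _md5_from_hashes(hashes):
    """Sysmon writes hashes as 'MD5=...,SHA256=...,IMPHASH=...'."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "MD5":
            return value.strip().lower()
    return ""


def _entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def check_sideload(ev):
    """EID 7: PDF24 loading cryptbase.dll from outside the system dirs, or
    loading any module whose MD5 matches the reported IOC."""
    if ev["EventID"] != 7 or not _is_pdf24(ev["Image"]):
        return None
    if _md5_from_hashes(ev.get("Hashes", "")) == MALICIOUS_CRYPTBASE_MD5:
        return "ioc_hash_match"
    loaded = ev["ImageLoaded"].replace("/", "\\").lower()
    if _basename(loaded) == "cryptbase.dll" and not loaded.startswith(SYSTEM_DIRS):
        return "cryptbase_sideload"
    return None


def check_hidden_shell(ev):
    """EID 1: cmd.exe spawned by PDF24. Sysmon does not record CREATE_NO_WINDOW
    or pipe handles, so the parent/child pair is the observable."""
    if ev["EventID"] != 1:
        return None
    if _is_pdf24(ev.get("ParentImage", "")) and _basename(ev["Image"]) == "cmd.exe":
        return "pdf24_spawns_cmd"
    return None


def check_dns_tunnel(events):
    """EID 22: many distinct, high-entropy subdomains under one parent domain,
    all queried by PDF24. Generic tunnelling heuristic, not a PDFSIDER signature."""
    subs_by_parent = defaultdict(set)
    for ev in events:
        if ev["EventID"] != 22 or not _is_pdf24(ev["Image"]):
            continue
        labels = ev["QueryName"].lower().rstrip(".").split(".")
        if len(labels) >= 3:
            subs_by_parent[".".join(labels[-2:])].add(".".join(labels[:-2]))
    hits = []
    for parent, subs in subs_by_parent.items():
        if len(subs) >= DNS_MIN_UNIQUE_NAMES:
            mean_h = sum(_entropy(s.replace(".", "")) for s in subs) / len(subs)
            if mean_h >= DNS_MIN_MEAN_ENTROPY:
                hits.append(("dns_tunnel_suspect", parent, len(subs)))
    return hits


def hunt(events):
    """Return (tag, ...) findings for a batch of events."""
    findings = []
    for ev in events:
        for check in (check_sideload, check_hidden_shell):
            tag = check(ev)
            if tag:
                findings.append((tag, ev["Image"], ev.get("ImageLoaded", ev.get("CommandLine"))))
    findings.extend(check_dns_tunnel(events))
    return findings


# Constructed telemetry: the lure layout, a benign install loading the real
# cryptbase.dll, the hidden shell, benign DNS, and 25 pseudo-random subdomains.
LURE_DIR = "C:\\Users\\u\\Downloads\\invoice\\"  # made-up path
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": LURE_DIR + "PDF24.exe", "ImageLoaded": LURE_DIR + "cryptbase.dll",
     "Hashes": "MD5=298CBFC6A5F6FA041581233278AF9394,SHA256=" + "0" * 64},
    {"EventID": 7, "Image": "C:\\Program Files\\PDF24\\pdf24.exe",
     "ImageLoaded": "C:\\Windows\\System32\\cryptbase.dll", "Hashes": "MD5=" + "1" * 32},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": LURE_DIR + "PDF24.exe", "CommandLine": "cmd.exe"},
    {"EventID": 22, "Image": LURE_DIR + "PDF24.exe", "QueryName": "update.pdf24.org"},
] + [
    {"EventID": 22, "Image": LURE_DIR + "PDF24.exe",
     "QueryName": hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".ns.example.net"}
    for i in range(25)
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

Feed it events parsed from exported Sysmon logs (or the equivalent EDR fields) rather than the constructed sample. The hash check is deliberately first so a renamed or relocated copy of the reported DLL is still caught, and the path check catches new builds of the DLL whose hash is not yet known; the DNS check is the weakest of the three and should be corroborated with the process-level findings before paging anyone.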


ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
