New Windows backdoor emerges in ransomware attack

In a recent attack on a Fortune 100 financial-sector company, ransomware groups used a previously unknown Windows malware called PDFSider.

The malware was used as an entry point to execute further malicious software on systems within the company network. The discovery was made by security specialists during the investigation into the incident, according to BleepingComputer.

The attack did not begin with a technical feat, but with convincing social manipulation. Employees of the affected company were contacted by telephone by attackers posing as IT support. The goal was to persuade victims to install Microsoft Quick Assist so attackers could remotely view and control their systems. This approach increased the chances of success because the tool used is legitimate and permitted within many organizations.

During the incident investigation, researchers encountered PDFSider, a malware variant designed to maintain long-term, inconspicuous access. The software acts as a backdoor and exhibits characteristics normally seen in advanced, targeted attacks. Although PDFSider has been observed in attacks involving the Qilin ransomware, its use does not appear to be limited to a single group. Multiple criminal parties are now actively using the malware.

DLL side-loading

The malware is distributed via targeted phishing emails with a ZIP file attached. This archive contains a legitimate, digitally signed program from PDF24 Creator. The package also contains a malicious DLL that the program loads. This technique, known as DLL side-loading, allows malicious code to be executed without triggering security software alarms immediately.
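As an added illustration (not code from the article or from the researchers' report), the following Python flags the side-loading pattern described above in Sysmon-style image-load records: an executable running outside an installed-program or system directory that loads an unsigned DLL from its own folder. Field names follow Sysmon Event ID 7; the paths and file names are constructed placeholders, not PDFSider indicators.

```python
"""Flag DLL side-loading candidates in Sysmon image-load (Event ID 7) records.

Heuristic: a process started from a user-writable location (e.g. an extracted
ZIP in Downloads) loads a DLL that is unsigned or has an invalid signature and
sits in the same directory as the executable. All sample data is constructed.
"""
from pathlib import PureWindowsPath

# Locations where DLL loads are expected; prefix match, lower-case.
# Tuning choice: installed-program directories are treated as trusted to cut noise.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
                "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed records with Sysmon Event ID 7 field names; names are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\invoice\pdf24-placeholder.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice\hijacked-placeholder.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\Downloads\invoice\pdf24-placeholder.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Example Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Example Vendor\helper.dll",
     "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"},
]


def _in_trusted_dir(path: str) -> bool:
    """True when the path starts with one of the trusted directory prefixes."""
    return path.lower().startswith(TRUSTED_DIRS)


def is_sideload_candidate(event: dict) -> bool:
    """True when a DLL outside trusted dirs, unsigned or not validly signed,
    is loaded from the same directory as the loading executable."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.suffix.lower() != ".dll" or _in_trusted_dir(str(dll)):
        return False
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus", "") == "Valid")
    return same_dir and not signed_ok


def find_sideload_candidates(events: list) -> list:
    """Return the subset of image-load records matching the heuristic."""
    return [e for e in events if is_sideload_candidate(e)]
```

A hit still needs triage (many legitimate installers ship unsigned helper DLLs), but a signed vendor binary in a user-writable folder pulling in an unsigned neighbour is exactly the shape the article describes.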

Once active, PDFSider runs largely in memory, leaving little trace on the hard drive. The malware process collects system information, assigns each infected machine a unique identification number, and sends this data via DNS traffic to infrastructure controlled by the attackers. The communication is encrypted using modern cryptographic methods, which makes analysis and interception difficult.

In addition, the malware contains mechanisms to evade analysis. When PDFSider detects that it is running in a controlled environment or sandbox, it terminates itself prematurely. According to the researchers, all of this indicates that the software was not primarily developed for quick profit, but for silent, long-term presence within networks. This makes PDFSider particularly concerning for organizations that rely on traditional detection methods.