PDFSIDER Malware – Exploitation of DLL Side-Loading for AV and EDR Evasion

Threat actors use PDFSIDER malware with social engineering and DLL sideloading to bypass AV/EDR, and ransomware gangs already abuse it.

Resecurity has learned about PDFSIDER during an investigation of a network intrusion attempt that was successfully prevented by a Fortune 100 energy corporation. The threat actor contacted their staff, impersonating technical support, and used social engineering tactics with QuickAssist in an attempt to gain remote access to their endpoint.

Because it relies on the DLL side-loading technique, this attack vector can be effectively exploited by advanced actors to bypass antivirus (AV) and endpoint detection and response (EDR) systems. According to our HUNTER team, PDFSIDER is also already being actively used by several ransomware actors as a payload delivery method.

PDFSIDER is a newly identified malware variant distributed through DLL side-loading, designed to covertly deploy a backdoor with encrypted command-and-control (C2) capabilities. The malware uses a fake cryptbase.dll to bypass endpoint detection mechanisms.
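The side-loading pattern described above (a system DLL name such as cryptbase.dll resolved from the application's own directory instead of System32) leaves a simple signal in image-load telemetry. The following is an added defender-side example, not code from the article or from Resecurity: it scans constructed Sysmon-style image-load records and flags any watched system DLL loaded from outside the Windows system directories, marking it as higher severity when the DLL sits in the same directory as the executable that loaded it. The executable name, paths and the extra DLL names besides cryptbase.dll are assumptions.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load records.

Added detection example (not from the article). Event fields mirror what a
Sysmon Event ID 7 (ImageLoaded) record carries; the sample data below is
constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Locations where Windows system DLLs legitimately live (lower-cased).
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# System DLL names worth watching. cryptbase.dll is the one the article
# attributes to PDFSIDER; the other names are assumptions added for breadth.
WATCHED_DLLS = {"cryptbase.dll", "version.dll", "dbghelp.dll", "userenv.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str          # executable that loaded the module
    image_loaded: str   # full path of the loaded DLL
    signed: bool        # whether the DLL carried a valid Authenticode signature


def _parent_lower(path: str) -> str:
    """Directory component of a Windows path, lower-cased for comparison."""
    return str(PureWindowsPath(path).parent).lower()


def in_system_dir(path: str) -> bool:
    """True when the file sits in (or under) a Windows system directory."""
    parent = _parent_lower(path)
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """A watched system DLL name loaded from a non-system location is the
    hallmark of search-order / side-loading abuse."""
    name = PureWindowsPath(ev.image_loaded).name.lower()
    return name in WATCHED_DLLS and not in_system_dir(ev.image_loaded)


def find_sideloads(events: list[ImageLoad]) -> list[dict]:
    """Return one finding per suspicious load, with a severity hint."""
    findings = []
    for ev in events:
        if not is_sideload_candidate(ev):
            continue
        colocated = _parent_lower(ev.image) == _parent_lower(ev.image_loaded)
        findings.append({
            "process": ev.image,
            "dll": ev.image_loaded,
            "signed": ev.signed,
            # Unsigned DLL beside the loading EXE is the classic dropped-archive layout.
            "severity": "high" if (colocated and not ev.signed) else "medium",
        })
    return findings


# Constructed sample telemetry; the executable name and user path are assumptions.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\Downloads\PDF24 App\pdf24-app.exe",
              r"C:\Users\alice\Downloads\PDF24 App\cryptbase.dll", signed=False),
    ImageLoad(r"C:\Program Files\PDF24\pdf24-app.exe",
              r"C:\Windows\System32\cryptbase.dll", signed=True),
    ImageLoad(r"C:\Users\alice\Downloads\PDF24 App\pdf24-app.exe",
              r"C:\Users\alice\Downloads\PDF24 App\pdf24-app.dll", signed=True),
]

if __name__ == "__main__":
    for f in find_sideloads(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['process']} loaded {f['dll']} (signed={f['signed']})")
```

Only the first record is flagged: the genuine cryptbase.dll in System32 is allowed, and the application's own DLL is not a watched system name. In production the same logic maps directly onto a SIEM rule over Sysmon Event ID 7, with the watched-name list tuned to the system DLLs your fleet's applications actually resolve.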

The threat actors launched this campaign using spear-phishing emails that directed victims to a ZIP archive attached to the message. The ZIP archive contains a legitimate EXE file, labeled ‘PDF24 App.’ PDF24 Creator is application software by Miron Geek Software GmbH used for creating PDF files from any application and for converting files to the PDF format.

The malware is identified as Advanced Persistent Threat (APT) tooling, exhibiting characteristics commonly associated with APT tradecraft, including stealthy execution, anti-VM checks, and encrypted communications. PDFSIDER blends traditional cyber-espionage behaviors with modern remote-command functionality, enabling operators to gather system intelligence and remotely execute shell commands covertly.

Threat actors may leverage various decoys to lure victims into opening malicious documents. In one of the recent episodes of the same campaign, the actor also used a fake document designed to appear as if authored by the PLA Intelligence Bureau of the Joint Staff Department (中央军委联合参谋部情报局).

For example, one of the recent malware campaigns identified by Acronis, targeting the U.S. government and attributed to LOTUSLITE, leveraged such a vector combined with geopolitical narratives between the United States and Venezuela as thematic lures. Infrastructure analysis and execution patterns show a moderate-confidence overlap with Mustang Panda tradecraft, including delivery style, loader–DLL separation, and infrastructure usage.

In another campaign identified by Trellix, DLL sideloading was used to distribute a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm. A DLL sideloading vulnerability in a legitimate binary associated with the open-source c-ares library was exploited to bypass security controls and deliver a broad range of commodity trojans and stealers.

Resecurity highlighted a trend of targeted spear-phishing, favoring reliable execution techniques such as DLL sideloading over exploit-based initial access to evade detection.

Pierluigi Paganini

(SecurityAffairs – hacking, PDFSIDER)