PDFSider Backdoor Hits Fortune 100 Firm, Linked to Qilin
Resecurity uncovers stealthy DLL-sideloading malware with APT-grade anti-VM tricks. Multiple ransomware groups now deploying it.
Security researchers at Resecurity discovered a new Windows backdoor called PDFSider during incident response at a Fortune 100 financial services company. The malware uses DLL sideloading to hijack a legitimate PDF application, then establishes encrypted command-and-control communications designed to evade enterprise security controls.
Resecurity reports that PDFSider is "actively used" by multiple ransomware groups, with confirmed deployment in Qilin ransomware attacks. The backdoor's sophistication—anti-VM checks, memory-only execution, and AES-256 encrypted C2—positions it as a tool for extended covert access rather than quick smash-and-grab operations.
How PDFSider Works
The infection chain begins with spearphishing. Attackers send targeted emails containing ZIP archives with a legitimate, digitally signed executable labeled "PDF24 App"—software from Miron Geek Software GmbH that users would recognize as a PDF creation tool.
Alongside the legitimate executable sits a malicious DLL named cryptbase.dll. When the user runs the PDF application, Windows loads the attacker's DLL instead of the real system library, because for libraries not on its protected known-DLL list Windows searches the application's own directory before the system directory. This DLL sideloading technique exploits that search order, allowing malicious code to execute with the privileges and trust level of the signed application.
The technique isn't new, but PDFSider's implementation is refined. The legitimate signature helps the package bypass security tools that flag unsigned executables.
Memory-Only Execution
PDFSider loads directly into memory without writing the main payload to disk. This minimizes forensic artifacts and complicates incident response. The backdoor uses anonymous pipes to launch commands through CMD, avoiding telltale process trees.
Each infected host receives a unique identifier. The malware collects system information and exfiltrates it to attacker infrastructure over DNS on port 53—traffic that often passes through firewalls unmonitored.
For command-and-control encryption, PDFSider employs the Botan 3.0.0 cryptographic library with AES-256-GCM, an Authenticated Encryption with Associated Data (AEAD) mode that both encrypts the traffic and detects tampering with it. All C2 communication decrypts in memory, leaving no cleartext payloads on disk or on the wire for defenders to analyze.
Aggressive Anti-Analysis
PDFSider implements multiple environment checks designed to detect security researcher sandboxes and virtual machines:
- RAM validation: The malware calls GlobalMemoryStatusEx to check available system memory. Automated analysis environments typically run with limited RAM—a dead giveaway. Systems with insufficient memory trigger early termination.
- Debugger detection: Standard anti-debugging checks look for attached debuggers and terminate if found.
- Multi-stage validation: The malware runs several validation routines before fully activating, filtering out analysis environments at multiple stages.
These techniques aren't unique to PDFSider, but their combination with memory-only execution and encrypted C2 creates a backdoor that evades many detection mechanisms.
Ransomware Connection
Resecurity confirmed PDFSider deployment in Qilin ransomware incidents. The backdoor serves as a persistent access mechanism—attackers establish footholds with PDFSider, then deploy ransomware payloads later.
But Qilin isn't the only user. Resecurity notes the malware is "actively used by multiple ransomware actors." The backdoor appears to function as shared tooling across the ransomware ecosystem, possibly offered through underground markets or shared among allied criminal groups.
This matches broader trends in ransomware operations. Initial access, persistent backdoors, and ransomware deployment increasingly come from different actors or tools, with specialization at each stage.
Espionage or Crime?
Resecurity assesses PDFSider as "closer to espionage tradecraft than financially motivated malware." The technical sophistication, emphasis on stealth over speed, and targeting of a Fortune 100 financial firm suggest capabilities beyond typical ransomware affiliates.
The targeting is notable too. Fortune 100 financial services companies have mature security operations. Successfully compromising such an organization requires tools and techniques that can evade advanced detection capabilities.
Whether PDFSider originated from state-sponsored developers who later shared it with criminal actors, or whether sophisticated criminals developed it independently, remains unclear. The line between state and criminal cyber operations continues to blur.
Detection Challenges
PDFSider presents significant detection challenges:
- The initial executable carries a legitimate digital signature
- Malicious activity occurs under the context of a trusted application
- Memory-only execution leaves minimal disk artifacts
- DNS-based C2 blends with normal traffic
- Encrypted communications prevent content inspection
Organizations should monitor for:
- Unsigned DLLs loading alongside signed PDF applications
- PDF applications making unusual DNS queries
- Anomalous command-line activity spawned from PDF utilities
- Memory-resident code without corresponding disk artifacts
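As an added illustration of these monitoring points (example code written for this page, not part of Resecurity's report or tooling), the following Python script runs the first three checks over a handful of constructed Sysmon-style events: a system-named DLL loading from the application's own directory (the sideloading pattern described earlier), a PDF application resolving an unexpected, exfil-shaped domain, and a shell spawned by a PDF utility. The executable name pdf24.exe, the allowlisted domain, the extra DLL names and the event field names are assumptions; only cryptbase.dll comes from the article.

```python
"""Triage of endpoint telemetry for PDFSider-style tradecraft (added example)."""
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows system DLLs an attacker could shadow by dropping a same-named file beside a
# signed executable. cryptbase.dll is named in the article; the other two are illustrative,
# and a real deployment would baseline the full set of System32 DLL names.
SYSTEM_DLL_NAMES = {"cryptbase.dll", "version.dll", "dbghelp.dll"}

# Executables treated as PDF applications. pdf24.exe is an ASSUMED name for the PDF24 App.
PDF_APP_NAMES = {"pdf24.exe"}

# Domains the PDF tooling is expected to contact (constructed allowlist for this example).
EXPECTED_DOMAINS = {"updates.pdf-vendor.example"}

# Shells that a document-conversion utility should rarely spawn.
SHELLS = {"cmd.exe", "powershell.exe"}

WINDOWS_DIR = "c:\\windows\\"

# Constructed sample telemetry, loosely modelled on Sysmon event fields (not real events).
SAMPLE_EVENTS = [
    {"kind": "image_load", "image": r"C:\Users\alice\Downloads\PDF24 App\pdf24.exe",
     "image_signed": True, "loaded": r"C:\Users\alice\Downloads\PDF24 App\cryptbase.dll",
     "loaded_signed": False},
    {"kind": "image_load", "image": r"C:\Program Files\PDF24\pdf24.exe", "image_signed": True,
     "loaded": r"C:\Windows\System32\cryptbase.dll", "loaded_signed": True},
    {"kind": "dns_query", "image": r"C:\Users\alice\Downloads\PDF24 App\pdf24.exe",
     "query": "ab12cd34ef56ab12cd34ef56ab12cd34ef56.c2.example"},
    {"kind": "dns_query", "image": r"C:\Program Files\PDF24\pdf24.exe",
     "query": "updates.pdf-vendor.example"},
    {"kind": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PDF24\pdf24.exe", "command_line": "pdf24.exe"},
    {"kind": "process_create", "parent_image": r"C:\Users\alice\Downloads\PDF24 App\pdf24.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _base(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def _dir(path: str) -> str:
    return os.path.dirname(path.replace("\\", "/")).lower()


def check_image_load(ev: dict) -> Optional[Finding]:
    """Flag a DLL that shadows a system library from the loading executable's own directory,
    or any unsigned DLL loaded side by side with a signed executable."""
    dll = ev["loaded"]
    name = _base(dll)
    in_windows_dir = dll.lower().replace("/", "\\").startswith(WINDOWS_DIR)
    side_by_side = _dir(dll) == _dir(ev["image"])
    if name in SYSTEM_DLL_NAMES and not in_windows_dir and side_by_side:
        signed = "signed" if ev.get("loaded_signed") else "unsigned"
        return Finding("dll_sideload", f"{_base(ev['image'])} loaded {signed} {name} from {dll}")
    if ev.get("image_signed") and not ev.get("loaded_signed") and side_by_side:
        return Finding("unsigned_dll_beside_signed_exe", f"{_base(ev['image'])} loaded {dll}")
    return None


def check_dns_query(ev: dict) -> Optional[Finding]:
    """Flag DNS lookups by a PDF application to domains outside the allowlist; note when
    the longest label looks like encoded data, a common shape for DNS-carried exfiltration."""
    if _base(ev["image"]) not in PDF_APP_NAMES:
        return None
    query = ev["query"].rstrip(".").lower()
    if query in EXPECTED_DOMAINS or query.endswith(tuple("." + d for d in EXPECTED_DOMAINS)):
        return None
    longest = max(len(label) for label in query.split("."))
    shape = "long-label" if longest > 30 else "unexpected-domain"  # 30 is a tuning knob
    return Finding("pdf_app_dns", f"{_base(ev['image'])} queried {query} ({shape})")


def check_process_create(ev: dict) -> Optional[Finding]:
    """Flag a shell spawned by a PDF application."""
    if _base(ev["parent_image"]) in PDF_APP_NAMES and _base(ev["image"]) in SHELLS:
        return Finding("pdf_app_spawned_shell",
                       f"{_base(ev['parent_image'])} -> {ev['command_line']}")
    return None


CHECKS = {"image_load": check_image_load, "dns_query": check_dns_query,
          "process_create": check_process_create}


def triage(events: Iterable[dict]) -> List[Finding]:
    """Run every applicable check over the event stream and collect the findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("kind"))
        result = check(ev) if check else None
        if result:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

Run against the constructed events, the script reports the sideloaded cryptbase.dll, the long-label DNS query and the cmd.exe child, and stays silent on the legitimate System32 load, the allowlisted update domain and the ordinary launch from explorer.exe. The thresholds and name lists are the parts to tune against your own baseline of what the deployed PDF tooling normally loads, resolves and spawns.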
Resecurity hasn't published full indicators of compromise but notes that "most identified artifacts evade popular AV and EDR products." Organizations concerned about PDFSider exposure should contact the company directly for additional detection guidance.
Why This Matters
PDFSider represents the professionalization of ransomware tooling. This isn't hastily assembled malware—it's a purpose-built backdoor with anti-analysis capabilities that rival state-sponsored implants. Its adoption by multiple ransomware groups suggests sophisticated tools are becoming more widely available across the criminal ecosystem.
For defenders, the message is clear: signature-based detection isn't enough. Memory forensics, behavioral analysis, and network traffic inspection become essential when attackers can hide behind legitimate applications and encrypted channels.