37/69 Wednesday, January 21, 2026

Cybersecurity researchers from Resecurity have identified a new malware strain named PDFSider while investigating a security incident at a Fortune 100 financial company. The malware has reportedly been used by multiple threat actors, including the Qilin ransomware group, to gain initial access and maintain long-term persistence within compromised environments. The attack chain typically begins with social engineering, where attackers impersonate IT support staff or send spear-phishing emails to trick employees into installing remote access tools or opening malicious files. Experts note that PDFSider's behavior demonstrates a level of sophistication comparable to nation-state APT tradecraft.
The core infection mechanism of PDFSider relies on DLL side-loading to evade detection. Attackers distribute a ZIP archive containing a legitimate, digitally signed installer of PDF24 Creator, allowing the payload to appear trustworthy to security controls. Alongside the legitimate installer, attackers embed a malicious DLL file (cryptbase.dll). When the user launches PDF24 Creator, the application unintentionally loads the attacker-controlled DLL, enabling malicious code execution directly in memory, leaving minimal forensic artifacts on disk.
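A defender-side check for the side-loading pattern described above, added here as an example and not taken from the Resecurity report: it scans image-load telemetry (shaped like Sysmon Event ID 7 records, reduced to dicts) and flags cryptbase.dll whenever it is loaded from somewhere other than the Windows system directories. The sample events, the user path and the installer file name are constructed for illustration.

```python
"""Flag cryptbase.dll loaded from outside the Windows system directories."""
from pathlib import PureWindowsPath
from typing import Optional

# System DLLs that applications resolve by name and that are therefore
# side-loading candidates; cryptbase.dll is the one named on this page.
SIDELOAD_DLLS = {"cryptbase.dll"}
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def is_in_system_dir(path: str) -> bool:
    """True if the file sits directly in System32 or SysWOW64."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == str(d).lower() for d in SYSTEM_DIRS)


def flag_sideload(event: dict) -> Optional[dict]:
    """Return a finding for an ImageLoad event that looks like a side-load, else None."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in SIDELOAD_DLLS:
        return None
    if is_in_system_dir(event["ImageLoaded"]):
        return None  # the genuine OS copy; expected behaviour
    return {
        "process": event["Image"],
        "dll": event["ImageLoaded"],
        "signed": event.get("Signed", "false"),
        "reason": f"{loaded.name} loaded from a non-system directory",
    }


def scan(events) -> list:
    """Run flag_sideload over a sequence of events and collect the findings."""
    return [f for f in (flag_sideload(e) for e in events) if f]


# Constructed sample telemetry (not real events; file/user names are assumed)
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\pdf24\pdf24-creator.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\pdf24\cryptbase.dll", "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the first sample event is reported, since the second is the legitimate System32 copy.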
What makes PDFSider particularly dangerous is its advanced evasion and self-protection capabilities. The malware actively checks whether it is running inside a sandbox or virtual machine and immediately terminates execution if such an environment is detected, hindering analysis. Additionally, command-and-control (C2) communication is tunneled over port 53 (DNS) and protected using AES-256-GCM encryption, ensuring confidentiality of exfiltrated data. This discovery highlights a growing trend in which cybercriminals increasingly adopt high-end offensive tooling traditionally associated with espionage operations to support ransomware campaigns and long-term data theft.
Source: https://dg.th/t8onpd42ua
