
PDFSider: New Windows Backdoor Used in a Fortune 100 Finance Intrusion to Enable Long-Term, Encrypted Remote Access

Resecurity uncovered a stealthy Windows backdoor dubbed PDFSider during an incident response at a Fortune 100 finance company. Delivered via DLL side-loading inside a signed PDF24 Creator package, the malware runs in memory, exfiltrates over DNS, and uses AES-256-GCM-encrypted C2 for long-term access.

Evan Mael
  • Target: Fortune 100 organization in the finance sector
  • C2 encryption: AES-256-GCM (embedded Botan 3.0.0)
  • Exfiltration and C2 channel: DNS (port 53)
  • Side-loaded malicious DLL: cryptbase.dll

A Fortune 100 finance company faced a targeted intrusion attempt in which attackers combined social engineering (including "tech support" impersonation and Quick Assist abuse) with a stealthy backdoor called PDFSider. The malware is delivered through DLL side-loading: a legitimate, digitally signed PDF24 Creator executable is paired with a malicious cryptbase.dll. Once running, it operates largely in memory, executes commands through cmd.exe over anonymous pipes with no visible window, and exfiltrates system data and command output over DNS (port 53) using AES-256-GCM encrypted communications.

What Happened

Incident responders at Resecurity say they identified PDFSider while investigating an intrusion attempt against a Fortune 100 organization in the finance sector. The initial access playbook blends two "low-friction" tactics that often evade user suspicion:

  • Social engineering: callers impersonating technical support to guide employees into enabling remote access workflows (including Microsoft Quick Assist)
  • Spearphishing: emails delivering a ZIP archive designed to look legitimate enough to be opened and executed

This is the kind of hybrid access path that's difficult to defend with a single control: it mixes user manipulation with a technically reliable execution technique.

Infection Chain: Signed EXE + Malicious DLL Side-Loading

PDFSider's delivery is built around a classic trust mismatch:

  1. Victim receives a spearphishing email with a ZIP attachment
  2. ZIP contains a legitimate, signed executable for PDF24 Creator (PDF tool by Miron Geek Software GmbH)
  3. The same folder includes a malicious cryptbase.dll
  4. When the signed EXE runs, Windows resolves cryptbase.dll through the standard DLL search order, which checks the application's own directory before System32 for any DLL that is not on the KnownDLLs list. cryptbase.dll is not a KnownDLL, so the attacker's copy wins and its code runs inside the signed process (DLL side-loading)

This technique matters because it often bypasses initial reputation checks: an Authenticode signature covers only the EXE itself, not the DLLs it loads, so security tools may treat the signed parent binary as benign while the malicious DLL "rides along" into execution.

What PDFSider Does on the Host

Resecurity describes PDFSider as a stealthy backdoor optimized for long-term access:

  • Runs primarily in memory, aiming to leave minimal disk artifacts
  • Executes commands via anonymous pipes, launching hidden command shells (e.g., cmd.exe /C ... with no visible window)
  • Generates a unique host identifier and collects system profiling data
  • Exfiltrates data to attacker infrastructure over DNS (port 53), a channel many networks allow by default for resolver traffic

The combination of in-memory behavior, signed-parent execution, and DNS-based data movement is a practical evasion stack for environments with strong perimeter controls but inconsistent endpoint telemetry.

C2 Protection: Botan + AES-256-GCM

PDFSider protects its command-and-control traffic using a structured crypto implementation:

  • Embedded Botan 3.0.0 cryptographic library
  • AES-256-GCM for authenticated encryption
  • Decrypts incoming data in memory to reduce forensic footprint

This is not "commodity stealer" behavior. It's a design that prioritizes confidentiality and integrity of operator traffic, which supports the "long-term backdoor" use case.
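The DNS carriage and the encrypted payload are worth reasoning about together. The Python below is an added example, not PDFSider's code or part of Resecurity's analysis: the report does not give the wire format, so the encoding (base32 labels under an attacker-controlled zone, with a hex sequence label per query), the zone name cdn-updates.example and the query sizes are assumptions, and deterministic pseudo-random bytes stand in for the AES-256-GCM ciphertext because the standard library has no AES-GCM. It shows why content inspection gets nothing from such a channel (authenticated ciphertext is indistinguishable from random) and why the query names still give a detector something to key on: subdomain length, label length and character entropy.

```python
import base64
import math
import random
from collections import Counter

# Constructed illustration of DNS-carried exfiltration; NOT PDFSider's actual
# protocol (Resecurity did not publish the wire format). The zone name is
# hypothetical and sample_ciphertext() is a stand-in for AES-256-GCM output.
ATTACKER_ZONE = "cdn-updates.example"   # hypothetical operator-controlled zone
MAX_LABEL = 63                           # RFC 1035 label limit
MAX_NAME = 253                           # practical limit on a full query name


def sample_ciphertext(n: int, seed: int = 7) -> bytes:
    """Deterministic pseudo-random bytes standing in for GCM ciphertext."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def encode_exfil(ciphertext: bytes, zone: str = ATTACKER_ZONE):
    """Pack ciphertext into base32 labels under zone, one hex sequence label per query."""
    b32 = base64.b32encode(ciphertext).decode().rstrip("=").lower()
    per_query = (MAX_NAME - len(zone) - 4) // (MAX_LABEL + 1)   # room left for "seq."
    chunk = per_query * MAX_LABEL
    queries = []
    for seq, i in enumerate(range(0, len(b32), chunk)):
        body = b32[i:i + chunk]
        labels = [body[j:j + MAX_LABEL] for j in range(0, len(body), MAX_LABEL)]
        queries.append(f"{seq:x}." + ".".join(labels) + "." + zone)
    return queries


def decode_exfil(queries, zone: str = ATTACKER_ZONE) -> bytes:
    """What the zone's authoritative server does: reorder, strip labels, decode."""
    ordered = sorted(queries, key=lambda q: int(q.split(".", 1)[0], 16))
    b32 = "".join("".join(q[:-(len(zone) + 1)].split(".")[1:]) for q in ordered)
    b32 = b32.upper() + "=" * (-len(b32) % 8)    # restore base32 padding
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def score_query(qname: str) -> dict:
    labels = qname.rstrip(".").split(".")
    sub = "".join(labels[:-2])   # everything left of the registrable zone (2 labels here)
    return {"sub_len": len(sub), "entropy": shannon_entropy(sub),
            "max_label": max(len(l) for l in labels)}


def is_suspicious(qname: str, min_sub_len=40, min_entropy=3.5, min_label=30) -> bool:
    """Flag long, high-entropy subdomains with oversized labels; tune per environment."""
    s = score_query(qname)
    return (s["sub_len"] >= min_sub_len and s["entropy"] >= min_entropy
            and s["max_label"] >= min_label)


def hunt_dns(qnames):
    return [q for q in qnames if is_suspicious(q)]


# Constructed benign names for comparison (CDN-style hostnames are the usual false-positive source).
BENIGN = ["www.example.com", "outlook.office365.com",
          "d1abc2xyz.cloudfront.net", "e3191.dscg.akamaiedge.net"]

if __name__ == "__main__":
    tunnelled = encode_exfil(sample_ciphertext(500))
    assert decode_exfil(tunnelled) == sample_ciphertext(500)
    for q in BENIGN + tunnelled:
        tag = "SUSPECT" if is_suspicious(q) else "ok     "
        print(f"{tag} {score_query(q)} {q[:50]}...")
```

Shortening the last query (a 500-byte payload leaves a 44-character tail here) shows the detector's weak spot: thresholds set for full-size queries miss small trailing chunks, so volume per client and per zone over time should be scored alongside per-query shape.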

Anti-Analysis and Sandbox Evasion

To avoid detonation in analysis environments, PDFSider reportedly uses multiple anti-analysis checks such as:

  • RAM size checks (low-memory systems often correlate with sandboxes)
  • Debugger detection and early exit behavior

These controls reduce the chance of automated systems capturing full behavior and produce delayed or partial telemetry during triage.

Ransomware Ecosystem Links (Qilin and Beyond)

Resecurity told BleepingComputer the malware has been observed in Qilin ransomware activity and that multiple ransomware actors appear to be using it as a payload delivery or persistence component. This positioning aligns with the current ransomware supply chain: specialized initial access and stealth tooling that later hands off to disruptive monetization.

Indicators of Compromise (IOCs) Worth Hunting

Below are high-signal artifacts reported by Resecurity that are practical for triage and threat hunting. Note that pdf24.exe and the four "clean" DLLs are legitimate files from the PDF24 package: their hashes are pivots for finding the dropped bundle in unusual locations, not indicators to block on their own.

File and Hash Indicators

Artifact         Description                                   MD5
cryptbase.dll    Malicious DLL used for side-loading           298cbfc6a5f6fa041581233278af9394
pdf24.exe        Legitimate signed executable used as loader   a32dc85eee2e1a579199050cd1941e1d
about.dll        Clean DLL in package                          e0e674ec74d323e0588973aae901b5d2
language.dll     Clean DLL in package                          80e4a29270b828c1f97d9cde9475fcbd
notifyicon.dll   Clean DLL in package                          96ff508f9be007062b1770691f489e62
settings.dll     Clean DLL in package                          9f9dd5a432b4dde2160c7a7170e0d069

Network Indicators

Indicator          Context
45.76.9.248        C2 / VPS infrastructure (reported)
DNS over port 53   Data exfiltration and encrypted C2 channel

Detection Guidance: What to Look for in Logs

If you're hunting for PDFSider or similar signed-loader side-loading chains, prioritize these patterns:

  • A signed PDF24 executable running from a user download or temp location (not standard install paths)
  • The same process loading cryptbase.dll from its local directory (not from System32)
  • Short bursts of cmd.exe /C spawned without a visible console window shortly after the PDF24 process starts
  • Unusual DNS traffic volume or high-entropy DNS payload patterns from the affected endpoint
  • Any spike in Quick Assist usage that correlates with suspicious inbound "support" activity
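As an added example (not from Resecurity's report or any vendor's rule set), the Python below runs the first three patterns as rules over a handful of constructed Sysmon-style events. The paths, PIDs, timestamps and the command line are invented for illustration; the field names only loosely follow Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad), and the set of side-load-prone DLL names is an assumption beyond cryptbase.dll. A benign control (the real install running from Program Files and loading the System32 copy of cryptbase.dll) is included to show that the rules key on location and signature, not on the file name alone.

```python
import re
from datetime import datetime

# Constructed Sysmon-style events for illustration, not telemetry from the incident.
EVENTS = [
    {"type": "ProcessCreate", "time": "2026-01-12 09:14:02", "pid": 4120, "ppid": 3020,
     "image": r"C:\Users\jdoe\Downloads\invoice\pdf24.exe", "signed": True,
     "cmdline": r'"C:\Users\jdoe\Downloads\invoice\pdf24.exe"'},
    {"type": "ImageLoad", "time": "2026-01-12 09:14:02", "pid": 4120,
     "image": r"C:\Users\jdoe\Downloads\invoice\pdf24.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
    {"type": "ImageLoad", "time": "2026-01-12 09:14:02", "pid": 4120,
     "image": r"C:\Users\jdoe\Downloads\invoice\pdf24.exe",
     "loaded": r"C:\Users\jdoe\Downloads\invoice\cryptbase.dll", "loaded_signed": False},
    {"type": "ProcessCreate", "time": "2026-01-12 09:14:05", "pid": 4388, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe", "signed": True,
     "cmdline": r"cmd.exe /C whoami /all & ipconfig /all"},
    # Benign control: the real install, loading the system copy of cryptbase.dll.
    {"type": "ProcessCreate", "time": "2026-01-12 09:20:00", "pid": 5000, "ppid": 3020,
     "image": r"C:\Program Files\PDF24\pdf24.exe", "signed": True,
     "cmdline": r'"C:\Program Files\PDF24\pdf24.exe"'},
    {"type": "ImageLoad", "time": "2026-01-12 09:20:00", "pid": 5000,
     "image": r"C:\Program Files\PDF24\pdf24.exe",
     "loaded": r"C:\Windows\System32\cryptbase.dll", "loaded_signed": True},
]

# Applied to lower-cased paths.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\|\\appdata\\|\\temp\\|\\programdata\\")
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\")
# cryptbase.dll is the name used here; the others are assumed additions to the watchlist.
SIDELOAD_NAMES = {"cryptbase.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}


def _dir(p): return p.rsplit("\\", 1)[0].lower()
def _base(p): return p.rsplit("\\", 1)[-1].lower()
def _ts(s): return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def hunt(events, window_s=60):
    """Return (pid, rule, detail) findings for the signed-loader side-loading chain."""
    findings, starts, flagged = [], {}, set()
    for e in events:
        if e["type"] == "ProcessCreate":
            starts[e["pid"]] = e
            img = e["image"].lower()
            # Rule 1: a signed binary executing from a user-writable location.
            if e["signed"] and USER_WRITABLE.search(img):
                findings.append((e["pid"], "signed_exe_in_user_path", e["image"]))
                flagged.add(e["pid"])
            # Rule 3: cmd.exe /C spawned by an already-flagged parent shortly after it started.
            parent = starts.get(e["ppid"])
            if (parent and e["ppid"] in flagged and _base(img) == "cmd.exe"
                    and "/c" in e["cmdline"].lower()
                    and (_ts(e["time"]) - _ts(parent["time"])).total_seconds() <= window_s):
                findings.append((e["ppid"], "cmd_child_after_start", e["cmdline"]))
        elif e["type"] == "ImageLoad":
            loaded = e["loaded"].lower()
            # Rule 2: a system-named DLL loaded from the EXE's own directory,
            # outside System32/SysWOW64, without a valid signature.
            if (_base(loaded) in SIDELOAD_NAMES and _dir(loaded) == _dir(e["image"])
                    and not SYSTEM_DIR.search(loaded) and not e["loaded_signed"]):
                findings.append((e["pid"], "dll_sideload_from_app_dir", e["loaded"]))
                flagged.add(e["pid"])
    return findings


if __name__ == "__main__":
    for pid, rule, detail in hunt(EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

Rule 1 on its own is noisy (installers and portable tools run from Downloads all day); its value is as a correlating signal for rules 2 and 3, which is why the cmd.exe rule only fires for a parent that has already tripped something. In production the signature fields come from Sysmon's Signed/SignatureStatus on the image-load event, and the window should be tuned to how quickly the loader drops to a shell on your endpoints.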

Mitigation Checklist (Practical and Fast)

  • Block/allowlist remote assistance tools (Quick Assist) by policy; restrict to helpdesk-only workflows and enforce approvals
  • Enforce application control (WDAC/AppLocker) to prevent signed binaries running from user-writable locations
  • Add detection for side-loading behavior (unsigned DLL loaded by a signed binary from the same folder)
  • Monitor and constrain DNS egress (especially direct-to-internet DNS from endpoints); route through controlled resolvers and alert on anomalies
  • Improve email controls: block ZIP attachments from unknown senders where feasible and tighten "first seen" executable handling

PDFSider represents the current state of targeted intrusion tooling: a carefully engineered backdoor that leverages trust in signed software, operates in memory to minimize forensic artifacts, and uses DNS as a covert channel. The combination of social engineering entry points and technical stealth makes this a serious threat for organizations with valuable data and limited visibility into endpoint behavior.

For security teams, the key lessons are familiar but urgent: signed binaries are not inherently safe when loaded from user-controlled locations, DNS egress deserves monitoring beyond basic blocking, and remote assistance tools need governance to prevent abuse. The connection to Qilin and other ransomware operations underscores that catching this kind of backdoor early can prevent a much larger incident downstream.

Frequently Asked Questions

DLL side-loading exploits the Windows DLL search order. When a legitimate signed application runs, the loader checks the application's own directory before the system directories for any DLL that is not a KnownDLL. Attackers place a malicious DLL with an expected name (here, cryptbase.dll) alongside the legitimate EXE, so the malware executes inside the trusted application's process and inherits its reputation.

DNS traffic on port 53 is often allowed through firewalls for resolver communication. By encoding data in DNS queries, PDFSider can exfiltrate information through a channel that many organizations don't monitor as closely as HTTP/HTTPS traffic.

Resecurity reports that PDFSider has been observed in Qilin ransomware operations and is used by multiple ransomware actors. It appears to serve as an initial access or persistence tool before ransomware deployment, fitting the modern ransomware supply chain model.

Attackers used social engineering calls impersonating tech support to convince employees to enable Quick Assist for remote access. This legitimate Microsoft tool becomes an abuse vector when users are manipulated into granting access to attackers posing as IT personnel.

PDFSider combines multiple evasion techniques: execution via a signed binary, in-memory operation with minimal disk artifacts, anti-sandbox checks (RAM size, debugger detection), and encrypted C2 over DNS. This stack is designed to evade both automated analysis and endpoint detection.

Key defenses include: restricting remote assistance tools to approved workflows, enforcing application control to block signed binaries from user-writable locations, detecting DLL side-loading patterns, monitoring DNS egress for anomalies, and improving email filtering for ZIP attachments.

Incident Summary

Type: Malware
Severity: High
Industry: Finance
Threat Actor: Multiple ransomware actors, including Qilin
Target: Fortune 100 finance organization
Published: Jan 19, 2026
