Cybersecurity researchers recently identified a sophisticated malware strain called PDFSider being used by ransomware groups to infiltrate Fortune 100 financial firms through a combination of social engineering and technical exploits. The attack involves impersonating technical support to trick employees into installing remote assistance tools, which then facilitates the deployment of a stealthy backdoor designed for long-term network access.
Attackers initiate their campaign by sending spearphishing emails containing a ZIP archive that appears to be a legitimate software package for PDF24 Creator. The archive includes a genuine, digitally signed executable alongside a malicious library file. In a technique known as DLL side-loading, the legitimate program loads the attacker's library in place of one it expects and so runs the malicious code when it starts up. This allows the malware to slip past traditional endpoint detection, because the process being launched is a trusted application carrying a valid digital signature.
Once the malicious DLL is active, it runs with the same permissions as the host application and operates mainly in memory to avoid leaving artefacts on disk. This stealthy approach is characteristic of advanced persistent threat tradecraft, since it makes forensic analysis considerably harder. The malware maintains a persistent channel to the attackers, executes their commands through anonymous pipes, and assigns each infected machine a unique identifier so that operators can track it.
Communication between the infected system and the command-and-control server is encrypted to prevent interception. PDFSider uses the Botan cryptographic library and AES-256-GCM to protect the data it exfiltrates, which typically includes detailed system information. Incoming instructions are decrypted directly in memory, so sensitive command strings never touch the hard drive. Traffic is sent over port 53, the port normally used for DNS, which corporate firewalls frequently leave open or monitor less strictly.
While this specific malware has been linked to the Qilin ransomware group, researchers have observed several other threat actors adopting the tool for their own operations. The rise of AI-assisted coding has reportedly made it easier for these criminals to identify applications such as PDF24 whose library-loading behaviour can be abused for side-loading. In some cases the attackers have also used decoy documents tailored to specific targets, such as files appearing to originate from government agencies, to increase the likelihood of a successful infection.
This evolution in ransomware tactics marks a shift toward more disciplined, state-sponsored styles of attack rather than simple mass-scale automation. By impersonating technical support and abusing the loading behaviour of trusted software, attackers can gain a foothold in high-value targets within the finance sector. As long-term backdoors like PDFSider become more common, organizations must look beyond signature-based security and rely on behavioral analysis to catch malicious activity occurring inside legitimate processes.
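As an added example (not code from the article or from the researchers who reported PDFSider), the two behaviours the report describes, a signed application loading an unsigned library from its own directory and a process other than a DNS component talking on port 53, written as detection heuristics over constructed telemetry records. The user-writable path hints, the allow-listed DNS processes and all sample file names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
# Path fragments hinting that a signed app runs from a user-writable location
# (e.g. an extracted ZIP), and processes expected on port 53; both are assumptions.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
DNS_PROCESSES = {"c:\\windows\\system32\\svchost.exe", "c:\\windows\\system32\\dns.exe"}

@dataclass
class ImageLoad:  # one DLL-load telemetry record
    process_path: str
    process_signed: bool
    image_path: str
    image_signed: bool
@dataclass
class NetConnect:  # one outbound-connection telemetry record
    process_path: str
    dest_port: int

def flag_sideload(ev):
    """Signed host process loads an unsigned DLL from its own user-writable directory."""
    proc, dll = ev.process_path.lower(), ev.image_path.lower()
    if not ev.process_signed or ev.image_signed or not dll.endswith(".dll"):
        return None
    same_dir = proc.rsplit("\\", 1)[0] == dll.rsplit("\\", 1)[0]
    if same_dir and any(h in proc for h in USER_WRITABLE_HINTS):
        return f"possible DLL side-loading: {ev.process_path} loaded unsigned {ev.image_path}"
    return None

def flag_port53(ev):
    """Port-53 traffic from a process that is not a known DNS component."""
    if ev.dest_port == 53 and ev.process_path.lower() not in DNS_PROCESSES:
        return f"non-DNS process talking on port 53: {ev.process_path}"
    return None

def scan(events):
    """Run both heuristics over a record stream and return the alert strings."""
    alerts = []
    for ev in events:
        hit = flag_sideload(ev) if isinstance(ev, ImageLoad) else flag_port53(ev)
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample telemetry; file names and paths are illustrative only.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\jdoe\Downloads\pdf24\pdf24-creator.exe", True,
              r"C:\Users\jdoe\Downloads\pdf24\helper.dll", False),      # side-load pattern
    ImageLoad(r"C:\Program Files\PDF24\pdf24-creator.exe", True,
              r"C:\Program Files\PDF24\pdf24.dll", True),                # benign install
    NetConnect(r"C:\Users\jdoe\Downloads\pdf24\pdf24-creator.exe", 53),  # unexpected port 53
    NetConnect(r"C:\Windows\System32\svchost.exe", 53),                 # expected resolver
]
```

Run `scan(SAMPLE_EVENTS)` to see the two alerts; the benign install and the system resolver produce none.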
Source: New PDFsider Windows Malware Deployed On Fortune 100 Network