Hackers Exploiting PDF24 App to Deploy Stealthy PDFSIDER Backdoor

Resecurity has identified PDFSIDER malware that exploits the legitimate PDF24 App to covertly steal data and allow remote access. Learn how this APT-level campaign targets corporate networks through spear-phishing and encrypted communications.

HackRead

A new cybersecurity threat has been discovered that exploits a common office tool to create a backdoor. The malware, known as PDFSIDER, was recently identified by the research firm Resecurity after a Fortune 100 corporation successfully blocked an attempt to break into its network.

This investigation, which was shared with Hackread.com, reveals a highly organised campaign designed to evade modern security systems.

**How Legitimate Software is Being Manipulated**

The attack starts with spear-phishing emails, highly targeted messages that trick victims into downloading a ZIP file. Inside it is a legitimate program called PDF24 App, created by Miron Geek Software GmbH. While the app itself is a real tool for managing documents, the hackers exploit it using a technique called DLL side-loading.

This method works by placing a malicious file named cryptbase.dll in the same folder as the real PDF24.exe. When the user opens the program, Windows is tricked into loading the attacker’s code instead of the real system file. The malware runs entirely in memory, which allows it to bypass traditional antivirus tools.

Researchers noted that, to keep the victim unaware, the malware starts its work with the CREATE_NO_WINDOW process-creation option, ensuring that “no visible console appears” on the screen while it operates.
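As an added example (not from the article or from Resecurity’s report), here is a defender-side check for the side-loading pattern described above: it parses constructed Sysmon-style image-load records and flags any cryptbase.dll loaded from outside the Windows system directories. The record format and field names are assumptions modelled on Sysmon Event ID 7; the log lines are constructed, not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Directories from which the genuine cryptbase.dll is expected to be loaded.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Constructed Sysmon-style records (key=value pairs, one per line).
# Only the second line shows the side-loading pattern: the DLL sits
# beside pdf24.exe in a user directory instead of in System32.
SAMPLE_EVENTS = """\
EventID=7 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\cryptbase.dll Signed=true
EventID=7 Image=C:\\Users\\alice\\Downloads\\PDF24\\pdf24.exe ImageLoaded=C:\\Users\\alice\\Downloads\\PDF24\\cryptbase.dll Signed=false
EventID=7 Image=C:\\Program Files\\PDF24\\pdf24.exe ImageLoaded=C:\\Windows\\SysWOW64\\cryptbase.dll Signed=true
EventID=1 Image=C:\\Users\\alice\\Downloads\\PDF24\\pdf24.exe CommandLine=pdf24.exe
"""

# Matches "Key=value" where the value runs until the next " Key=" or end of line,
# so values containing spaces (e.g. "Program Files") are kept intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one 'Key=value Key=value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_trusted_path(path):
    """True when the DLL path lies under one of the system directories."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def is_sideload(event):
    """True for an image-load event of cryptbase.dll from an untrusted location."""
    if event.get("EventID") != "7":
        return False
    loaded = event.get("ImageLoaded", "")
    if PureWindowsPath(loaded).name.lower() != "cryptbase.dll":
        return False
    return not is_trusted_path(loaded)


def find_sideloads(text):
    """Return (loading process, DLL path) pairs for every suspicious load."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if is_sideload(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits
```

Running `find_sideloads(SAMPLE_EVENTS)` returns only the pdf24.exe load from the Downloads folder; the two loads from System32 and SysWOW64 are ignored.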

**A Tool Built for Espionage**

According to Resecurity’s blog post, PDFSIDER is classified as an Advanced Persistent Threat (APT). This means it is built for long-term spying rather than a quick hit. The malware is also very cautious; it uses the GlobalMemoryStatusEx function to check the system’s RAM. If it detects low memory (a common sign of a sandbox used by security experts for testing), it will trigger an early exit to stay hidden.

Once active, the malware uses the Botan 3.0.0 cryptographic library to secure its communications. It encrypts the stolen data with AES-256-GCM, generates a “unique ID” for the infected computer, and sends the output back to a private VPS server via DNS port 53.

Malware analysis (source: Resecurity)

**Links to Known Hacking Groups**

The campaign has shown a high level of persistence. In one recent case, the hackers even tried “impersonating technical support” using QuickAssist to gain remote access. They have also lured victims with fake documents made to look as if they were authored by the PLA Intelligence Bureau.

Fake document from the PLA Intelligence Bureau of the Joint Staff Department (中央军委联合参谋部情报局) (Source: Resecurity)

Researchers believe this style of attack overlaps with groups like Mustang Panda, which was found using the new LOTUSLITE backdoor to spy on the US government using a Venezuela news-themed lure.

While this specific investigation focused on a single corporate target, the Resecurity HUNTER team warned that several ransomware groups are now using PDFSIDER as a way to deliver their own payloads. This makes the discovery a vital piece of information for anyone looking to protect their online workspace.
