Ethical Hacking News
Resecurity has identified a new, highly sophisticated malware strain known as PDFSider that was used by ransomware attackers to gain remote access to the network of a Fortune 100 firm in the finance sector. The malware combines authenticated encryption with anti-analysis mechanisms to maintain long-term covert access. Experts warn that the growing sophistication of cyber threats demands increased vigilance from companies.
Cybersecurity experts have identified a new malware strain called PDFSider, which has been used by ransomware attackers to gain remote access to a Fortune 100 firm's Windows systems. The attackers used social engineering tactics and spearphishing emails to trick employees into installing Microsoft's Quick Assist tool. PDFSider features anti-analysis mechanisms, AES-256-GCM encryption, and stealthy backdoor functionality for long-term access to the system. The malware protects its C2 exchange with AES-256-GCM and decrypts incoming data in memory to minimize its footprint on the host. PDFSider is considered closer to "espionage tradecraft" than financially motivated malware, indicating long-term covert access and flexible remote command execution.
Cybersecurity experts at Resecurity have identified a new, highly sophisticated malware strain known as PDFSider that has been deployed on the network of a Fortune 100 firm in the finance sector. This malicious software was used by ransomware attackers to gain remote access to the company's Windows systems.
According to the researchers, the attackers employed social engineering tactics to trick company employees into installing Microsoft's Quick Assist tool, which allowed them to gain access to the affected system. The malware was delivered via spearphishing emails that contained a ZIP archive with a legitimate, digitally signed executable for the PDF24 Creator tool from Miron Geek Software GmbH. However, the package also included a malicious version of a DLL (cryptbase.dll) that the application requires in order to function.
When the executable ran, it loaded the attacker's DLL file using a technique known as DLL side-loading, providing code execution on the system. The researchers note that PDFSider has been seen deployed in Qilin ransomware attacks and is already "actively used" by multiple ransomware actors to launch their payloads.
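The delivery chain above relies on a system DLL name (cryptbase.dll) being dropped next to a signed executable so the loader resolves the local copy first. The following script is an added example for defenders, not Resecurity's or the article's code: it walks an extracted archive directory and flags any executable that sits beside a DLL whose name belongs in a Windows system directory. The demo directory, its placeholder file names (`pdf24_placeholder.exe`) and contents are constructed here; the set of shadowable DLL names is an assumption seeded only with the one the article names, and a real deployment would extend it and add Authenticode and hash checks.

```python
"""Flag DLL side-loading layouts in an extracted archive (defender triage).

Added example, not code from the article or from Resecurity. It models the
delivery described in the article: a legitimate signed EXE shipped next to a
DLL whose name matches a Windows system DLL, so the process loads the local
copy instead of the one in System32.
"""
import os
import shutil
import tempfile

# Assumption: DLL names that belong in a Windows system directory and are
# suspicious when found beside an application executable. Seeded with the one
# named in the article; a production list would be much longer.
SHADOWABLE_SYSTEM_DLLS = {"cryptbase.dll"}

# Directories where these DLLs legitimately live; matches there are ignored.
SYSTEM_DIR_MARKERS = ("system32", "syswow64")


def find_sideload_candidates(root):
    """Return (exe_path, dll_path) pairs for every executable that shares a
    directory with a DLL named like a system DLL, outside system directories."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if any(marker in dirpath.lower() for marker in SYSTEM_DIR_MARKERS):
            continue
        by_lower = {name.lower(): name for name in files}
        exes = [n for n in by_lower if n.endswith(".exe")]
        dlls = [n for n in by_lower if n in SHADOWABLE_SYSTEM_DLLS]
        for exe in exes:
            for dll in dlls:
                findings.append((os.path.join(dirpath, by_lower[exe]),
                                 os.path.join(dirpath, by_lower[dll])))
    return findings


def build_demo_archive_dir():
    """Construct a throwaway directory shaped like the lure ZIP: one executable,
    one DLL carrying a system DLL name, one decoy text file. All contents are
    placeholders, not real binaries."""
    root = tempfile.mkdtemp(prefix="sideload_demo_")
    samples = {
        "pdf24_placeholder.exe": b"MZ constructed placeholder for a signed installer",
        "cryptbase.dll": b"MZ constructed placeholder for the dropped DLL",
        "readme.txt": b"constructed lure text",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def build_clean_dir():
    """Construct a directory with an executable but no shadowed system DLL."""
    root = tempfile.mkdtemp(prefix="sideload_clean_")
    with open(os.path.join(root, "tool.exe"), "wb") as fh:
        fh.write(b"MZ constructed placeholder")
    with open(os.path.join(root, "helper.dll"), "wb") as fh:
        fh.write(b"MZ constructed placeholder")
    return root


if __name__ == "__main__":
    demo = build_demo_archive_dir()
    try:
        for exe, dll in find_sideload_candidates(demo):
            print(f"SUSPECT: {os.path.basename(exe)} loads sibling {os.path.basename(dll)}")
    finally:
        shutil.rmtree(demo)
```

Run it against the directory a user extracted an attachment into; a hit means the executable should be run from a clean install location (or not at all) and the sibling DLL hashed and submitted for analysis.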
The malware features several anti-analysis mechanisms, such as RAM size checks and debugger detection, so that it exits early when it detects signs of running in a sandbox. For its cryptography it uses AES-256-GCM, an Authenticated Encryption with Associated Data (AEAD) mode that provides both confidentiality and integrity protection for the data it exchanges.
Resecurity researchers describe PDFSider as a stealthy backdoor designed to provide long-term access to the affected system. The malware runs in memory and uses anonymous pipes to launch commands through cmd.exe, leaving minimal disk artifacts behind. It also assigns a unique identifier to each infected host and collects and exfiltrates system information to an attacker-controlled VPS server over DNS (port 53).
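Exfiltration over DNS stands out in resolver logs because the encoded payload has to be carried in query names. The script below is an added example of the detection logic a SOC would run over such logs; it is not Resecurity's code and is not derived from the incident. The log format, client addresses, the `example-c2.test` domain and the hex-encoded subdomains are all constructed. It groups queries by (client, apex domain) and raises a finding when at least two of three signals co-occur: a long leading label, high character entropy in that label, and many distinct subdomains under one apex. The two-label apex extraction is an assumption (no public suffix list lookup).

```python
"""Spot DNS-tunnelled exfiltration in resolver logs (added example, not the
article's or Resecurity's code). Sample log lines are constructed."""
import math
import re
from collections import defaultdict

# Constructed resolver log: one query per line. The 10.0.0.7 entries mimic
# hex-encoded chunks beaconed to a single apex; 10.0.0.5 is normal traffic.
SAMPLE_LOG = """\
2026-01-19T15:09:27Z client=10.0.0.5 qtype=A qname=www.example.com
2026-01-19T15:09:28Z client=10.0.0.5 qtype=A qname=mail.example.com
2026-01-19T15:09:29Z client=10.0.0.7 qtype=TXT qname=a3f9c1e2b4d5f6a7b8c9d0e1f2a3b4c5d6e7f8a9.h1.example-c2.test
2026-01-19T15:09:30Z client=10.0.0.7 qtype=TXT qname=5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f.h1.example-c2.test
2026-01-19T15:09:31Z client=10.0.0.7 qtype=TXT qname=9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d.h1.example-c2.test
2026-01-19T15:09:32Z client=10.0.0.5 qtype=AAAA qname=www.example.org
"""

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qtype=(?P<qtype>\S+)\s+qname=(?P<qname>\S+)")


def shannon_entropy(text):
    """Bits of entropy per character; hex or base32 chunks score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Extract client, query type, apex and subdomain labels from one log line."""
    match = LOG_RE.search(line)
    if not match:
        return None
    labels = match.group("qname").rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    return {
        "client": match.group("client"),
        "qtype": match.group("qtype"),
        "apex": ".".join(labels[-2:]),  # assumption: two-label apex
        "sub": labels[:-2],
    }


def analyze(lines, min_label_len=30, min_entropy=3.0, min_unique=3):
    """Group queries per (client, apex) and return findings where at least two
    exfiltration signals are present."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["sub"]:
            groups[(rec["client"], rec["apex"])].append(rec)

    findings = []
    for (client, apex), recs in sorted(groups.items()):
        leading = [r["sub"][0] for r in recs]  # label that carries payload
        longest = max(len(label) for label in leading)
        entropy = max(shannon_entropy(label) for label in leading)
        unique = len({".".join(r["sub"]) for r in recs})
        reasons = []
        if longest >= min_label_len:
            reasons.append(f"leading label {longest} chars")
        if entropy >= min_entropy:
            reasons.append(f"leading-label entropy {entropy:.2f} bits")
        if unique >= min_unique:
            reasons.append(f"{unique} distinct subdomains")
        if len(reasons) >= 2:
            findings.append({"client": client, "apex": apex,
                             "queries": len(recs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(f"{finding['client']} -> {finding['apex']}: "
              f"{finding['queries']} queries; " + "; ".join(finding["reasons"]))
```

The thresholds are starting points: tune `min_label_len` and `min_unique` against a baseline of your own resolver traffic, and whitelist CDN and telemetry apexes that legitimately produce many distinct subdomains, otherwise the third signal alone will generate noise.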
Furthermore, PDFSider protects its command-and-control (C2) exchange by using the Botan 3.0.0 cryptographic library and AES-256-GCM for encryption, decrypting incoming data in memory to minimize its footprint on the host.
The researchers conclude that PDFSider is closer to "espionage tradecraft than financially motivated malware," indicating that it was designed to maintain long-term covert access and provide flexible remote command execution and encrypted communication. The discovery of this new malware strain highlights the growing sophistication of ransomware attacks and the need for robust cybersecurity measures.
In a statement, Resecurity noted that finding vulnerable software that can be exploited is becoming easier for cybercriminals due to the rise of AI-powered coding. This trend underscores the importance of keeping software up-to-date and implementing effective security protocols to prevent such breaches.
The incident highlights the importance of vigilance in today's digital landscape. As cybersecurity threats continue to evolve, it is crucial that companies prioritize their cybersecurity measures and invest in robust threat detection and response systems to mitigate the impact of such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Threat-Emerges-PDFSider-Malware-Spotted-in-Fortune-100-Firms-Network-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-pdfsider-windows-malware-deployed-on-fortune-100-firms-network/
Published: Mon Jan 19 15:09:27 2026 by llama3.2 3B Q4_K_M