Threat Actors Deploy PDFSIDER to Evade Endpoint Security
Insights Desk, January 19, 2026

A recently discovered backdoor called PDFSIDER lets attackers keep long-term control of Windows systems while evading many antivirus and endpoint detection and response (EDR) products. It hides behind legitimate software and strong encryption, allowing its operators to run commands, survey the network, and move deeper into the targeted environment.

Targeted spear phishing is the foundation of the PDFSIDER campaign. Victims receive emails carrying a ZIP archive that contains a genuine PDF24 Creator executable, signed with a valid certificate, alongside several companion files. When the user runs the trusted application, a hidden payload executes instead of any visible document viewer, starting the compromise with almost no outward sign.

PDFSIDER was identified by Resecurity analysts after an attempted breach of a Fortune 100 company that was stopped before any data loss. According to their analysis, several ransomware groups and sophisticated actors already use the malware as a dependable loader for further payloads that can slip past security controls. Its design resembles espionage tradecraft more than smash-and-grab crime.

The impact on defenders is severe because PDFSIDER combines a legitimate application, a counterfeit Windows cryptbase.dll, and encrypted command-and-control traffic carried over DNS on port 53. By operating mostly in memory, checking for virtual machines and debuggers, and avoiding noisy exploit chains, it sharply reduces the effectiveness of signature-based detection and sandbox analysis.

The infection begins when the victim launches the trojanized PDF24 executable from the supplied archive. Because the attackers have placed a malicious cryptbase.dll in the same directory, the program loads their library instead of the genuine system file, a classic DLL side-loading technique that abuses the Windows DLL search order.
Once loaded, PDFSIDER sets up an in-memory backdoor loop, collects system information, initializes Winsock, and generates a unique host identifier. It then starts a hidden cmd.exe process with the CREATE_NO_WINDOW flag and wires its input and output through anonymous pipes. Commands supplied by the operators run without a console window ever appearing, and their output is captured and sent back over an AES-256-GCM encrypted channel built on the Botan library. Because all traffic is encrypted and nothing is written to disk, security tools see only what look like ordinary DNS requests while the attackers hold a full remote shell.
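The side-loading step is the point where defenders get their clearest host signal: a DLL that only belongs in the Windows system directories being resolved from an application folder instead. The following detection logic is an added example, not code from the article or from Resecurity; it runs over constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields flattened to key=value pairs, and the process name pdf24.exe and the user paths are placeholders.

```python
"""Flag cryptbase.dll (or any system-only DLL) loaded from outside the Windows
system directories, the side-loading pattern PDFSIDER relies on.
Added example; the sample log lines below are constructed, not real telemetry."""
import ntpath

# DLL names that legitimately live only under the system directories.
# cryptbase.dll is the one named in the article; extend for other side-load targets.
SYSTEM_ONLY_DLLS = {"cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon-style ImageLoad records. Line 1 models the article's
# scenario (executable run from an extracted archive picks up a neighbouring
# cryptbase.dll); line 2 is the benign load of the real system DLL.
SAMPLE_LOG = """\
EventID=7|Image=C:\\Users\\alice\\Downloads\\invoice\\pdf24.exe|ImageLoaded=C:\\Users\\alice\\Downloads\\invoice\\cryptbase.dll|SignatureStatus=Unavailable
EventID=7|Image=C:\\Program Files\\PDF24\\pdf24.exe|ImageLoaded=C:\\Windows\\System32\\cryptbase.dll|SignatureStatus=Valid
"""


def parse_record(line):
    """Parse 'key=value|key=value' into a dict (split on the first '=' only)."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def sideload_indicator(rec):
    """Return a reason string if a system-only DLL was loaded from a non-system
    path, otherwise None. Non-ImageLoad events are ignored."""
    if rec.get("EventID") != "7":
        return None
    loaded = rec.get("ImageLoaded", "").lower()
    if ntpath.basename(loaded) not in SYSTEM_ONLY_DLLS:
        return None
    if loaded.startswith(SYSTEM_DIRS):
        return None  # resolved from System32/SysWOW64: expected behaviour
    reason = f"{ntpath.basename(loaded)} loaded from {ntpath.dirname(rec['ImageLoaded'])}"
    if rec.get("SignatureStatus", "").lower() != "valid":
        reason += " (no valid signature)"
    return reason


def scan(lines):
    """Return (loading process, reason) for every suspicious load in the log."""
    hits = []
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            reason = sideload_indicator(rec)
            if reason:
                hits.append((rec.get("Image", "?"), reason))
    return hits
```

Pairing a hit with a subsequent cmd.exe child of the same process would tighten the rule further, since the article notes the hidden shell is spawned by the backdoor itself.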