A new and sophisticated malware variant dubbed PDFSIDER has been unearthed by researchers at Resecurity, marking the latest evolution in Advanced Persistent Threat (APT) tradecraft. This malware leverages a classic but increasingly popular technique—DLL side-loading—to slip past endpoint defenses and establish a covert, encrypted channel into victim networks.
The attack begins with a counterfeit library. PDFSIDER is distributed in a malicious ZIP archive, often disguised as a legitimate software component. Once on the host, it uses a fake cryptbase.dll to hijack the execution flow of a trusted application.
According to the report from Resecurity, “PDFSIDER is a newly identified malware variant distributed through DLL side-loading, designed to covertly deploy a backdoor with encrypted command-and-control (C2) capabilities.”
By mimicking a legitimate system file, the malware effectively “hides in plain sight,” bypassing standard antivirus and Endpoint Detection and Response (EDR) systems that might otherwise flag an unknown executable.
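The side-loading pattern described above can be spotted in image-load telemetry: Windows keeps the genuine cryptbase.dll in System32 (and SysWOW64 for 32-bit processes), so a copy loaded from anywhere else, particularly from the same folder as the application that loaded it, is the tell. The following is an added illustration, not code from Resecurity's report; the Sysmon-style event records, process names and paths are constructed samples.

```python
from pathlib import PureWindowsPath

# Directories from which a legitimate cryptbase.dll is expected to load.
# Assumption for this example: a default C:\Windows installation.
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Constructed sample image-load records in the shape of Sysmon Event ID 7
# (Image = loading process, ImageLoaded = DLL). Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Editor\editor.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\viewer\pdfviewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\viewer\cryptbase.dll"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\cryptbase.dll"},
    {"Image": r"D:\Downloads\invoice\reader.exe",
     "ImageLoaded": r"D:\Downloads\invoice\CRYPTBASE.DLL"},
    {"Image": r"C:\Program Files\Editor\editor.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def classify(event, dll_name="cryptbase.dll"):
    """Return None for a benign load, otherwise a short reason string."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    # Compare case-insensitively: NTFS paths are not case-sensitive.
    if loaded.name.lower() != dll_name:
        return None
    dll_dir = str(loaded.parent).lower()
    if dll_dir in TRUSTED_DIRS:
        return None
    proc_dir = str(PureWindowsPath(event["Image"]).parent).lower()
    if dll_dir == proc_dir:
        # The loader searches the application directory before System32,
        # so a same-named DLL placed beside the EXE wins: classic side-loading.
        return "side-load: DLL co-located with process"
    return "untrusted path: DLL loaded outside system directories"


def find_sideloads(events, dll_name="cryptbase.dll"):
    """Return (dll_path, reason) for every suspicious load in the event list."""
    hits = []
    for event in events:
        reason = classify(event, dll_name)
        if reason is not None:
            hits.append((event["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for path, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"ALERT {path} ({reason})")
```

The same check generalises to any other side-loading target by changing `dll_name`; in production the trusted directory set should be derived from the host's actual %SystemRoot% rather than hard-coded.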
What sets PDFSIDER apart is its robust approach to communication security. Unlike run-of-the-mill malware that might use simple encoding, this variant embeds a heavy-duty cryptographic library directly into its payload.
“The analyzed DLL contains a fully embedded Botan cryptographic library, configured for AES-256-GCM authenticated encryption – a strong indicator that the threat actors employ secure and structured C2 protocols.”
This configuration allows the attackers to operate an interactive, hidden command shell and exfiltrate data while remaining opaque to network traffic analysis. The malware blends “traditional cyber-espionage behaviors with modern remote-command functionality,” allowing operators to gather intelligence and execute shell commands without alerting the victim.
The discovery of PDFSIDER underscores a broader shift in the threat landscape. Attackers are increasingly moving away from complex, unstable zero-day exploits in favor of “living off the land” techniques like DLL side-loading, which abuse legitimate operating system features.
Resecurity notes that this aligns with tactics seen in other high-profile campaigns, such as those attributed to the China-linked group Mustang Panda (also known as LOTUSLITE) and widespread commodity malware distribution.
The report highlights that similar vectors have been used to deliver everything from Agent Tesla to Remcos RAT, exploiting valid binaries to deliver malicious payloads. “DLL sideloading vulnerability was exploited in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a broad range of commodity trojans and stealers.”
PDFSIDER represents a dangerous refinement of APT capabilities: stealthy, encrypted, and designed to evade modern detection. As Resecurity warns, the malware possesses “characteristics commonly associated with APT tradecraft, including stealthy execution, anti-VM checks, and encrypted communications.”