**PDFSIDER Malware: Exploiting DLL Side-Loading for AV and EDR Evasion**

Threat actors have been using a novel malware variant called PDFSIDER, which exploits the DLL side-loading technique to bypass antivirus (AV) and endpoint detection and response (EDR) systems. This sophisticated malware is designed to covertly deploy a backdoor with encrypted command-and-control (C2) capabilities.

According to Resecurity's investigation, PDFSIDER was identified during analysis of a network intrusion attempt that a Fortune 100 energy corporation successfully blocked. The threat actors impersonated technical support staff and used social engineering built around Microsoft Quick Assist in an attempt to gain remote access to the endpoint.

The execution technique is DLL side-loading: the attacker places a malicious DLL where a legitimate, trusted executable will find it before the genuine library, so the malicious code runs inside a legitimate process rather than as a separate suspicious binary. Because the host process is trusted, security tooling that keys on the executable's identity has little reason to flag it. PDFSIDER relies on a fake cryptbase.dll, named after a real Windows system library, to bypass endpoint detection mechanisms and achieve its goals.

Resecurity's HUNTER team has observed that PDFSIDER is already being actively used by several ransomware actors as a payload delivery method. This indicates the growing threat of PDFSIDER in the wild and highlights the need for organizations to take immediate action to prevent such attacks.

**How PDFSIDER Works**

PDFSIDER is designed to covertly deploy a backdoor with encrypted C2 capabilities. Once the legitimate host process loads the fake cryptbase.dll, the malware runs inside that process and inherits its identity, which is what lets it slip past endpoint controls that trust the genuine executable. Upon execution, PDFSIDER establishes communication with its C2 server and receives instructions from the operators.

The threat actors behind PDFSIDER deliver it through spear-phishing emails with a ZIP archive attached. The archive contains a legitimate EXE labeled 'PDF24 App'. The executable itself is genuine; it becomes the payload delivery mechanism because, when run, it loads the attacker's cryptbase.dll from its own directory instead of the real library in the Windows system directory.

**DLL Side-Loading: A Growing Threat**

Resecurity's analysis has revealed a trend in targeted spear-phishing campaigns: operators favor reliable execution techniques such as DLL side-loading over exploit-based initial access, because side-loading needs no vulnerability and the malicious code runs inside a legitimate process, where it is difficult for security systems to detect.

The use of DLL side-loading is not limited to PDFSIDER. Resecurity's analysis has identified several other malware campaigns that have employed this technique, including one attributed to LOTUSLITE and another targeting the U.S. government. The common thread among these campaigns is the use of geopolitical narratives as thematic lures.

**Conclusion**

The emergence of PDFSIDER highlights the growing threat of DLL side-loading in the wild. As organizations continue to face an evolving cybersecurity landscape, it is essential that they take proactive measures to prevent such attacks. By understanding the tactics and techniques employed by threat actors, organizations can better prepare themselves for future threats.
