PDFSider Malware - DLL Sideloading Supply Chain Campaign
BLUF
A new malware family, PDFSider, is being used in targeted attacks (including by ransomware groups) via DLL sideloading in the legitimate PDF24 Creator application, providing APT-grade espionage capabilities.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by DLL sideloading attacks leveraging trusted productivity software as an initial access and persistence mechanism:
· Low-end total cost: $1.2M – $2.5M
o Limited spread, rapid detection, no confirmed data access
· Typical expected range: $2.5M – $6.5M
o Enterprise-wide investigation, credential resets, operational disruption
· Upper-bound realistic scenarios: $6.5M – $12M
o Extended dwell time, regulatory exposure, ransomware follow-on activity
Key Cost Drivers
· Scope of endpoint exposure through widely deployed trusted software
· Time to detection of covert, fileless backdoor activity
· Presence of regulated or sensitive data on affected systems
· Degree of credential compromise and required identity reset
· Operational reliance on affected user workstations or applications
Targeted Sectors
· Manufacturing
· Finance
· Government
Countries
· Global
Date of First Reported Activity
· January 19, 2026
Date of Last Reported Activity Update
· January 20, 2026
APT
PDFSider itself has not been associated with a named APT group at this time. The related LOTUSLITE variant described below is attributed with moderate confidence to Mustang Panda.
Associated Criminal Organizations
· Qilin ransomware affiliates
IOCs
File-Based Indicators
The malware is frequently bundled in a ZIP archive with the following file names and associations:
· Legitimate Executable
o PDF24.exe or PDF24 App
§ Digitally signed by Miron Geek Software GmbH
· Malicious DLL
o Cryptbase.dll
§ Renamed malicious library placed in the same directory as the legitimate executable
· Alternative Hijacked DLLs
o Recent related campaigns have also utilized libcares-2.dll
§ Paired with ahost.exe
o Libcrypto-1_1.dll
§ Paired with OpenVPN clients
· Common Malware Families Delivered
o Beyond the PDFSIDER backdoor
§ This technique has been used to deploy Agent Tesla, Lumma Stealer, and Qilin ransomware payloads.
Network & Command-and-Control (C2)
· Protocol
o Uses encrypted communications via the Botan cryptographic library.
· C2 Traffic
o Observed exfiltrating data via DNS port 53 to attacker-controlled VPS servers.
· Interactivity
o Provides an interactive, hidden command shell for remote execution.
Behavioral & System Indicators
· Process Injection
o Injects malicious code into system processes like tracert.exe.
· Evasion Tactics
o Uses CREATE_NO_WINDOW flags to ensure no visible console appears.
o Performs anti-VM and anti-sandbox checks using GlobalMemoryStatusEx to detect low-RAM environments.
· Persistence
o Creates automatic execution via .lnk files in the user's AppData\Local\Temp directory.
Tools Used
· Legitimate Executable
o PDF24.exe
§ Digitally signed by Miron Geek Software GmbH
· Malicious DLL
o Cryptbase.dll
§ Side-loaded by the legitimate EXE
· Cryptographic Library
o Botan
o Used for AES-256-GCM authenticated encryption of C2 traffic
· Remote Access
o Microsoft Quick Assist
CVEs
Not applicable.
The campaign leveraged weaknesses in how PDF24 Creator searches for DLLs.
Nessus ID
· Not applicable
Mitigation
· Application Whitelisting: Enforce application allowlisting and restrict execution from temporary or user-profile directories.
· Software Updates: Ensure PDF24 Creator and other productivity tools are updated to versions that load system DLLs by fully qualified path or restrict the loader search order (for example with SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)). Because the campaign bundles its own copy of the signed executable in the ZIP, patching the installed copy does not by itself stop the attacker-supplied binary from running; pair this with the allowlisting control above.
· Microsoft Update: Deploy January 2026 security updates (e.g., KB5077744) to address broader OS vulnerabilities.
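The reason the search-order fix matters is easier to see in a model than in prose. The following is an added example (not code from the advisory, from PDF24 or from Microsoft) that reproduces the documented LoadLibrary search order for an unqualified DLL name and shows which copy of cryptbase.dll wins under the default order, under LOAD_LIBRARY_SEARCH_DEFAULT_DIRS, and under LOAD_LIBRARY_SEARCH_SYSTEM32. The filesystem is a constructed set of paths, the KnownDLLs set is an illustrative subset of the real registry list, and the 16-bit System directory is omitted.

```python
"""Where Windows resolves an unqualified DLL name under different loader policies.

Added example, not code from the advisory, from PDF24 or from Microsoft:
it models the documented LoadLibrary search order so the mitigation above
can be reasoned about without a Windows host. The filesystem is a
constructed set of paths and KNOWN_DLLS is an illustrative subset of the
real registry list; the 16-bit System directory is omitted.
"""

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
APP_DIR = r"C:\Users\a.smith\AppData\Local\Temp\PDF24"  # where the ZIP was extracted
CWD = APP_DIR
PATH_ENV = [r"C:\Windows", r"C:\Windows\System32"]
USER_DIRS = []  # directories registered with AddDllDirectory(); none here

# Illustrative subset of KnownDLLs. Names in this set are mapped from the
# \KnownDlls section and never searched for on disk. cryptbase.dll is not
# in the default list, which is why it is a classic sideloading target.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ws2_32.dll"}

# Constructed filesystem: genuine copies in System32, attacker copies
# dropped beside the signed executable.
FILESYSTEM = {p.lower() for p in (
    SYSTEM32 + r"\cryptbase.dll",
    SYSTEM32 + r"\kernel32.dll",
    APP_DIR + r"\PDF24.exe",
    APP_DIR + r"\cryptbase.dll",
    APP_DIR + r"\kernel32.dll",
)}


def search_dirs_for(flags=None):
    """Directories searched, in order, for an unqualified DLL name.

    flags=None models a process that never called SetDefaultDllDirectories():
    SafeDllSearchMode order, application directory first. Otherwise flags is
    the set of LOAD_LIBRARY_SEARCH_* names passed to SetDefaultDllDirectories();
    DEFAULT_DIRS expands to APPLICATION_DIR, USER_DIRS and SYSTEM32 in that order.
    """
    if flags is None:
        return [APP_DIR, SYSTEM32, WINDIR, CWD, *PATH_ENV]
    if "DEFAULT_DIRS" in flags:
        flags = set(flags) | {"APPLICATION_DIR", "USER_DIRS", "SYSTEM32"}
    dirs = []
    if "APPLICATION_DIR" in flags:
        dirs.append(APP_DIR)
    if "USER_DIRS" in flags:
        dirs.extend(USER_DIRS)
    if "SYSTEM32" in flags:
        dirs.append(SYSTEM32)
    return dirs


def resolve(name, search_dirs, fs=FILESYSTEM):
    """Path the loader would map for `name`: KnownDLLs short-circuit to
    System32, otherwise the first search directory that contains the file."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return SYSTEM32 + "\\" + name
    for d in search_dirs:
        candidate = d + "\\" + name
        if candidate.lower() in fs:
            return candidate
    return None


def where_loaded(name, flags=None):
    return resolve(name, search_dirs_for(flags))


if __name__ == "__main__":
    for flags in (None, {"DEFAULT_DIRS"}, {"SYSTEM32"}):
        print(flags, "->", where_loaded("cryptbase.dll", flags))
    print("KnownDLL kernel32.dll ->", where_loaded("kernel32.dll"))
```

The DEFAULT_DIRS case is the one worth noting: it still places the application directory first, so the attacker's cryptbase.dll is still chosen. Only SYSTEM32 alone (or loading by fully qualified path) removes the extraction directory from consideration, and a KnownDLL such as kernel32.dll is never at risk from a dropped copy.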
Malware Names
PDFSider
LotusElite (variant)
Malware Samples
PDFSider
sha256
2672b6688d7b32a90f9153d2ff607d6801e6cbde61f509ed36d0450745998d58
Malware Family
· Backdoor / Remote Access Trojan (RAT) with APT-grade capabilities
Known Decoding Key
· No specific "master" key is publicly disclosed; encryption is likely unique to each session/C2 channel.
Verdict
· Highly Malicious / Active Threat (Detected in targeted attacks on Fortune 100 firms and by Qilin ransomware group)
Primary Objectives
· Long-term, persistent, and covert access to Windows systems.
· System information harvesting and reconnaissance.
· Remote command execution (RCE)
· Serving as a loader/delivery vehicle for further ransomware payloads.
Threat Actor Context
· Initially identified in attacks targeting a Fortune 100 firm in the finance sector.
· Utilized by multiple threat actors, including Qilin ransomware, to launch payloads.
· Displays tactics, techniques, and procedures (TTPs) consistent with Advanced Persistent Threats (APTs), despite being used by ransomware groups.
Behavior Analysis
Delivery Mechanism
· Spear-phishing emails containing a ZIP file with a legitimate, digitally signed PDF24 Creator executable and a malicious cryptbase.dll.
Infection Technique
· DLL side-loading (the legitimate app loads the rogue DLL).
Execution
· Primarily runs in memory (fileless), leaving minimal trace on the hard drive.
Evasion
· Uses CREATE_NO_WINDOW to hide execution, performs RAM size checks, and debugger detection to evade sandboxes.
C2 Communication
· Encrypted via Botan 3.0.0/AES-256-GCM; data is exfiltrated over DNS (port 53).
Capabilities
· Creates a hidden, interactive command shell that allows remote actors to run arbitrary commands.
LOTUSLITE
Contemporary backdoor variant tracked alongside PDFSider (listed as LotusElite under Malware Names above).
sha256
43b0ac119ff957bb209d86ec206ea1ec3c51dd87bebf7b4a649c7e6c7f3756e7
Malware Family
· Custom C++ backdoor attributed to Mustang Panda (the actor is also tracked as Earth Preta or HoneyMyte).
Known Decoding/Encryption Key
· Typically employs unique AES-256 keys generated per victim session for payload encryption, which are then protected by the actor’s RSA public key.
Verdict
· Malicious (State-sponsored Cyberespionage).
Primary Objectives
· Targeting U.S. government and policy-related entities.
· Geopolitical intelligence gathering, specifically around U.S.-Venezuela relations as of early 2026.
· Maintaining long-term persistent access within sensitive networks.
Threat Actor Context
· Attributed with moderate confidence to the Chinese state-sponsored group Mustang Panda (aka Twill Typhoon). The actor is known for using politically themed lures to gain initial access.
Behavior Analysis
· Initial Vector: Distributes ZIP archives (e.g., "US now deciding what's next for Venezuela.zip") containing malicious DLLs.
Persistence
· Extensively utilizes DLL side-loading techniques to bypass traditional detection mechanisms.
Capabilities
· Custom C++ backdoor that spawns a remote shell, enabling Remote Code Execution (RCE).
Post-Exploitation
· Capable of enumerating, creating, and modifying local files while exfiltrating command output in real-time.
TTPs
Initial Access
· T1566.001 Phishing: Spearphishing Attachment
o The campaign begins with spear-phishing emails containing a malicious ZIP archive.
· T1195.002 Supply Chain Compromise: Compromise Software Supply Chain
o Attackers abuse the trust placed in a legitimate, signed software distribution to deliver their payload. The PDF24 binary itself is unmodified; this mapping reflects the attacker bundling a side-loadable signed executable with a rogue DLL, not a compromised vendor build.
Execution
· T1204.002 User Execution
o Malicious File: Victims must run the legitimate, signed executable (e.g., PDF24 App.exe) contained within the ZIP archive to trigger the infection chain.
· T1059.003 Command and Scripting Interpreter
o Windows Command Shell: Once the backdoor is established, it executes hidden cmd.exe /C commands to manage system processes.
Defense Evasion
· T1574.002 Hijack Execution Flow
o DLL Side-Loading: This is the core technique where a malicious cryptbase.dll is placed next to a legitimate application (like PDF24.exe), which then automatically loads the attacker's DLL.
· T1497.001 Virtualization/Sandbox Evasion System Checks
o PDFSIDER performs environment detection by checking available RAM (via GlobalMemoryStatusEx) and VHD boot status to avoid analysis in sandboxes or virtual machines.
· T1622 Debugger Evasion
o The malware uses the IsDebuggerPresent API to detect if it is being analyzed by security researchers.
· T1055 Process Injection
o PDFSIDER runs primarily in memory and injects into system processes such as tracert.exe, leaving minimal disk artifacts and bypassing file-based antivirus/EDR detection.
Discovery
· T1082 System Information Discovery
o The malware gathers system intelligence, including the computer name, username, and active Process IDs (PIDs).
Command and Control (C2)
· T1573.001 Encrypted Channel: Symmetric Cryptography
o PDFSIDER uses the Botan cryptographic library to implement AES-256-GCM (a symmetric authenticated-encryption mode) for its custom Winsock-based C2 communications.
· T1071.004 Application Layer Protocol: DNS
o C2 traffic and exfiltrated data are carried over DNS (port 53) to attacker-controlled VPS servers; the interactive, hidden command shell receives its instructions over this channel.
Suggested rules / potential hunts
Suricata
Monitor for unusually high volumes of DNS queries or long, high-entropy first labels, as PDFSider uses DNS port 53 for data exfiltration. The rule below is a hunting heuristic rather than a signature: tune the count threshold and exclude known long-label domains (CDNs, anti-spam lookups) before enabling it. The sids are in the local range (1000000-1999999) and the message prefix is LOCAL because these are not Emerging Threats rules.
alert dns $HOME_NET any -> any 53 (msg:"LOCAL MALWARE PDFSider Possible DNS Exfiltration - Long Label"; dns.query; pcre:"/^[a-z0-9]{30,}\./i"; threshold: type threshold, track by_src, count 20, seconds 60; classtype:command-and-control; sid:1000001; rev:2;)
Detect unusual ICMP traffic that does not follow standard echo request/reply patterns, as the malware is reported to use a covert ICMP channel. Standard ping payloads are 32 bytes (Windows) or 56 bytes (Linux), so oversized echo requests are the anomaly.
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL MALWARE PDFSider Possible ICMP C2 - Oversized Echo Request"; itype:8; dsize:>100; classtype:trojan-activity; sid:1000002; rev:2;)
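The Suricata rule above approximates three signals at once: label length, label randomness and query volume per source. The following added example (not code from the advisory or from any vendor) scores a DNS query log on those three signals so each can be tuned separately. The log lines and the tun.example.net domain are constructed for the demonstration and are not indicators from the campaign; the field layout (timestamp, source, qname, qtype) is an assumption about the log source.

```python
"""Flag DNS-tunnelling-style queries in a DNS query log.

Added example (not code from the original advisory): scores each query
on first-label length, character entropy and per-source volume, the
three signals the Suricata rule above approximates. Log lines are
constructed for the demo; the field layout (ts, src, qname, qtype) is
an assumption about the log source.
"""
import math
from collections import Counter, defaultdict

# Constructed sample: one normal client, one client emitting long
# high-entropy first labels toward a single parent domain (constructed
# example domain, not an indicator from the advisory).
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 update.pdf24.org A
1700000002 10.0.0.9 3a9f1c77be2d0e4c5ab8d9f0e1c2b3a4d5e6f7a8b9c0d1e2.tun.example.net TXT
1700000003 10.0.0.9 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6.tun.example.net TXT
1700000004 10.0.0.9 4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7.tun.example.net TXT
1700000005 10.0.0.5 mail.example.com MX
"""

MIN_LABEL = 30      # matches the {30,} quantifier in the Suricata rule
MIN_ENTROPY = 3.5   # bits/char; word-based hostnames score ~3, hex/base32 ~4
VOLUME_PER_SRC = 3  # tunnel-like queries to one parent domain from one source


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(log: str):
    """Yield (src, qname, qtype) from whitespace-separated constructed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _ts, src, qname, qtype = parts
            yield src, qname.lower().rstrip("."), qtype


def parent_domain(qname: str) -> str:
    """Registrable-domain approximation: last two labels (no PSL lookup)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_query(qname: str) -> dict:
    """Per-query signals on the first (leftmost) label, where tunnels carry data."""
    first = qname.split(".")[0]
    return {
        "long_label": len(first) >= MIN_LABEL,
        "high_entropy": shannon_entropy(first) >= MIN_ENTROPY,
    }


def find_suspects(log: str) -> dict:
    """Return {(src, parent_domain): count} for sources that sent at least
    VOLUME_PER_SRC queries whose first label is both long and high-entropy."""
    hits = defaultdict(int)
    for src, qname, _qtype in parse(log):
        s = score_query(qname)
        if s["long_label"] and s["high_entropy"]:
            hits[(src, parent_domain(qname))] += 1
    return {k: v for k, v in hits.items() if v >= VOLUME_PER_SRC}


if __name__ == "__main__":
    for (src, dom), n in find_suspects(SAMPLE_LOG).items():
        print(f"{src} -> {dom}: {n} tunnel-like queries")
```

Scoring on the first label rather than the whole name keeps legitimate long hostnames (CDN edge names, long subdomain chains) from tripping the length check, and the per-parent-domain volume requirement is what separates one odd lookup from a channel.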
SentinelOne
Search for malicious DLL placement (a cryptbase.dll written anywhere other than the system directories):
EventType = "File Creation" AND FileFullName ContainsCIS "\cryptbase.dll" AND NOT (FileFullName ContainsCIS "\Windows\System32\" OR FileFullName ContainsCIS "\Windows\SysWOW64\")
Identify PDF24 processes loading cryptbase.dll from outside the system directories:
EventType = "Module Load" AND (SrcProcName = "PDF24.exe" OR SrcProcName = "PDF24 App.exe") AND ModulePath ContainsCIS "\cryptbase.dll" AND NOT (ModulePath ContainsCIS "\Windows\System32\" OR ModulePath ContainsCIS "\Windows\SysWOW64\")
PDFSIDER starts its interactive command shell through cmd.exe created with the CREATE_NO_WINDOW flag. That flag is passed to CreateProcess and is not part of the command line, so it cannot be matched on TgtProcCmdLine; the observable is a cmd.exe /C child of a PDF application, which has no normal reason to spawn a shell.
Identify hidden shell execution
EventType = "Process Creation" AND SrcProcName = "PDF24.exe" AND TgtProcName = "cmd.exe" AND TgtProcCmdLine ContainsCIS "/C"
Cross-process handle hunting
TgtProcDisplayName ContainsCIS "PDF24" AND EventType = "Open Remote Process Handle" AND SrcProcName Not In ("explorer.exe", "svchost.exe")
Hunt for direct port-53 connections from the PDF24 process. Normal name resolution goes through the DNS Client service (svchost.exe), so a productivity application talking to port 53 itself is anomalous and matches the DNS exfiltration described above:
EventType = "IP Connect" AND SrcProcName = "PDF24.exe" AND DstPort = 53
Search for the anonymous pipes wired to the hidden shell's stdin/stdout. Anonymous pipes created with CreatePipe() are backed by named pipes of the form Win32Pipes.<pid>.<n>, so the string "anonymous" never appears in the pipe name:
EventType In ("Named Pipe Creation", "Named Pipe Connection") AND SrcProcName = "PDF24.exe" AND PipeName ContainsCIS "Win32Pipes"
Splunk
Look for cryptbase.dll being loaded from anywhere other than the system directories, and record the signer so unsigned copies or spoofed company names (such as "Microsoft" on an unsigned file) stand out. Sysmon's ImageLoaded field is the full path of the DLL and Image is the loading process, so the directory filter belongs on ImageLoaded:
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 ImageLoaded="*\\cryptbase.dll"
| where NOT match(ImageLoaded, "(?i)^[A-Z]:\\\\Windows\\\\(System32|SysWOW64)\\\\")
| stats count values(Signed) as Signed values(Signature) as Signature values(SignatureStatus) as SignatureStatus by host, Image, ImageLoaded
The malware is delivered via ZIP archives containing legitimate software, so monitor for file creation events where an executable and a DLL are written to the same user-profile or temporary folder within a short window. Bucket events into a time window before grouping (grouping on the raw _time field puts each event in its own bucket), and count distinct extensions so that an .exe plus .dll pair triggers rather than two DLLs:
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 (TargetFilename="*.exe" OR TargetFilename="*.dll") (TargetFilename="*\\Users\\*" OR TargetFilename="*\\Temp\\*")
| eval dir=replace(TargetFilename, "\\\\[^\\\\]+$", ""), ext=lower(replace(TargetFilename, ".*\\.", ""))
| bin _time span=2m
| stats dc(ext) as ext_count values(TargetFilename) as files by host, Image, dir, _time
| where ext_count >= 2
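The SentinelOne and Splunk hunts above express the same three checks in two query languages. The following is an added example (not code from the advisory or from either vendor) that runs those checks over constructed Sysmon-style records, so the logic can be tested offline before it is translated into a live query: EID 7 module loads of a known sideload-target DLL from outside the system directories, EID 1 cmd.exe /C children of the PDF24 host process, and EID 11 .exe plus .dll writes into one user-profile directory within a short window. Field names follow Sysmon's XML schema; every record in EVENTS is constructed.

```python
"""Triage constructed Sysmon-style events for the PDFSider sideloading chain.

Added example, not code from the advisory or from any vendor: the three
checks mirror the Splunk and SentinelOne hunts above. Field names follow
Sysmon's XML schema (Image, ImageLoaded, ParentImage, TargetFilename);
all event records below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL basenames named on the page as sideloading targets.
SIDELOAD_TARGETS = {"cryptbase.dll", "libcares-2.dll", "libcrypto-1_1.dll"}
HOST_APPS = {"pdf24.exe", "ahost.exe"}  # legitimate host executables listed above

EVENTS = [  # constructed records
    {"EventID": 7, "host": "WS01", "UtcTime": "2026-01-19 09:00:01",
     "Image": r"C:\Users\a.smith\AppData\Local\Temp\PDF24\PDF24.exe",
     "ImageLoaded": r"C:\Users\a.smith\AppData\Local\Temp\PDF24\cryptbase.dll",
     "Signed": "false", "Signature": "-"},
    {"EventID": 7, "host": "WS01", "UtcTime": "2026-01-19 09:00:01",
     "Image": r"C:\Program Files\PDF24\pdf24.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 1, "host": "WS01", "UtcTime": "2026-01-19 09:00:03",
     "ParentImage": r"C:\Users\a.smith\AppData\Local\Temp\PDF24\PDF24.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /C whoami"},
    {"EventID": 11, "host": "WS01", "UtcTime": "2026-01-19 08:59:50",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\a.smith\AppData\Local\Temp\PDF24\PDF24.exe"},
    {"EventID": 11, "host": "WS01", "UtcTime": "2026-01-19 08:59:51",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\a.smith\AppData\Local\Temp\PDF24\cryptbase.dll"},
    {"EventID": 11, "host": "WS02", "UtcTime": "2026-01-19 10:00:00",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\b.jones\Downloads\report.pdf"},
]


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path: str) -> bool:
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def sideloaded_system_dlls(events):
    """EID 7: a known sideload-target DLL loaded from outside System32/SysWOW64
    (the Splunk hunt above), with the Signed field kept for triage."""
    return [(e["host"], e["Image"], e["ImageLoaded"], e["Signed"])
            for e in events if e["EventID"] == 7
            and _name(e["ImageLoaded"]) in SIDELOAD_TARGETS
            and not _in_system_dir(e["ImageLoaded"])]


def hidden_shell_children(events):
    """EID 1: cmd.exe /C spawned by a host application. CREATE_NO_WINDOW is a
    CreateProcess flag and never appears in the command line, so the
    parent/child relationship is the observable, not the flag."""
    return [(e["host"], e["ParentImage"], e["CommandLine"])
            for e in events if e["EventID"] == 1
            and _name(e["ParentImage"]) in HOST_APPS
            and _name(e["Image"]) == "cmd.exe"
            and "/c" in e["CommandLine"].lower().split()]


def exe_dll_pairs(events, window_s=120):
    """EID 11: an .exe and a .dll written to the same user-profile directory
    within window_s seconds (the ZIP-extraction pattern described above)."""
    by_dir = defaultdict(list)
    for e in events:
        if e["EventID"] != 11:
            continue
        p = PureWindowsPath(e["TargetFilename"])
        if p.suffix.lower() in (".exe", ".dll") and "\\users\\" in str(p).lower():
            ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
            by_dir[(e["host"], str(p.parent).lower())].append((ts, p.suffix.lower()))
    hits = []
    for (host, d), writes in by_dir.items():
        writes.sort()
        exts = {s for _, s in writes}
        if exts == {".exe", ".dll"} and (writes[-1][0] - writes[0][0]).total_seconds() <= window_s:
            hits.append((host, d))
    return hits


if __name__ == "__main__":
    print(sideloaded_system_dlls(EVENTS))
    print(hidden_shell_children(EVENTS))
    print(exe_dll_pairs(EVENTS))
```

The second EID 7 record is the legitimate case (PDF24 installed under Program Files loading the real cryptbase.dll from System32) and is deliberately not flagged; a hunt that matched on the DLL name alone would fire on every PDF24 installation in the estate.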
Delivery Method
Spear-phishing emails containing a ZIP archive with a legitimate PDF24 Creator executable and a malicious DLL (cryptbase.dll). Attackers also use social engineering via Microsoft Teams or Quick Assist.
References
WebRoot Community
· hxxps://community.opentextcybersecurity.com/ransomware-spotlight-226/new-pdfsider-windows-malware-deployed-on-fortune-100-firm-s-network-363212
Cyber Press
· hxxps://cyberpress.org/pdfsider-malware-bypass-antivirus-edr-defenses
Infosecurity Magazine
· hxxps://www.infosecurity-magazine.com/news/pdfsider-anti-vm-checks-hidden/
Security Week
· hxxps://www.securityweek.com/apt-grade-pdfsider-malware-used-by-ransomware-groups
VirusTotal
· hxxps://www.virustotal.com/gui/file/2672b6688d7b32a90f9153d2ff607d6801e6cbde61f509ed36d0450745998d58
· hxxps://www.virustotal.com/gui/file/43b0ac119ff957bb209d86ec206ea1ec3c51dd87bebf7b4a649c7e6c7f3756e7