
PDFSIDER malware delivered via DLL side-loading for encrypted backdoor access

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


The PDFSIDER malware now matters because it uses DLL side-loading to install an encrypted backdoor that can evade endpoint defenses and sustain covert access. It is delivered through spear-phishing ZIP archives and a fake signed "PDF24 App" executable, making the initial infection chain harder to spot. The malware also uses in-memory execution, encrypted C2, and DNS exfiltration on port 53 to reduce forensic traces and preserve operator control. Its tradecraft is consistent with targeted APT-style operations rather than commodity malware.

Related Happenings

Zombie ZIP archive-header evasion technique

Technical Analysis
First: 10.03.2026 22:05 Last: 10.03.2026 22:05 Sources 1

About this happening: **Zombie ZIP** is a new archive-evasion technique that can let payloads slip past **AV and EDR scanning** by abusing ZIP header parsing, making malicious content harder to detect....

BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances

Malware Activity
First: 18.02.2026 12:32 Last: 18.02.2026 12:32 Sources 1

About this happening: **BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...

SystemBC long-running global proxy malware operation

Malware Activity
First: 04.02.2026 18:15 Last: 04.02.2026 18:15 Sources 1

About this happening: **SystemBC** is a long-running **proxy malware** operation that turns compromised hosts into **SOCKS5 relays** and is repeatedly used to support **ransomware activity**. New repor...

PDFSider malware deployed for stealthy Windows backdoor access

Malware Activity
First: 19.01.2026 23:00 Last: 19.01.2026 23:00 Sources 1

About this happening: The **PDFSider** malware is being used to deliver payloads on **Windows systems**, giving attackers a stealthy backdoor for **long-term covert access** and raising the risk of ran...

Timeline

  1. 19.01.2026 18:15 · 2 articles

    Resecurity documents PDFSIDER malware

    Initial Disclosure

    Resecurity documents PDFSIDER as a newly identified malware strain for covert, long-term access to compromised Windows systems. The malware is delivered through spear-phishing ZIP archives and DLL side-loading via a fake signed "PDF24 App" executable, and it installs an encrypted backdoor while evading endpoint detection mechanisms. The described tradecraft includes in-memory execution, an encrypted command-and-control channel, AES-256-GCM authenticated encryption with the Botan cryptographic library, anti-VM and debugger checks, and DNS exfiltration on port 53 to leased VPS infrastructure.
