CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

PDFSIDER Malware Facilitates Long-Term, Covert System Access

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

Researchers have identified a new malware strain, PDFSIDER, designed for long-term, covert access to compromised systems. Delivered via DLL side-loading, it installs an encrypted backdoor and evades endpoint detection mechanisms. The malware exhibits advanced capabilities, including stealthy execution, secure communications, and anti-analysis checks, aligning it with APT operations. The infection chain begins with spear-phishing emails containing a ZIP archive with a legitimate, digitally signed executable that impersonates PDF creation software. Once active, PDFSIDER initializes networking components, gathers host details, and establishes an encrypted command-and-control (C2) channel using AES-256-GCM encryption. The malware includes anti-VM checks to detect analysis environments and exits early if thresholds are not met. It also employs DNS traffic on port 53 for data exfiltration to a leased VPS infrastructure. Resecurity assessed PDFSIDER as a targeted tradecraft rather than a mass-delivered threat, with most artifacts evading popular AV and EDR products. PDFSIDER has been deployed in Qilin ransomware attacks and is actively used by multiple ransomware actors. The malware loads into memory, leaving minimal disk artifacts, and uses anonymous pipes to launch commands via CMD. Infected hosts are assigned a unique identifier, and system information is exfiltrated to the attacker’s VPS server over DNS (port 53). The malware uses the Botan 3.0.0 cryptographic library and AES-256-GCM for encryption, decrypting incoming data in memory to minimize its footprint on the host.

Timeline

  1. 19.01.2026 18:15 2 articles · 1d ago

    PDFSIDER Malware Identified with Advanced Persistent Threat Capabilities

    Researchers have identified a new malware strain, PDFSIDER, designed for long-term, covert access to compromised systems. Delivered via DLL side-loading, it installs an encrypted backdoor and evades endpoint detection mechanisms. The malware exhibits advanced capabilities, including stealthy execution, secure communications, and anti-analysis checks, aligning it with APT operations. The infection chain begins with spear-phishing emails containing a ZIP archive with a legitimate, digitally signed executable that impersonates PDF creation software. Once active, PDFSIDER initializes networking components, gathers host details, and establishes an encrypted command-and-control (C2) channel using AES-256-GCM encryption. The malware includes anti-VM checks to detect analysis environments and exits early if thresholds are not met. It also employs DNS traffic on port 53 for data exfiltration to a leased VPS infrastructure. Resecurity assessed PDFSIDER as a targeted tradecraft rather than a mass-delivered threat, with most artifacts evading popular AV and EDR products. PDFSIDER has been deployed in Qilin ransomware attacks and is actively used by multiple ransomware actors. The malware loads into memory, leaving minimal disk artifacts, and uses anonymous pipes to launch commands via CMD. Infected hosts are assigned a unique identifier, and system information is exfiltrated to the attacker’s VPS server over DNS (port 53). The malware uses the Botan 3.0.0 cryptographic library and AES-256-GCM for encryption, decrypting incoming data in memory to minimize its footprint on the host.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

PlushDaemon Hijacks Software Updates in Supply-Chain Attacks

The China-linked threat actor PlushDaemon has been hijacking software update traffic using a new implant called EdgeStepper in cyberespionage operations since 2018. The group targets individuals and organizations in the U.S., China, Taiwan, Hong Kong, South Korea, New Zealand, and Cambodia, deploying custom malware like the SlowStepper backdoor. The attackers compromise routers via known vulnerabilities or weak passwords, install EdgeStepper to redirect update traffic, and deliver the LittleDaemon malware downloader. This leads to the deployment of the SlowStepper backdoor, which enables extensive system control and data theft. EdgeStepper is a Go-based network backdoor that redirects all DNS queries to a malicious hijacking node, facilitating adversary-in-the-middle (AitM) attacks. In May 2024, PlushDaemon targeted a South Korean VPN provider named IPany. The group uses an ELF file named bioset, internally called dns_cheat_v2, to forward DNS traffic to a malicious DNS node. They deploy two downloaders, LittleDaemon and DaemonLogistics, which deliver a backdoor toolkit for cyber espionage operations.

Open in new tab

HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack

The North Korea-linked threat actor Kimsuky has been linked to a new campaign distributing a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics. The attack involved a ZIP file containing a Microsoft Windows screensaver (.scr) file, which displayed a PDF invoice written in Korean and loaded the attack chain until the backdoor program was running. The article also highlights the advanced obfuscation techniques used by HttpTroy to evade detection and the broader campaign by North Korean state-sponsored groups targeting various sectors. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in their attacks. The groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection. Additionally, Kimsuky is targeting organizations involved in North Korea-related policy, research, and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms, and government entities in the U.S. The group is using QR codes in phishing campaigns, a technique known as 'quishing,' to redirect victims to malicious locations disguised as questionnaires, secure drives, or fake login pages. The FBI has warned about Kimsuky's use of malicious QR codes in spear-phishing campaigns targeting entities in the U.S., highlighting the group's history of subverting email authentication protocols and exploiting improperly configured DMARC record policies. Cybersecurity researchers have uncovered a new phishing campaign that exploits social media private messages to propagate malicious payloads, likely with the intent to deploy a remote access trojan (RAT). The activity delivers "weaponized files via Dynamic Link Library (DLL) sideloading, combined with a legitimate, open-source Python pen-testing script." The attack involves approaching high-value individuals through messages sent on LinkedIn, establishing trust, and deceiving them into downloading a malicious WinRAR self-extracting archive (SFX). Once launched, the archive extracts four different components: a legitimate open-source PDF reader application, a malicious DLL that's sideloaded by the PDF reader, a portable executable (PE) of the Python interpreter, and a RAR file that likely serves as a decoy. The infection chain gets activated when the PDF reader application is run, causing the rogue DLL to be sideloaded. The use of DLL side-loading has become an increasingly common technique adopted by threat actors to evade detection and conceal signs of malicious activity by taking advantage of legitimate processes. Over the past week, at least three documented campaigns have leveraged DLL side-loading to deliver malware families tracked as LOTUSLITE and PDFSIDER, along with other commodity trojans and information stealers. In the campaign observed by ReliaQuest, the sideloaded DLL is used to drop the Python interpreter onto the system and create a Windows Registry Run key that makes sure that the Python interpreter is automatically executed upon every login. The interpreter's primary responsibility is to execute a Base64-encoded open-source shellcode that's directly executed in memory to avoid leaving forensic artifacts on disk. The final payload attempts to communicate with an external server, granting the attackers persistent remote access to the compromised host and exfiltrating data of interest. The abuse of legitimate open-source tools, coupled with the use of phishing messages sent on social media platforms, shows that phishing attacks are not confined to emails alone and that alternative delivery methods can exploit security gaps to increase the odds of success and break into corporate environments. ReliaQuest told The Hacker News that the campaign appears to be broad and opportunistic, with activity spanning various sectors and regions. "That said, because this activity plays out in direct messages, and social media platforms are typically less monitored than email, it's difficult to quantify the full scale," it added. "This approach allows attackers to bypass detection and scale their operations with minimal effort while maintaining persistent control over compromised systems," the cybersecurity company said. "Once inside, they can escalate privileges, move laterally across networks, and exfiltrate data." This is not the first time LinkedIn has been misused for targeted attacks. In recent years, multiple North Korean threat actors, including those linked to the CryptoCore and Contagious Interview campaigns, have singled out victims by contacting them on LinkedIn under the pretext of a job opportunity and convincing them to run a malicious project as part of a supposed assessment or code review. In March 2025, Cofense also detailed a LinkedIn-themed phishing campaign that employs lures related to LinkedIn InMail notifications to get recipients to click on a "Read More" or "Reply To" button and download the remote desktop software developed by ConnectWise for gaining complete control over victim hosts. "Social media platforms commonly used by businesses represent a gap in most organizations' security posture," ReliaQuest said. "Unlike email, where organizations tend to have security monitoring tools, social media private messages lack visibility and security controls, making them an attractive delivery channel for phishing campaigns." "Organizations must recognize social media as a critical attack surface for initial access and extend their defenses beyond email-centric controls."

Open in new tab

TA585 Using MonsterV2 in Phishing Campaigns

TA585, a sophisticated threat actor, has been actively delivering the MonsterV2 malware via phishing campaigns since February 2025. The group manages its own infrastructure and employs multiple delivery techniques, including IRS and SBA-themed lures, malicious JavaScript injections, and fake CAPTCHA verifications. MonsterV2, also known as Aurotun Stealer, is a versatile malware capable of stealing sensitive data, acting as a clipper, establishing remote control, and executing commands from a C2 server. The malware is sold by a Russian-speaking actor and is typically packed using a C++ crypter called SonicCrypt to evade detection. TA585's campaigns have also included GitHub-themed lures and the distribution of other malware, such as Rhadamanthys. MonsterV2 avoids infecting systems in Commonwealth of Independent States (CIS) countries.

Open in new tab

Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment

Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems.

Open in new tab

SectopRAT and Betruger Malware Linked to Play, RansomHub, and DragonForce Ransomware Operations

A September 2024 intrusion involved SectopRAT and Betruger malware, linked to Play, RansomHub, and DragonForce ransomware operations. The attack began with a malicious JavaScript payload disguised as a legitimate browser update, leading to extensive reconnaissance, credential theft, and data exfiltration. The threat actor used multiple tools and techniques to evade detection and prepare for ransomware deployment. The attack started with a malicious file, deploying SectopRAT malware. The threat actor established persistence, created an admin account, and used various tools for reconnaissance and credential theft. They deployed SystemBC, Betruger, and other tools to facilitate their operations. The final goal was ransomware deployment, but no encryption occurred; data was archived and exfiltrated via FTP. The threat actor used multiple defense evasion techniques, including process injection, timestomping, and disabling security features. The tools used in the attack link the threat actor to Play, RansomHub, and DragonForce ransomware operations.

Open in new tab