Tools / News / APT-Grade PDFSIDER Backdoor Weaponizes PDF24, One of the World's Most Downloaded Free PDF Tools
Press

APT-Grade PDFSIDER Backdoor Weaponizes PDF24, One of the World's Most Downloaded Free PDF Tools

· VaultTools

Resecurity discovered a sophisticated Windows backdoor that uses the legitimate PDF24 desktop application as its delivery vehicle via DLL side-loading. The malware successfully breached a Fortune 100 company and has since been adopted by ransomware groups including Qilin.

VaultTools · March 25, 2026

Green Matrix-style code streaming across a black screen, representing malware operating invisibly inside a trusted application. Photo by Markus Spiske on Unsplash

Table of Contents


What Happened

On January 18, 2026, cybersecurity firm Resecurity published a detailed analysis of PDFSIDER, a previously undocumented Windows backdoor with APT-grade capabilities. The malware uses PDF24 Creator, one of the most popular free desktop PDF tools globally with tens of millions of installations, as its delivery vehicle.

Resecurity identified PDFSIDER during an incident response engagement at a Fortune 100 company. Attackers placed a malicious cryptbase.dll file in the same directory as PDF24.exe. When a user launched the application, Windows resolved the DLL lookup before reaching the legitimate system directory and loaded the attacker’s library instead. The real PDF24 application continued running normally, giving no visible indication of compromise.

How the Attack Works

DLL side-loading exploits Windows’ DLL search order. When an executable loads a library by name, Windows searches the application’s own directory before the protected system paths. An attacker who can write a file to the same folder as a trusted executable can hijack that application’s execution without modifying the executable itself.

PDFSIDER’s malicious cryptbase.dll establishes a memory-resident backdoor with these characteristics:

  • AES-256-GCM encrypted communications with a remote command-and-control server
  • Anti-virtual-machine checks that hinder sandbox analysis
  • Persistent execution tied to the launch of PDF24.exe

Because the loader is a trusted application that millions of users open routinely, endpoint security tools relying on reputation scoring or application allowlists may not flag the activity.

Who Is Behind It and Who Is Affected

Resecurity attributed PDFSIDER to a sophisticated threat actor with techniques consistent with APT-level operations. Following the initial Fortune 100 disclosure, multiple ransomware groups including Qilin incorporated the backdoor into their own attack chains within days of the original publication. SecurityWeek confirmed the spread to additional groups shortly after.

PDF24 the application is not compromised. The attack requires an attacker to first obtain write access to a directory where PDF24 is installed, typically through an earlier intrusion or a targeted software supply chain step.

Why Desktop PDF Tools Carry This Risk Structurally

The PDFSIDER campaign highlights a risk that applies to any widely installed, trusted executable: the application becomes the delivery vector precisely because users and security tools trust it.

Desktop PDF tools are attractive targets for this reason. They are installed across large populations, run with user-level permissions, access sensitive documents, and are opened frequently. An attacker who places a malicious DLL alongside a popular PDF tool gains persistent, stealthy access every time that user processes a document.

Browser-based PDF tools compiled to WebAssembly have no installed binary footprint. There is no executable on disk for a malicious DLL to attach to, no writable application directory, and no process with an exploitable DLL search path. Processing runs inside the browser’s sandbox, and the only output is the resulting file in memory, downloaded directly to the user’s machine.

What Users Should Do

Users of PDF24 Creator and other desktop PDF tools should verify that no unexpected DLL files exist alongside application executables. On Windows, these steps reduce exposure:

  • Keep antivirus signatures current; major vendors added PDFSIDER signatures following the Resecurity disclosure
  • Use application installation directories that standard users cannot write to
  • Enable Windows Defender Credential Guard to restrict cryptographic API abuse

For organizations evaluating PDF tooling, the PDFSIDER incident is a concrete data point in favor of browser-based alternatives that eliminate the installed-binary attack surface entirely.


Sources