APT-Grade PDFSIDER Backdoor Weaponizes PDF24, One of the World's Most Downloaded Free PDF Tools
Resecurity discovered a sophisticated Windows backdoor that uses the legitimate PDF24 desktop application as its delivery vehicle via DLL side-loading. The malware successfully breached a Fortune 100 company and has since been adopted by ransomware groups including Qilin.
VaultTools · March 25, 2026
Photo by Markus Spiske on Unsplash
Table of Contents
- What happened
- How the attack works
- Who is behind it and who is affected
- Why desktop PDF tools carry this risk structurally
- What users should do
- Sources
What Happened
On January 18, 2026, cybersecurity firm Resecurity published a detailed analysis of PDFSIDER, a previously undocumented Windows backdoor with APT-grade capabilities. The malware uses PDF24 Creator, one of the most popular free desktop PDF tools globally with tens of millions of installations, as its delivery vehicle.
Resecurity identified PDFSIDER during an incident response engagement at a Fortune 100 company. Attackers placed a malicious cryptbase.dll file in the same directory as PDF24.exe. When a user launched the application, Windows resolved the DLL lookup before reaching the legitimate system directory and loaded the attacker’s library instead. The real PDF24 application continued running normally, giving no visible indication of compromise.
How the Attack Works
DLL side-loading exploits Windows’ DLL search order. When an executable loads a library by name, Windows searches the application’s own directory before the protected system paths. An attacker who can write a file to the same folder as a trusted executable can hijack that application’s execution without modifying the executable itself.
PDFSIDER’s malicious cryptbase.dll establishes a memory-resident backdoor with these characteristics:
- AES-256-GCM encrypted communications with a remote command-and-control server
- Anti-virtual-machine checks that hinder sandbox analysis
- Persistent execution tied to the launch of PDF24.exe
Because the loader is a trusted application that millions of users open routinely, endpoint security tools relying on reputation scoring or application allowlists may not flag the activity.
Who Is Behind It and Who Is Affected
Resecurity attributed PDFSIDER to a sophisticated threat actor with techniques consistent with APT-level operations. Following the initial Fortune 100 disclosure, multiple ransomware groups including Qilin incorporated the backdoor into their own attack chains within days of the original publication. SecurityWeek confirmed the spread to additional groups shortly after.
PDF24 the application is not compromised. The attack requires an attacker to first obtain write access to a directory where PDF24 is installed, typically through an earlier intrusion or a targeted software supply chain step.
Why Desktop PDF Tools Carry This Risk Structurally
The PDFSIDER campaign highlights a risk that applies to any widely installed, trusted executable: the application becomes the delivery vector precisely because users and security tools trust it.
Desktop PDF tools are attractive targets for this reason. They are installed across large populations, run with user-level permissions, access sensitive documents, and are opened frequently. An attacker who places a malicious DLL alongside a popular PDF tool gains persistent, stealthy access every time that user processes a document.
Browser-based PDF tools compiled to WebAssembly have no installed binary footprint. There is no executable on disk for a malicious DLL to attach to, no writable application directory, and no process with an exploitable DLL search path. Processing runs inside the browser’s sandbox, and the only output is the resulting file in memory, downloaded directly to the user’s machine.
What Users Should Do
Users of PDF24 Creator and other desktop PDF tools should verify that no unexpected DLL files exist alongside application executables. On Windows, these steps reduce exposure:
- Keep antivirus signatures current; major vendors added PDFSIDER signatures following the Resecurity disclosure
- Use application installation directories that standard users cannot write to
- Enable Windows Defender Credential Guard to restrict cryptographic API abuse
For organizations evaluating PDF tooling, the PDFSIDER incident is a concrete data point in favor of browser-based alternatives that eliminate the installed-binary attack surface entirely.
Sources
- PDFSIDER Malware: Exploitation of DLL Side-Loading for AV and EDR Evasion (Resecurity, January 18, 2026)
- New PDFSider Windows Malware Deployed on Fortune 100 Firm’s Network (BleepingComputer, January 19, 2026)
- APT-Grade PDFSider Malware Used by Ransomware Groups (SecurityWeek)
- Hackers Exploiting PDF24 App to Deploy Stealthy PDFSIDER Backdoor (HackRead)
- PDFSider Anti-VM Checks Hidden in New Stealthy Malware (Infosecurity Magazine)