PDFSider Malware Abuses DLL Side-Loading to Evade Antivirus and EDR Defenses

By Ash K

A newly documented malware campaign involving a strain known as PDFSider highlights how threat actors continue to rely on trusted application abuse to bypass modern security defenses. The malware leverages DLL side-loading techniques to evade antivirus and endpoint detection and response systems, reinforcing a growing pattern seen across both financially motivated and espionage-focused operations.

Researchers analyzing the campaign observed that PDFSider does not depend on zero-day exploits or complex exploit chains. Instead, it abuses legitimate executables and predictable Windows loading behavior, allowing malicious code to run under the guise of trusted software. This approach remains highly effective against environments that prioritize signature-based detection.

What Is PDFSider Malware

PDFSider is a malware loader designed to deliver secondary payloads while maintaining a low detection profile. It is typically distributed through malicious email attachments or compressed archives that appear to contain harmless PDF-related content. Once executed, the malware initiates a staged infection process aimed at persistence and stealth rather than immediate disruption.

The malware’s primary objective is to establish execution while blending into normal system activity. Its design reflects a broader shift toward modular malware frameworks that can be easily adapted for different campaigns and payloads.

DLL Side-Loading as the Core Evasion Technique

Figure: DLL side-loading attack flow used by PDFSider malware (image credit: Resecurity)

At the center of the PDFSider infection chain is DLL side-loading, a technique that exploits the order in which Windows applications search for the dynamic link libraries they require. Because an application's own directory is searched before the system directories, placing a malicious DLL next to a legitimate executable ensures that the attacker's copy is found, and loaded, instead of the genuine library when the application starts.

In this campaign, attackers bundle a trusted executable alongside a malicious DLL that shares the same name as a legitimate dependency. Because the executable is digitally signed and widely trusted, it is far less likely to be blocked or scrutinized by security tools.
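To make the search-order point concrete, the following added example (not code from the article or from Resecurity) models the Windows DLL resolution order with SafeDllSearchMode enabled, which is the default. It resolves a DLL name against a constructed file layout and reports when a same-named file outside the Windows directory would shadow the genuine copy. It also covers the caveat a practitioner should know: KnownDLLs such as kernel32.dll always map from System32 and cannot be shadowed this way. The directory names, file names and `KNOWN_DLLS` subset are constructed for illustration.

```python
"""Model of the Windows DLL search order with SafeDllSearchMode enabled (the default).

Added example, not code from the article or from Resecurity. It shows why a DLL
dropped beside a trusted executable is picked over the genuine copy in System32:
the application's own directory is searched first. KnownDLLs are the exception
and always resolve to System32. The file system below is a constructed set.
"""
from __future__ import annotations

import ntpath

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
# A few real KnownDLLs entries (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs);
# the list is not exhaustive.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "gdi32.dll", "advapi32.dll"}


def search_order(app_dir: str, cwd: str, path_dirs: list[str]) -> list[str]:
    """Directories the loader consults, in order, when SafeDllSearchMode is on."""
    return [app_dir, SYSTEM32, ntpath.join(WINDIR, "System"), WINDIR, cwd, *path_dirs]


def resolve_dll(name: str, app_dir: str, cwd: str, path_dirs: list[str], fs: set[str]) -> str | None:
    """Path the loader would bind `name` to, or None if no copy exists.

    `fs` is the set of files that exist; comparison is case-insensitive like NTFS.
    """
    present = {p.lower() for p in fs}
    if name.lower() in KNOWN_DLLS:
        # KnownDLLs bypass the search entirely and map the System32 section.
        candidate = ntpath.join(SYSTEM32, name)
        return candidate if candidate.lower() in present else None
    for directory in search_order(app_dir, cwd, path_dirs):
        candidate = ntpath.join(directory, name)
        if candidate.lower() in present:
            return candidate
    return None


def is_shadowed(name: str, app_dir: str, cwd: str, path_dirs: list[str], fs: set[str]) -> bool:
    """True when a genuine copy exists under the Windows directory but the loader
    would bind a same-named file from somewhere else (the side-loading case)."""
    chosen = resolve_dll(name, app_dir, cwd, path_dirs, fs)
    if chosen is None:
        return False
    genuine_exists = any(
        p.lower() == ntpath.join(d, name).lower() for p in fs for d in (SYSTEM32, WINDIR)
    )
    return genuine_exists and not chosen.lower().startswith(WINDIR.lower() + "\\")


# Constructed layout: a trusted viewer unpacked from an archive, with two extra DLLs beside it.
APP_DIR = r"C:\Users\alice\Downloads\PdfTool"
SAMPLE_FS = {
    ntpath.join(APP_DIR, "pdftool.exe"),
    ntpath.join(APP_DIR, "version.dll"),    # constructed shadow copy of a System32 DLL
    ntpath.join(APP_DIR, "kernel32.dll"),   # constructed; ignored because kernel32 is a KnownDLL
    ntpath.join(SYSTEM32, "version.dll"),
    ntpath.join(SYSTEM32, "kernel32.dll"),
}

if __name__ == "__main__":
    cwd = r"C:\Users\alice"
    for dll in ("version.dll", "kernel32.dll"):
        path = resolve_dll(dll, APP_DIR, cwd, [], SAMPLE_FS)
        flag = is_shadowed(dll, APP_DIR, cwd, [], SAMPLE_FS)
        print(f"{dll:<14} -> {path}  shadowed={flag}")
```

Running the script shows `version.dll` binding to the copy in the application directory while `kernel32.dll` still binds to System32 despite a same-named file sitting next to the executable. The same `is_shadowed` check, pointed at a real application directory and the real System32 listing, is a quick audit for side-load candidates in software that has been unpacked outside Program Files.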

Abuse of Legitimate Executables

Figure: Legitimate application abuse in PDFSider malware execution (image credit: Resecurity)

The campaign demonstrates how attackers continue to weaponize legitimate software to bypass trust-based security models. By hijacking well-known applications, PDFSider avoids raising suspicion during execution and benefits from inherited trust at both the operating system and security solution level.

This tactic is particularly effective in enterprise environments where application whitelisting and reputation-based controls are common. Once execution is achieved, the malware proceeds to decrypt and load its next-stage components directly into memory.

Multi-Stage Payload Delivery

PDFSider follows a staged execution model in which the initial loader focuses solely on establishing a foothold. Subsequent payloads are retrieved or decrypted at runtime, allowing attackers to modify capabilities without altering the original dropper.

This modular approach complicates analysis and detection. Security products that focus only on static analysis of the initial file may fail to observe the full malicious behavior until later stages are already active.

Evasion of Antivirus and EDR Solutions

One of the most concerning aspects of the PDFSider campaign is its ability to bypass both traditional antivirus engines and more advanced endpoint detection platforms. By executing within the context of trusted processes, the malware minimizes anomalous behavior that would normally trigger alerts.

Researchers noted that PDFSider avoids noisy actions such as spawning suspicious child processes or writing obvious artifacts to disk. Instead, it relies on in-memory execution and indirect system calls, reducing its forensic footprint.

Infrastructure and Command Execution

Once fully deployed, PDFSider establishes communication with attacker-controlled infrastructure to receive commands and deliver additional payloads. Traffic is designed to resemble legitimate network activity, further complicating detection by perimeter defenses.

The malware supports basic command execution, payload retrieval, and system profiling, providing attackers with flexibility to adapt operations based on the target environment.

Why PDFSider Reflects a Broader Trend

The PDFSider campaign reinforces a reality that defenders have observed repeatedly in recent years. Attackers do not need sophisticated exploits to compromise systems. Well-understood Windows behaviors, combined with social engineering and trusted binaries, are often enough.

DLL side-loading continues to be attractive because it exploits default system behavior rather than software flaws. As long as applications load dependencies from their own directory ahead of the system directories, this technique will remain viable across many environments.

For defenders, this underscores the importance of behavioral monitoring, module load auditing, and contextual process analysis. Without visibility into how and why code is executed, even advanced security stacks may fail to detect malware designed to look legitimate.
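The module load auditing and contextual process analysis called for above can be turned into concrete detection logic. The following added example (not the article's or Resecurity's code) runs a small rule set over constructed records shaped like Sysmon Event ID 7 (ImageLoad) events. The `ImageSignature` field, carrying the signer of the loading executable, is an assumed enrichment rather than a native Event 7 field; the `SYSTEM_DLL_NAMES` baseline and all sample events are constructed. A single rule hit describes plenty of legitimate software, so a finding requires two or more rules to fire.

```python
"""Detection logic for DLL side-loading over module-load telemetry.

Added example, not the article's or Resecurity's code. Records mimic Sysmon
Event ID 7 fields; every sample event is constructed. `ImageSignature` is an
assumed enrichment (signer of the host executable), not a native field.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Constructed baseline of DLL names that ship in System32; build from a golden image in practice.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "cryptbase.dll", "wtsapi32.dll", "uxtheme.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Finding:
    image: str
    module: str
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def _in_system_dir(directory: str) -> bool:
    return any((directory + "\\").startswith(prefix) for prefix in SYSTEM_DIRS)


def analyze_image_load(event: dict) -> Finding | None:
    """Return a Finding listing each triggered rule, or None when fewer than two fire."""
    image, module = event["Image"], event["ImageLoaded"]
    img_dir = ntpath.dirname(image).lower()
    mod_dir = ntpath.dirname(module).lower()
    mod_name = ntpath.basename(module).lower()
    reasons: list[str] = []

    # Rule 1: a name that belongs in System32 resolved from somewhere else.
    if mod_name in SYSTEM_DLL_NAMES and not _in_system_dir(mod_dir):
        reasons.append("system DLL name loaded from non-system path")

    # Rule 2: the side-loading layout itself: module beside the host, outside system dirs.
    if img_dir == mod_dir and not _in_system_dir(img_dir):
        reasons.append("module loaded from the host executable's own directory")

    # Rule 3: unsigned module, or a module signed by someone other than the host's signer.
    # Skipped for system directories, where Microsoft-signed modules are expected.
    if not _in_system_dir(mod_dir):
        host_signer = event.get("ImageSignature")
        if event.get("Signed") != "true":
            reasons.append("module unsigned")
        elif host_signer and event.get("Signature") != host_signer:
            reasons.append("module signer differs from host signer")

    # Rule 4: host executable running from a user-writable location (attachment or archive drop).
    if any(marker in img_dir + "\\" for marker in USER_WRITABLE_MARKERS):
        reasons.append("host executable in user-writable path")

    return Finding(image, module, reasons) if len(reasons) >= 2 else None


def scan(events: list[dict]) -> list[Finding]:
    """Run every event through the rules and keep the findings, highest score first."""
    hits = [f for f in (analyze_image_load(e) for e in events) if f is not None]
    return sorted(hits, key=lambda f: f.score, reverse=True)


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    {   # signed viewer unpacked to %TEMP% loading an unsigned same-named DLL beside itself
        "Image": r"C:\Users\alice\AppData\Local\Temp\PdfReaderSetup\pdfviewer.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\PdfReaderSetup\version.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
        "ImageSignature": "Example Software Vendor",
    },
    {   # the same host loading the genuine version.dll from System32
        "Image": r"C:\Users\alice\AppData\Local\Temp\PdfReaderSetup\pdfviewer.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
        "ImageSignature": "Example Software Vendor",
    },
    {   # an installed application loading its own signed helper DLL
        "Image": r"C:\Program Files\ExampleApp\app.exe",
        "ImageLoaded": r"C:\Program Files\ExampleApp\apphelper.dll",
        "Signed": "true", "Signature": "Example Software Vendor", "SignatureStatus": "Valid",
        "ImageSignature": "Example Software Vendor",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.score}] {finding.image} -> {finding.module}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Only the first sample event produces a finding, with all four rules firing; the genuine System32 load and the installed application's own helper DLL each trigger a single rule and stay below the threshold. In a real deployment the baseline set would come from a known-good image and the rules would be joined against process-creation records so that the host executable's signer is available to rule 3.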

How PDFSider Emerged in a Real-World Intrusion Attempt

Resecurity first identified PDFSider while investigating a targeted intrusion attempt against a Fortune 100 organization. The incident did not rely on software vulnerabilities or exploit chains. Instead, the attacker attempted to gain access through direct interaction with employees, posing as technical support and leveraging social engineering to persuade staff to grant remote access.

The operation made use of Windows Quick Assist, a legitimate remote support feature, as part of the initial access attempt. While the intrusion was ultimately blocked, forensic analysis of the tooling and delivery artifacts led researchers to uncover PDFSider as a loader designed to operate once execution was achieved through trusted mechanisms.

A Loader Favored by Ransomware Operators

Analysis of the malware indicates that PDFSider is not confined to a single campaign or threat actor. According to Resecurity’s researchers, the loader is already being used by multiple ransomware groups as a delivery mechanism for follow-on payloads.

Rather than deploying ransomware directly, operators use PDFSider to establish execution within the target environment first. This staged approach allows attackers to assess defenses, deploy tooling selectively, and reduce the likelihood of early detection before committing to disruptive actions.

DLL Side-Loading as a Preferred Initial Access Method

The broader activity surrounding PDFSider reflects a sustained shift away from exploit-based intrusions toward techniques that abuse default system behavior. DLL side-loading, in particular, continues to offer attackers a reliable way to bypass both antivirus and endpoint detection platforms by operating within the execution flow of trusted software.

Resecurity’s findings align with a wider pattern observed across recent campaigns. Advanced actors increasingly favor spear-phishing and social engineering combined with dependable execution methods, rather than risking unstable exploits that may fail or trigger security controls.

Links to Recent High-Profile Campaigns

Similar tradecraft has been observed in other recent operations. In one campaign analyzed by Acronis, attackers targeting U.S. government entities used DLL side-loading as part of a malware delivery chain associated with LOTUSLITE. The campaign relied on geopolitical themes involving the United States and Venezuela to add credibility to phishing lures.

Infrastructure patterns and execution techniques from that activity showed moderate-confidence overlap with tooling and behaviors previously attributed to Mustang Panda, including separation between loaders and malicious libraries, as well as shared infrastructure characteristics.

Commodity Malware Distributed Through the Same Technique

DLL side-loading is not limited to targeted espionage or ransomware operations. In a separate campaign documented by Trellix, attackers exploited a vulnerability in a legitimate binary linked to the open-source c-ares library to distribute a wide range of commodity malware.

Payloads delivered through this method included common stealers, remote access trojans, and loaders such as Agent Tesla, CryptBot, Formbook, Lumma, Vidar, Remcos, Quasar RAT, DCRat, and XWorm. The campaign demonstrated how a single trusted binary can be abused at scale to bypass security controls and deliver diverse malware families.

Source: Resecurity Research Blog

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.