Stealthy PDFSider Campaign Weaponizes Legitimate PDF Tools to Bypass EDR Defenses

Tags: PDFSider, DLL Side-Loading, Evasion Techniques

The PDFSider campaign targets the energy and finance sectors, using DLL side-loading to bypass AV and EDR defenses. By pairing the legitimate PDF24 software with a malicious DLL delivered in spear-phishing emails, the attackers execute the malware in memory, establish encrypted C2 channels, and gain remote shell access. This technique is currently used by both APT groups and ransomware syndicates such as Qilin.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1095 - Non-Application Layer Protocol

DET0457 - Detection of Non-Application Layer Protocols for C2
  AN1254: Anomalous use of ICMP or UDP by non-network service processes for data exfiltration or remote control, especially if traffic bypasses proxy infrastructure or shows unusual flow patterns.
  AN1255: ICMP or raw socket traffic generated by user-mode processes like bash, Python, or nc, typically using ping, hping3, or crafted packets via libpcap or scapy.
  AN1256: Unsigned binaries or interpreted scripts initiating non-standard protocols (ICMP, UDP, SOCKS) outside of baseline network behavior.
  AN1257: VMCI (Virtual Machine Communication Interface) traffic between guest and host, or between VMs, originating from non-management tools or unauthorized binaries.
  AN1258: Non-standard port/protocol pairings or low-entropy ICMP traffic resembling tunneling patterns (e.g., fixed-size pings with delays).


T1041 - Exfiltration Over C2 Channel

DET0348 - Detection Strategy for Exfiltration Over C2 Channel
  AN0988: Identifies suspicious outbound traffic volume mismatches from processes that typically do not generate network activity, particularly over C2 protocols like HTTPS, DNS, or custom TCP/UDP ports, following file or data access.
  AN0989: Monitors for processes reading sensitive files and then immediately initiating unusual outbound connections or bulk transfer sessions over persistent sockets, particularly with encrypted or binary payloads.
  AN0990: Detects unauthorized applications or scripts accessing sensitive data and then establishing encrypted outbound communication to rare external destinations or with abnormal byte ratios.
  AN0991: Detects VMs sending outbound traffic through non-standard services or to unknown destinations, including exfiltration over reverse shells tunneled via VMkernel or custom payloads routed via hostd/vpxa.


T1106 - Native API

DET0529 - Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls
  AN1465: Unusual or suspicious processes loading critical native API DLLs (e.g., ntdll.dll, kernel32.dll) followed by direct syscall behavior, memory manipulation, or hollowing.
  AN1466: Userland processes invoking syscall-heavy libraries (libc, glibc) followed by fork, mmap, or ptrace behavior commonly associated with code injection or memory manipulation.
  AN1467: Execution of processes that link to CoreServices or Foundation APIs followed by creation of memory regions, code execution, or abnormal library injection.


T1204 - User Execution

DET0478 - User Execution: multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress)
  AN1314: Cause→effect chain: (1) a user-facing app (Office/PDF/archiver/browser) records an open/click or abnormal event, then (2) a downloaded file is created in a user-writable path and/or decompressed, (3) the parent user app spawns a living-off-the-land binary (e.g., powershell/cmd/mshta/rundll32/msiexec/wscript/expand/zip) or installer, and (4) immediate outbound HTTP(S)/DNS/SMB from the same lineage.
  AN1315: Cause→effect chain: (1) a user app/browser/archiver logs an open/click or abnormal exit, (2) a new executable/script/archive is extracted into $HOME/Downloads, /tmp, or ~/.cache, (3) the parent app spawns a shell/interpreter (bash/sh/python/node/curl/wget) or desktop file, and (4) new outbound connection(s) from the child lineage.
  AN1316: Cause→effect chain: (1) unified logs show an application open/click or crash for Safari/Chrome/Office/Preview/archiver, (2) file write/extraction into ~/Downloads, /private/var/folders/* or ~/Library, (3) the parent app spawns osascript/bash/zsh/curl/python or opens a quarantined app with Gatekeeper prompts, (4) network egress from the child.
  AN1317: Cause→effect chain in CI/dev desktops: (1) the user triggers a container run/pull after opening a doc/link/script, (2) the newly created image/container uses an unexpected external registry or entrypoint, (3) the container starts and immediately egresses to suspicious destinations.
  AN1318: Cause→effect chain in cloud consoles: (1) the user clicks a link and then invokes instance/image creation via API, (2) the instance/image originates from an external AMI or unknown image, (3) the instance immediately egresses or retrieves payloads.
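The AN1314 chain above, implemented as a process-lineage correlator over constructed process, file and network events. This is an added example, not part of the page or of any vendor's detection content; the event schema, the placeholder image names (pdfreader.exe, archiver.exe, browser.exe) and the paths are assumptions.

```python
"""Correlate the AN1314 chain (user app -> drop in user-writable path ->
LOLBIN child -> egress from that lineage). Added example; schema assumed."""

# Step (1)/(3) vocabularies; user-app image names are constructed placeholders.
USER_APPS = {"winword.exe", "pdfreader.exe", "archiver.exe", "browser.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "msiexec.exe", "wscript.exe", "expand.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

def lineage(procs, pid):
    """Yield (pid, image) for pid and its ancestors, nearest first."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, image = procs[pid]
        yield pid, image.lower()
        pid = ppid

def correlate(events):
    """Return one alert per outbound connection that completes the chain."""
    procs, drops, alerts = {}, {}, []   # pid -> (ppid, image); pid -> paths
    for kind, pid, ppid, image, detail in events:      # assumed time-ordered
        if kind == "proc":
            procs[pid] = (ppid, image)
        elif kind == "file" and any(m in detail.lower() for m in USER_WRITABLE):
            drops.setdefault(pid, []).append(detail)               # step (2)
        elif kind == "net":
            chain = list(lineage(procs, pid))
            images = [img for _, img in chain]
            li = next((i for i, im in enumerate(images) if im in LOLBINS), None)
            ai = next((i for i, im in enumerate(images) if im in USER_APPS), None)
            if li is None or ai is None or ai <= li:   # app must be an ancestor
                continue
            dropped = drops.get(chain[ai][0])
            if dropped:                           # (1)+(2)+(3)+(4) all present
                alerts.append({"net_pid": pid, "lolbin": images[li],
                               "user_app": images[ai], "drop": dropped[-1],
                               "dest": detail})
    return alerts

EVENTS = [  # constructed telemetry: (kind, pid, ppid, image, detail)
    ("proc", 200, 1, "pdfreader.exe", "invoice.pdf"),
    ("file", 200, 1, "pdfreader.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\inv.zip"),
    ("proc", 300, 200, "cmd.exe", "/c expand inv.zip"),
    ("proc", 400, 300, "rundll32.exe", "inv.dll,Run"),
    ("net", 400, 300, "rundll32.exe", "198.51.100.23:443"),
    ("proc", 500, 1, "browser.exe", ""),          # benign lineage: no drop
    ("proc", 600, 500, "cmd.exe", "/c ipconfig"),
    ("net", 600, 500, "cmd.exe", "192.0.2.10:53"),
]
```

Running `correlate(EVENTS)` yields a single alert for the rundll32.exe egress under pdfreader.exe; the browser lineage is suppressed because step (2) never occurred.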


T1497 - Virtualization/Sandbox Evasion

DET0046 - Detection Strategy for T1497 Virtualization/Sandbox Evasion
  AN0127: Execution of discovery commands or API calls for virtualization artifacts (e.g., registry keys, device drivers, services), sleep/skipped execution behavior, or sandbox evasion DLLs before payload deployment.
  AN0128: Execution of commands to enumerate virtualization-related files or processes (e.g., '/sys/class/dmi/id/product_name', dmesg, lscpu, lspci), or querying hypervisor interfaces prior to malware execution.
  AN0129: Execution of scripts or binaries that check for virtualization indicators (e.g., system_profiler, ioreg -l, kextstat), combined with delay functions or anomalous launchd activity.


T1059.003 - Windows Command Shell

DET0202 - Behavioral Detection of Windows Command Shell Execution
  AN0578: Detects interactive or scripted abuse of cmd.exe, batch files, or shell invocation chains. Focuses on parent-child relationships (e.g., cmd.exe launched from unusual parents), anomalous command-line parameters, and chaining with discovery, credential access, or lateral movement behaviors.


T1082 - System Information Discovery

DET0525 - System Discovery via Native and Remote Utilities
  AN1452: Process creation and command-line execution of native system discovery utilities such as systeminfo, hostname, wmic, or use of PowerShell/WMI for system enumeration.
  AN1453: Execution of system enumeration commands such as uname, df, uptime, hostname, lscpu, and cat /etc/os-release through a local terminal or scripts.
  AN1454: Execution of system info utilities like systemsetup, sw_vers, uname, or sysctl by terminal or scripted processes.
  AN1455: Execution of esxcli system hostname get, esxcli system version get, or esxcli hardware commands through SSH or a local shell.
  AN1456: Use of cloud API calls (e.g., AWS EC2 DescribeInstances, Azure VM Inventory) to enumerate system configurations across assets.
  AN1457: Execution of show version, show hardware, or show system commands through the CLI via SSH or console.

Observed Countries (250)
