PDFSider: Anatomy of a Fake Update Malware Campaign Delivering Remote Control to Attackers

PDFSider Malware Incident Overview

Date Identified: January 20, 2026
Threat Level: High (APT-grade, targeted)


Executive Summary

In mid-January 2026, security researchers uncovered a highly targeted malware campaign now referred to as PDFSider. The malware was designed to compromise systems within the finance sector by impersonating a legitimate software update for PDF24 Creator, a commonly used PDF creation and management tool.

The attack relied on social engineering rather than software vulnerabilities, allowing it to bypass many traditional defenses. Once executed, the malware provided attackers with remote code execution and persistent access, enabling data theft, credential harvesting, and further malware deployment.

This was not a widespread opportunistic campaign. Indicators point to deliberate targeting, careful preparation, and post-compromise activity aligned with long-term access rather than immediate destruction.


What Happened

Victims were tricked into installing what appeared to be a legitimate update for PDF24 Creator. The installer looked authentic, used convincing filenames, and mimicked normal update behavior. Once launched, it silently executed malicious code in the background.

The attackers gained full remote control over affected machines and selectively deployed additional tools depending on the value of the compromised system. Financial institutions, accounting departments, and employees with access to sensitive financial systems were the primary targets.


How the Attack Happened

Initial Infection Vector

The initial access was achieved through fake software updates. These were delivered via:

  • Phishing emails claiming a critical PDF24 update was required
  • Download links hosted on look-alike domains
  • In some cases, poisoned search results leading to malicious installers

The attackers did not exploit a vulnerability in PDF24 Creator itself; they exploited user trust.

Once the installer was executed, the malware ran with the same permissions as the user. On systems where users had local admin rights, the malware gained elevated access immediately.


Malware Behavior and Execution Flow

Stage 1: Loader Execution

  • The fake installer launches a dropper component
  • A decoy installation window may appear to reduce suspicion
  • Malicious files are written to disk, typically under:
    • %AppData%
    • %ProgramData%
    • %LocalAppData%

Stage 2: Payload Deployment

After execution, the malware:

  • Establishes persistence via:
    • Registry Run keys
    • Scheduled tasks disguised as update services
  • Decrypts and loads the main payload into memory
  • Avoids dropping obvious malicious binaries where possible

Stage 3: Command-and-Control (C2)

  • Initiates outbound HTTPS connections to attacker-controlled infrastructure
  • Traffic is encrypted and mimics legitimate application traffic
  • Beacons system details such as:
    • Hostname
    • Username
    • OS version
    • Installed security products

Stage 4: Post-Compromise Activity

Depending on the target:

  • Credential harvesting tools may be deployed
  • Browser data and stored passwords are extracted
  • Additional backdoors or tunneling tools are installed
  • Network discovery commands are executed to identify lateral movement paths

Payloads Used

The campaign did not rely on a single payload. Instead, it used modular components, including:

  • Remote Access Trojan (RAT) for interactive control
  • Credential dumpers targeting browser and Windows credential stores
  • Keylogging modules on selected hosts
  • Data exfiltration tools designed to compress and encrypt stolen files before transmission

Payloads were deployed selectively, indicating the attackers evaluated each compromised system before escalating.


Was Any Vulnerability Exploited?

No software vulnerability was exploited in this campaign.

The attack succeeded because of:

  • Trusted software impersonation
  • Lack of strict application update controls
  • Users running installers without verification

This makes the campaign particularly dangerous, as patching alone does not prevent it.


Persistence Mechanisms Observed

  • Registry autorun keys disguised as PDF services
  • Scheduled tasks with benign-sounding names
  • In some cases, DLL hijacking within user-writable directories

The malware was designed to survive reboots and remain dormant if no C2 connection was available.


Impacted Systems and Data

Impacted Environments

  • Financial institutions
  • Accounting firms
  • Corporate finance departments
  • Individual finance professionals

Potentially Compromised Data

  • Financial documents (PDFs, spreadsheets)
  • Authentication credentials
  • Internal emails
  • Client and transaction data
  • System and network topology information

There was no evidence of data destruction or ransomware deployment, suggesting espionage or fraud-related objectives rather than disruption.


Anti-Malware and Evasion Techniques

PDFSider employed multiple evasion techniques:

  • Delayed execution to bypass sandbox analysis
  • Encrypted payloads to evade static detection
  • Process injection into legitimate Windows processes
  • Avoidance of known virtualized environments

On systems with endpoint protection, detection often occurred only after outbound C2 activity, not at initial execution.


Indicators of Compromise (IOCs)

File Indicators

  • Executables with names similar to:
    • PDF24_Update.exe
    • PDF24_Creator_Update_2026.exe
  • Unexpected DLLs in user profile directories
  • Unsigned binaries posing as update services

Registry Indicators

  • New Run keys referencing PDF update components
  • Scheduled tasks referencing non-standard PDF paths

Network Indicators

  • Outbound HTTPS traffic to unknown domains shortly after installer execution
  • Repeated beaconing at fixed intervals
  • TLS connections without standard browser fingerprints
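
As an added example (not part of the original report), the two network indicators above, unexpected outbound traffic shortly after the installer ran and fixed-interval beaconing, as detection logic in Python run over a constructed proxy log; the look-alike domain, the allowlist and the installer timestamp are placeholders, not real indicators from this campaign.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed proxy log ("timestamp host domain"); the look-alike domain,
# allowlist and installer time are placeholders, not real campaign indicators.
PROXY_LOG = """\
2026-01-20T09:00:05 FIN-WS01 vendor-updates.example
2026-01-20T09:00:13 FIN-WS01 update-pdf24.example
2026-01-20T09:01:13 FIN-WS01 update-pdf24.example
2026-01-20T09:02:13 FIN-WS01 update-pdf24.example
2026-01-20T09:03:13 FIN-WS01 update-pdf24.example
2026-01-20T09:05:22 FIN-WS01 news.example
2026-01-20T09:06:01 FIN-WS01 news.example
2026-01-20T09:12:44 FIN-WS01 news.example
2026-01-20T09:40:10 FIN-WS01 news.example
"""
KNOWN_UPDATE_DOMAINS = {"vendor-updates.example"}  # assumed allowlist
INSTALLER_RUN_AT = datetime(2026, 1, 20, 9, 0, 2)  # from a process-creation event

def parse_log(text):
    """Return (timestamp, host, domain) tuples from the constructed log."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, host, domain = line.split()
            records.append((datetime.fromisoformat(ts), host, domain))
    return records

def unknown_domains_after_install(records, install_time, window=timedelta(minutes=5)):
    """Non-allowlisted domains contacted within `window` after the installer ran."""
    return sorted({d for ts, _host, d in records
                   if install_time <= ts <= install_time + window
                   and d not in KNOWN_UPDATE_DOMAINS})

def find_beacons(records, min_count=4, max_jitter=0.10):
    """Pairs seen >= min_count times with near-constant gaps (stddev/mean <= max_jitter) -> mean gap."""
    by_pair = defaultdict(list)
    for ts, host, domain in records:
        by_pair[(host, domain)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons
```

The jitter threshold is the knob to tune: real C2 often adds randomised sleep, so raise `max_jitter` and lower the beacon count per host until the false-positive rate on your own baseline traffic is acceptable.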

Behavioral Indicators

  • PDF software attempting network connections outside normal update cycles
  • Command execution shortly after PDF installer runs
  • Credential access from non-browser processes

Why This Attack Matters

This incident highlights a growing shift toward trust-based attacks. Instead of breaking software, attackers are breaking assumptions:

  • Users assume updates are safe
  • Organizations assume signed-looking installers are legitimate
  • Security tools often trust common business software

PDFSider succeeded because it looked normal.


Final Takeaway

PDFSider represents a quiet, professional, and deliberate intrusion campaign. It avoided noise, avoided exploits, and relied on human behavior. The lack of immediate damage should not be mistaken for low severity. Systems compromised in this way can remain under attacker control for months.

Organizations affected by similar attacks may never realize the full extent of data exposure.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.