Vulnerabilities in Foxit & Apryse and the Rise of PDFSider Malware
The PDF ecosystem — long considered a safe productivity layer — is now a prime target for cyberattacks. Recent research from penetration testing startup Novee and threat intelligence firm Resecurity highlights two critical fronts: vendor-side vulnerabilities in popular PDF platforms and malware weaponization through advanced backdoors like PDFSider.
Vendor Vulnerabilities: Foxit & Apryse
- Discovery: Novee uncovered 16 security flaws across Apryse WebViewer and Foxit PDF cloud services.
- Severity Breakdown:
  - Apryse: 1 critical, 2 high-severity.
  - Foxit: 2 high-severity, 11 medium-severity.
- Attack Vectors: DOM XSS, SSRF, stored/reflected XSS, path traversal, OS command injection.
- Exploitation Potential:
  - Account takeover via embedded PDF viewers in authenticated apps.
  - Data exfiltration and manipulation of sensitive documents.
  - Persistent compromise through payloads surviving page refreshes.
- Vendor Response: Both Foxit and Apryse patched promptly, emphasizing responsible disclosure and transparent remediation.
Malware Spotlight: PDFSider
- Threat Actor Tool: PDFSider, a newly identified malware family.
- Capabilities:
  - Encrypted command-and-control (C2) using the Botan cryptographic library.
  - Hidden interactive shell for remote code execution (RCE).
  - AV/EDR evasion and DLL sideloading for stealth.
- Delivery Method:
  - Sideloaded via PDF24 Creator (a legitimate app).
  - Distributed in spear-phishing ZIP archives.
- Targets:
  - Fortune 100 corporation (via Quick Assist + social engineering).
  - Multiple ransomware groups leveraging it for payload delivery.
DLL Sideloading Trend in Cybercrime
- APT Mustang Panda:
  - Used DLL sideloading in campaigns tied to the US-Venezuela conflict.
  - Delivered the LotusElite backdoor via spear-phishing ZIPs.
- Commodity Malware Campaigns:
  - Abused Ahost.exe (C-ares library).
  - Delivered AgentTesla, FormBook, Lumma Stealer, Vidar, CryptBot, Remcos, QuasarRAT, DCRat, XWorm.
  - Localized filenames in multiple languages to broaden reach.
Defender Guidance
- Key Risks: PDF platforms are no longer low-risk utilities — they’re high-value attack surfaces.
- Detection Priorities:
  - Monitor for abnormal DLL loads by trusted apps (PDF24 Creator, Ahost.exe).
  - Detect suspicious child processes spawned by PDF viewers.
  - Flag anomalous encrypted outbound traffic (Botan library usage).
- MITRE ATT&CK Mapping:
  - T1059 (Command Execution)
  - T1071 (Application Layer Protocol)
  - T1574.002 (DLL Sideloading)
  - T1027 (Obfuscated Files/Information)
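As an added example (not code from the article or from the cited researchers), a small Python triage script for the detection priorities above: it scans Sysmon-style ImageLoad (Event ID 7) and ProcessCreate (Event ID 1) events for the trusted hosts named here loading a known-bad or out-of-place Cryptbase.dll, and for shells spawned by a PDF viewer. Field names follow Sysmon's; the sample events, paths, viewer and child-process lists are constructed assumptions, and the malicious MD5 is the one from the IOC table below.

```python
import re

# Trusted host binaries named on the page that sideloading campaigns abuse.
SIDELOAD_HOSTS = {"pdf24.exe", "ahost.exe"}
PDF_VIEWERS = {"pdf24.exe"}  # assumption: extend with the viewers you deploy
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}
SYSTEM_DLLS = {"cryptbase.dll"}  # Windows DLLs that belong only in the system dirs
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
KNOWN_BAD_MD5 = {"298cbfc6a5f6fa041581233278af9394"}  # malicious Cryptbase.dll (IOC table)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def md5_of(hashes):
    """Sysmon writes hashes as 'MD5=...,SHA256=...'; return the MD5 or ''."""
    m = re.search(r"MD5=([0-9a-fA-F]{32})", hashes or "")
    return m.group(1).lower() if m else ""

def check_event(ev):
    """Return a finding string for one event, or None when it looks benign."""
    image = basename(ev.get("Image", ""))
    if ev["EventID"] == 7 and image in SIDELOAD_HOSTS:
        loaded, dll = ev["ImageLoaded"], basename(ev["ImageLoaded"])
        if md5_of(ev.get("Hashes")) in KNOWN_BAD_MD5:
            return f"known-bad {dll} loaded by {image}"
        # A system DLL resolved from the application directory is the sideload pattern.
        if dll in SYSTEM_DLLS and not loaded.lower().startswith(SYSTEM_DIRS):
            return f"system DLL {dll} sideloaded from {loaded} by {image}"
    if ev["EventID"] == 1 and basename(ev.get("ParentImage", "")) in PDF_VIEWERS:
        if image in SUSPICIOUS_CHILDREN:
            return f"{image} spawned by PDF viewer: {ev.get('CommandLine', '')}"
    return None

def scan(events):
    """Run check_event over a batch of events and keep only the hits."""
    return [f for f in map(check_event, events) if f]

# Constructed sample events: a normal load, the sideloaded copy, and a shell child.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\PDF24\\pdf24.exe",
     "ImageLoaded": "C:\\Windows\\System32\\cryptbase.dll",
     "Hashes": "MD5=00000000000000000000000000000000"},  # placeholder, not a real hash
    {"EventID": 7, "Image": "C:\\Users\\u\\Downloads\\invoice\\pdf24.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\invoice\\Cryptbase.dll",
     "Hashes": "MD5=298cbfc6a5f6fa041581233278af9394"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\u\\Downloads\\invoice\\pdf24.exe",
     "CommandLine": "cmd.exe /c whoami"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two findings (the known-bad DLL load and the cmd.exe child); the legitimate System32 load is silent.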
Indicators of Compromise (IOCs)
| File Name | MD5 Hash | Status |
|---|---|---|
| About.dll | e0e674ec74d323e0588973aae901b5d2 | Clean |
| Cryptbase.dll | 298cbfc6a5f6fa041581233278af9394 | Malicious |
| Language.dll | 80e4a29270b828c1f97d9cde9475fcbd | Clean |
| NotifyIcon.dll | 96ff508f9be007062b1770691f489e62 | Clean |
| Pdf24.exe | a32dc85eee2e1a579199050cd1941e1d | Clean |
| Settings.dll | 9f9dd5a432b4dde2160c7a7170e0d069 | Clean |
C2 IPs:
- 45.76.9.248
Conclusion
The convergence of vendor vulnerabilities and malware weaponization in the PDF ecosystem underscores a critical reality: PDF platforms are now frontline targets in cyber warfare. Organizations must treat embedded PDF components as high-risk attack surfaces, implement robust detection engineering, and stay ahead of evolving threats like PDFSider.