While the name sounds like a piece of malware, PPSideLoader is actually a —a specific method of sideloading malicious code using Microsoft PowerPoint files ( .pps or .ppsx ).

PPSideLoader takes this concept and applies it specifically to PowerPoint. Attackers package a malicious DLL alongside a legitimate PowerPoint executable (or related component). When PowerPoint runs a slideshow, it looks for specific supporting files. If an attacker has placed a poisoned DLL in the same directory, PowerPoint will load it—granting the attacker code execution on the victim’s machine. Unlike macro-based attacks (which require the user to enable scripts), PPSideLoader relies on file system behavior and search order hijacking.

As macro-based attacks decline, sideloading techniques like PPSideLoader will become the new normal. Defenders must shift from trusting file extensions and signatures to monitoring —because even a trusted app like PowerPoint can become a backdoor when loaded the wrong way.