A cyber espionage campaign targeting diplomatic and governmental organizations across South Asia has recently come to light. The threat actor, known as SideWinder, ran the most recent wave of the operation in September 2025, targeting a European embassy in New Delhi, India, along with institutions in Sri Lanka, Pakistan, and Bangladesh. The campaign marks an evolution in SideWinder's tactics, techniques, and procedures (TTPs): alongside its earlier use of Microsoft Word exploits, the group introduced a new infection chain built on PDF lures and ClickOnce applications.
Researchers from Trellix, Ernesto Fernández Provecho and Pham Duy Phuc, detailed how the attackers employed spear-phishing emails over four waves between March and September 2025. These emails contained malicious attachments disguised as official documents, with titles such as "Inter-ministerial meeting Credentials.pdf" or "India-Pakistan Conflict - Strategic and Tactical Analysis of May 2025.docx." The emails originated from a domain crafted to mimic the Pakistan Ministry of Defense, enhancing the deception.
The initial infection vector is a malicious PDF or Word attachment. The PDF variant relies on the recipient rather than on a reader vulnerability: it contains a button urging the user to download and install the latest version of Adobe Reader, and clicking it fetches a ClickOnce application from a remote server. The executable that ClickOnce deploys, "ReaderConfiguration.exe," is a legitimate MagTek Inc. binary carrying a valid digital signature, so it passes a casual trust check. When launched, it sideloads a malicious DLL named "DEVOBJ.dll" placed alongside it; the name matches a genuine Windows system DLL, so the library search order resolves the planted copy in the application directory before the real one in System32. The malicious DEVOBJ.dll in turn decrypts and runs a .NET loader called ModuleInstaller.
ModuleInstaller plays a crucial role in profiling the infected system and downloading further malicious payloads, including StealerBot. StealerBot is an advanced .NET implant capable of launching reverse shells, delivering additional malware, and collecting sensitive data like screenshots, keystrokes, passwords, and files. Both ModuleInstaller and StealerBot were first identified publicly by Kaspersky in October 2024, linked to SideWinder’s previous attacks targeting strategic infrastructures in the Middle East and Africa.
Earlier attacks, reported by Acronis in May 2025, also targeted government institutions in Sri Lanka, Bangladesh, and Pakistan, using malicious Microsoft Office documents to deliver StealerBot. The latest campaign adds sophistication by combining PDF and Word lures, phishing emails written around current geopolitical events, and the abuse of legitimate signed software to sideload malware. Notably, the command-and-control servers only serve clients located in South Asia and generate download paths dynamically, so analysts outside the region, or replaying a previously captured URL, may be unable to retrieve the payloads, which complicates investigation.
The campaign reflects SideWinder’s persistent efforts to refine their methods and evade detection. Their multi-wave phishing strategy demonstrates a deep understanding of the diplomatic landscape, crafting highly specific lures to maximize success. Leveraging custom malware and legitimate signed applications for payload delivery underscores their focus on evasion and long-term espionage goals. Trellix’s findings highlight the ongoing threat posed by this group to diplomatic and governmental bodies in a geopolitically sensitive region.