The SideWinder advanced persistent threat group has emerged with a sophisticated new attack methodology that leverages ClickOnce applications to deploy StealerBot malware against diplomatic and governmental targets across South Asia.
In September 2025, security researchers detected a targeted campaign affecting institutions in Sri Lanka, Pakistan, Bangladesh, and diplomatic missions based in India.
The attacks represent a notable evolution in the threat actor's tradecraft, moving beyond traditional Microsoft Word-based exploits to a more complex PDF and ClickOnce infection chain designed to bypass modern security controls.
The campaign unfolded through multiple waves of spear-phishing emails, each carefully crafted with region-specific themes to manipulate victims into executing malicious payloads.
Attack lures included documents titled "Inter-ministerial meeting Credentials.pdf" and "Relieving order New Delhi.pdf," which prompted targets to download what appeared to be an updated version of Adobe Reader.
When victims clicked the embedded button, they unknowingly initiated a ClickOnce application download from attacker-controlled infrastructure.
These applications bore valid digital signatures from MagTek Inc., not through certificate theft but via DLL side-loading of legitimate MagTek binaries, a technique that allowed the malware to bypass Windows security warnings and execute without raising immediate suspicion.
Trellix analysts identified the malware's sophisticated evasion mechanisms after detecting the fourth wave of attacks through their SecondSight hunting capabilities on Trellix Email Security.
The researchers noted that SideWinder implemented advanced operational security measures including geofencing, which restricted payload delivery to IP addresses originating from the targeted regions.
This geographic restriction prevented security researchers outside South Asia from accessing live malware samples, significantly complicating analysis efforts.
Additionally, the threat actors employed dynamically generated URLs with random numeric components and time-limited payload availability, ensuring that malicious components remained accessible only during narrow windows immediately following initial compromise.
The technical sophistication extends to the malware's persistence and execution mechanisms.
Once the ClickOnce application executes, it drops DEVOBJ.dll alongside an encrypted payload file with a randomized extension such as .ns5 or .1ym.
The DLL performs XOR decryption using the first 42 bytes of the encrypted file as the key, revealing a .NET loader (App.dll) that downloads ModuleInstaller from the command-and-control server.
ModuleInstaller then profiles the compromised system and retrieves configuration files, including TapiUnattend.exe, a legitimate Windows binary, and wdscore.dll, which is side-loaded to execute the final-stage StealerBot malware.
The malware demonstrates adaptive behavior by detecting installed antivirus products and adjusting its execution path accordingly, using mshta.exe when Avast or AVG is detected and pcalua.exe when Kaspersky is present.
ClickOnce Application Structure and DLL Side-Loading
The infection chain's core strength lies in its abuse of ClickOnce's trusted application deployment framework.
SideWinder weaponized the legitimate MagTek Reader Configuration application (version 1.5.13.2) by preserving its structural integrity while replacing critical components.
SideWinder's PDF version execution chain (Source – Trellix)
The attackers substituted the genuine MagTek public key token (7ee65bc326f1c13a) with null values (0000000000000000) in the manifest, while maintaining valid certificate chains to evade detection.
The application's branding was modified from MagTek to "Adobe Compatibility Suite," complete with an Adobe Reader icon replacement, perfectly aligning with the phishing lure's premise.
The payload delivery mechanism substituted the legitimate JSON configuration files (DeviceImages.json and EmvVendorConfig.json) with the malicious DEVOBJ.dll (SHA256: c1093860c1e5e04412d8509ce90568713fc56a0d5993bfdb7386d8dc5e2487b6).
This DLL serves as the side-loading vector for subsequent stages. The manifest included useLegacyV2RuntimeActivationPolicy="true" to enable compatibility with older .NET Framework versions, facilitating execution of legacy malware components.
After execution, a decoy PDF document is displayed to the victim, maintaining the illusion of legitimate document processing while the malware establishes persistence and begins data exfiltration in the background.
The StealerBot malware represents the campaign's ultimate objective, designed for comprehensive espionage operations.
While researchers successfully identified the core infection chain components, geofencing restrictions prevented the acquisition of additional plugin modules beyond IPHelper.dll, which manages proxy communications within the malware ecosystem.
The campaign's infrastructure, spanning domains like mofa-gov-bd[.]filenest[.]live and mod-gov-bd[.]snagdrive[.]com, demonstrates deliberate impersonation of government ministries to enhance social engineering effectiveness.
This combination of technical sophistication and operational security reflects an adversary committed to long-term espionage objectives against strategic regional targets.
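A manifest triage check for the three tampering signs described above (null publicKeyToken, legacy runtime activation, and branding that does not match the signing certificate), added here as an example and not taken from the article or from Trellix. The manifest text is constructed in the usual .application shape; the signer name is assumed to be read separately from the Authenticode certificate, and the placement of the startup attribute follows the page's wording rather than a verified manifest layout.

```python
import xml.etree.ElementTree as ET

NULL_TOKEN = "0000000000000000"  # token value the page reports in the weaponized manifest

# Constructed ClickOnce-style deployment manifest for offline testing. Element names
# follow common .application manifests; the strings are assumptions, not campaign data.
SAMPLE_MANIFEST = """<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" manifestVersion="1.0">
  <assemblyIdentity name="ReaderConfig.application" version="1.5.13.2"
      publicKeyToken="0000000000000000" language="neutral" processorArchitecture="msil" />
  <description asmv2:publisher="MagTek Inc." asmv2:product="Adobe Compatibility Suite" />
  <deployment install="true" />
  <startup useLegacyV2RuntimeActivationPolicy="true" />
</asmv1:assembly>
"""


def _local(name: str) -> str:
    """Strip the XML namespace from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def triage_manifest(xml_text: str, signer: str) -> list:
    """Return a list of findings for one manifest. `signer` is the subject name of
    the Authenticode certificate, assumed to be obtained with a separate tool."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        attrs = {_local(k): v for k, v in el.attrib.items()}
        if _local(el.tag) == "assemblyIdentity":
            token = attrs.get("publicKeyToken", "")
            if token in ("", NULL_TOKEN):
                findings.append(f"null/empty publicKeyToken on {attrs.get('name')}")
        if attrs.get("useLegacyV2RuntimeActivationPolicy", "").lower() == "true":
            findings.append("useLegacyV2RuntimeActivationPolicy=true")
        for key in ("product", "publisher"):   # branding vs. who actually signed it
            val = attrs.get(key)
            if val and signer.lower() not in val.lower():
                findings.append(f"brand mismatch: {key}={val!r} but signer is {signer!r}")
    return findings


if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST, "MagTek"):
        print("[!]", finding)
```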