Cyber Web Spider Blog – News

SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats

Posted on October 28, 2025 By CWS

Oct 28, 2025Ravie LakshmananCyber Espionage / Malware
A European embassy positioned within the Indian capital of New Delhi, in addition to a number of organizations in Sri Lanka, Pakistan, and Bangladesh, have emerged because the goal of a brand new marketing campaign orchestrated by a menace actor often known as SideWinder in September 2025.
The exercise “reveals a notable evolution in SideWinder’s TTPs, notably the adoption of a novel PDF and ClickOnce-based an infection chain, along with their beforehand documented Microsoft Phrase exploit vectors,” Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc stated in a report printed final week.
The assaults, which concerned sending spear-phishing emails in 4 waves from March via September 2025, are designed to drop malware households equivalent to ModuleInstaller and StealerBot to collect delicate info from compromised hosts.
Whereas ModuleInstaller serves as a downloader for next-stage payloads, together with StealerBot, the latter is a .NET implant that may launch a reverse shell, ship extra malware, and accumulate a variety of knowledge from compromised hosts, together with screenshots, keystrokes, passwords, and information.

It should be noted that both ModuleInstaller and StealerBot were first publicly documented by Kaspersky in October 2024 as part of attacks mounted by the hacking group against high-profile entities and strategic infrastructure in the Middle East and Africa.
As recently as May 2025, Acronis revealed SideWinder attacks aimed at government institutions in Sri Lanka, Bangladesh, and Pakistan that used malware-laden documents exploiting known Microsoft Office flaws to launch a multi-stage attack chain and ultimately deliver StealerBot.
The latest set of attacks, observed by Trellix after September 1, 2025, and targeting Indian embassies, involves the use of Microsoft Word and PDF documents in phishing emails with titles such as “Inter-ministerial meeting Credentials.pdf” or “India-Pakistan Conflict -Strategic and Tactical Analysis of the May 2025.docx.” The messages are sent from the domain “mod.gov.bd.pk-mail[.]org” in an attempt to mimic the Ministry of Defence of Pakistan.

“The initial infection vector is always the same: a PDF file that cannot be properly viewed by the victim or a Word document that contains some exploit,” Trellix said. “The PDF files contain a button that urges the victim to download and install the latest version of Adobe Reader to view the document’s content.”
Doing so, however, triggers the download of a ClickOnce application from a remote server (“mofa-gov-bd.filenest[.]live”), which, when launched, sideloads a malicious DLL (“DEVOBJ.dll”) while simultaneously displaying a decoy PDF document to the victim.
The ClickOnce application is a legitimate executable from MagTek Inc. (“ReaderConfiguration.exe”) that masquerades as Adobe Reader and carries a valid signature to avoid raising any red flags. Furthermore, requests to the command-and-control (C2) server are region-locked to South Asia and the path used to download the payload is dynamically generated, complicating analysis efforts.

The rogue DLL, for its part, is designed to decrypt and launch a .NET loader named ModuleInstaller, which then proceeds to profile the infected system and deliver the StealerBot malware.
The findings indicate an ongoing effort on the part of the persistent threat actor to refine its modus operandi and circumvent security defenses to accomplish its goals.
“The multi-wave phishing campaigns demonstrate the group’s adaptability in crafting highly specific lures for various diplomatic targets, indicating a sophisticated understanding of geopolitical contexts,” Trellix said. “The consistent use of custom malware, such as ModuleInstaller and StealerBot, coupled with the clever exploitation of legitimate applications for side-loading, underscores SideWinder’s commitment to sophisticated evasion techniques and espionage objectives.”
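As an added detection example (not code from the Trellix report), the following Python scores constructed image-load records for the sideloading pattern described above: a Windows-shipped DLL name such as DEVOBJ.dll loaded from a non-system path, a process spawned by the ClickOnce host, and a validly signed binary running from a user-writable folder. The sample records, the paths and the dfsvc.exe parent process are assumptions for illustration.

```python
import ntpath

# Constructed sample records (not real telemetry) using Sysmon-style field names;
# ParentImage would be joined in from the matching process-create event.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\u\\AppData\\Local\\Apps\\2.0\\XYZ\\ReaderConfiguration.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Apps\\2.0\\XYZ\\DEVOBJ.dll",
     "ParentImage": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe",
     "Signed": "true"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\devobj.dll",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Signed": "true"},
    {"Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Signed": "true"},
]

# Directories Windows ships its own DLLs from; these names loaded from anywhere else are suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Windows-shipped DLL names worth watching; DEVOBJ.dll is the one named in the report.
SYSTEM_DLLS = {"devobj.dll"}
# Assumed ClickOnce host process (dfsvc.exe); the report itself does not name it.
CLICKONCE_HOST = "dfsvc.exe"

def in_user_writable_dir(path):
    p = path.lower()
    return "\\users\\" in p or "\\appdata\\" in p or "\\temp\\" in p

def classify(event):
    """Return the list of sideloading-related findings for one image-load record."""
    findings = []
    dll_name = ntpath.basename(event["ImageLoaded"]).lower()
    if dll_name in SYSTEM_DLLS and not event["ImageLoaded"].lower().startswith(SYSTEM_DIRS):
        findings.append("system-dll-from-nonsystem-path")
    if ntpath.basename(event["ParentImage"]).lower() == CLICKONCE_HOST:
        findings.append("clickonce-launched-process")
    # A signed binary in a user-writable folder only matters together with a signal above.
    if findings and event["Signed"] == "true" and in_user_writable_dir(event["Image"]):
        findings.append("signed-binary-in-user-dir")
    return findings

def scan(events):
    # Map each flagged process image to its findings; clean records are dropped.
    return {e["Image"]: f for e in events if (f := classify(e))}
```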
