
A European embassy in New Delhi, India's capital, and multiple organizations in Sri Lanka, Pakistan, and Bangladesh emerged as targets of a new campaign attributed to the threat actor known as SideWinder in September 2025.
Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc said in a report published last week that the activity “reveals significant evolution in SideWinder’s TTPs, particularly the adoption of new PDF and ClickOnce-based infection chains in addition to the previously documented Microsoft Word exploit vector.”
The attack consisted of four separate spear phishing emails sent between March and September 2025 designed to drop malware families such as ModuleInstaller and StealerBot to collect sensitive information from compromised hosts.
ModuleInstaller acts as a downloader for next-stage payloads such as StealerBot, a .NET implant that can launch a reverse shell, distribute additional malware, and collect a wide range of data from compromised hosts, including screenshots, keystrokes, passwords, and files.

Note that ModuleInstaller and StealerBot were first publicly documented by Kaspersky in October 2024 as part of an attack by the hacker group targeting high-profile companies and strategic infrastructure in the Middle East and Africa.
Acronis disclosed SideWinder attacks targeting government agencies in Sri Lanka, Bangladesh, and Pakistan in May 2025. Those attacks used malicious documents that exploited a known flaw in Microsoft Office to initiate a multi-stage attack chain that ultimately delivered StealerBot.
The latest series of attacks targeting Indian embassies, observed by Trellix on September 1, 2025, uses Microsoft Word and PDF documents in phishing emails with titles such as “Interagency Meeting Credentials.pdf” and “India-Pakistan Conflict – Strategic and Tactical Analysis for May 2025.docx.” The messages are sent from the domain “mod.gov.bd.pk-mail[.]org” in an attempt to imitate Pakistan’s Ministry of Defense.

“The initial infection vector is always the same: a PDF file that the victim can’t properly view, or a Word document that contains some kind of exploit,” Trellix said. “The PDF file contains a button that prompts victims to download and install the latest version of Adobe Reader to view the document’s contents.”
However, doing this triggers the download of a ClickOnce application from a remote server (“mofa-gov-bd.filenest[.]live”) which, when launched, sideloads a malicious DLL (“DEVOBJ.dll”) and simultaneously opens a decoy PDF document for the victim.
The ClickOnce application is a legitimate executable file (‘ReaderConfiguration.exe’) from MagTek Inc. that pretends to be Adobe Reader and is signed with a valid signature to avoid raising red flags. Additionally, requests to the command and control (C2) server are region-locked to South Asia, and the path to download the payload is dynamically generated, complicating analysis efforts.

The malicious DLL is designed to decrypt and launch a .NET loader named ModuleInstaller, which begins profiling the infected system and delivers the StealerBot malware.
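As an added illustration, not code from Trellix or from the report, the sideloading step described above can be spotted in image-load telemetry: a DLL carrying the name of a Windows system DLL (DEVOBJ.dll normally lives in System32) but loaded from a user-writable ClickOnce deployment directory beside a signed executable. The Sysmon-style field names, the sample events and the short system-DLL list are constructed assumptions; the rule generalizes to any search-order hijack of that shape.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 (ImageLoaded) records, one JSON object per line.
# Field names are an assumption about how the logs are shipped; paths are made up.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\ABCD\\ReaderConfiguration.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\ABCD\\DEVOBJ.dll"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\devobj.dll"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\ABCD\\ReaderConfiguration.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\ABCD\\MTSCRA.dll"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c whoami"}
"""

# DLL names that normally live only in the Windows system directories.
# Constructed, deliberately short; a real deployment builds it from a clean baseline.
SYSTEM_DLL_NAMES = {"devobj.dll", "version.dll", "dwmapi.dll", "cryptbase.dll", "profapi.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# ClickOnce deploys applications under %LOCALAPPDATA%\Apps\2.0\...
CLICKONCE_MARKER = "\\appdata\\local\\apps\\2.0\\"


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect_sideloads(event_lines: str) -> list[dict]:
    """Flag loads where a DLL with a Windows system DLL name is loaded from
    outside the system directories: the DLL search-order hijack pattern."""
    findings = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 7:
            continue  # only ImageLoaded events carry the DLL path
        image, loaded = ev["Image"], ev["ImageLoaded"]
        dll_name = PureWindowsPath(loaded).name.lower()
        if dll_name in SYSTEM_DLL_NAMES and not _in_system_dir(loaded):
            findings.append({
                "process": PureWindowsPath(image).name,
                "dll_name": dll_name,
                "dll_path": loaded,
                # DLL sitting next to the EXE is the classic sideload layout.
                "same_dir": PureWindowsPath(image).parent == PureWindowsPath(loaded).parent,
                "clickonce": CLICKONCE_MARKER in image.lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_sideloads(SAMPLE_EVENTS):
        print(finding)
```

Only the first sample event is flagged: explorer.exe loading devobj.dll from System32 is normal, and the vendor's own DLL name is not on the system list.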
The findings demonstrate continued efforts on the part of persistent attackers to refine their techniques and circumvent security defenses to achieve their goals.
“The multi-wave phishing campaign demonstrates the group’s adaptability in creating highly specialized lures for a variety of diplomatic objectives, and demonstrates a sophisticated understanding of the geopolitical context,” Trellix said. “The consistent use of custom malware such as ModuleInstaller and StealerBot, as well as the sophisticated exploitation of legitimate applications for sideloading, highlights SideWinder’s commitment to sophisticated evasion techniques and espionage objectives.”
