A persistent threat actor known as SideWinder launched a new sophisticated campaign in September 2025, targeting a European embassy in New Delhi, India, alongside numerous organizations in Sri Lanka, Pakistan, and Bangladesh.
Evolving Tactics and New Vectors
Trellix researchers report a notable evolution in SideWinder's tactics, techniques, and procedures (TTPs). While the group is known for using Microsoft Word exploit vectors, this latest activity introduces a novel PDF and ClickOnce-based infection chain.
The multi-wave attacks, which span from March through September 2025, rely on highly specific spear phishing emails. These emails are designed to drop custom malware families like ModuleInstaller and StealerBot to steal sensitive information from compromised hosts.
Infection Chain and Impersonation
The latest wave of phishing emails, targeting the Indian embassy, used lures like "Inter-ministerial meeting Credentials.pdf" and "India-Pakistan Conflict -Strategic and Tactical Analysis of the May 2025.docx." The messages were sent from a domain designed to mimic the Ministry of Defense of Pakistan, "mod.gov.bd.pk-mail[.]org."
The initial infection vector remains consistent: a PDF file that cannot be viewed correctly or a Word document containing an exploit. The malicious PDF files contain a button urging the victim to download and install the latest version of Adobe Reader to view the content.
This action triggers the download of a ClickOnce application from a remote server. When launched, this application, a legitimate executable from MagTek Inc. disguised as Adobe Reader, performs a DLL side-loading attack by loading a malicious DLL named DEVOBJ.dll placed alongside it. Simultaneously, a decoy PDF document is displayed to the victim to maintain the illusion of legitimacy.
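As an added defender-side example (not code from the Trellix report), the following Python flags the side-loading step described above: a DEVOBJ.dll loaded from anywhere other than the Windows system directories, with the finding escalated when the host process runs from a ClickOnce deployment folder or the module is unsigned. The log lines are constructed in a Sysmon-like key=value form, and the legitimate devobj.dll location under System32/SysWOW64 and the ClickOnce `AppData\Local\Apps\2.0` path are assumptions about standard Windows layout, not details taken from the article.

```python
import re

# Constructed, Sysmon ImageLoad-style (Event ID 7) key=value lines; not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\devobj.dll Signed=true",
    "Image=C:\\Users\\u\\AppData\\Local\\Apps\\2.0\\XK4A\\AdobeReader.exe "
    "ImageLoaded=C:\\Users\\u\\AppData\\Local\\Apps\\2.0\\XK4A\\DEVOBJ.dll Signed=false",
    "Image=C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe ImageLoaded=C:\\Windows\\System32\\devobj.dll Signed=true",
    "Image=C:\\Windows\\SysWOW64\\explorer.exe ImageLoaded=C:\\Windows\\SysWOW64\\devobj.dll Signed=true",
]

# Assumption: the genuine devobj.dll ships only in these Windows directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: ClickOnce deploys applications under the user's AppData\Local\Apps\2.0 tree.
CLICKONCE_MARKER = "\\appdata\\local\\apps\\2.0\\"


def parse_event(line: str) -> dict:
    """Split a key=value line on whitespace that precedes a key, so paths with spaces survive."""
    parts = re.split(r"\s+(?=\w+=)", line.strip())
    return dict(p.split("=", 1) for p in parts if "=" in p)


def assess(event: dict) -> list[str]:
    """Return the reasons an ImageLoad event matches the DEVOBJ.dll side-loading pattern."""
    loaded = event.get("ImageLoaded", "").lower()
    image = event.get("Image", "").lower()
    if loaded.rsplit("\\", 1)[-1] != "devobj.dll" or loaded.startswith(SYSTEM_DIRS):
        return []  # not the DLL of interest, or the legitimate system copy
    reasons = ["devobj.dll loaded from outside the Windows system directories"]
    if CLICKONCE_MARKER in image:
        reasons.append("host process runs from a ClickOnce deployment directory")
    if event.get("Signed", "").lower() == "false":
        reasons.append("loaded module is unsigned")
    return reasons


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (host process, reasons) for every event that matches the pattern."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append((event.get("Image", ""), reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```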
Custom Spyware Deployment
The rogue DLL is responsible for decrypting and launching ModuleInstaller, a .NET loader that profiles the infected system and delivers the final payload, StealerBot.
StealerBot is a powerful .NET implant capable of launching a reverse shell, delivering additional malware, and collecting a wide range of data, including:
- Screenshots
- Keystrokes
- Passwords
- Files
The findings confirm the threat actor's continued investment in refining its methods, abusing legitimate applications to bypass security defenses and achieve its espionage objectives.