SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats

By Declan Murphy, October 28, 2025
    Oct 28, 2025Ravie LakshmananCyber Espionage / Malware

A European embassy located in the Indian capital of New Delhi, as well as several organizations in Sri Lanka, Pakistan, and Bangladesh, have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder in September 2025.

The activity "shows a notable evolution in SideWinder's TTPs, particularly the adoption of a novel PDF and ClickOnce-based infection chain, in addition to their previously documented Microsoft Word exploit vectors," Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc said in a report published last week.

The attacks, which involved sending spear-phishing emails in four waves from March through September 2025, are designed to drop malware families such as ModuleInstaller and StealerBot to gather sensitive information from compromised hosts.

While ModuleInstaller serves as a downloader for next-stage payloads, including StealerBot, the latter is a .NET implant that can launch a reverse shell, deliver additional malware, and collect a wide range of data from compromised hosts, including screenshots, keystrokes, passwords, and files.


It is worth noting that both ModuleInstaller and StealerBot were first publicly documented by Kaspersky in October 2024 as part of attacks mounted by the hacking group targeting high-profile entities and strategic infrastructure in the Middle East and Africa.

As recently as May 2025, Acronis revealed SideWinder's attacks aimed at government institutions in Sri Lanka, Bangladesh, and Pakistan using malware-laden documents that exploit known Microsoft Office flaws to launch a multi-stage attack chain and ultimately deliver StealerBot.

The latest set of attacks, observed by Trellix after September 1, 2025, and targeting Indian embassies, involves the use of Microsoft Word and PDF documents in phishing emails with titles such as "Inter-ministerial meeting Credentials.pdf" or "India-Pakistan Battle -Strategic and Tactical Analysis of the May 2025.docx." The messages are sent from the domain "mod.gov.bd.pk-mail[.]org" in an attempt to mimic the Ministry of Defence of Pakistan.

"The initial infection vector is always the same: a PDF file that cannot be properly viewed by the victim or a Word document that contains some exploit," Trellix said. "The PDF files contain a button that urges the victim to download and install the latest version of Adobe Reader to view the document's content."

Doing so, however, triggers the download of a ClickOnce application from a remote server ("mofa-gov-bd.filenest[.]live"), which, when launched, sideloads a malicious DLL ("DEVOBJ.dll") while simultaneously opening a decoy PDF document for the victim.

The ClickOnce application is a legitimate executable from MagTek Inc. ("ReaderConfiguration.exe") that masquerades as Adobe Reader and carries a valid signature to avoid raising any red flags. Furthermore, requests to the command-and-control (C2) server are region-locked to South Asia, and the path used to download the payload is dynamically generated, complicating analysis efforts.


The rogue DLL, for its part, is designed to decrypt and launch a .NET loader named ModuleInstaller, which then proceeds to profile the infected system and deliver the StealerBot malware.
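The chain described above leaves two host-side signals a defender can look for: a process started by the ClickOnce host (dfsvc.exe) out of the ClickOnce application cache, and a DLL that normally lives only under the Windows directory (devobj.dll is a genuine Windows system library) being loaded from an application folder instead. The script below is an added example written for this article, not code from Trellix or from the campaign; the event lines are constructed in a Sysmon-like key=value layout, the DLL list and path prefixes are assumptions to be extended for a real deployment, and the cache marker `\Apps\2.0\` reflects where ClickOnce stores deployed applications.

```python
import ntpath
import re

# Constructed sample telemetry (not real logs). Values contain no spaces so a
# simple Key=Value tokenizer is enough for the example.
SAMPLE_EVENTS = [
    # Benign: a Windows service loading devobj.dll from System32.
    "EventType=ImageLoad Image=C:\\Windows\\System32\\svchost.exe "
    "ImageLoaded=C:\\Windows\\System32\\devobj.dll Signed=true",
    # Suspicious: a signed vendor binary in the ClickOnce cache loading a
    # same-named DEVOBJ.dll from its own folder (the sideloading pattern).
    "EventType=ImageLoad Image=C:\\Users\\a\\AppData\\Local\\Apps\\2.0\\XYZ\\ReaderConfiguration.exe "
    "ImageLoaded=C:\\Users\\a\\AppData\\Local\\Apps\\2.0\\XYZ\\DEVOBJ.dll Signed=false",
    # ClickOnce host (dfsvc.exe) starting a deployed application.
    "EventType=ProcessCreate ParentImage=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe "
    "Image=C:\\Users\\a\\AppData\\Local\\Apps\\2.0\\XYZ\\ReaderConfiguration.exe",
]

# Hypothetical watch list: DLL names that should only ever load from the
# Windows directory. Extend with other commonly hijacked system DLL names.
SYSTEM_DLL_NAMES = {"devobj.dll"}

# Assumed trusted locations for those DLLs (compared case-insensitively).
TRUSTED_DLL_PREFIXES = ("c:\\windows\\",)

CLICKONCE_HOST = "dfsvc.exe"          # process that launches ClickOnce apps
CLICKONCE_CACHE_MARKER = "\\apps\\2.0\\"  # ClickOnce per-user application cache

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'Key=Value Key=Value' line into a dict."""
    return {k: v for k, v in KV_RE.findall(line)}


def basename(path):
    """Case-folded file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def check_sideload(ev):
    """Flag a system-named DLL loaded from outside the trusted prefixes."""
    if ev.get("EventType") != "ImageLoad":
        return None
    loaded = ev.get("ImageLoaded", "")
    if basename(loaded) not in SYSTEM_DLL_NAMES:
        return None
    if loaded.lower().startswith(TRUSTED_DLL_PREFIXES):
        return None
    return {"rule": "system_dll_from_untrusted_path",
            "process": ev.get("Image"), "dll": loaded}


def check_clickonce_launch(ev):
    """Flag a process started by dfsvc.exe out of the ClickOnce cache."""
    if ev.get("EventType") != "ProcessCreate":
        return None
    parent = basename(ev.get("ParentImage", ""))
    image = ev.get("Image", "")
    if parent == CLICKONCE_HOST and CLICKONCE_CACHE_MARKER in image.lower():
        return {"rule": "clickonce_launch", "process": image}
    return None


def analyze(lines):
    """Run every check over every event line and collect the findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_sideload, check_clickonce_launch):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Neither signal is malicious on its own: ClickOnce is widely used for legitimate line-of-business applications, and a vendor binary may ship its own copy of a DLL. Correlating the two (a dfsvc.exe child that then loads a system-named DLL from its own directory) is what makes the hit worth an analyst's time, and the sample data above is arranged so both rules fire on the same ReaderConfiguration.exe path.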

The findings indicate an ongoing effort on the part of the persistent threat actors to refine their modus operandi and circumvent security defenses to accomplish their goals.

"The multi-wave phishing campaigns demonstrate the group's adaptability in crafting highly specific lures for various diplomatic targets, indicating a sophisticated understanding of geopolitical contexts," Trellix said. "The consistent use of custom malware, such as ModuleInstaller and StealerBot, coupled with the clever exploitation of legitimate applications for side-loading, underscores SideWinder's commitment to sophisticated evasion techniques and espionage objectives."
