SideWinder's Shifting Sands: Click Once for Espionage

Free, Unbiased, and Open threat intelligence

SideWinder's Shifting Sands: Click Once for Espionage

threat Profile

HIGH

Description

Multi-wave espionage campaign by SideWinder APT group targeting governmental entities in South Asia (India, Pakistan, Bangladesh, Sri Lanka) from March to September 2025. The campaign employed novel PDF and ClickOnce-based infection chains alongside traditional Word exploit vectors to deploy ModuleInstaller and StealerBot malware. Threat actors used sophisticated evasion techniques including geofencing, polymorphism, dynamic URLs, and time-locked payload delivery. The campaign targeted diplomatic institutions and government officials with highly specific phishing lures themed around regional political events, religious ceremonies (Hajj), military appointments, and inter-ministerial meetings. Attackers leveraged legitimate MagTek Reader Configuration application for DLL sideloading, maintaining valid certificate chains to evade detection while delivering multi-stage malware payloads.

MITRE ATT&CK Techniques

T1566.001 T1204.002 T1547.001 T1053.005 T1134.001 T1087 T1574.001 T1140 T1027.008 T1027.009 T1027.013 T1027.016 T1218 T1082 T1016 T1518 T1518.001 T1083 T1012 T1652 T1005 T1119 T1560.002 T1071.001 T1573.002 T1105 T1090 T1041

Related Entities

Threat Actors

SideWinder, Rattlesnake

Malware

ModuleInstaller wdscore.dll App.dll StealerBot SystemApp.dll DEVOBJ.dll IPHelper.dll

CVEs

CVE-2017-0199

Indicators of Compromise (10)

c1093860c1e5e04412d8509ce90568713fc56a0d5993bfdb7386d8dc5e2487b6

DEVOBJ.dll - Sideloading DLL

mod-gov-bd.snagdrive.com

Fourth wave - Bangladesh Ministry of Defense

632d1e049e74e3cc34f01fa7d4b4e18e8679636eb58e38756b8ed0314a861a02

PDF - Vehicle details for VIP lounge at Hazrat Shahjalal International Airport.pdf

09b96a2426f8ddcc20aa58a72ad147d410525f1a4a42835b7ece126211537b3b

PDF - Promotion of officers in Grade I.pdf

38262ef59d32b3fb1b8c5a9e58d14c7bb347df89a28e3e9a1b8c355a3e0e31bf

App.dll - .NET loader

cadetcollege.adobeglobal.com

First wave - Bangladesh Cadet College reference

06da4a5755a81785f68caf75cca2b7a41c3aa9b4af24d2bb93964abf87343869

PDF - Induction of Weapons in CSD for Officers and JCOs.pdf

84ddd27b18b7401fd46149c60b0fff4ea0f01ba8668649dc246769784bc7a00d

PDF - APPOINTMENT AS COORDINATOR TO THE PRIME MINISTER ON RIGHT SIZING.pdf

adobe.pdf-downlod.com

Second wave - Fake Adobe Reader download

pmo-gov-pk.filenest.live

Pakistan Prime Minister Office C2

Metadata

Published

7 months ago

Views