The SideWinder hacking group has launched a new wave of targeted phishing attacks on diplomatic missions in India, Sri Lanka, Pakistan, and Bangladesh, using PDF files and ClickOnce applications to deliver the StealerBot and ModuleInstaller malware. This campaign demonstrates a significant evolution in their methods and indicates the increasing sophistication of state-sponsored cyber espionage in the region.

Trellix experts have recorded four waves of phishing emails between March and September 2025. The emails, purporting to be from the Pakistani Ministry of Defense, contained files with names such as *“Inter-ministerial meeting Credentials.pdf”* or *“India-Pakistan Conflict – Strategic and Tactical Analysis of the May 2025.docx”*.
The main goal is to infect the computers of diplomats and government employees in South Asia.
When the PDF was opened, the victim was prompted to “update Adobe Reader.” Accepting the prompt downloaded a ClickOnce application from a remote server, mofa-gov-bd.filenest[.]live. The package bundled a legitimate executable, ReaderConfiguration.exe (signed by MagTek Inc.), together with a malicious DLL, DEVOBJ.dll, which the executable loaded at startup. Once launched, it infected the system with ModuleInstaller, which in turn loaded the main StealerBot spyware module.
StealerBot is a .NET sample that:

- creates a reverse shell,
- steals passwords, files, screenshots, and keystrokes,
- downloads additional payloads for deeper penetration.
Requests to the C2 server are geo-restricted to South Asia, and the download path is generated dynamically, which complicates analysis and detection. This shows that SideWinder is actively refining its tooling, moving from older Word exploits to more elaborate infection chains. SideWinder is a well-known espionage actor that has been active since at least 2012, targeting government, military, and diplomatic organizations in Asia.
Similar attacks by the group against targets in the Middle East and Africa had already been recorded in 2024.
In May 2025, Acronis also reported SideWinder attacks against government institutions in Sri Lanka, Bangladesh, and Pakistan using Microsoft Office vulnerabilities.
Now the group has adopted a new approach built on legitimate software, valid digital signatures, and PDF files, raising the stealth of its operations. The SideWinder campaign shows espionage operations moving to the level of state-engineered attacks: legitimate components, regional C2 restrictions, and multi-stage downloaders. To defend against it, organizations should enforce control over digitally signed executables (a valid signature on the host binary does not vouch for the DLLs it loads), deploy behavioral anomaly analytics, and segment email systems, especially in diplomatic bodies.
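As an added illustration of the signature control and behavioral analytics recommended above (example code written for this article, not from Trellix or the reporting on SideWinder), the following Python flags the side-loading pattern of the infection chain, a signed executable in the ClickOnce cache loading a Windows-named DLL from its own directory, over Sysmon Event ID 7 (ImageLoaded) style records. The field names follow Sysmon; the system-DLL allowlist and the sample events are constructed for the example.

```python
"""Flag DLL side-loading like the ReaderConfiguration.exe / DEVOBJ.dll pairing
using Sysmon Event ID 7 (ImageLoaded)-style records.
Assumptions: Sysmon field names (Image, ImageLoaded, Signed, SignatureStatus);
SYSTEM_DLLS and SAMPLE_EVENTS are constructed for this example."""
from pathlib import PureWindowsPath

# Constructed allowlist: DLL names that normally live only under %WINDIR%.
SYSTEM_DLLS = {"devobj.dll", "version.dll", "cryptsp.dll", "wtsapi32.dll"}
WINDIR = PureWindowsPath(r"C:\Windows")
CLICKONCE_CACHE = "\\appdata\\local\\apps\\2.0\\"  # ClickOnce deployment cache


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    return str(path).lower().startswith(str(root).lower() + "\\")


def analyse_event(ev: dict) -> list[str]:
    """Return the reasons this image-load event looks like side-loading."""
    reasons = []
    proc = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    unsigned = (ev.get("Signed", "false").lower() != "true"
                or ev.get("SignatureStatus", "") != "Valid")
    # Rule 1: a Windows-only DLL name resolved from outside the Windows tree
    # (the application directory is searched before System32).
    if dll.name.lower() in SYSTEM_DLLS and not _under(dll, WINDIR):
        reasons.append(f"system DLL name {dll.name} loaded from {dll.parent}")
    # Rule 2: a ClickOnce-deployed process loads an unsigned DLL next to itself;
    # the host exe's own signature says nothing about this DLL.
    if CLICKONCE_CACHE in str(proc).lower() and dll.parent == proc.parent and unsigned:
        reasons.append("ClickOnce process loaded unsigned DLL from its own directory")
    return reasons


def detect_sideloads(events: list[dict]) -> list[tuple[str, list[str]]]:
    return [(ev["Image"], r) for ev in events if (r := analyse_event(ev))]


SAMPLE_EVENTS = [  # constructed
    {"Image": r"C:\Windows\explorer.exe", "Signed": "true", "SignatureStatus": "Valid",
     "ImageLoaded": r"C:\Windows\System32\devobj.dll"},
    {"Image": r"C:\Users\u\AppData\Local\Apps\2.0\ABCD\ReaderConfiguration.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Apps\2.0\ABCD\DEVOBJ.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\tool.exe", "Signed": "true",
     "SignatureStatus": "Valid", "ImageLoaded": r"C:\Program Files\Vendor\helper.dll"},
]

if __name__ == "__main__":
    for image, reasons in detect_sideloads(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```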