| Follow @EthHackingNews |
SideWinder, a notorious threat actor, has adopted a new ClickOnce-based attack chain to target high-ranking officials in South Asia. The campaign, which involved sending spear-phishing emails in four waves from March through September 2025, was designed to drop malware families such as ModuleInstaller and StealerBot onto compromised hosts. This latest campaign marks a notable evolution in the group's tactics, techniques, and procedures (TTPs), as it demonstrates a sophisticated understanding of geopolitical contexts and the ability to adapt to new environments.
The threat landscape has taken another turn for the worse, as a new campaign orchestrated by the notorious threat actor known as SideWinder has emerged, targeting high-ranking officials in South Asia. According to recent findings published by Trellix researchers, this latest campaign marks a notable evolution in the group's tactics, techniques, and procedures (TTPs), as it adopts a novel PDF and ClickOnce-based infection chain.
The attacks, which involved sending spear-phishing emails in four waves from March through September 2025, were designed to drop malware families such as ModuleInstaller and StealerBot onto compromised hosts. These malicious tools are known for their ability to gather sensitive information from infected systems, including screenshots, keystrokes, passwords, and files.
ModuleInstaller serves as a downloader for next-stage payloads, including the .NET implant StealerBot. This latter malware is capable of launching a reverse shell, delivering additional malicious software, and collecting data from compromised hosts. Both ModuleInstaller and StealerBot were first publicly documented by Kaspersky in October 2024, as part of attacks mounted by SideWinder against high-profile entities and strategic infrastructures in the Middle East and Africa.
More recently, Acronis revealed SideWinder attacks aimed at government institutions in Sri Lanka, Bangladesh, and Pakistan that used malicious documents exploiting known Microsoft Office flaws to launch a multi-stage attack chain and ultimately deliver StealerBot. The latest set of attacks, observed by Trellix after September 1, 2025, and targeting Indian embassies, uses Microsoft Word and PDF documents attached to phishing emails with titles such as "Inter-ministerial meeting Credentials.pdf" or "India-Pakistan Conflict -Strategic and Tactical Analysis of the May 2025.docx." The messages are sent from the domain "mod.gov.bd.pk-mail[.]org" in an attempt to mimic the Ministry of Defense of Pakistan.
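The sender domain quoted above ("mod.gov.bd.pk-mail[.]org") embeds a government-looking name as a prefix of an unrelated registered domain, and the download host named later in the article ("mofa-gov-bd.filenest[.]live") does the same with hyphens. The following is an added example, not code from the article or from Trellix, of a mail-gateway check that flags both forms; the protected-domain allowlist and the sample headers are constructed for the example.

```python
import re

# Constructed allowlist of domains treated as genuine government senders.
# Hypothetical: a real deployment would build this from its own contact and DMARC data.
PROTECTED_DOMAINS = {"mod.gov.bd", "mod.gov.pk", "mofa.gov.bd"}


def refang(text):
    """Turn defanged indicators such as 'pk-mail[.]org' back into real hostnames."""
    return text.replace("[.]", ".").replace("(.)", ".")


def sender_host(from_header):
    """Extract the hostname from a From: header ('Name <user@host>' or bare 'user@host')."""
    hdr = refang(from_header.strip())
    m = re.search(r"<([^>]+)>", hdr)
    addr = m.group(1) if m else hdr
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].lower().strip(".")


def classify_sender(from_header):
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a From: header."""
    host = sender_host(from_header)
    if not host:
        return "invalid"
    # Genuine: the host is the protected domain itself or a subdomain of it.
    for prot in PROTECTED_DOMAINS:
        if host == prot or host.endswith("." + prot):
            return "trusted"
    # Lookalike: the protected name appears as a run of labels but the host is not
    # under it (mod.gov.bd.pk-mail.org is registered under pk-mail.org). The second
    # pass treats hyphens as label separators to catch mofa-gov-bd.filenest.live.
    for candidate in (host, host.replace("-", ".")):
        labels = candidate.split(".")
        for prot in PROTECTED_DOMAINS:
            plabels = prot.split(".")
            n = len(plabels)
            if any(labels[i:i + n] == plabels for i in range(len(labels) - n + 1)):
                return "lookalike"
    return "external"


# Constructed sample headers, modelled on the hostnames quoted in the article.
SAMPLE_HEADERS = [
    "Ministry of Defence <press@mod.gov.bd.pk-mail[.]org>",
    "Downloads <dl@mofa-gov-bd.filenest[.]live>",
    "Protocol Desk <desk@mail.mod.gov.pk>",
    "Newsletter <news@example.com>",
    "broken header without address",
]


def triage(headers=SAMPLE_HEADERS):
    """Map each header to its verdict; used as the entry point for a batch run."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for hdr, verdict in triage().items():
        print(f"{verdict:9s} {hdr}")
```

The suffix test is deliberately applied to the unmodified hostname only, so a genuine subdomain such as mail.mod.gov.pk stays trusted while anything that merely contains the protected labels is surfaced for review rather than silently accepted.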
According to Trellix, the initial infection vector is always the same: either a PDF file that the victim cannot view properly or a Word document containing an exploit. The PDF files contain a button urging the victim to download and install the latest version of Adobe Reader to view the document's content. Clicking it instead triggers the download of a ClickOnce application from a remote server ("mofa-gov-bd.filenest[.]live") which, when launched, sideloads a malicious DLL ("DEVOBJ.dll") while opening a decoy PDF document for the victim.
The ClickOnce application is a legitimate executable from MagTek Inc. ("ReaderConfiguration.exe") that masquerades as Adobe Reader and is signed with a valid signature to avoid raising any red flags. Furthermore, requests to the command-and-control (C2) server are region-locked to South Asia and the path to download the payload is dynamically generated, complicating analysis efforts.
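The sideloading step described above (a signed, legitimate ClickOnce executable loading a DLL named DEVOBJ.dll, a name that also exists in Windows' System32) leaves a pattern endpoint telemetry can look for without relying on the C2 host. The following is an added example, not code from the article, Trellix or MagTek: it runs over constructed Sysmon-style process-create and image-load records, and the file paths, signing fields, the ClickOnce cache location under the user profile and the subset of system DLL names are assumptions made for the example.

```python
import ntpath

# Constructed path of a ClickOnce-deployed app in the per-user cache (an assumed
# layout modelled on %LOCALAPPDATA%\Apps\2.0; folder names are made up).
CLICKONCE_EXE = (r"C:\Users\alice\AppData\Local\Apps\2.0\K3PWQ1XB.ABC"
                 r"\Z5T7MNOP.DEF\read..tion_0000000000000000_0001.0000_abcdef0123456789"
                 r"\ReaderConfiguration.exe")

# Constructed Sysmon-style records: EventID 1 = process create, 7 = image load.
EVENTS = [
    {"EventID": 1, "Image": CLICKONCE_EXE,
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    {"EventID": 7, "Image": CLICKONCE_EXE,
     "ImageLoaded": ntpath.join(ntpath.dirname(CLICKONCE_EXE), "DEVOBJ.dll"),
     "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\devobj.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
]

# Constructed subset of DLL names that ship in System32; a deployment would
# generate the full list from a clean reference image instead.
SYSTEM_DLL_NAMES = {"devobj.dll", "version.dll", "cryptbase.dll", "dbghelp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_clickonce_path(path):
    return "\\appdata\\local\\apps\\2.0\\" in path.lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def clickonce_launches(events):
    """Process-create events where dfsvc.exe started an app from the ClickOnce cache."""
    return [ev["Image"] for ev in events
            if ev.get("EventID") == 1
            and ntpath.basename(ev.get("ParentImage", "")).lower() == "dfsvc.exe"
            and is_clickonce_path(ev["Image"])]


def sideload_candidates(events):
    """Image loads of a System32-named DLL from outside the system directories,
    scored by how many of the article's sideloading traits the record shows."""
    launched = {p.lower() for p in clickonce_launches(events)}
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        dll, host = ev["ImageLoaded"], ev["Image"]
        if ntpath.basename(dll).lower() not in SYSTEM_DLL_NAMES or in_system_dir(dll):
            continue  # normal load of the real system DLL, or not a shadowed name
        reasons = ["system DLL name loaded outside System32"]
        if ntpath.dirname(dll).lower() == ntpath.dirname(host).lower():
            reasons.append("DLL sits beside the host executable")
        if host.lower() in launched or is_clickonce_path(host):
            reasons.append("host is a ClickOnce application")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("DLL is unsigned")
        findings.append({"process": host, "dll": dll,
                         "score": len(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in sideload_candidates(EVENTS):
        print(f"score {f['score']}: {ntpath.basename(f['process'])} loaded {f['dll']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

The rule keys on the DLL name rather than on the host binary, because the host is a validly signed vendor executable that a signature-based allowlist would accept; the ClickOnce-cache and unsigned-DLL traits only raise the score so that a single match is still reviewed rather than auto-blocked.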
Trellix noted that "the multi-wave phishing campaigns demonstrate the group's adaptability in crafting highly specific lures for various diplomatic targets, indicating a sophisticated understanding of geopolitical contexts." They also pointed out that "the consistent use of custom malware, such as ModuleInstaller and StealerBot, coupled with the clever exploitation of legitimate applications for side-loading, underscores SideWinder's commitment to sophisticated evasion techniques and espionage objectives."
The findings suggest an ongoing effort on the part of persistent threat actors to refine their modus operandi and circumvent security defenses to accomplish their goals. The use of PDF files and ClickOnce-based infection chains marks a notable evolution in this group's tactics, as it demonstrates a sophisticated understanding of geopolitical contexts and the ability to adapt to new environments.
The campaign highlights the ongoing threat posed by SideWinder, a group known for its complex and tailored attacks against high-profile targets. The fact that the attack chain involves the use of legitimate applications and custom malware underscores the sophistication of this group's tactics and the need for security professionals to remain vigilant in the face of evolving threats.