Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats

The Hacker News by The Hacker News
October 28, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Oct 28, 2025Ravie LakshmananCyber Espionage / Malware

A European embassy located in the Indian capital of New Delhi, as well as multiple organizations in Sri Lanka, Pakistan, and Bangladesh, have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder in September 2025.

The activity “reveals a notable evolution in SideWinder’s TTPs, particularly the adoption of a novel PDF and ClickOnce-based infection chain, in addition to their previously documented Microsoft Word exploit vectors,” Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc said in a report published last week.

The attacks, which involved sending spear-phishing emails in four waves from March through September 2025, are designed to drop malware families such as ModuleInstaller and StealerBot to gather sensitive information from compromised hosts.

While ModuleInstaller serves as a downloader for next-stage payloads, including StealerBot, the latter is a .NET implant that can launch a reverse shell, deliver additional malware, and collect a wide range of data from compromised hosts, including screenshots, keystrokes, passwords, and files.

DFIR Retainer Services

It should be noted that both ModuleInstaller and StealerBot were first publicly documented by Kaspersky in October 2024 as part of attacks mounted by the hacking group targeting high-profile entities and strategic infrastructures in the Middle East and Africa.

As recently as May 2025, Acronis revealed SideWinder’s attacks aimed at government institutions in Sri Lanka, Bangladesh, and Pakistan using malware-laden documents susceptible to known Microsoft Office flaws to launch a multi-stage attack chain and ultimately deliver StealerBot.

The latest set of attacks, observed by Trellix post September 1, 2025, and targeting Indian embassies, entails the use of Microsoft Word and PDF documents in phishing emails with titles such as “Inter-ministerial meeting Credentials.pdf” or “India-Pakistan Conflict -Strategic and Tactical Analysis of the May 2025.docx.” The messages are sent from the domain “mod.gov.bd.pk-mail[.]org” in an attempt to mimic the Ministry of Defense of Pakistan.

“The initial infection vector is always the same: a PDF file that cannot be properly seen by the victim or a Word document that contains some exploit,” Trellix said. “The PDF files contain a button that urges the victim to download and install the latest version of Adobe Reader to view the document’s content.”

Doing so, however, triggers the download of a ClickOnce application from a remote server (“mofa-gov-bd.filenest[.]live”), which, when launched, sideloads a malicious DLL (“DEVOBJ.dll”), while simultaneously launching a decoy PDF document to the victims.

The ClickOnce application is a legitimate executable from MagTek Inc. (“ReaderConfiguration.exe”) that masquerades as Adobe Reader and is signed with a valid signature to avoid raising any red flags. Furthermore, requests to the command-and-control (C2) server are region-locked to South Asia and the path to download the payload is dynamically generated, complicating analysis efforts.

CIS Build Kits

The rogue DLL, for its part, is designed to decrypt and launch a .NET loader named ModuleInstaller, which then proceeds to profile the infected system and deliver the StealerBot malware.

The findings indicate an ongoing effort on the part of the persistent threat actors to refine their modus operandi and circumvent security defenses to accomplish their goals.

“The multi-wave phishing campaigns demonstrate the group’s adaptability in crafting highly specific lures for various diplomatic targets, indicating a sophisticated understanding of geopolitical contexts,” Trellix said. “The consistent use of custom malware, such as ModuleInstaller and StealerBot, coupled with the clever exploitation of legitimate applications for side-loading, underscores SideWinder’s commitment to sophisticated evasion techniques and espionage objectives.”



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Two-thirds of surveyed enterprises in EMEA report significant productivity gains from AI, finds new IBM study

Two-thirds of surveyed enterprises in EMEA report significant productivity gains from AI, finds new IBM study

Recommended.

Stocks making the biggest moves after hours: ServiceNow, IBM, Chipotle Mexican Grill and more

Stocks making the biggest moves after hours: ServiceNow, IBM, Chipotle Mexican Grill and more

July 23, 2025
Akuvox X910 Claims Red Dot Award 2026: the World’s First AI-powered Parcel Detection Smart Intercom Revolutionizes Luxury Home Access

Akuvox X910 Claims Red Dot Award 2026: the World’s First AI-powered Parcel Detection Smart Intercom Revolutionizes Luxury Home Access

April 17, 2026

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio