The SideWinder advanced persistent threat (APT) group has recently adopted a sophisticated attack strategy utilizing Microsoft’s ClickOnce deployment technology to disseminate StealerBot malware. This campaign, identified in September 2025, specifically targets diplomatic and governmental entities across South Asia, including institutions in Sri Lanka, Pakistan, Bangladesh, and diplomatic missions in India.
Evolution of Attack Techniques
Traditionally, SideWinder relied on exploiting vulnerabilities in Microsoft Word documents to infiltrate systems. However, the group has now transitioned to a more intricate infection chain involving PDF documents and ClickOnce applications. This shift aims to bypass contemporary security measures and enhance the effectiveness of their attacks.
Spear-Phishing Campaigns
The attack sequence begins with meticulously crafted spear-phishing emails tailored to regional contexts. These emails contain attachments with titles such as "Inter-ministerial meeting Credentials.pdf" and "Relieving order New Delhi.pdf", designed to appear as official documents. Upon opening these PDFs, recipients are prompted to download what seems to be an updated version of Adobe Reader. Clicking the embedded button initiates the download of a ClickOnce application from servers controlled by the attackers.
Exploitation of ClickOnce Deployment
ClickOnce is a Microsoft technology that facilitates the deployment of Windows-based applications with minimal user intervention. SideWinder exploits this framework by distributing applications that carry valid digital signatures from MagTek Inc. Rather than stealing certificates, the attackers employ DLL side-loading techniques using legitimate MagTek binaries. This method allows the malicious applications to circumvent Windows security warnings and execute without arousing suspicion.
Advanced Evasion Tactics
Security analysts from Trellix uncovered the campaign’s sophisticated evasion strategies during the fourth wave of attacks. SideWinder implemented geofencing to restrict payload delivery exclusively to IP addresses within targeted regions. This tactic effectively prevents security researchers outside South Asia from accessing live malware samples, complicating analysis efforts. Additionally, the attackers utilized dynamically generated URLs with random numeric components and time-limited payload availability, ensuring that malicious components remained accessible only during brief windows immediately following the initial compromise.
Infection Chain and Malware Deployment
Once the ClickOnce application is executed, it drops a DLL file named DEVOBJ.dll alongside an encrypted payload file with randomized extensions such as .ns5 or .1ym. The DLL decrypts the payload using the first 42 bytes of the encrypted file as the key, revealing a .NET loader (App.dll). This loader downloads ModuleInstaller from the command-and-control server, which then profiles the compromised system and retrieves configuration files, including TapiUnattend.exe—a legitimate Windows binary—and wdscore.dll. The latter is side-loaded to execute the final-stage StealerBot malware.
Adaptive Behavior to Security Software
StealerBot exhibits adaptive behavior by detecting installed antivirus products and modifying its execution path accordingly. For instance, if Avast or AVG is detected, the malware uses mshta.exe for execution; if Kaspersky is present, it employs pcalua.exe. This adaptability enhances the malware’s ability to evade detection and maintain persistence on the infected system.
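The side-loading step (TapiUnattend.exe loading wdscore.dll) and the antivirus-dependent use of mshta.exe or pcalua.exe both leave process and image-load telemetry that a defender can hunt for. The following is an added example, not code from the article or from Trellix, that runs two such rules over constructed Sysmon-style events; the paths, PIDs and the per-user ClickOnce cache folder used in the sample are hypothetical.

```python
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOLBINS = {"mshta.exe", "pcalua.exe"}  # execution proxies named in the article

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load).
# APP_DIR is a hypothetical per-user ClickOnce cache folder, not a real path.
APP_DIR = "C:\\Users\\u\\AppData\\Local\\Apps\\2.0\\Data\\"
EVENTS = [
    {"EventID": 7, "Image": APP_DIR + "TapiUnattend.exe",
     "ImageLoaded": APP_DIR + "wdscore.dll"},                 # side-load
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": APP_DIR + "TapiUnattend.exe"},             # LOLBin spawn
    {"EventID": 7, "Image": "C:\\Windows\\System32\\TapiUnattend.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wdscore.dll"},    # benign baseline
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},              # not matched
]


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return alert strings for the two behaviours described in the article."""
    alerts = []
    for e in events:
        # Rule 1: TapiUnattend.exe resolving wdscore.dll anywhere outside the
        # Windows system directories is the side-loading pattern.
        if (e["EventID"] == 7 and base(e["Image"]) == "tapiunattend.exe"
                and base(e["ImageLoaded"]) == "wdscore.dll"
                and not (in_system_dir(e["Image"])
                         and in_system_dir(e["ImageLoaded"]))):
            alerts.append(f"side-load: {e['Image']} loaded {e['ImageLoaded']}")
        # Rule 2: mshta.exe / pcalua.exe started by a parent running from a
        # user-writable location rather than under C:\Windows.
        elif (e["EventID"] == 1 and base(e["Image"]) in LOLBINS
                and not e["ParentImage"].lower().startswith("c:\\windows\\")):
            alerts.append(f"lolbin: {e['ParentImage']} spawned {base(e['Image'])}")
    return alerts


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```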
Abuse of ClickOnce Application Structure
The core strength of this infection chain lies in its exploitation of ClickOnce’s trusted application deployment framework. SideWinder weaponized the legitimate MagTek Reader Configuration application (version 1.5.13.2) by preserving its structural integrity while replacing critical components. The attackers substituted the authentic MagTek public key token (7ee65bc326f1c13a) with null values (0000000000000000) in the manifest, maintaining valid certificate chains to evade detection. The application’s branding was also modified from MagTek to Adobe Compatibility Suite, complete with an Adobe Reader icon replacement, aligning with the phishing lure’s premise.
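A manifest whose assemblyIdentity carries an all-zero publicKeyToken while the file still carries a signature block, and whose displayed publisher no longer matches the signing party, is exactly the tampering described above. The following is an added example, not code from the article or from MagTek, that audits a ClickOnce manifest for those two conditions; the manifest text is a constructed, simplified sample using the real ClickOnce XML namespaces, and the signer name is assumed to be obtained separately from the certificate.

```python
import xml.etree.ElementTree as ET

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
ASM_V2 = "urn:schemas-microsoft-com:asm.v2"
XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed, simplified deployment manifest modelled on the tampering the
# article describes (zeroed token, Adobe branding). Names are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
                xmlns="urn:schemas-microsoft-com:asm.v1"
                xmlns:asmv2="urn:schemas-microsoft-com:asm.v2">
  <assemblyIdentity name="ReaderConfig.application" version="1.5.13.2"
                    publicKeyToken="0000000000000000" language="neutral"
                    processorArchitecture="msil" />
  <description asmv2:publisher="Adobe Compatibility Suite"
               asmv2:product="Adobe Compatibility Suite" />
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo /><SignatureValue>placeholder</SignatureValue>
  </Signature>
</asmv1:assembly>
"""


def audit_manifest(xml_text, signer_name):
    """Return a list of findings for a ClickOnce manifest string.

    signer_name is the subject of the certificate that signed the manifest
    (assumed to be extracted elsewhere); it is compared with the branding.
    """
    root = ET.fromstring(xml_text)
    findings = []
    signed = root.find(f"{{{XMLDSIG}}}Signature") is not None
    for ident in root.iter(f"{{{ASM_V1}}}assemblyIdentity"):
        token = (ident.get("publicKeyToken") or "").lower()
        if token and set(token) == {"0"}:  # strong name token nulled out
            where = "signed manifest" if signed else "manifest"
            findings.append(f"null publicKeyToken for {ident.get('name')} in {where}")
    desc = root.find(f"{{{ASM_V1}}}description")
    publisher = desc.get(f"{{{ASM_V2}}}publisher", "") if desc is not None else ""
    if publisher and signer_name.lower() not in publisher.lower():
        findings.append(f"publisher '{publisher}' does not mention signer '{signer_name}'")
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST, "MagTek"):
        print(f)
```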
Decoy Documents and Persistence Mechanisms
After execution, a decoy PDF document is displayed to the victim, maintaining the illusion of legitimate document processing while the malware establishes persistence and begins data exfiltration operations in the background. The StealerBot malware is designed for comprehensive espionage operations, capable of exfiltrating sensitive information from the compromised systems.
Operational Security Measures
SideWinder’s campaign infrastructure demonstrates deliberate impersonation of government ministries to enhance social engineering effectiveness. Domains such as mofa-gov-bd[.]filenest[.]live and mod-gov-bd[.]snagdrive[.]com were used to mimic official government websites. This combination of technical sophistication and operational security reflects an adversary committed to long-term espionage objectives against strategic regional targets.
Conclusion
The SideWinder APT group's adoption of ClickOnce-based infection chains marks a significant evolution in their attack methodologies. By leveraging trusted deployment frameworks and implementing advanced evasion techniques, they have enhanced their ability to infiltrate and persist within targeted systems. This campaign underscores the necessity for organizations, particularly those in diplomatic and governmental sectors, to remain vigilant and adopt comprehensive security measures to defend against such sophisticated threats.