SideWinder’s New ClickOnce Attack Targets South Asian Diplomats
In September 2025, the SideWinder advanced persistent threat (APT) group launched a cyber-espionage campaign against diplomatic entities across South Asia, including embassies and government institutions in India, Pakistan, Bangladesh, and Sri Lanka. The campaign marks a shift in SideWinder's tradecraft: a new infection chain that uses PDF lures and Microsoft's ClickOnce deployment technology to deliver the group's custom malware.
Evolution of Attack Techniques
Historically, SideWinder has relied on exploiting vulnerabilities in Microsoft Word documents to infiltrate target systems. Recent findings by Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc reveal a shift towards malicious PDF files combined with ClickOnce applications. Because the new chain asks the victim to accept a download rather than triggering an exploit, it avoids detections tuned to malicious Office documents and does not depend on the target running unpatched software; the phishing lure is the only thing that has to succeed.
Detailed Attack Chain
The attack begins with spear-phishing emails carrying lure attachments whose file names refer to diplomatic affairs, such as Inter-ministerial meeting Credentials.pdf or India-Pakistan Conflict – Strategic and Tactical Analysis of the May 2025.docx. The emails are sent from lookalike domains that imitate government mail systems, such as mod.gov.bd.pk-mail[.]org, to lend them credibility.
When the PDF is opened it shows an Update Adobe Reader button and claims the update is required to view the content. Clicking the button downloads a ClickOnce application from an attacker-controlled domain such as mofa-gov-bd.filenest[.]live. ClickOnce is Microsoft's mechanism for installing and updating Windows applications from a URL in a single click; here it is abused as a delivery vehicle. Windows does display a ClickOnce install prompt, but a lure that has just told the user an update is necessary makes that prompt easy to click through.
The downloaded ClickOnce application poses as an Adobe Reader installer but is actually a legitimate, validly signed executable from MagTek Inc. (ReaderConfiguration.exe) that the attackers have repurposed, so the file itself raises no alarm. Alongside it sits a malicious DLL named DEVOBJ.dll, the name of a genuine Windows system library; because a DLL placed next to the executable is found before the copy in the system directory, the signed program sideloads the attacker's code. DEVOBJ.dll decrypts and launches a .NET loader called ModuleInstaller, which profiles the infected system and then delivers the StealerBot malware.
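What a mail gateway or web proxy could check before a ClickOnce .application manifest reaches a user, as an added example written for this article (Python; not code from Trellix or from the campaign): it parses the deployment manifest, extracts the host the application would be fetched from, the publisher and product it claims, the entry assembly, and whether an XML-DSig Signature block is present, then reports findings against an allowlist of deployment hosts. Both manifests in the block are constructed for illustration, the allowlisted host apps.corp.example is hypothetical, and the only detail taken from the article is the lookalike domain mofa-gov-bd.filenest[.]live (written without the defanging brackets so the URL parses).

```python
"""Triage a ClickOnce deployment manifest (.application) before a user sees it.

Added example for this article (not code from Trellix or from the campaign).
Extracts where the app would be fetched from, the publisher/product it claims,
its entry assembly and whether an XML-DSig Signature block exists, then reports
findings against an allowlist of deployment hosts.  Both manifests below are
constructed; only the host mofa-gov-bd.filenest.live is from the article.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "asmv1": "urn:schemas-microsoft-com:asm.v1",
    "asmv2": "urn:schemas-microsoft-com:asm.v2",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASMV2 = "{" + NS["asmv2"] + "}"

# Hypothetical internal ClickOnce publishing host; replace with your own.
ALLOWED_DEPLOYMENT_HOSTS = {"apps.corp.example"}


def triage_manifest(xml_text, allowed_hosts=ALLOWED_DEPLOYMENT_HOSTS):
    """Return extracted fields plus a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    findings = []

    provider = root.find("asmv2:deployment/asmv2:deploymentProvider", NS)
    codebase = provider.get("codebase") if provider is not None else None
    url = urlparse(codebase) if codebase else None
    host = url.hostname if url else None

    # publisher/product live as asm.v2-namespaced attributes on <description>.
    desc = root.find("asmv1:description", NS)
    publisher = desc.get(ASMV2 + "publisher") if desc is not None else None
    product = desc.get(ASMV2 + "product") if desc is not None else None

    entry = root.find("asmv2:dependency/asmv2:dependentAssembly/asmv2:assemblyIdentity", NS)
    entry_name = entry.get("name") if entry is not None else None

    # Presence of a Signature block only; a real gateway would verify the chain.
    signed = root.find("ds:Signature", NS) is not None

    if host is None:
        findings.append("no deploymentProvider codebase: cannot tell where the app is fetched from")
    elif host not in allowed_hosts:
        findings.append(f"deployment host {host} is not an approved ClickOnce source")
    if url is not None and url.scheme != "https":
        findings.append("deployment codebase is not served over HTTPS")
    if not signed:
        findings.append("manifest carries no XML-DSig Signature block (unsigned deployment)")
    # Brand heuristic: an 'Adobe' product that is not served from Adobe infrastructure.
    adobe_host = host is not None and (host == "adobe.com" or host.endswith(".adobe.com"))
    if product and host and "adobe" in product.lower() and not adobe_host:
        findings.append(f"product claims to be Adobe software but is served from {host}")

    return {"host": host, "publisher": publisher, "product": product,
            "entry_assembly": entry_name, "signed": signed, "findings": findings}


# Constructed manifest modelled on the chain in the article: an "Adobe Reader
# update" served from the lookalike host, whose entry assembly is the repurposed
# MagTek ReaderConfiguration.exe.  Unsigned and fetched over plain HTTP.
LURE_MANIFEST = """<asmv1:assembly manifestVersion="1.0"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2">
  <assemblyIdentity name="AdobeReaderUpdate.application" version="1.0.0.0"
    publicKeyToken="0000000000000000" language="neutral" processorArchitecture="msil"
    xmlns="urn:schemas-microsoft-com:asm.v1" />
  <description asmv2:publisher="Adobe" asmv2:product="Adobe Reader Update"
    xmlns="urn:schemas-microsoft-com:asm.v1" />
  <deployment install="true" mapFileExtensions="true">
    <deploymentProvider codebase="http://mofa-gov-bd.filenest.live/AdobeReaderUpdate.application" />
  </deployment>
  <dependency>
    <dependentAssembly dependencyType="install"
      codebase="Application Files\\ReaderConfiguration_1_0_0_0\\ReaderConfiguration.exe.manifest">
      <assemblyIdentity name="ReaderConfiguration.exe" version="1.0.0.0"
        publicKeyToken="0000000000000000" language="neutral" processorArchitecture="msil" type="win32" />
    </dependentAssembly>
  </dependency>
</asmv1:assembly>
"""

# Constructed benign manifest: approved internal host, HTTPS, Signature block present.
INTERNAL_MANIFEST = """<asmv1:assembly manifestVersion="1.0"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2">
  <description asmv2:publisher="Corp IT" asmv2:product="Expense Tool"
    xmlns="urn:schemas-microsoft-com:asm.v1" />
  <deployment install="true">
    <deploymentProvider codebase="https://apps.corp.example/ExpenseTool.application" />
  </deployment>
  <dependency>
    <dependentAssembly dependencyType="install" codebase="ExpenseTool_2_1_0_0\\ExpenseTool.exe.manifest">
      <assemblyIdentity name="ExpenseTool.exe" version="2.1.0.0" type="win32" />
    </dependentAssembly>
  </dependency>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo /></Signature>
</asmv1:assembly>
"""

if __name__ == "__main__":
    for label, text in (("lure", LURE_MANIFEST), ("internal", INTERNAL_MANIFEST)):
        report = triage_manifest(text)
        print(label, report["host"], report["entry_assembly"], "signed" if report["signed"] else "unsigned")
        for finding in report["findings"]:
            print("  -", finding)
```

The allowlist is the decision that matters; the other checks are supporting evidence. Note that detecting a Signature element is not the same as verifying it: a production gateway would validate the XML-DSig chain and compare the publisher certificate with the one your own ClickOnce deployments are signed with, since an attacker can buy a certificate and sign a manifest just as MagTek signed ReaderConfiguration.exe.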
Malware Capabilities
StealerBot is a .NET-based implant capable of executing a range of malicious activities, including:
– Establishing a reverse shell for remote command execution.
– Delivering additional malware payloads.
– Collecting sensitive data such as screenshots, keystrokes, passwords, and files from the compromised host.
Both ModuleInstaller and StealerBot were first publicly documented by Kaspersky in October 2024, highlighting their use in attacks targeting high-profile entities and strategic infrastructures in the Middle East and Africa.
Geopolitical Context and Targeting
SideWinder’s campaign demonstrates a deep understanding of regional political dynamics, crafting lures that reference ongoing diplomatic events and military analyses. The consistent use of custom malware, coupled with the exploitation of legitimate applications for side-loading, underscores SideWinder’s commitment to sophisticated evasion techniques and espionage objectives.
Mitigation Strategies
Organizations are advised to implement a multi-layered defense strategy to mitigate the risks posed by such campaigns:
– Email Security: Filter inbound mail for lookalike sender domains and for PDF attachments that link out to external downloads, and block or sandbox ClickOnce deployment files (.application, .appref-ms) at the gateway and proxy.
– User Training: Educate employees on recognizing phishing emails, and specifically that a PDF asking them to download an Adobe Reader update from an unfamiliar site is a lure.
– Application Control: Restrict ClickOnce to applications published from approved internal hosts. The ClickOnce trust-prompt policy (HKLM\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel) can be set to AuthenticodeRequired or Disabled for the Internet zone so that untrusted deployments from the web are refused rather than offered to the user, and AppLocker or WDAC can limit what runs from the ClickOnce cache to executables signed by your approved publishers. Disable ClickOnce deployment entirely where it is not operationally needed.
– Endpoint Detection: Use endpoint detection and response (EDR) to alert on DLL sideloading, in particular a DLL carrying a system library name loaded from a user-writable directory, and on processes launched from the ClickOnce application cache under %LOCALAPPDATA%\Apps\2.0.
– Patch Management: Keep all systems updated, including Microsoft Office products; this closes the Office exploit lures SideWinder used previously, although the ClickOnce chain described here needs no vulnerability to succeed.
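To make the endpoint detection item concrete, here is an added example (Python, written for this article; not Trellix's detection content) that scores Sysmon ImageLoad (Event ID 7) records for the sideloading step described above: a DLL whose name belongs in System32 loaded from somewhere else, a loading process that runs from a user-writable path or the ClickOnce cache under %LOCALAPPDATA%\Apps\2.0, and a loaded DLL that is unsigned. The events are constructed and reduced to the Sysmon field names a SIEM exposes; DEVOBJ.dll and ReaderConfiguration.exe come from the article, the user name and cache folder names are made up, and the system-DLL list is an illustrative subset.

```python
"""Score Sysmon ImageLoad (Event ID 7) records for DLL sideloading.

Added example for this article, not Trellix's rules.  The primary signal is a
DLL with a System32 name loaded from a non-system directory; once that fires,
a loader running from a user-writable path or the ClickOnce cache and an
unsigned DLL raise the score.  Events below are constructed; DEVOBJ.dll and
ReaderConfiguration.exe are the names from the article, the rest is made up.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
CLICKONCE_CACHE = "\\appdata\\local\\apps\\2.0\\"
# Illustrative subset of DLL names that legitimately live in System32 and are
# frequently abused for sideloading; build the real list from a clean baseline.
KNOWN_SYSTEM_DLLS = {"devobj.dll", "version.dll", "cryptbase.dll", "dwmapi.dll",
                     "uxtheme.dll", "wtsapi32.dll"}


def evaluate_image_load(ev):
    """Return the reasons this Event ID 7 record looks like a sideload (empty if clean)."""
    loader = ev["Image"].lower()
    loaded = ev["ImageLoaded"].lower()
    dll_name = ntpath.basename(loaded)
    dll_dir = ntpath.dirname(loaded) + "\\"
    reasons = []
    if dll_name in KNOWN_SYSTEM_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append(f"{dll_name} loaded from {ntpath.dirname(ev['ImageLoaded'])} "
                       "rather than the Windows system directory")
    # The remaining signals only matter once the primary one fires; on their own
    # they describe a great deal of legitimate software.
    if reasons:
        if any(marker in loader for marker in USER_WRITABLE_MARKERS):
            reasons.append("loading process runs from a user-writable location")
        if CLICKONCE_CACHE in loader:
            reasons.append("loading process was launched from the ClickOnce application cache")
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("loaded DLL is not signed")
    return reasons


def detect_sideloads(events):
    """Score a batch of events and return only the suspicious ones with their reasons."""
    hits = []
    for ev in events:
        reasons = evaluate_image_load(ev)
        if reasons:
            hits.append({"image": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return hits


# Constructed Event ID 7 records using Sysmon's field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\devobj.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\attache\AppData\Local\Apps\2.0\QX4L7E2M.9N0\AB3C8D4F.E21\ReaderConfiguration.exe",
     "ImageLoaded": r"C:\Users\attache\AppData\Local\Apps\2.0\QX4L7E2M.9N0\AB3C8D4F.E21\DEVOBJ.dll",
     "Signed": "false", "Signature": "-"},
    {"Image": r"C:\Program Files\Vendor\Tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\Tool.Core.dll",
     "Signed": "true", "Signature": "Vendor Inc"},
    {"Image": r"C:\Program Files\Vendor\Tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll",
     "Signed": "true", "Signature": "Vendor Inc"},
]

if __name__ == "__main__":
    for hit in detect_sideloads(SAMPLE_EVENTS):
        print(f"{hit['image']} -> {hit['dll']} ({len(hit['reasons'])} signals)")
        for reason in hit["reasons"]:
            print("  -", reason)
```

The fourth sample (version.dll beside a vendor tool in Program Files) is flagged with a single signal, which is the right outcome: plenty of legitimate software ships copies of system DLLs, so the count of stacked signals, not the bare match, is what should drive alert severity. The ClickOnce event stacks all four, which is what an analyst would expect from the ReaderConfiguration.exe and DEVOBJ.dll pairing described in the article.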
By adopting these measures, organizations can enhance their resilience against sophisticated cyber threats like those posed by the SideWinder APT group.