Sidewinder Adopts New Clickonce-based Attack Chain Targeting S...

A European embassy located in the Indian capital of New Delhi, as well as multiple organizations in Sri Lanka, Pakistan, and Bangladesh, have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder in September 2025.

The activity "reveals a notable evolution in SideWinder's TTPs, particularly the adoption of a novel PDF and ClickOnce-based infection chain, in addition to their previously documented Microsoft Word exploit vectors," Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc said in a report published last week.

The attacks, which involved sending spear-phishing emails in four waves from March through September 2025, are designed to drop malware families such as ModuleInstaller and StealerBot to gather sensitive information from compromised hosts.

While ModuleInstaller serves as a downloader for next-stage payloads, including StealerBot, the latter is a .NET implant that can launch a reverse shell, deliver additional malware, and collect a wide range of data from compromised hosts, including screenshots, keystrokes, passwords, and files.

It should be noted that both ModuleInstaller and StealerBot were first publicly documented by Kaspersky in October 2024 as part of attacks mounted by the hacking group targeting high-profile entities and strategic infrastructures in the Middle East and Africa.

As recently as May 2025, Acronis revealed SideWinder's attacks aimed at government institutions in Sri Lanka, Bangladesh, and Pakistan using malware-laden documents susceptible to known Microsoft Office flaws to launch a multi-stage attack chain and ultimately deliver StealerBot.

The latest set of attacks, observed by Trellix post September 1, 2025, and targeting Indian embassies, entails the use of Microsoft Word and PDF documents in phishing emails with titles such as "Inter-ministerial meeting Credentials.pdf" or "India-Pakistan Conflict -Strategic and Tactical Analysis of the May 2025.docx." The messages are sent from the domain "mod.gov.bd.pk-mail[.]org" in an attempt to mimic the Ministry of Defense of Pakistan.

"The initial infection vector is always the same: a PDF file that cannot be properly seen by the victim or a Word document that contains some exploit," Trellix said. "The PDF files contain a button that urges the victim to download and install the latest version of Adobe Reader to view the document's content."

Doing so, however, triggers the download of a ClickOnce application from a remote

Source: The Hacker News