Verticals Targeted: Maritime, Nuclear
Executive Summary
SideWinder, an APT group thought to be of Indian nexus, was recently observed using new TTPs and expanding their targeting to include entities in the maritime and nuclear energy sectors.
Key Takeaways
- SideWinder was recently observed using new TTPs and expanding their targeting to include entities in the maritime and nuclear energy sectors.
- The threat actors used a targeted phishing campaign to deliver StealerBot, a custom-built espionage toolkit.
- Based on SideWinder’s expanded targeting, use of new TTPs, and their ability to quickly adapt to the threat landscape, PolySwarm analysts consider SideWinder to be an evolving threat.
The Campaign
SideWinder, active since 2012, has historically targeted government, military, and diplomatic entities, predominantly in South and Southeast Asia. Recent intelligence indicates an expansion of their operational focus to include maritime and nuclear energy sectors. The group was also observed using new TTPs in this campaign. Kaspersky Securelist reported on this activity.
SideWinder’s infection chain continues to rely on spear-phishing emails as the primary vector. These campaigns deploy DOCX attachments, utilizing remote template injection to retrieve an RTF file from attacker-controlled infrastructure. The RTF exploits CVE-2017-11882, a vulnerability in Microsoft Office’s Equation Editor, to execute shellcode that deploys a modular component, dubbed “Backdoor Loader” by Kaspersky. This loader facilitates the delivery of StealerBot, a custom-built espionage toolkit designed for data exfiltration. The phishing lures are meticulously crafted, often masquerading as documents related to nuclear power infrastructure or maritime operations, aligning with the targeted entities.
Geographic and sectoral expansion is evident. In 2025, attack clusters were observed in Djibouti, followed by a shift to Egypt, with additional activity targeting nuclear-related organizations in South Asia. The group has also targeted logistics and maritime firms across Southeast Asia, alongside diplomatic targets in Afghanistan, Algeria, Bulgaria, and elsewhere. Affected countries include Bangladesh, Cambodia, Vietnam, and others, with telecommunications, IT services, and hospitality sectors also impacted. This broadening scope underscores SideWinder’s intent to compromise critical infrastructure and supply chains.
SideWinder’s recent activity also demonstrates sophistication and agility in toolset maintenance. The group actively monitors detection rates, generating updated malware variants within five hours of identification by security solutions. While StealerBot’s core functionality remains stable, the supporting loaders undergo frequent modifications to circumvent behavioral analysis and signature-based detection. Continued reliance on CVE-2017-11882 suggests a pragmatic approach, leveraging unpatched systems rather than investing in 0-day exploits.
Who is SideWinder?
SideWinder, also known as APT-C-17, Rattlesnake, and T-APT-04, is an APT group that has been active since at least 2012. While industry researchers are uncertain of their origin, the group is thought to be of Indian nexus. Verticals targeted by SideWinder include government, defense, logistics, financial, education, telecommunications, and NGOs. The group has targeted entities in multiple countries, including Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the UAE. However, their primary focus seems to be entities in Pakistan. Based on SideWinder’s expanded targeting, use of new TTPs, and their ability to quickly adapt to the threat landscape, PolySwarm analysts consider SideWinder to be an evolving threat.
IOCs
PolySwarm has multiple samples associated with this campaign.
865f5b3b1ee94d89ad9a9840f49a17d477cddfc3742c5ef78d77a6027ad1caa5
fa95fadc73e5617305a6b71f77e9d255d14402650075107f2272f131d3cf7b00
aacaf712cf67176f159657be2fbd0fce018aa03b890cb1616b146eddb1de73be
512a83f1a6c404cb0ba679c7a2f3aa782bb5e17840d31a034de233f7500a6cb9
57d761453bbc6ba9ace467f4491d7a19b9c7e097f81d9772efbcd2f43ada4dce
76daea942654d8175f642696fc758b03767db14ca5dda9994797a3f95a34294a
30735312101e60a697f161abba62ca359eed240d2e612b1ff7bed6523b28730d
5740947bb9267e1be8281edc31b3fb2d57a71d2c96a47eeeaa6482c0927aa6a4
You can use the following CLI command to search for all associated samples in our portal:
$ polyswarm link list -t SideWinder