Key Takeaways
The Campaign
SideWinder’s infection chain continues to rely on spear-phishing emails as the primary vector. These campaigns deliver DOCX attachments that use remote template injection: the document’s settings reference an external template, which Word fetches from attacker-controlled infrastructure when the file is opened, and the fetched template is an RTF file. The RTF exploits CVE-2017-11882, a memory-corruption vulnerability in Microsoft Office’s Equation Editor component (EQNEDT32.EXE), to execute shellcode that deploys a modular component, dubbed “Backdoor Loader” by Kaspersky. This loader in turn delivers StealerBot, a custom-built espionage toolkit designed for data exfiltration. The phishing lures are carefully crafted, often masquerading as documents related to nuclear power infrastructure or maritime operations, to match the targeted entities.
Geographic and sectoral expansion is evident. In 2025, attack clusters were observed in Djibouti, followed by a shift to Egypt, with additional activity targeting nuclear-related organizations in South Asia. The group has also targeted logistics and maritime firms across Southeast Asia, alongside diplomatic targets in Afghanistan, Algeria, Bulgaria, and elsewhere. Affected countries include Bangladesh, Cambodia, Vietnam, and others, with telecommunications, IT services, and hospitality sectors also impacted. This broadening scope underscores SideWinder’s intent to compromise critical infrastructure and supply chains.
SideWinder’s recent activity also demonstrates sophistication and agility in toolset maintenance. The group actively monitors detection rates and has produced updated malware variants within five hours of a sample being flagged by security solutions. While StealerBot’s core functionality remains stable, the supporting loaders are modified frequently to evade behavioral analysis and signature-based detection. The continued reliance on CVE-2017-11882, patched by Microsoft in November 2017, suggests a pragmatic approach: the group counts on targets running unpatched Office installations rather than investing in zero-day exploits.
Who is SideWinder?
SideWinder, also known as APT-C-17, Rattlesnake, and T-APT-04, is an APT group that has been active since at least 2012. While industry researchers are uncertain of its origin, the group is thought to be of Indian nexus. Verticals targeted by SideWinder include government, defense, logistics, finance, education, telecommunications, and NGOs. The group has targeted entities in multiple countries, including Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey and the UAE. However, its primary focus seems to be entities in Pakistan. Based on SideWinder’s expanded targeting, use of new TTPs, and ability to quickly adapt to the threat landscape, PolySwarm analysts consider SideWinder to be an evolving threat.
PolySwarm has multiple samples associated with this campaign.
865f5b3b1ee94d89ad9a9840f49a17d477cddfc3742c5ef78d77a6027ad1caa5
fa95fadc73e5617305a6b71f77e9d255d14402650075107f2272f131d3cf7b00
aacaf712cf67176f159657be2fbd0fce018aa03b890cb1616b146eddb1de73be
512a83f1a6c404cb0ba679c7a2f3aa782bb5e17840d31a034de233f7500a6cb9
57d761453bbc6ba9ace467f4491d7a19b9c7e097f81d9772efbcd2f43ada4dce
76daea942654d8175f642696fc758b03767db14ca5dda9994797a3f95a34294a
30735312101e60a697f161abba62ca359eed240d2e612b1ff7bed6523b28730d
5740947bb9267e1be8281edc31b3fb2d57a71d2c96a47eeeaa6482c0927aa6a4
You can use the following CLI command to search for all associated samples in our portal:
$ polyswarm link list -t SideWinder
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.