Concise Cyber

SideWinder Deploys New ClickOnce Attack Chain Against South Asian Diplomats

The cyber espionage group known as SideWinder has been identified as the orchestrator of a new campaign targeting high-value entities in South Asia. The targets include a European embassy located in New Delhi, India, as well as multiple organizations throughout Sri Lanka, Pakistan, and Bangladesh. This latest activity, which was observed through September 2025, signals a significant evolution in the threat actor’s operational playbook.

Evolution in TTPs: The ClickOnce Infection Chain

According to a recent report published by Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc, the campaign showcases “a notable evolution in SideWinder’s TTPs.” The group has adopted a novel infection chain that leverages PDF files and ClickOnce technology. This marks a tactical expansion beyond their previously documented Microsoft Word exploit vectors. The attacks were executed through highly targeted spear-phishing emails, which were dispatched in four distinct waves over a seven-month period from March through September 2025. This methodical approach underscores the group’s persistence and strategic focus on its diplomatic and organizational targets.
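The report summarised above gives the delivery vector (a PDF lure leading to a ClickOnce launch) but not a detection recipe. The hunt below is an added example written for this page, not code from Trellix or the original article: it walks constructed Sysmon-style process-creation records and flags ClickOnce activity whose process ancestry includes a document viewer. The ClickOnce artefacts it keys on (`.application`/`.appref-ms` manifests, the `rundll32.exe dfshim.dll,ShOpenVerbApplication` shell handler and the `dfsvc.exe` deployment service) are general Windows behaviour, not details taken from the report; the viewer list, the field names and the sample log lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# ClickOnce runtime artefacts on Windows (general knowledge, not from the page):
#  - deployment manifests end in .application or .appref-ms
#  - the shell handler is: rundll32.exe dfshim.dll,ShOpenVerbApplication <url>
#  - the deployment service that then runs the manifest is dfsvc.exe
CLICKONCE_RE = re.compile(
    r"(\.application\b|\.appref-ms\b|dfshim\.dll,ShOpenVerbApplication)", re.IGNORECASE
)
CLICKONCE_IMAGE = "dfsvc.exe"
# Viewers a PDF lure would be opened in; assumed list for this example.
DOC_VIEWERS = {"acrord32.exe", "acrobat.exe", "foxitpdfreader.exe", "msedge.exe", "chrome.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str        # executable basename, lower case
    cmdline: str
    parent_pid: int


_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed Sysmon-style process-creation line written as key=value pairs."""
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return ProcEvent(
        pid=int(kv["ProcessId"]),
        image=kv["Image"].rsplit("\\", 1)[-1].lower(),
        cmdline=kv.get("CommandLine", ""),
        parent_pid=int(kv["ParentProcessId"]),
    )


def is_clickonce(ev: ProcEvent) -> bool:
    """True if the event is the ClickOnce service itself or a ClickOnce launch command."""
    return ev.image == CLICKONCE_IMAGE or bool(CLICKONCE_RE.search(ev.cmdline))


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 5) -> List[str]:
    """Follow parent links upward (PID reuse is ignored here) and return ancestor images."""
    chain: List[str] = []
    cur = by_pid.get(ev.parent_pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur.image)
        cur = by_pid.get(cur.parent_pid)
    return chain


def hunt(lines: List[str]) -> List[dict]:
    """Return one alert per ClickOnce-related event; severity is high when a document
    viewer sits anywhere in the ancestry (the PDF-to-ClickOnce pattern), low otherwise."""
    events = [parse_event(l) for l in lines if l.strip()]
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if not is_clickonce(ev):
            continue
        lineage = ancestry(ev, by_pid)
        viewer = next((a for a in lineage if a in DOC_VIEWERS), None)
        alerts.append({
            "pid": ev.pid,
            "image": ev.image,
            "lineage": lineage,
            "severity": "high" if viewer else "low",
            "reason": f"ClickOnce launch beneath {viewer}" if viewer else "ClickOnce launch",
        })
    return alerts


# Constructed sample log: a PDF opened in Acrobat Reader triggers the ClickOnce handler
# (pids 4200 -> 4300 -> 4400); pid 4500 is an unrelated dfsvc.exe started from the shell.
SAMPLE_LOG = [
    r'ProcessId=4100 Image=C:\Windows\explorer.exe CommandLine=explorer.exe ParentProcessId=1',
    r'ProcessId=4200 Image="C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe" CommandLine="AcroRd32.exe C:\Users\u\Downloads\Invitation.pdf" ParentProcessId=4100',
    r'ProcessId=4300 Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe dfshim.dll,ShOpenVerbApplication http://example.invalid/update.application" ParentProcessId=4200',
    r'ProcessId=4400 Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe CommandLine=dfsvc.exe ParentProcessId=4300',
    r'ProcessId=4500 Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe CommandLine=dfsvc.exe ParentProcessId=4100',
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Run against real telemetry, the same logic applies to Sysmon EventID 1 or Windows Security 4688 records once the parser is swapped for the real field layout; the low-severity branch keeps legitimate ClickOnce deployments (internal line-of-business apps launched from the shell) visible for baselining without paging anyone.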

Dual-Malware Payload for Information Gathering

The ultimate goal of the campaign is to infiltrate target networks and exfiltrate sensitive data. To achieve this, SideWinder uses a multi-stage infection process. The chain that begins with the spear-phishing emails drops two primary malware families: ModuleInstaller and StealerBot. ModuleInstaller serves as a downloader, responsible for fetching and executing next-stage payloads. The main payload is StealerBot, a versatile .NET implant: it can establish a reverse shell for remote command execution and is also designed to deliver additional malicious modules, enabling comprehensive information gathering from infected systems.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other persons’ work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
