A threat actor known as SideWinder is once again in the spotlight after launching a targeted cyber campaign against high-level government institutions across Sri Lanka, Bangladesh, and Pakistan. According to new findings by Acronis, the attacks used carefully crafted spear-phishing emails combined with geofenced payloads—ensuring only victims from specific countries received the malicious content. This latest wave of SideWinder cyberattacks in South Asia is believed to have begun earlier this year and reflects a strategic effort to infiltrate sensitive government departments.
Among the identified targets are Bangladesh’s Ministry of Defence and Telecommunication Regulatory Commission, Pakistan’s Directorate of Indigenous Technical Development, and Sri Lanka’s Ministry of Defence and Central Bank.
The infection chain kicks off when victims open a malicious email attachment—typically an RTF file embedded with a remote code execution exploit. These files take advantage of years-old Microsoft Office vulnerabilities (CVE-2017-0199 and CVE-2017-11882), which remain viable entry points for attackers when left unpatched.
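A defender-side triage heuristic for the RTF stage described above, added here as an example and not taken from Acronis or the report: it flags the two well-known structural artefacts of documents that abuse these bugs, an OLE link object marked for automatic update and an embedded Equation Editor object, including the case where the class name is hidden inside the hex-encoded object stream. The indicator names and all sample documents are constructed for the example.

```python
from __future__ import annotations
import re

# Indicator keys: well-known artefacts of the two Office bugs named above (triage signals, not proof).
INDICATORS = {
    "ole2link_autoupdate": "OLE link object marked for automatic update (CVE-2017-0199 pattern)",
    "equation_editor_object": "embedded Equation Editor object, class Equation.3 (CVE-2017-11882 pattern)",
    "objdata_decode_error": "\\objdata stream is not clean hex (corruption or obfuscation)",
}

OBJDATA_RE = re.compile(rb"\\objdata\b([0-9a-fA-F\s]*)")

def _decode_objdata(blob: bytes) -> bytes | None:
    """Strip the whitespace RTF allows inside hex runs and decode to raw OLE1 bytes."""
    hexdigits = re.sub(rb"\s+", b"", blob)
    if not hexdigits or len(hexdigits) % 2:
        return None
    return bytes.fromhex(hexdigits.decode("ascii"))

def scan_rtf(data: bytes) -> list[str]:
    """Return the sorted indicator keys present in an RTF attachment."""
    hits = set()
    # CVE-2017-0199 documents carry a linked object that Word refreshes on open.
    if re.search(rb"\\objautlink|\\objupdate", data):
        hits.add("ole2link_autoupdate")
    # The Equation Editor class name may be given in clear text ...
    if re.search(rb"\\objclass\s*Equation\.3", data):
        hits.add("equation_editor_object")
    # ... or only inside the hex-encoded OLE1 stream, so decode every \objdata run.
    for match in OBJDATA_RE.finditer(data):
        decoded = _decode_objdata(match.group(1))
        if decoded is None:
            hits.add("objdata_decode_error")
        elif b"Equation.3" in decoded:
            hits.add("equation_editor_object")
    return sorted(hits)

# Constructed samples (not real captures): a benign document, an auto-updating OLE link, and
# an Equation Editor object whose class name sits only inside the hex stream, split across a line break.
BENIGN_RTF = rb"{\rtf1\ansi{\fonttbl\f0 Arial;}\f0 Quarterly budget summary.\par}"
OLE2LINK_RTF = rb"{\rtf1{\object\objautlink\objupdate{\*\objdata 0105000002000000}}}"
EQUATION_RTF = (
    rb"{\rtf1{\object\objemb{\*\objdata 01050000020000000b000000"  # OLE1 header, class name length 11
    + "Equation.3".encode().hex().encode()
    + b"00\n0000000000000000}}}"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF), ("ole2link", OLE2LINK_RTF), ("equation", EQUATION_RTF)):
        print(f"{name:9s} {scan_rtf(sample)}")
```

Any hit on a real attachment is a reason to detonate it in a sandbox or inspect the embedded object with a tool such as rtfobj, not a verdict on its own.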
Once executed, the exploit delivers a secondary payload via DLL side-loading—a known evasion tactic—eventually installing a malware strain dubbed StealerBot. This .NET-based implant collects a wide range of sensitive information, from keystrokes and screenshots to stored passwords and files. It can also drop more malware and establish reverse shell access, effectively giving SideWinder full remote control over infected systems.
A standout tactic in this campaign is SideWinder’s use of geofenced payload delivery. If the recipient’s IP address does not fall within the attacker’s regional targeting filters, the decoy file appears empty, so the document looks benign to anyone outside the targeted region and SideWinder avoids drawing the attention of researchers and defenders. This level of operational discipline showcases the group’s focus on maintaining stealth and minimizing exposure.
These cyberattacks closely mirror another SideWinder campaign reported by Kaspersky in March 2025. Both operations show the group’s continued reliance on stealthy delivery mechanisms and outdated—but still effective—Office-based exploits.
Acronis researchers noted that SideWinder maintains a steady operational rhythm without long breaks, a sign of strong organizational backing and ongoing mission continuity. “There’s a high degree of control and precision here,” the report said. “These payloads are highly tailored and often disappear after a short period—making forensic tracing difficult.”
With advanced targeting techniques, selective delivery, and persistent malware deployment, SideWinder is reinforcing its role as one of the most active and precise threat actors operating in South Asia today. The group’s continued exploitation of old vulnerabilities also serves as a reminder of the critical need for patch management in government systems.