SideWinder, a known hacking group, has launched a new cyber campaign targeting diplomats and government organizations across South Asia. Security experts from the Trellix Advanced Research Center uncovered this operation and revealed that the group is now using PDF files and ClickOnce installers to spread malware. This shows how SideWinder continues to evolve its techniques to stay ahead of security defenses.

The attackers sent fake emails that looked official and included malicious PDF attachments. These PDFs appeared trustworthy and even contained a button that said “Download latest Adobe Reader.” When someone clicked the button, it secretly launched a ClickOnce installer from the attackers’ servers, which then downloaded harmful programs onto the victim’s system.

Researchers linked this campaign to SideWinder with strong evidence. They identified two key malware tools used in the attack: one called ModuleInstaller, which downloaded additional payloads, and another named StealerBot, which acted as the final spy tool. Together, these tools allowed the attackers to steal information and control infected systems remotely.

To make detection harder, the hackers used several smart tricks. They set up their servers to only deliver malware to people in specific countries, making analysis difficult. Each victim received unique URLs and file hashes, preventing easy tracking. The attackers also hid their malware behind legitimate-looking, digitally signed files to avoid suspicion.

The phishing documents were carefully designed to look real and relevant. Some used topics like official notices, defense updates, or travel-related forms, depending on the target. These fake documents made it easier to convince victims from diplomatic and government sectors to click the links.

The campaign ran in several waves during 2025, showing continuous targeting efforts. Victims included a European embassy in New Delhi and government offices in Pakistan, Bangladesh, and Sri Lanka. Each wave used the same infection method but improved it slightly to make it more effective and harder to detect.

This attack is dangerous because it uses trusted-looking files and legitimate Microsoft tools like ClickOnce. Many users assume PDF documents and system updates are safe, which helps attackers trick their targets. The goal was clearly to spy on sensitive communications and gather confidential information.

Experts advise users and organizations to be extra cautious with unexpected email attachments. Avoid clicking on “update” buttons inside documents and always download updates directly from official websites. IT teams should also monitor for strange ClickOnce activities, side-loaded DLLs, and suspicious connections to unknown servers. Strengthening email security and employee awareness remains the best defense against such targeted attacks.
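One concrete check that follows from this advice, added here as an example and not taken from the Trellix report or the original post: scan a PDF's raw bytes for link actions whose target is a ClickOnce deployment manifest (`.application` or `.appref-ms`), which is how the "Download latest Adobe Reader" button described above would hand off to the installer. The sample PDF bytes and the domain in it are constructed placeholders.

```python
import re

# PDF URI action: "/URI" followed by a literal string in parentheses.
# Handles backslash-escaped characters inside the literal.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# File extensions used by ClickOnce deployment manifests and shortcuts.
CLICKONCE_SUFFIXES = (".application", ".appref-ms")


def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI action target found as a literal string in the PDF."""
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        # Collapse PDF escapes such as \( \) \\ into the bare character.
        raw = re.sub(rb"\\(.)", rb"\1", match.group(1))
        uris.append(raw.decode("latin-1"))
    return uris


def flag_clickonce_links(pdf_bytes: bytes) -> list:
    """Return the URIs whose path component ends in a ClickOnce extension."""
    flagged = []
    for uri in extract_uris(pdf_bytes):
        # Strip query string and fragment so per-victim tracking IDs
        # (the campaign used unique URLs) do not hide the extension.
        path = uri.split("?", 1)[0].split("#", 1)[0].lower()
        if path.endswith(CLICKONCE_SUFFIXES):
            flagged.append(uri)
    return flagged


# Constructed sample: two link annotations, one pointing at a ClickOnce
# manifest on a placeholder domain and one at a benign vendor page.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 140]
/A << /S /URI /URI (https://update.example.invalid/reader/Setup.application?id=7f3a) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link
/A << /S /URI /URI (https://get.adobe.com/reader/) >> >> endobj
%%EOF
"""

if __name__ == "__main__":
    for uri in flag_clickonce_links(SAMPLE_PDF):
        print("ClickOnce link found in PDF:", uri)
```

This only inspects uncompressed literal strings; PDFs that pack annotations into object streams or use hex-encoded strings need a full parser before the same check is applied.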

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news