
SideWinder Uses ClickOnce to Target South Asian Diplomatic Entities via MagTek ReaderConfiguration.exe Sideloading Attack Chain

  • Rescana
  • Oct 28
  • 5 min read

Executive Summary

The SideWinder advanced persistent threat (APT) group has recently demonstrated a significant evolution in its cyber-espionage operations, targeting South Asian diplomatic and governmental entities with a novel attack chain leveraging the ClickOnce deployment technology. This campaign, active throughout 2024 and into 2025, marks a departure from SideWinder’s traditional reliance on Microsoft Office exploits, instead utilizing malicious PDF lures that direct victims to download and execute a ClickOnce application. The infection chain abuses legitimate, signed binaries—most notably MagTek’s ReaderConfiguration.exe—to sideload custom malware, including the ModuleInstaller loader and the StealerBot information stealer. The campaign’s sophistication is underscored by its use of geofencing, dynamic infrastructure, and session-specific payloads, all designed to evade detection and maximize operational security. This report provides a comprehensive technical analysis of the attack chain, the threat actor’s profile, observed exploitation in the wild, victimology, and actionable mitigation strategies.

Threat Actor Profile

SideWinder, also tracked as Rattlesnake and T-APT-04, is a prolific APT group with a well-documented history of targeting military, diplomatic, and government organizations across South Asia. The group is believed to be motivated by geopolitical intelligence gathering, with a focus on India, Pakistan, Bangladesh, Sri Lanka, and related diplomatic missions. SideWinder is known for its rapid adaptation of new TTPs (tactics, techniques, and procedures), frequent use of spear-phishing, and the development of custom malware families. The group’s infrastructure is characterized by the use of ephemeral domains, geofenced payload delivery, and the abuse of legitimate software for defense evasion. SideWinder’s campaigns are notable for their operational security, including the use of valid code-signing certificates and session-specific malware builds, making attribution and detection particularly challenging.

Technical Analysis of Malware/TTPs

The latest SideWinder campaign introduces a multi-stage attack chain that begins with highly targeted spear-phishing emails. These emails contain malicious PDF attachments with themes relevant to diplomatic and governmental operations, such as “Inter-ministerial meeting Credentials.pdf” and “Hajj training 2025.pdf.” The PDFs are weaponized with embedded links or buttons that prompt the recipient to “download the latest Adobe Reader.” When clicked, the victim is redirected to an attacker-controlled domain, such as mofa-gov-bd.filenest[.]live or hajjtraining2025[.]moragovt[.]net, where a ClickOnce application is offered for download.

The ClickOnce application is a repackaged version of MagTek’s ReaderConfiguration.exe (version 1.5.13.2), a legitimate and digitally signed binary. The attackers rebrand this executable as “Adobe Compatibility Suite” and sign it with a valid certificate, allowing it to bypass many endpoint security controls. Upon execution, the application sideloads a malicious DEVOBJ.dll into its process space. This DLL acts as a loader, decrypting and executing the next-stage payload, ModuleInstaller, a custom .NET-based loader.

ModuleInstaller performs extensive system profiling, collecting information about the host environment, network configuration, and user privileges. It then establishes contact with a command-and-control (C2) server, using session-specific URLs and manifests to download additional payloads. The primary payload delivered in this campaign is StealerBot, a .NET implant with capabilities for reverse shell access, additional malware delivery, and comprehensive data exfiltration. StealerBot is capable of capturing screenshots, logging keystrokes, harvesting credentials, and exfiltrating files of interest.

The infection chain further abuses legitimate binaries such as TapiUnattend.exe for additional DLL sideloading, increasing persistence and complicating forensic analysis. The attackers employ geofencing to restrict payload delivery to IP addresses originating from South Asia, and use time-locked payloads and dynamic infrastructure to limit the window of opportunity for detection and analysis. Each victim receives a unique ClickOnce manifest and component hash, further complicating signature-based detection.

Exploitation in the Wild

The SideWinder ClickOnce-based campaign has been observed targeting a range of diplomatic and governmental organizations across South Asia. Confirmed victims include embassies in New Delhi, government ministries in Sri Lanka, Pakistan, and Bangladesh, and other entities involved in regional security and policy. The attackers’ use of spear-phishing emails with highly relevant lures has resulted in successful initial access in multiple cases. The campaign’s infrastructure is highly dynamic, with domains such as cadetcollege[.]adobeglobal[.]com, pimec-paknavy[.]updates-installer[.]store, and cabinet-gov-pk[.]dytt888[.]net being registered and abandoned in rapid succession.

In several instances, the attackers have also leveraged the well-known CVE-2017-0199 vulnerability in Microsoft Office to deliver malicious documents in parallel with the ClickOnce-based infection chain. This dual-pronged approach increases the likelihood of successful compromise, particularly in environments with heterogeneous software deployments. The use of valid code-signing certificates and legitimate binaries has enabled the attackers to evade many traditional security controls, resulting in successful data exfiltration and persistent access in targeted environments.

Victimology and Targeting

The primary targets of this campaign are diplomatic missions, government ministries, and military organizations in India, Pakistan, Bangladesh, and Sri Lanka. The attackers have demonstrated a deep understanding of regional political dynamics, crafting lures that reference ongoing diplomatic events, military transfers, and inter-ministerial meetings. The sender domains used in the spear-phishing emails closely mimic legitimate government addresses, such as mod.gov.bd.pk-mail[.]org, increasing the likelihood of successful social engineering. The campaign’s geofencing measures indicate a deliberate focus on South Asian targets, with payloads being selectively delivered based on the victim’s IP address. There is evidence to suggest that the attackers have also targeted embassies of non-regional countries located in New Delhi, further underscoring the campaign’s geopolitical focus.

Mitigation and Countermeasures

Organizations are strongly advised to implement a multi-layered defense strategy to mitigate the risks posed by this campaign. All network traffic to and from the identified malicious domains, including mofa-gov-bd.filenest[.]live, hajjtraining2025[.]moragovt[.]net, cadetcollege[.]adobeglobal[.]com, pimec-paknavy[.]updates-installer[.]store, cabinet-gov-pk[.]dytt888[.]net, www-treasury-gov-lk[.]snagdrive[.]com, and mod.gov.bd.pk-mail[.]org, should be blocked and closely monitored. Security teams should restrict the execution of ClickOnce applications from untrusted or unknown sources, and consider disabling ClickOnce deployment where operationally feasible.

Endpoint detection and response (EDR) solutions should be configured to alert on suspicious DLL sideloading activity, particularly involving MagTek’s ReaderConfiguration.exe and TapiUnattend.exe. All systems should be updated and patched to address known vulnerabilities, including CVE-2017-0199 in Microsoft Office. User awareness training should emphasize the risks associated with opening unsolicited email attachments and executing software from untrusted sources, even when the software appears to be digitally signed or branded as a legitimate application.

Security operations centers should monitor for the presence of the following malicious files: ReaderConfiguration.exe (rebranded and repackaged), DEVOBJ.dll (malicious loader), ModuleInstaller (custom .NET loader), StealerBot (custom .NET implant), TapiUnattend.exe (used for sideloading), wdscore.dll, and IPHelper.dll (malware components). Because ReaderConfiguration.exe and TapiUnattend.exe are legitimate, signed binaries, detections should key on where they execute from and which DLLs they load rather than on the file name alone. Any detection of these files or related network activity should be treated as a high-priority incident.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our platform leverages advanced threat intelligence, continuous monitoring, and automated workflows to empower security teams with actionable insights and proactive defense capabilities. For more information about how Rescana can help your organization strengthen its cyber resilience, we are happy to answer questions at ops@rescana.com.