
"The activity 'reveals a notable evolution in SideWinder's TTPs, particularly the adoption of a novel PDF and ClickOnce-based infection chain, in addition to their previously documented Microsoft Word exploit vectors,' Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc said in a report published last week. The attacks, which involved sending spear-phishing emails in four waves from March through September 2025, are designed to drop malware families such as ModuleInstaller and StealerBot to gather sensitive information from compromised hosts."
"While ModuleInstaller serves as a downloader for next-stage payloads, including StealerBot, the latter is a .NET implant that can launch a reverse shell, deliver additional malware, and collect a wide range of data from compromised hosts, including screenshots, keystrokes, passwords, and files. It should be noted that both ModuleInstaller and StealerBot were first publicly documented by Kaspersky in October 2024 as part of attacks mounted by the hacking group targeting high-profile entities and strategic infrastructures in the Middle East and Africa."
SideWinder targeted a European embassy in New Delhi and organizations in Sri Lanka, Pakistan, and Bangladesh with spear-phishing emails sent in four waves from March through September 2025. The actor adopted a novel PDF and ClickOnce-based infection chain alongside its earlier Microsoft Word exploit vectors. The campaigns delivered ModuleInstaller, a downloader for next-stage payloads, and StealerBot, a .NET implant capable of launching a reverse shell, delivering additional payloads, and stealing a wide range of data, including screenshots, keystrokes, passwords, and files. ModuleInstaller and StealerBot were first publicly documented in October 2024, and related attacks were observed against regional government institutions earlier in 2025.
Read at The Hacker News