
A European embassy in New Delhi and several organizations across Sri Lanka, Pakistan, and Bangladesh have been hit by a new wave of cyberattacks orchestrated by the threat actor SideWinder. The campaign, which began in March 2025 and continued through September 2025, reflects a major evolution in the group’s tactics, techniques, and procedures (TTPs), according to cybersecurity firm Trellix.
The report by Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc highlights that the latest activity “reveals a notable evolution in SideWinder’s TTPs, particularly the adoption of a novel PDF and ClickOnce-based infection chain, in addition to their previously documented Microsoft Word exploit vectors.”
The cyber offensive relied on spear-phishing emails sent in four waves, delivering malware strains such as ModuleInstaller and StealerBot, designed to steal sensitive data and infiltrate targeted networks. ModuleInstaller operates as a downloader for next-stage payloads, while StealerBot—a .NET-based implant—is capable of executing reverse shells, installing additional malware, and exfiltrating screenshots, keystrokes, passwords, and documents from infected machines.
These two malware families were first disclosed by Kaspersky in October 2024, linked to attacks targeting high-value entities and critical infrastructure in the Middle East and Africa. More recently, in May 2025, Acronis identified SideWinder campaigns targeting government agencies in Sri Lanka, Bangladesh, and Pakistan, exploiting Microsoft Office vulnerabilities to deliver StealerBot.
In the latest phase, observed after September 1, 2025, the attackers focused on the Indian diplomatic network, distributing phishing emails containing malicious Word and PDF attachments with bait titles like “Inter-ministerial meeting Credentials.pdf” and “India-Pakistan Conflict – Strategic and Tactical Analysis of the May 2025.docx.” The emails were spoofed to appear from a Pakistani Ministry of Defense domain (“mod.gov.bd.pk-mail[.]org”).
Trellix explained that “the initial infection vector is always the same: a PDF file that cannot be properly seen by the victim or a Word document that contains some exploit.” Victims are urged to download a fake Adobe Reader update, which actually triggers a ClickOnce application download from “mofa-gov-bd.filenest[.]live.” This legitimate executable from MagTek Inc., disguised as Adobe Reader, sideloads a malicious DLL (“DEVOBJ.dll”) while displaying a decoy document to avoid suspicion.
This DLL decrypts and executes the ModuleInstaller loader, which then installs StealerBot and communicates with region-restricted command-and-control (C2) servers.
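The side-loading step described above is the point in the chain a defender can most easily observe: a DLL carrying a Windows system library name (here DEVOBJ.dll) is loaded from a user-writable directory by an executable that itself runs out of the ClickOnce application cache. The following is an added example, not code from Trellix or from the report; it runs a simple triage rule over constructed image-load records shaped like Sysmon Event ID 7 fields. The process name `adobe_reader_update.exe`, the user path, and the signer strings are constructed placeholders, and the `%LOCALAPPDATA%\Apps\2.0` location is the standard ClickOnce deployment cache rather than an indicator from the report.

```python
"""Triage rule: flag a system DLL name side-loaded from a non-system path.

Added example. The records below are constructed in the shape of Sysmon
Event ID 7 (ImageLoaded) fields; they are not telemetry from the report.
"""
from __future__ import annotations

from dataclasses import dataclass

# DLL basenames that belong in the Windows system directories. DEVOBJ.dll is
# the name given in the Trellix report; extend the set for a real watchlist.
WATCHED_DLLS = {"devobj.dll"}

# Legitimate locations for the DLLs above (compared case-insensitively).
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")

# ClickOnce deploys applications under this per-user cache directory.
CLICKONCE_CACHE_MARKER = "/appdata/local/apps/2.0/"


@dataclass
class ImageLoad:
    process: str        # Sysmon "Image": the process doing the loading
    image_loaded: str   # Sysmon "ImageLoaded": the DLL that was mapped
    signed: bool        # Sysmon "Signed"
    signer: str         # Sysmon "Signature"


def normalise(path: str) -> str:
    """Lower-case a Windows path and use forward slashes so prefix checks are simple."""
    return path.replace("\\", "/").lower()


def assess(ev: ImageLoad) -> list[str]:
    """Return the reasons an image-load record looks like DLL side-loading (empty if none)."""
    reasons: list[str] = []
    dll = normalise(ev.image_loaded)
    name = dll.rsplit("/", 1)[-1]
    if name in WATCHED_DLLS:
        if not dll.startswith(SYSTEM_DIRS):
            reasons.append(f"{name} loaded from non-system path {ev.image_loaded}")
        if not ev.signed:
            reasons.append(f"{name} is unsigned")
    if CLICKONCE_CACHE_MARKER in normalise(ev.process):
        reasons.append("loading process runs from the ClickOnce application cache")
    return reasons


def scan(events: list[ImageLoad]) -> list[tuple[str, list[str]]]:
    """Return (process, reasons) for every record that triggers at least one reason."""
    findings = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            findings.append((ev.process, reasons))
    return findings


# Constructed sample records: one benign system load, one side-load from the
# ClickOnce cache, one ordinary application loading its own (unwatched) DLL.
SAMPLE_EVENTS = [
    ImageLoad(
        process=r"C:\Windows\System32\svchost.exe",
        image_loaded=r"C:\Windows\System32\devobj.dll",
        signed=True,
        signer="Microsoft Windows",
    ),
    ImageLoad(
        process=r"C:\Users\victim\AppData\Local\Apps\2.0\ABCD1234\adobe_reader_update.exe",
        image_loaded=r"C:\Users\victim\AppData\Local\Apps\2.0\ABCD1234\DEVOBJ.dll",
        signed=False,
        signer="",
    ),
    ImageLoad(
        process=r"C:\Program Files\ExampleApp\example.exe",
        image_loaded=r"C:\Program Files\ExampleApp\helper.dll",
        signed=True,
        signer="Example Vendor (placeholder)",
    ),
]


if __name__ == "__main__":
    for process, reasons in scan(SAMPLE_EVENTS):
        print(process)
        for reason in reasons:
            print("  -", reason)
```

Only the second record is reported, with all three reasons. The rule deliberately keys on the DLL name and load path rather than on the hash of any particular sample, so it still fires when the same legitimate, signed host executable is paired with a different malicious DLL build; the cost is that any software legitimately shipping a private copy of a watched DLL must be added to an allow-list.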
Trellix concluded that “the multi-wave phishing campaigns demonstrate the group’s adaptability in crafting highly specific lures for various diplomatic targets, indicating a sophisticated understanding of geopolitical contexts. The consistent use of custom malware, such as ModuleInstaller and StealerBot, coupled with the clever exploitation of legitimate applications for side-loading, underscores SideWinder’s commitment to sophisticated evasion techniques and espionage objectives.”