\n<\/p>\n
High-level government institutions in Sri Lanka, Bangladesh, and Pakistan have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder.<\/p>\n
“The attackers used spear phishing emails paired with geofenced payloads to ensure that only victims in specific countries received the malicious content,” Acronis researchers Santiago Pontiroli, Jozsef Gegeny, and Prakas Thevendaran said in a report shared with The Hacker News.<\/p>\n
The attack chains leverage spear-phishing lures as a starting point to activate the infection process and deploy a known malware referred to as StealerBot. It’s worth pointing out that the modus operandi is consistent with recent SideWinder attacks documented by Kaspersky in March 2025.<\/p>\n
<\/p>\n
Some of the targets of the campaign, per Acronis, include Bangladesh’s Telecommunication Regulatory Commission, Ministry of Defence, and Ministry of Finance; Pakistan’s Directorate of Indigenous Technical Development; and Sri Lanka’s Department of External Resources, Department of Treasury Operations, Ministry of Defence, and Central Bank.<\/p>\n
The attacks are characterized by the use of years-old remote code execution flaws in Microsoft Office (CVE-2017-0199 and CVE-2017-11882) as initial vectors to deploy malware capable of maintaining persistent access in government environments across South Asia.<\/p>\n
<\/p>\n
The malicious documents, when opened, trigger an exploit for CVE-2017-0199 to deliver next-stage payloads that are responsible for installing StealerBot by means of DLL side-loading techniques.<\/p>\n
One noteworthy tactic adopted by SideWinder is that the spear-phishing emails are coupled with geofenced payloads to ensure that only victims meeting the targeting criteria are served the malicious content. In the event the victim’s IP address does not match, an empty RTF file is sent instead as a decoy.<\/p>\n
The malicious payload is an RTF file that weaponizes CVE-2017-11882, a memory corruption vulnerability in the Equation Editor, to launch a shellcode-based loader that runs the StealerBot malware.<\/p>\n
<\/p>\n
StealerBot, according to Kaspersky, is a .NET implant that’s engineered to drop additional malware, launch a reverse shell, and collect a wide range of data from compromised hosts, including screenshots, keystrokes, passwords, and files.<\/p>\n
“SideWinder has demonstrated consistent activity over time, maintaining a steady pace of operations without prolonged inactivity \u2014 a pattern that reflects organizational continuity and sustained intent,” the researchers said.<\/p>\n
“A closer analysis of their tactics, techniques, and procedures (TTPs) reveals a high degree of control and precision, ensuring that malicious payloads are delivered only to carefully selected targets, and often only for a limited time.”<\/p>\n
Found this article interesting? Follow us on Twitter _\uf099_ and LinkedIn to read more exclusive content we post.\n<\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware Update ID THN:90459831F00E9055F260B7933321B29F Type thn…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,28,12,15,13,7,11,43,5],"class_list":["post-5303","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n
South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=5303\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware Update ID THN:90459831F00E9055F260B7933321B29F Type thn...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=5303\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-20T10:33:50+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5303#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5303\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware\",\"datePublished\":\"2025-05-20T10:33:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5303\"},\"wordCount\":546,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.8\",\"exploit\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"thn\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5303#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5303\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5303\",\"name\":\"South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-20T10:33:50+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5303#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5303\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5303#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=5303","og_locale":"en_US","og_type":"article","og_title":"South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware - zero redgem","og_description":"Security Update News Update Information Title South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware Update ID THN:90459831F00E9055F260B7933321B29F Type thn...","og_url":"https:\/\/zero.redgem.net\/?p=5303","og_site_name":"zero redgem","article_published_time":"2025-05-20T10:33:50+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=5303#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=5303"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware","datePublished":"2025-05-20T10:33:50+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=5303"},"wordCount":546,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.8","exploit","HIGH","news","Security","tapic","thn","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=5303#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=5303","url":"https:\/\/zero.redgem.net\/?p=5303","name":"South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-20T10:33:50+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=5303#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=5303"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=5303#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5303"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5303\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}