Trellix Advanced Research Center (ARC) has exposed a sophisticated espionage campaign conducted by the SideWinder APT group, targeting multiple South Asian diplomatic entities — including embassies and government institutions from India, Pakistan, Bangladesh, and Sri Lanka. The campaign represents a major tactical shift for the threat actor, featuring a novel PDF and ClickOnce-based infection chain designed to bypass traditional defenses and deliver custom malware for intelligence collection.
According to Trellix, “Our investigation reveals a notable evolution in SideWinder’s TTPs, particularly the adoption of a novel PDF and ClickOnce-based infection chain, in addition to their previously documented Microsoft Word exploit vectors.”
The espionage campaign was first detected in September 2025, when Trellix analysts observed a phishing wave targeting a European embassy in New Delhi. Further investigation uncovered a series of operations extending across South Asia, affecting government bodies and defense institutions in Sri Lanka, Pakistan, and Bangladesh.
Trellix reported that “the phishing campaign occurred in multiple waves during 2025, each featuring unique themes designed for specific diplomatic targets from different countries in Asia.” These lures distributed two of SideWinder’s signature espionage tools — ModuleInstaller and StealerBot — through fake PDF and Word documents masquerading as official communications.

Trellix’s timeline reveals four major phishing waves spanning from March to September 2025:
- March–April: Documents titled “Hajj Training 2025.pdf” and “Integrated Hajj Medical Team 2025.pdf” targeted Bangladeshi institutions, encouraging victims to “download the latest Adobe Reader version” from malicious domains such as hajjtraining2025[.]moragovt[.]net and cadetcollege[.]adobeglobal[.]com.
- April–August: A second wave hit Pakistani diplomats, using decoy documents such as “Induction of Weapons in CSD for Officers and JCOs.pdf” and “Appointment as Coordinator to the Prime Minister on Right Sizing.pdf.” These delivered exploits for CVE-2017-0199 and were hosted on pimec-paknavy[.]updates-installer[.]store.
- June–September: The third phase targeted Sri Lankan defense authorities with PDFs like “Annual Transfers of Officers in the Joint Services 2026.pdf”.
- September: The final wave focused on foreign diplomats in India, with files titled “Inter-ministerial meeting Credentials.pdf” and “Relieving order New Delhi.pdf”, distributed from spoofed Pakistani defense domains such as mod-gov-bd[.]snagdrive[.]com and mofa-gov-bd[.]filenest[.]live.
The most innovative aspect of SideWinder’s latest campaign is its PDF-based delivery mechanism, which integrates with a ClickOnce application to deploy the malware payload.
Each PDF lure contains a fake “Update Adobe Reader” button. When clicked, it downloads a signed ClickOnce application from a command-and-control (C2) domain such as mofa-gov-bd[.]filenest[.]live.
“Once the victim clicks the button, a ClickOnce application is downloaded from the CnC server,” Trellix explained. “When executed, it will download and execute the following stages. Every request to the CnC is geographically blocked, and the path is dynamically generated, which significantly complicates the analysis of samples.”
The attackers abused a legitimate digital signature from MagTek Inc., not by stealing certificates, but through DLL side-loading. They rebranded MagTek’s Reader Configuration utility as “Adobe Compatibility Suite”, replacing its original icon and configuration files with malicious components while keeping the digital signature valid.
Trellix highlighted, “The attackers replaced the authentic MagTek public key token with null values while maintaining valid certificate chains to avoid immediate detection.”
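One way a defender can triage a ClickOnce deployment manifest for the tampering described above (an all-zero or missing publicKeyToken, and a displayed product/publisher name that does not match the signing certificate's subject). This is an added example, not code from Trellix or SideWinder; the manifest below is constructed and simplified, and the issuerKeyHash is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified ClickOnce .application manifest modelled on the
# report's description: product rebranded, tokens nulled, signer left intact.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" manifestVersion="1.0">
  <assemblyIdentity name="Adobe Compatibility Suite.application" version="1.0.0.1"
      publicKeyToken="0000000000000000" language="neutral"
      processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1"/>
  <description asmv2:publisher="Adobe Compatibility Suite"
      asmv2:product="Adobe Compatibility Suite"/>
  <dependency>
    <dependentAssembly dependencyType="install" codebase="ReaderConfig.exe.manifest">
      <assemblyIdentity name="ReaderConfig.exe" version="1.0.0.1" type="win32"/>
    </dependentAssembly>
  </dependency>
  <publisherIdentity name="CN=MagTek Inc., O=MagTek Inc., C=US"
      issuerKeyHash="PLACEHOLDER_ISSUER_KEY_HASH"/>
</asmv1:assembly>"""

def _local(tag):
    # strip the XML namespace so asm.v1 and asm.v2 elements compare by name
    return tag.rsplit("}", 1)[-1]

def check_manifest(xml_text):
    root = ET.fromstring(xml_text)
    findings, publisher_cn, shown_publisher = [], None, None
    for el in root.iter():
        name = _local(el.tag)
        if name == "assemblyIdentity":
            token = el.get("publicKeyToken")
            ident = el.get("name", "?")
            if token is None:
                findings.append((ident, "publicKeyToken missing"))
            elif set(token.lower()) <= {"0"}:
                findings.append((ident, "publicKeyToken is all zeros"))
        elif name == "publisherIdentity":
            publisher_cn = el.get("name")
        elif name == "description":
            for attr, val in el.attrib.items():
                if _local(attr) == "publisher":
                    shown_publisher = val
    # signer organisation (from the certificate subject) absent from the
    # name the user will see in the install prompt is a rebranding signal
    org = (publisher_cn or "").split("CN=")[-1].split(",")[0].strip()
    if org and shown_publisher and org.lower() not in shown_publisher.lower():
        findings.append((shown_publisher, f"displayed publisher differs from signer '{org}'"))
    return {"findings": findings, "signer": publisher_cn}
```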
After execution, the ClickOnce app installs a malicious DLL (DEVOBJ.dll) that decrypts an encrypted payload file using a 42-byte XOR key. The decrypted module (App.dll) acts as a .NET loader, downloading the next stage from the C2 server — the ModuleInstaller malware.
ModuleInstaller then fetches a configuration file listing several components, including:
- wdscore.dll (main stealer module)
- TapiUnattend.exe (legitimate binary used for DLL hijacking)
- IPHelper.dll (proxy and network plugin)
The stealer, dubbed StealerBot, exfiltrates sensitive system data, credentials, and network information. It employs persistence mechanisms under directories like %appdata%\fastlanes and mimics legitimate application behavior with decoy PDFs, such as “Public–Private Partnership Bill.pdf”, to avoid suspicion.
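The host-side behaviours listed above (TapiUnattend.exe and DEVOBJ.dll/wdscore.dll loaded from outside the Windows system directories, and activity under %appdata%\fastlanes) can be turned into simple detection rules. This is an added example, not Trellix's or SideWinder's code; the event records are constructed, and the ClickOnce install path used in them is an assumption about where such applications typically unpack.

```python
import re

# Names taken from the report; all three are also names of legitimate Windows
# binaries, which is exactly why running them from a user-writable path matters.
WATCHED = {"tapiunattend.exe", "wdscore.dll", "devobj.dll"}
SYSTEM_DIRS = (r"c:\windows\system32\\", r"c:\windows\syswow64\\")
PERSIST_DIR = re.compile(r"\\appdata\\roaming\\fastlanes\\", re.I)

# Constructed events: (event_type, acting_process_image, target_path)
EVENTS = [
    ("ImageLoad", r"C:\Windows\System32\TapiUnattend.exe",
     r"C:\Windows\System32\tapi32.dll"),                       # benign baseline
    ("ImageLoad", r"C:\Users\u\AppData\Roaming\fastlanes\TapiUnattend.exe",
     r"C:\Users\u\AppData\Roaming\fastlanes\wdscore.dll"),    # hijack + persistence dir
    ("ImageLoad", r"C:\Users\u\AppData\Local\Apps\2.0\ABCD\AdobeCompatibilitySuite.exe",
     r"C:\Users\u\AppData\Local\Apps\2.0\ABCD\DEVOBJ.dll"),   # side-loaded DLL
    ("FileCreate", r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     r"C:\Users\u\Downloads\Decoy Bill.pdf"),                 # ordinary PDF open
]

def _in_system_dir(path):
    return path.lower().replace("\\\\", "\\").startswith(tuple(s.replace("\\\\", "\\") for s in SYSTEM_DIRS))

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyse(events):
    """Return (rule, process, target) tuples for events matching the campaign's traits."""
    alerts = []
    for kind, image, target in events:
        if PERSIST_DIR.search(image) or PERSIST_DIR.search(target):
            alerts.append(("persistence_dir", image, target))
        # a system-binary name executing outside System32/SysWOW64
        if _basename(image) in WATCHED and not _in_system_dir(image):
            alerts.append(("relocated_system_binary", image, target))
        # a system-DLL name loaded from a non-system (user-writable) location
        if kind == "ImageLoad" and _basename(target) in WATCHED and not _in_system_dir(target):
            alerts.append(("sideloaded_system_dll", image, target))
    return alerts
```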
Trellix’s infrastructure analysis reveals extensive OPSEC measures employed by SideWinder to frustrate researchers and evade detection.
The group uses geofencing, ensuring that payloads are only delivered to victims in South Asia — while researchers elsewhere receive blank 404 pages. URLs are dynamically generated for each victim session, and payloads exist only for brief windows before being taken offline.
The report explains, “All HTTPS requests for second-stage payloads were restricted by geolocation. If the requesting IP was not from the intended target region, the server would respond with 404 content.”
Trellix confidently attributes this campaign to the SideWinder APT, a threat group long associated with espionage in South Asia.
“The targeted institutions belong to the public administration of countries such as Sri Lanka, Pakistan, and Bangladesh — all of which are frequently in SideWinder’s crosshairs due to existing geopolitical tensions in the region,” Trellix stated.
The reuse of infrastructure (updates-installer[.]store) and consistent use of proprietary tools like ModuleInstaller and StealerBot align with the group’s historic patterns.
Trellix concluded, “The structure of the phishing emails, the themes of the lures, and the use of CVE-2017-0199 and fake Adobe Reader updates are tactics that SideWinder has consistently leveraged to achieve initial compromise.”