SideWinder
SideWinder is a prolific, assessed Indian state-linked APT group operating since at least 2012, conducting intelligence-driven cyber espionage against government, military, diplomatic, maritime, and nuclear targets across South Asia, the Middle East, Southeast Asia, and Africa. The group is distinguished by its aggressive operational tempo, rapid post-detection retooling, and exclusive use of private implants — particularly StealerBot — that continue to evolve through confirmed campaigns into late 2025.
Overview
SideWinder is one of the most operationally persistent APT groups tracked in the South Asian threat landscape. Active since at least 2012, the group was publicly named by Kaspersky in April 2018 and has since been extensively documented by Kaspersky, BlackBerry, Trellix, Acronis, Group-IB, Zscaler, and others. Attribution to India is assessed based on geopolitical targeting patterns, infrastructure behaviors, and the consistent focus on adversaries of Indian strategic interest — particularly Pakistan, China, Nepal, and Sri Lanka — though formal confirmation from any government has not been issued.
The group's operational tempo is notably high. Kaspersky logged more than 1,000 SideWinder intrusions in an 18-month window ending in 2022, and the group has since broadened its victimology significantly. By 2024, SideWinder was simultaneously running campaigns across Africa, Austria, Southeast Asia, and the Mediterranean basin. Kaspersky researchers described the group as "a highly advanced and dangerous adversary," citing its consistent ability to retool implants within hours of detection and maintain persistence even after many defenders believe remediation is complete.
A defining characteristic of SideWinder is its reliance on well-aged but reliably effective vulnerabilities — particularly CVE-2017-11882 and CVE-2017-0199 in Microsoft Office — paired with private, custom post-exploitation tooling that is not shared with other groups. The primary implant, StealerBot, first documented in 2024, is used exclusively by SideWinder and continues to be refined. The group's infrastructure spans more than 400 live domains at any given time, supported by hundreds of subdomains functioning as download servers, C2 nodes, and phishing portals.
In 2025, the group adopted a new ClickOnce and PDF-based infection chain alongside its established Word exploit vectors, targeting South Asian diplomatic entities with lures referencing the May 2025 India-Pakistan conflict. Confirmed campaigns through late 2025 include multi-wave spear-phishing operations against diplomatic missions in Bangladesh, Pakistan, Sri Lanka, and a European embassy in New Delhi. Researchers at ITSEC Asia also confirmed SideWinder had extended operations into Thailand and Indonesia by early 2026, suggesting continued geographic expansion.
Target Profile
SideWinder's targeting is intelligence-driven and geopolitically scoped. The group prioritizes entities of strategic relevance to Indian national security interests, with expanding sectoral focus since 2022.
- Military and Defense: Defense ministries, armed forces email systems, and military logistical networks — especially within Pakistan, Nepal, Sri Lanka, and Bangladesh — have been consistent targets since 2012. Lure documents frequently impersonate official military correspondence, including personnel transfer notices and defense procurement documents.
- Government and Diplomatic Entities: Foreign affairs departments and diplomatic missions across South Asia, the Middle East, and Africa. In 2024, SideWinder targeted diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda. The 2025 campaign wave targeted a European embassy in New Delhi using phishing domains mimicking Pakistan's Ministry of Defense.
- Maritime Infrastructure: Port authorities, logistics operators, and maritime facilities in the Indian Ocean and Mediterranean Sea emerged as a primary target category from 2024 onward. BlackBerry documented campaigns targeting ports in Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. Kaspersky noted a further shift toward Egyptian targets following earlier Djibouti-focused activity.
- Nuclear Energy Sector: Nuclear power plants and nuclear energy agencies in South Asia and Africa have been targeted since 2024, with lure documents referencing nuclear facilities specifically crafted to match institutional contexts. This represents a significant sectoral escalation from historical military and government focus.
- Financial Institutions and Central Banks: Central banks and financial sector entities across South and East Asia were documented as targets during the 2021 campaign wave, which covered Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka.
- Telecommunications and IT Services: Consulting firms, IT service companies, and telecom operators have appeared in SideWinder's target set alongside primary government and critical infrastructure targets, particularly during geographic expansion phases.
Tactics, Techniques & Procedures
SideWinder's TTP set is characterized by low-cost initial access using legacy vulnerabilities, followed by sophisticated multi-stage loaders and memory-resident implants. The group responds rapidly to detection — observed to modify and redeploy malware variants within five hours of tool exposure. C2 infrastructure rotates without rebuilding payloads, as configuration data including C2 server addresses is derived dynamically at runtime.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Spear-Phishing Attachment | Primary initial access vector. Geo-fenced, regionally tailored phishing emails deliver weaponized DOCX, RTF, and PDF attachments crafted to match institutional contexts of specific targets. |
| T1203 | Exploitation for Client Execution | Exploits CVE-2017-11882 (Microsoft Office Equation Editor) and CVE-2017-0199 (remote template injection) as primary execution triggers. CVE-2025-2783 documented in 2025-era campaigns. Consistent reliance on older but unpatched vulnerabilities in target environments. |
| T1574.002 | DLL Side-Loading | Legitimate signed binaries such as TapiUnattend.exe and MagTek ReaderConfiguration.exe are used to sideload malicious DLLs (wdscore.dll, DEVOBJ.dll), exploiting Windows signature verification gaps for ClickOnce-delivered components. |
| T1055 | Process Injection | WarHawk backdoor employs KernelCallBackTable injection for kernel-level payload execution. StealerBot is loaded entirely in memory to avoid disk-based detection. |
| T1027 | Obfuscated Files or Information | Multi-stage loaders use obfuscated JavaScript and .NET code. StealerBot's Backdoor Loader variants employ Control Flow Flattening extensively and enhanced anti-analysis routines. Payloads XOR-encrypted using file-derived keys. |
| T1071.001 | Web Protocols (C2) | HTTPS-encrypted C2 communications over rotating infrastructure. C2 addresses derived dynamically at runtime, enabling full infrastructure rotation without payload rebuilds. Telegram also observed as an exfiltration channel. |
| T1053.005 | Scheduled Task / Job | Persistence established through scheduled tasks and Windows service registration. Autostart scripts and UAC bypass techniques round out the persistence mechanism set. |
| T1555 | Credentials from Password Stores | StealerBot targets RDP credentials, Windows credential stores, and browser-stored data using advanced hooking and token-grabbing plugins. Access to adjacent systems is pursued following initial credential theft. |
| T1113 | Screen Capture | StealerBot includes a screenshot capture plugin. Combined with keylogging, this supports sustained surveillance of high-value targets without requiring additional tooling. |
| T1036 | Masquerading | Backdoor Loader variants distributed under filenames mimicking legitimate Windows components (JetCfg.dll, policymanager.dll, winmm.dll, xmllite.dll, UxTheme.dll). Phishing domains crafted to impersonate official government entities such as Pakistan's Ministry of Defense. |
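The remote template injection vector in the table (T1566.001 delivering a document that pulls its payload over CVE-2017-0199-style external relationships) can be triaged statically, because the fetch is declared inside the document's OOXML relationship parts. The scanner below is an added example written for this page; it is not SideWinder tooling and not code from Kaspersky, Trellix or any other vendor cited here. It flags any `attachedTemplate` or `oleObject` relationship marked `TargetMode="External"`, builds a constructed sample document in memory to exercise itself, and uses a placeholder template URL.

```python
"""Scan a Word document for external (remote) template and OLE object
relationships, the remote template injection vector listed in the TTP table.
Added example for triage; not SideWinder tooling and not any vendor's code.
The sample document is constructed in memory and its template URL is a
placeholder."""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import List, Optional, Tuple

# Fixed OOXML namespace and relationship type URIs.
PKG_REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SUSPECT_TYPES = {
    OFFICE_REL + "attachedTemplate",  # remote template injection
    OFFICE_REL + "oleObject",         # linked OLE object fetched from a URL
}


def find_external_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_part, relationship_type, target) for every relationship that
    is marked TargetMode="External" and is of a type Word fetches on open.
    Plain hyperlinks are external too but are not followed automatically, so
    they are not reported."""
    hits: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(PKG_REL_NS + "Relationship"):
                rel_type = rel.get("Type", "")
                if rel_type in SUSPECT_TYPES and rel.get("TargetMode") == "External":
                    hits.append((name, rel_type.rsplit("/", 1)[-1], rel.get("Target", "")))
    return hits


def build_docx(template_target: Optional[str], external: bool = True) -> bytes:
    """Construct a minimal .docx in memory for testing. Only the parts the
    scanner inspects are populated; a real document carries many more."""
    rels = [f'<Relationships xmlns="{PKG_REL_NS[1:-1]}">']
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rels.append(f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
                    f'Target="{template_target}"{mode}/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: template pulled from a placeholder host on open.
    suspicious = build_docx("http://template-host.invalid/tariff_guide.dotx")
    clean = build_docx("C:\\Templates\\Normal.dotm", external=False)
    print("suspicious:", find_external_relationships(suspicious))
    print("clean:", find_external_relationships(clean))
```

Run it over a mail-gateway quarantine or a sandbox's dropped-file directory; a non-empty result on an inbound document from an unknown sender is worth a block before the user ever opens it, since the fetch happens at open time regardless of macro settings.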
SideWinder has been observed modifying and redeploying altered malware variants within five hours of a tool being publicly exposed. Behavioral detections that trigger response typically result in changed persistence file paths, renamed components, and updated loader configurations — not operational pauses.
Known Campaigns
Confirmed or highly attributed operations linked to SideWinder based on public threat intelligence reporting.
A systematic, multi-month campaign targeting more than 60 government, military, central bank, and media entities across Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka. Documented by Group-IB, the operation revealed previously undescribed tools and the breadth of SideWinder's infrastructure at the time.
BlackBerry documented spear-phishing campaigns targeting port authorities and maritime logistics operators in Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. Lure documents referenced port procedures and maritime infrastructure. The RTF delivery chain exploited CVE-2017-11882 to execute multi-stage JavaScript loaders, with the end goal assessed as intelligence gathering against strategic shipping infrastructure.
Kaspersky documented a significant expansion of SideWinder's targeting in H2 2024, adding nuclear power plants and energy agencies in South Asia and Africa alongside continued maritime targeting. Countries affected included Austria, Bangladesh, Cambodia, Djibouti, Egypt, Indonesia, Mozambique, Myanmar, Nepal, Pakistan, Philippines, Sri Lanka, UAE, and Vietnam. The StealerBot implant was deployed via updated Backdoor Loader variants featuring enhanced anti-analysis and Control Flow Flattening. Diplomatic targets were also hit across Algeria, Bulgaria, India, Rwanda, Saudi Arabia, Turkey, and Uganda.
Acronis Threat Research Unit uncovered a campaign targeting high-level government institutions in Sri Lanka, Bangladesh, and Pakistan. Geo-fenced payloads ensured only victims in specified countries received malicious content. Shellcode-based loaders replaced the previously observed mshta.exe abuse pattern, with server-side polymorphism used for detection evasion. Lures included fabricated customs and military documents, including one impersonating the Sri Lanka Customs National Imports Tariff Guide 2025.
Trellix documented four phishing waves from March through September 2025 targeting diplomatic entities in Bangladesh, Pakistan, Sri Lanka, and a European embassy in New Delhi. A novel ClickOnce and PDF-based infection chain was introduced alongside the established Word exploit vectors, with PDF lures presenting a fake Adobe Reader update button that triggered ClickOnce application downloads. The MagTek ReaderConfiguration.exe binary was abused for DLL sideloading to deliver ModuleInstaller and ultimately StealerBot. Phishing domains impersonated Pakistan's Ministry of Defense. Later waves used lures referencing the May 2025 India-Pakistan conflict.
ITSEC Asia researchers documented SideWinder (tracked as RagaSerpent) extending operations into Thailand from late 2025 and Indonesia from early 2026. The campaigns maintained the group's characteristic staged payload delivery and Windows service-based persistence, with C2 addresses derived dynamically at runtime. Careful operational scoping — including malware configurations that avoid interacting with certain network segments — indicated deliberate targeting rather than broad opportunistic compromise.
Tools & Malware
SideWinder maintains a private toolset not shared with other threat actors. The group continuously develops new loader iterations while keeping core implants stable, and adapts component filenames and paths rapidly in response to detection.
- StealerBot: The group's primary post-exploitation implant, first documented by Kaspersky in October 2024 and used exclusively by SideWinder. A modular .NET toolkit loaded entirely in memory, StealerBot supports keystroke logging, screenshot capture, credential harvesting from RDP and browsers, reverse shell capability, secondary payload delivery, and data exfiltration. Its plugin architecture allows operators to extend functionality without changing the core binary.
- Backdoor Loader (ModuleInstaller): A multi-stage .NET downloader that serves as the delivery mechanism for StealerBot. Distributed under varied filenames including JetCfg.dll, policymanager.dll, winmm.dll, xmllite.dll, dcntel.dll, and UxTheme.dll. Recent variants feature enhanced anti-analysis code and extensive Control Flow Flattening. The loader reads an XOR-encrypted payload, decrypts it using the file's first 21 bytes as the key, and executes the resulting SystemApp.dll in memory.
- WarHawk Backdoor: A custom backdoor documented by Zscaler targeting Pakistan, designed to deliver Cobalt Strike as its final payload. Features KernelCallBackTable injection for kernel-level code execution, Pakistan Standard Time zone checks to validate victim environment, and dedicated modules for download-and-execute, command execution, and file exfiltration. Disguises itself as legitimate system applications.
- Obfuscated JavaScript Loaders: Intermediate-stage shellcode loaders executed via mshta.exe or through ClickOnce application sideloading. Geo-fencing logic is incorporated at this stage to verify that the compromised system is a legitimate target before proceeding with further payload delivery.
- Infrastructure (400+ domains): A large, actively managed network of domains and subdomains functioning as phishing portals, C2 servers, and download hosts. Infrastructure is rotated regularly, with C2 addresses embedded dynamically rather than hardcoded, allowing full rotation without payload rebuilds.
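The Backdoor Loader entry above describes a payload XOR-encrypted with the file's own first 21 bytes as the key. The helper below is an added analyst example for recovering such a payload for inspection; it is not SideWinder's loader and not any vendor's tool. Two details are assumptions not stated on the page: that the 21-byte key prefix is followed directly by the ciphertext, and that the key repeats cyclically over the body. The sample blob is constructed from a fake PE header rather than a real payload.

```python
"""Recover a payload from the XOR scheme described for the Backdoor Loader,
where the key is the payload file's first 21 bytes. Added triage example, not
SideWinder's loader and not any vendor's tool. Assumptions not stated on the
page: the key prefix is followed directly by the ciphertext, and the key
repeats cyclically. The sample blob is constructed, not a real payload."""
from typing import Dict

KEY_LEN = 21  # key length reported on the page


def xor_cyclic(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_prefixed_payload(blob: bytes, key_len: int = KEY_LEN) -> bytes:
    """Split off the key prefix and XOR-decrypt the remainder."""
    if len(blob) <= key_len:
        raise ValueError("blob shorter than key prefix")
    return xor_cyclic(blob[key_len:], blob[:key_len])


def looks_like_pe(data: bytes) -> bool:
    """Plausibility check on the result: DOS 'MZ' stub and a 'PE\\0\\0'
    signature at the e_lfanew offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(blob: bytes) -> Dict[str, object]:
    """Decrypt and report whether the output has a PE-shaped header, which is
    what an analyst expects given the page says the result is a DLL."""
    plain = decrypt_prefixed_payload(blob)
    return {"key": blob[:KEY_LEN], "pe_like": looks_like_pe(plain), "payload": plain}


def build_sample_blob(plaintext: bytes, key: bytes) -> bytes:
    """Construct a test blob in the assumed layout: key prefix + XOR body."""
    assert len(key) == KEY_LEN
    return key + xor_cyclic(plaintext, key)


# Constructed stand-in for a DLL: MZ stub, e_lfanew = 0x40, 'PE\0\0' at 0x40.
FAKE_PE = (b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")
           + b"PE\0\0" + b"constructed-fake-body")
SAMPLE_KEY = bytes(range(0x41, 0x41 + KEY_LEN))  # 'A'..'U', constructed
SAMPLE_BLOB = build_sample_blob(FAKE_PE, SAMPLE_KEY)

if __name__ == "__main__":
    report = triage(SAMPLE_BLOB)
    print("pe_like:", report["pe_like"], "key:", report["key"])
```

If the decrypted bytes do not pass the PE check, the layout assumption is wrong for that sample (the key may sit elsewhere, or the body may start at a different offset), and the file should be handed to a debugger-driven analysis rather than forced through this helper.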
Indicators of Compromise
Publicly reported IOCs associated with SideWinder campaigns. Verify currency before operational use — infrastructure rotation is frequent and rapid.
SideWinder rotates C2 infrastructure continuously and modifies loader binaries within hours of detection. IOCs below are drawn from public reporting and may be stale. Cross-reference with live threat intel feeds. YARA rules for hunting SideWinder are available through Kaspersky Intelligence Reporting and Group-IB subscribers.
Mitigation & Defense
Organizations within SideWinder's established or emerging target profile — government, military, maritime, nuclear, and diplomatic sectors across South Asia, the Middle East, Southeast Asia, and Africa — should apply the following defensive measures.
- Patch CVE-2017-11882 and CVE-2017-0199 immediately: SideWinder's continued reliance on these aged vulnerabilities means unpatched systems remain straightforwardly exploitable. Both flaws have had patches available since 2017. Any organization still running unpatched Microsoft Office versions is exposed to SideWinder's primary infection chain.
- Disable or restrict Microsoft Office macro execution and remote template loading: Block external template injection by configuring the Office Trust Center to prevent automatic connections to remote template URLs. Consider Protected View enforcement for all externally sourced documents.
- Deploy behavioral detection for DLL sideloading: SideWinder consistently abuses legitimate signed binaries to load malicious DLLs. Endpoint detection rules should flag unexpected DLL loads from application directories, particularly by binaries with valid signatures where the loaded DLL is not part of the signed package.
- Monitor and restrict ClickOnce execution: The 2025 campaign wave introduced ClickOnce as an infection vector. Restrict or audit ClickOnce application installation, particularly for applications downloaded from non-enterprise sources or presented via browser prompts.
- Provide targeted spear-phishing awareness, including the use of geo-fenced lures: SideWinder tailors lures to specific institutional contexts and uses geo-fenced payloads to target employees precisely. General phishing training should be supplemented with targeted briefings for personnel in high-risk sectors and regions.
- Hunt for in-memory implants: StealerBot operates entirely in memory and, in its standard deployment, is never written to disk. Endpoint detection solutions must include memory scanning and behavioral analysis. Disk-based AV alone will not detect the implant.
- Monitor C2 dynamism and DNS patterns: SideWinder's infrastructure uses dynamic runtime C2 resolution rather than hardcoded addresses. DNS monitoring for unusual subdomain patterns, connections to newly registered domains, and high-frequency domain rotation can surface active campaigns.
- Apply patch management for CVE-2025-2783: This vulnerability was documented in 2025-era SideWinder campaign reporting. Verify patch status across affected systems.
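The DLL side-loading technique in the TTP table (T1574.002) and the corresponding mitigation above both come down to one observable: a host executable loading a DLL that carries a Windows-component name from a path where that component does not belong, or an unsigned DLL loaded from beside a host binary that itself sits in a user-writable directory. The detection below is an added example and not any vendor's rule. The event records are constructed and modelled loosely on Sysmon Event ID 7 (ImageLoad); the field names `Image`, `ImageLoaded` and `Signed` are used as assumptions about the telemetry schema, and the DLL names come from this page.

```python
"""Detection logic for the DLL side-loading pattern described in the TTP table
and the mitigation list: a Windows-component DLL name loaded from a non-system
path, or an unsigned DLL loaded beside its host in a user-writable directory.
Added example, not any vendor's rule. Records are constructed and modelled
loosely on Sysmon Event ID 7; the field names are assumptions."""
import ntpath
from typing import Dict, List, Tuple

# Filenames the page reports SideWinder using for loader components.
MASQUERADED_DLLS = {
    "jetcfg.dll", "policymanager.dll", "winmm.dll", "xmllite.dll",
    "uxtheme.dll", "dcntel.dll", "wdscore.dll", "devobj.dll",
}
SYSTEM_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\",
)
TRUSTED_ROOTS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")


def under(path: str, roots: Tuple[str, ...]) -> bool:
    """Case-insensitive prefix test against a tuple of directory roots."""
    p = path.lower()
    return any(p.startswith(r) for r in roots)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons an image-load record is suspicious; empty means benign."""
    host = event["Image"]
    dll = event["ImageLoaded"]
    dll_name = ntpath.basename(dll).lower()
    same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(host).lower()
    dll_signed = event.get("Signed", "false").lower() == "true"
    reasons: List[str] = []
    if dll_name in MASQUERADED_DLLS and not under(dll, SYSTEM_DIRS):
        reasons.append(f"system DLL name {dll_name} loaded from non-system path")
    if same_dir and not dll_signed and not under(host, TRUSTED_ROOTS):
        reasons.append("unsigned DLL loaded beside host binary in user-writable path")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run evaluate() over a batch and return (index, reasons) for each hit."""
    return [(i, r) for i, e in enumerate(events) if (r := evaluate(e))]


# Constructed sample events (not real telemetry). Host binary names match the
# signed executables the page reports being abused.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\winmm.dll", "Signed": "true"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\TapiUnattend.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\winmm.dll", "Signed": "false"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\vendorlib.dll", "Signed": "true"},
    {"Image": "C:\\Users\\alice\\AppData\\Roaming\\MagTek\\ReaderConfiguration.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\MagTek\\DEVOBJ.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["ImageLoaded"], reasons)
```

The second rule is the one that survives SideWinder's renaming habit: the page notes that component filenames change within hours of exposure, so a rule keyed only on the listed names decays quickly, whereas "unsigned DLL next to a signed host outside Program Files" describes the side-loading pattern itself.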
SideWinder's targeting of India-adjacent entities including Indian diplomatic missions and the apparent use of India-Pakistan conflict lures in 2025 has raised questions about attribution scope. Kaspersky noted the targeting of India as significant given the group's suspected Indian origin. This may reflect operational cover, collection against Indian government insiders, or targeting of foreign embassies on Indian soil rather than Indian government systems directly. Attribution remains assessed, not confirmed.
Sources & Further Reading
Attribution and references used to build this profile.
- Kaspersky Securelist — SideWinder targets maritime and nuclear sectors with updated toolset (2025)
- Kaspersky Securelist — Beyond the Surface: the evolution and expansion of the SideWinder APT group (2024)
- Trellix ARC — SideWinder's Shifting Sands: Click Once for Espionage (2025)
- Acronis TRU — From banks to battalions: SideWinder's attacks on South Asia's public sector (2025)
- Zscaler ThreatLabz — WarHawk: New Backdoor in the Arsenal of the SideWinder APT Group
- The Hacker News — New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries (2024)
- Dark Reading — SideWinder Espionage Campaign Expands Across Southeast Asia (2026)
- Group-IB — Old Snake, New Skin: SideWinder APT Activity Analysis 2021
- MITRE ATT&CK — SideWinder, Group G0121