Security researchers have attributed to the threat actor known as SideWinder a September 2025 campaign that targeted a European embassy in New Delhi and multiple organisations in Sri Lanka, Pakistan and Bangladesh. The activity was carried out in multiple spear‑phishing waves between March and September 2025 and aimed to establish persistent access on compromised systems.
Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc published a report last week that documents a shift in the group’s tactics, notably the introduction of a PDF and ClickOnce‑based infection chain alongside previously observed Microsoft Word exploit vectors. The campaigns were carried out in four waves and relied on malicious documents sent by targeted spear‑phishing.
The attacks dropped custom tooling, principally a downloader called ModuleInstaller and a .NET implant dubbed StealerBot. ModuleInstaller retrieves next‑stage payloads, while StealerBot can open a reverse shell, deploy additional malware and harvest screenshots, keystrokes, passwords and files from infected hosts. Those malware families were previously publicly documented in 2024 and 2025 during related operations in the region and beyond.
In the latest incidents observed after Sept. 1, 2025, phishing messages used Microsoft Word and PDF attachments with lures such as “Inter‑ministerial meeting Credentials.pdf” and “India‑Pakistan Conflict -Strategic and Tactical Analysis of the May 2025.docx” and were sent from a domain designed to mimic a defence ministry. The PDF attachments displayed a button urging recipients to install the latest Adobe Reader; activating the button downloaded a ClickOnce application from a remote server and launched a decoy PDF while sideloading a malicious DLL named “DEVOBJ.dll”.
Researchers found the ClickOnce payload was a legitimate MagTek executable, “ReaderConfiguration.exe”, signed with a valid certificate to reduce suspicion. Command‑and‑control requests were region‑restricted to South Asia and the download paths for payloads were dynamically generated, complicating analysis. The sideloaded DLL decrypts and launches the ModuleInstaller loader, which profiles the host and delivers StealerBot for data collection and further actions.
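The side‑loading detail above has a practical defensive angle: because the host process (ReaderConfiguration.exe) carries a valid signature, a check that only trusts signed binaries will not notice the rogue DLL. The check that does work is on the DLL's load location, since DEVOBJ.dll is a Windows system library that is normally loaded only from the system directories. The following script is an added illustration written for this article, not code from the Trellix report or from any of the tools it describes; it assumes Sysmon‑style image‑load records with the fields shown, and every path, user name and event in it is constructed sample data.

```python
import ntpath
from dataclasses import dataclass

# Directories from which Windows system DLLs are legitimately loaded.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# DLL names that ship with Windows and should only be loaded from SYSTEM_DIRS.
# devobj.dll is the name reported in the campaign above; a real deployment
# would carry a much longer list of system DLLs known to be side-loadable.
SYSTEM_DLLS = {"devobj.dll"}


@dataclass
class ImageLoad:
    """Minimal view of a Sysmon-style image-load event (assumed field set)."""
    process_image: str    # full path of the process that loaded the DLL
    image_loaded: str     # full path of the DLL that was loaded
    process_signed: bool  # whether the loading process has a valid signature


def is_system_path(path: str) -> bool:
    """True if the path lies under one of the Windows system directories."""
    return path.lower().startswith(SYSTEM_DIRS)


def find_sideload_candidates(events):
    """Return (process, dll) pairs where a system DLL name was loaded from
    outside the system directories.

    The loading process's own signature is deliberately ignored: in the
    campaign described above the host binary was validly signed, so trusting
    the signer would suppress exactly the event we want to see.
    """
    hits = []
    for ev in events:
        dll_name = ntpath.basename(ev.image_loaded).lower()
        if dll_name in SYSTEM_DLLS and not is_system_path(ev.image_loaded):
            hits.append((ev.process_image, ev.image_loaded))
    return hits


# Constructed sample events; the ClickOnce-style install directory and the
# user name are placeholders, not values from the report.
APPS_DIR = "C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\X1\\"
SAMPLE_EVENTS = [
    # Signed host process loading a system-named DLL from its own directory:
    # this is the side-loading pattern and should be flagged.
    ImageLoad(APPS_DIR + "ReaderConfiguration.exe",
              APPS_DIR + "DEVOBJ.dll", process_signed=True),
    # Normal load of the genuine library from System32: benign.
    ImageLoad("C:\\Windows\\explorer.exe",
              "C:\\Windows\\System32\\devobj.dll", process_signed=True),
    # Unsigned process loading its own private DLL: not a system DLL name,
    # so this rule stays silent (other rules may cover it).
    ImageLoad("C:\\Users\\alice\\Downloads\\tool.exe",
              "C:\\Users\\alice\\Downloads\\helper.dll", process_signed=False),
]


if __name__ == "__main__":
    for proc, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL side-loading: {proc} loaded {dll}")
```

Running the script reports only the first event. Matching on the DLL's base name and load path keeps the rule independent of which signed host binary an attacker chooses next, which is the property that matters once a technique is built on legitimately signed executables.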
Researchers noted the campaign reflects a continued refinement of tactics to evade security controls, including the use of validly signed binaries for side‑loading and custom malware families to support espionage objectives.