South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware - The Hacker News

South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware Ravie LakshmananMay 20, 2025Malware / Cyber Espionage High-level government institutions in Sri Lanka, Bangladesh, and Pakistan have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder. "The attackers used spear phishing emails paired with geofenced payloads to ensure that only victims in specific countries received the malicious content," Acronis researchers Santiago Pontiroli, Jozsef Gegeny, and Prakas Thevendaran said in a report shared with The Hacker News. The attack chains leverage spear-phishing lures as a starting point to activate the infection process and deploy a known malware referred to as StealerBot. It's worth pointing out that the modus operandi is consistent with recent SideWinder attacks documented by Kaspersky in March 2025. Some of the targets of the campaign, per Acronis, include Bangladesh's Telecommunication Regulatory Commission, Ministry of Defence, and Ministry of Finance; Pakistan's Directorate of Indigenous Technical Development; and Sri Lanka's Department of External Resources, Department of Treasury Operations, Ministry of Defence, and Central Bank. The attacks are characterized by the use of years-old remote code execution flaws in Microsoft Office (CVE-2017-0199 and CVE-2017-11882) as initial vectors to deploy malware capable of maintaining persistent access in government environments across South Asia. The malicious documents, when opened, trigger an exploit for CVE-2017-0199 to deliver next-stage payloads that are responsible for installing StealerBot by means of DLL side-loading techniques. One noteworthy tactic adopted by SideWinder is that the spear-phishing emails are coupled with geofenced payloads to ensure that only victims meeting the targeting criteria are served the malicious content. In the event the victim's IP address does not match, an empty RTF file is sent instead as a decoy. The malicious payload is an RTF file that weaponizes CVE-2017-11882, a memory corruption vulnerability in the Equation Editor, to launch a shellcode-based loader that runs the StealerBot malware. StealerBot, according to Kaspersky, is a .NET implant that's engineered to drop additional malware, launch a reverse shell, and collect a wide range of data from compromised hosts, including screenshots, keystrokes, passwords, and files. "SideWinder has demonstrated consistent activity over time, maintaining a steady pace of operations without prolonged inactivity — a pattern that reflects organizational continuity and sustained intent," the researchers said. "A closer analysis of their tactics, techniques, and procedures (TTPs) reveals a high degree of control and precision, ensuring that malicious payloads are delivered only to carefully selected targets, and often only for a limited time." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cyber espionage, cybersecurity, Malware, Microsoft office, South Asia, Spear Phishing, Threat Intelligence Trending News Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Load More ▼ Popular Resources SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats Detect AI-Driven Threats Faster With Full Network Visibility [Guide] Learn How to Govern AI Agents With Proven Market Guidance [Demo] Discover SaaS Risks and Monitor Every App in Your Environment