SideWinder Espionage Campaign Expands Across Southeast Asia - Dark Reading

Dark Reading, archived Apr 17, 2026
Threat Intelligence

The suspected India-linked threat group targets governments, telecom, and critical infrastructure using spear-phishing, old vulnerabilities, and rapidly rotating infrastructure to maintain persistent access.

Robert Lemos, Contributing Writer
March 18, 2026
4 Min Read
Source: Chantelle Bosch via Shutterstock

Recent cyber-espionage activity attributed to the SideWinder threat group suggests that the India-linked operation has expanded across Southeast Asia, including Indonesia and Thailand, while continuing to rely on phishing, credential theft, and infrastructure churn to avoid detection.

The group often uses a government-audit themed phishing attack to convince employees to open a link, and has consistently reused certain techniques — such as staged execution and frequent domain changes — allowing SideWinder to shift geographic targets without altering its core malware toolkit, researchers with cybersecurity services firm ITSEC Group stated in a report released this week. The group, which the researchers also referred to as RagaSerpent, started targeting Thailand in late 2025 and Indonesia earlier this year, the report stated.

That mix of simple intrusion methods and disciplined long-term access is typical of modern espionage campaigns, said Patrick Dannacher, president director of ITSEC Asia.

"The espionage actors operating in this environment are not here for a quick payoff," he says. "They are here for sustained access to government institutions, telecommunications networks, and strategic economic sectors."

Active since 2012, the SideWinder APT group has typically focused on South Asian governments, such as those of Bangladesh, Nepal, Pakistan, and Sri Lanka, as well as military organizations and diplomatic entities across South and Southeast Asia. The group has more recently broadened its focus to include maritime infrastructure, logistics companies, and the nuclear sector, says Vasily Berdnikov, lead security researcher at Kaspersky's Global Research and Analysis Team (GReAT).

While Kaspersky's policy is not to attribute any threat group to a particular nation-state, SideWinder has moved beyond South Asia to compromise targets in other regions, he says.

"They have expanded operations into Africa, Europe, and the Middle East, demonstrating the ambition to go beyond one region," Berdnikov says.

Easy Entry Points, Post-Compromise Persistence

Despite its decade-plus experience as an espionage actor, the SideWinder group's initial intrusion techniques are not especially complex, researchers say. The group continues to rely heavily on spear-phishing, stolen credentials, and exploitation of long-patched vulnerabilities to gain access to targeted networks.

The group frequently uses known Microsoft Office flaws and DLL hijacking to establish a foothold, Berdnikov says.

"SideWinder has been using the same tactics and techniques for years," he says. "These primarily involve spear-phishing and exploiting long-patched MS Office vulnerabilities. ... The group's primary method for establishing and launching malware is through DLL hijacking."

What makes the threat actor more difficult to contain, however, is not how it gains access, but its post-exploitation activities. SideWinder has built a repeatable workflow around staged payload delivery, persistence built on top of Windows services, and rapid changes to command-and-control (C2) infrastructure. The result is that attackers maintain access even after many responders believe they have remediated an attack.

One of the more unusual behaviors observed in recent campaigns involves the malware deriving configuration data — primarily, the C2 server address — dynamically at runtime rather than embedding it directly in the binary. This makes it easier for the group's operators to rotate infrastructure without rebuilding the payload, Dannacher says.

"The implication of that design choice is significant," he says. "It means the attacker can rotate their entire communications infrastructure simply by renaming a file. No recompilation, no new malware build, no lengthy development cycle."

The design makes incident response challenging, because remediation may look complete when in reality the attacker can redeploy in a matter of hours, Dannacher says. It also reduces the effectiveness of signature-based detection and allows the same malware to be reused across multiple campaigns, he adds.

Long-Term Intelligence Goals

The SideWinder threat group's targeting pattern is consistent with an espionage-driven mission rather than financially motivated attacks, researchers say. Recent campaigns show signs of careful operational scoping, including malware configurations that avoid interacting with certain networks, the ITSEC researchers stated. Their conclusion is that the operators are trying to limit collateral impact while gaining access to specific high-value environments.

For defenders, the broader targeting means organizations outside government may still be at risk if they sit inside the same supply chain or within the same communications networks. In addition, pre-positioned threats may not appear for many years, but pose a threat over "a five- or 10-year strategic horizon," says Dannacher.

"The realistic picture for a large institution is that it is simultaneously of interest to multiple state-aligned actors with different objectives," he says. "Designing your security posture to account for that complexity is not paranoia. It is accuracy."

Companies need to expand beyond defenses focused on indicators of compromise (IoCs) and look for ways of repeatedly blocking the group's tactics, techniques, and procedures (TTPs), ITSEC Asia stated in the report.

While financially motivated attackers are the most common in the region, the same techniques are being reused across different threat groups, and that convergence increases risk, Dannacher says.

"What we are seeing in Indonesia right now is not a landscape with a single dominant threat category — it is a convergence, and that convergence is what makes it genuinely difficult to defend against," he says. "The boundaries that used to separate cybercrime from hacktivism from state-sponsored intrusion have largely dissolved at the operational level."
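The report's advice to detect the group's TTPs rather than chase individual indicators, shown as an added example that is not code from the article, ITSEC Group or Kaspersky. It runs two kinds of rule over constructed Windows event records: an IoC matcher on a DNS query list, and behaviour rules for a service installed from a user-writable directory and for an unsigned DLL loaded into a signed process from such a directory, the patterns the article associates with service-based persistence and DLL hijacking. The event field names (svc_name, image_path, image_loaded, image_signed, dll_signed, query), the hosts, paths and domains are this example's own constructed placeholders, loosely modelled on Windows System event 7045 and Sysmon events 7 and 22; they are not a real log schema and not indicators from any report.

```python
"""TTP-based detection versus IoC matching over constructed Windows events.

Added illustration for the article's point that IoC-only defenses miss an
actor that rotates C2 domains without rebuilding its malware. Nothing here is
code or data from the article, ITSEC Group or Kaspersky.
"""
import json
import re

# Constructed sample events, one JSON object per line. Field names are a
# simplification of Windows System event 7045 (service installed), Sysmon
# event 7 (image loaded) and Sysmon event 22 (DNS query). Hosts, paths and
# domains are invented placeholders, not indicators from any report.
SAMPLE_LOG = r"""
{"event_id": 7045, "host": "WS-017", "svc_name": "WinSyncHost", "image_path": "C:\\Users\\jdoe\\AppData\\Roaming\\sync\\host.exe", "start_type": "auto start"}
{"event_id": 7045, "host": "WS-017", "svc_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe", "start_type": "auto start"}
{"event_id": 7, "host": "WS-017", "image": "C:\\Users\\jdoe\\AppData\\Roaming\\sync\\host.exe", "image_loaded": "C:\\Users\\jdoe\\AppData\\Roaming\\sync\\version.dll", "image_signed": true, "dll_signed": false}
{"event_id": 7, "host": "WS-017", "image": "C:\\Windows\\System32\\svchost.exe", "image_loaded": "C:\\Windows\\System32\\version.dll", "image_signed": true, "dll_signed": true}
{"event_id": 22, "host": "WS-017", "query": "update.known-bad.example"}
{"event_id": 22, "host": "WS-017", "query": "cdn.rotated-c2.example"}
"""

# Directories an unprivileged user can normally write to. A service binary, or
# a DLL pulled into a signed program, living in one of these is worth review
# whatever domain the implant later resolves.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)",
    re.IGNORECASE,
)


def parse_events(log_text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def ioc_hits(events, bad_domains):
    """Indicator matching: fires only on domains already on the blocklist."""
    hits = []
    for ev in events:
        if ev.get("event_id") == 22:
            q = ev["query"].lower()
            if any(q == d or q.endswith("." + d) for d in bad_domains):
                hits.append(("ioc_domain", ev["host"], q))
    return hits


def ttp_hits(events):
    """Behaviour matching: persistence and DLL loads rooted in user-writable paths."""
    hits = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 7045 and USER_WRITABLE.match(ev["image_path"]):
            hits.append(("service_from_user_writable_path", ev["host"],
                         ev["svc_name"], ev["image_path"]))
        elif (eid == 7 and ev.get("image_signed") and not ev.get("dll_signed")
              and USER_WRITABLE.match(ev["image_loaded"])):
            hits.append(("unsigned_dll_in_signed_process", ev["host"],
                         ev["image"], ev["image_loaded"]))
    return hits


def run_demo(log_text=SAMPLE_LOG, bad_domains=("known-bad.example",)):
    """Run both rule sets over the log and return their findings side by side."""
    events = parse_events(log_text)
    return {"ioc": ioc_hits(events, bad_domains), "ttp": ttp_hits(events)}


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

Run with `python3 ttp_demo.py`. The IoC rule catches only the listed domain and stays silent on the rotated one, while the behaviour rules fire on the service install and the DLL load regardless of which domain is in use; that gap between the two rule sets is the one the report describes when it recommends blocking TTPs rather than indicators.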