SideWinder APT Caught Spying on India's Neighbor Gov'ts
Dark Reading

A recent spear-phishing campaign against countries in South Asia aligns with broader political tensions in the region.

Nate Nelson, Contributing Writer
May 21, 2025
5 Min Read

A new spear-phishing campaign has emerged against governments and militaries in South Asia, including in Bangladesh, Nepal, Pakistan, and Sri Lanka.

Researchers from Acronis have attributed the activity to SideWinder (aka Razor Tiger), an espionage group first discovered in 2018 but active since around 2012. It's generally believed to be an entity of the Indian state, which would make sense in this case, given that the organizations affected by this latest campaign all belong to countries surrounding India — plus a few unknown cases — with India conspicuous by its absence.
The discovery of state-sponsored spear-phishing also makes sense, as India and Pakistan traded drone strikes a few weeks ago over the territory of Kashmir; those skirmishes threatened to erupt into full-blown war between the two countries, which have since agreed to a ceasefire.

From a technical standpoint, what stands out in SideWinder's latest work is the juxtaposition between its advanced tactics, techniques, and procedures (TTPs) — multistage loaders, server-side polymorphic malware, and other skullduggery — and the 8-year-old Microsoft Office vulnerabilities integrated into the mix.

"Its operations show a blend of traditional and modern tradecraft: leveraging legacy vulnerabilities for reliable initial access, while employing advanced evasion tactics to avoid detection," explains Santiago Pontiroli, lead threat response unit researcher with Acronis. "Its multilayered delivery approach relies on geofencing, context validation, decoy fail-safes, and polymorphic payloads, demonstrating a refined balance of stealth, precision, and adaptability rarely seen outside the most advanced APT groups."

South Asian Government Phishing

SideWinder began registering or repointing dozens of command-and-control (C2) domains in January, indicating the beginning of its latest campaign.

To infect victims with infostealing malware, SideWinder has been forging documents pertaining to official government business in various South Asian countries, or sourcing real documents online that, from their appearance, might otherwise appear to be confidential.

(Image source: Acronis)

Based on samples uploaded to VirusTotal, at least two high-profile targets of SideWinder phishing emails have been verified: the Central Bank of Sri Lanka and the Sri Lanka Army's 55th Division Battalion, the country's premier infantry unit, made up of more than 10,000 troops.

Acronis also identified dozens of other organizations that play into this campaign, from Sri Lanka (29), Bangladesh (22), Pakistan (10), and Nepal (5). They include the Ministries of Defence and Finance in Bangladesh, the Departments of External Resources and Treasury Operations in Sri Lanka, and the Cyber Security Department of Pakistan's Naval Headquarters. It's unclear, though, whether these organizations have been victims of attacks or whether their material has simply been used to phish the real victims.

Pontiroli notes how "the targeting observed in the 2025 campaign appears to align with ongoing regional dynamics in South Asia. The focus on government and defense-related entities in countries like Bangladesh, Pakistan, and Sri Lanka suggests that the threat actors are pursuing intelligence or strategic information tied to regional affairs. While the exact motivations remain unconfirmed, the timing and nature of the targets indicate a possible connection to broader geopolitical developments."

Exploiting 2017 Microsoft Office Bugs in 2025

Opening an infected email attachment triggers the exploitation of CVE-2017-0199, a Microsoft Office vulnerability so old that its record in the National Vulnerability Database is "not being prioritized for NVD enrichment efforts due to resource or other concerns." The flaw lies in how outdated Office software handles certain embedded objects in a file, allowing SideWinder to trigger an intrusion chain on a targeted system.

The intrusion chain will only bear out if a victim meets the exact profile SideWinder is looking for. Their IP address, geolocation, and certain HTTP headers are vetted, and only if all these checks pass will they receive a malicious Rich Text Format (RTF) file. This file exploits a second Microsoft Office vulnerability, CVE-2017-11882, a memory corruption issue that enables remote code execution (RCE).
Like CVE-2017-0199, CVE-2017-11882 is 8 years old now, and both carry "high" 7.8-out-of-10 ratings under the Common Vulnerability Scoring System (CVSS) version 3.x.

Such rusty vulnerabilities still prove useful in 2025, Pontiroli says, because so many organizations remain so massively underpatched. And from an attacker's perspective, "older exploits are well-tested, stable, and often come with publicly available proof-of-concept code that is frequently integrated into widely used frameworks like Metasploit or Cobalt Strike, making them low-cost and low-effort to deploy. Unlike newer zero-days, which are expensive to develop and carry a higher risk of detection or attribution, older CVEs offer a strategic advantage: they preserve operational security and reduce the likelihood of burning advanced tools," he explains.

He also points to other recent campaigns "by groups like APT28 and APT36, which have repeatedly leveraged legacy Office vulnerabilities in phishing operations, as well as by ransomware operators who still scan for long-patched but unaddressed issues like EternalBlue."

At the end of this infection chain lies "StealerBot," a .NET-based modular espionage kit that executes in memory.
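As an added defensive example (not code from Acronis or from this article), the script below triages an RTF attachment for the two object shapes the chain above relies on: an embedded Equation Editor object, the component patched for CVE-2017-11882, and an auto-updating OLE link, the CVE-2017-0199 pattern. The sample documents and object payload bytes are constructed placeholders; the Equation Editor class id is the real one.

```python
import re

# Constructed defensive triage, not code from Acronis or Dark Reading. Equation Editor's
# class id {0002CE02-0000-0000-C000-000000000046}, serialised little-endian as it
# sits inside an OLE object stream; this is the component patched for CVE-2017-11882.
EQNEDT_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

OBJCLASS = re.compile(r"\\\*\\objclass\s+([A-Za-z0-9.]+)")
OBJDATA = re.compile(r"\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")


def scan_rtf(rtf: str) -> dict:
    """Return coarse indicators for the two Office object-handling bugs."""
    classes = [c.lower() for c in OBJCLASS.findall(rtf)]
    blobs = []
    for hexdata in OBJDATA.findall(rtf):
        try:
            blobs.append(bytes.fromhex(re.sub(r"\s+", "", hexdata)))
        except ValueError:  # malformed hex: skip, it cannot be decoded
            continue
    return {
        # CVE-2017-11882 shape: an embedded Equation Editor object
        "equation_editor_object": any(c.startswith("equation.") for c in classes)
        or any(EQNEDT_CLSID_LE in b for b in blobs),
        # CVE-2017-0199 shape: a linked object Word updates (fetches) on open
        "auto_update_link": "\\objupdate" in rtf
        and ("\\objautlink" in rtf or any(b"OLE2Link" in b for b in blobs)),
        # a remote location inside object data, where a second stage would be fetched from
        "embedded_url": any(re.search(rb"https?://", b) for b in blobs),
    }


def verdict(findings: dict) -> list:
    """Map indicators onto the two CVE shapes named in the campaign write-up."""
    hits = []
    if findings["equation_editor_object"]:
        hits.append("CVE-2017-11882-style Equation Editor object")
    if findings["auto_update_link"]:
        hits.append("CVE-2017-0199-style auto-updating OLE link")
    return hits


# Constructed, inert test documents; the object payload bytes are placeholders
EQN_BLOB = bytes.fromhex("01050000020000000b000000") + b"Equation.3\x00" + EQNEDT_CLSID_LE
LINK_BLOB = b"OLE2Link\x00http://example.invalid/decoy.doc\x00"
SUSPECT_RTF = (
    r"{\rtf1\ansi\deff0 Decoy memo text{\object\objemb{\*\objclass Equation.3}{\*\objdata "
    + EQN_BLOB.hex() + r"}}{\object\objautlink\objupdate{\*\objclass Word.Document.8}{\*\objdata "
    + LINK_BLOB.hex() + r"}}\par}"
)
BENIGN_RTF = r"{\rtf1\ansi\deff0 Quarterly budget summary\par}"
```

Run `verdict(scan_rtf(open(path).read()))` over quarantined attachments; a hit is a reason to block and inspect, not proof of exploitation, since benign documents can legitimately embed equations or links.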
StealerBot's many functions include the ability to steal passwords from browsers, phish Windows credentials, and escalate attacker privileges on a targeted system.

"While it may not use the most advanced or newly discovered exploits like some other APT groups, SideWinder's careful use of older, reliable vulnerabilities combined with a flexible and consistently maintained tool set shows that this actor prioritizes effectiveness, stealth, and long-term success over showy or overly complex techniques," Pontiroli says.

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life."
Before joining Dark Reading, he was a reporter at Threatpost.