SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa - The Hacker News
SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa
Ravie Lakshmanan | Mar 11, 2025 | Cyber Espionage / Maritime Security
Maritime and logistics companies in South and Southeast Asia, the Middle East, and Africa have become the target of an advanced persistent threat (APT) group dubbed SideWinder.
The attacks, observed by Kaspersky in 2024, spread across Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam. Other targets of interest include nuclear power plants and nuclear energy infrastructure in South Asia and Africa, as well as telecommunication, consulting, IT service companies, real estate agencies, and hotels.
In what appears to be a wider expansion of its victimology footprint, SideWinder has also targeted diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda. The targeting of India is significant as the threat actor was previously suspected to be of Indian origin.
"It is worth noting that SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems," researchers Giampaolo Dedola and Vasily Berdnikov said, describing it as a "highly advanced and dangerous adversary."
SideWinder was previously the subject of an extensive analysis by the Russian cybersecurity company in October 2024, documenting the threat actor's use of a modular post-exploitation toolkit called StealerBot to capture a wide range of sensitive information from compromised hosts. The hacking group's targeting of the maritime sector was also highlighted by BlackBerry in July 2024.
The latest attack chains align with what has been reported before. Spear-phishing emails act as the conduit for booby-trapped documents that exploit a known security vulnerability in Microsoft Office Equation Editor (CVE-2017-11882). Successful exploitation kicks off a multi-stage sequence that employs a .NET downloader named ModuleInstaller, which ultimately launches StealerBot.
Kaspersky said some of the lure documents relate to nuclear power plants and nuclear energy agencies, while others include content referencing maritime infrastructure and various port authorities.
"They are constantly monitoring detections of their toolset by security solutions," Kaspersky said. "Once their tools are identified, they respond by generating a new and modified version of the malware, often in under five hours."
"If behavioral detections occur, SideWinder tries to change the techniques used to maintain persistence and load components. Additionally, they change the names and paths of their malicious files."
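Because the group renames and relocates its dropped files, as the report notes, a detection keyed on payload file names is short-lived. A more durable signal is the behavior of the exploited component itself: the Equation Editor process (EQNEDT32.EXE, the binary affected by CVE-2017-11882) has no business spawning child processes, whatever those children are called. The following is an added example written for this article and is not code from Kaspersky or The Hacker News; it runs that parent-process check over a handful of constructed, Sysmon-style process-creation events. Hostnames, timestamps and the payload path (`rpt_2024.exe`) are hypothetical.

```python
"""Flag process-creation events in which Microsoft Office Equation Editor
(EQNEDT32.EXE) appears as the parent of another process.

Added example; not from the original article. The Equation Editor binary
name is real, the log events below are constructed for illustration.
"""
import ntpath

# Known Microsoft Equation Editor binary name (compared case-insensitively).
EQUATION_EDITOR = "eqnedt32.exe"

# Constructed sample events in a Sysmon Event ID 1-like shape. Hosts, times
# and the dropped-file name are hypothetical and not taken from the report.
SAMPLE_EVENTS = [
    # Equation Editor being launched via DCOM after a document is opened.
    {"ts": "2024-06-03T09:12:01Z", "host": "ops-ws-07",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": '"EQNEDT32.EXE" -Embedding'},
    # Equation Editor spawning a child: the suspicious case. Mixed-case path
    # checks that the match does not depend on how the logger cased it.
    {"ts": "2024-06-03T09:12:02Z", "host": "ops-ws-07",
     "parent_image": r"C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\eqnedt32.exe",
     "image": r"C:\Users\analyst\AppData\Local\Temp\rpt_2024.exe",
     "cmdline": r"C:\Users\analyst\AppData\Local\Temp\rpt_2024.exe"},
    # Benign Word activity (print-spooler helper); must not be flagged.
    {"ts": "2024-06-03T09:30:44Z", "host": "ops-ws-07",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
]


def _basename(path):
    """Lower-cased file name of a Windows path; tolerant of missing values."""
    return ntpath.basename(path or "").lower()


def is_equation_editor_child(event):
    """True when the parent process is Equation Editor, regardless of the
    child's name or location, so renaming the payload does not evade it."""
    return _basename(event.get("parent_image")) == EQUATION_EDITOR


def find_alerts(events):
    """Return one alert record per event that trips the rule."""
    alerts = []
    for ev in events:
        if is_equation_editor_child(ev):
            alerts.append({
                "ts": ev["ts"],
                "host": ev["host"],
                "rule": "equation_editor_spawned_child",
                "child": ev["image"],
                "cmdline": ev.get("cmdline", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately ignores the child's image name and path: the report's point is that those change between samples, whereas Equation Editor acting as a parent process is a stable property of exploiting CVE-2017-11882. On an environment where Equation Editor is still installed, the same check expressed as an EDR or SIEM query over parent image name gives the equivalent coverage.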