Acronis Threat Research Unit (TRU) has detailed a cyber-espionage campaign by the SideWinder advanced persistent threat (APT) group targeting high-profile government institutions in Sri Lanka, Bangladesh, and Pakistan.
The attackers send spear-phishing emails carrying malicious Microsoft Office documents that exploit two long-known but still effective vulnerabilities, CVE-2017-0199 and CVE-2017-11882, to gain an initial foothold.
Payload delivery is geofenced: the attacker's servers only hand out the next stage to requests originating from the targeted region, which keeps the payloads away from researchers and sandboxes elsewhere and lowers the chance of detection.
Multistage Payload Delivery
The attack chain begins when a target opens a weaponized Word or RTF document carrying an exploit for either CVE-2017-0199, which lets the document pull a remote template (and with it attacker-controlled content) as it opens, or CVE-2017-11882, a stack-based buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE).
On successful exploitation the document silently fetches a uniquely generated RTF payload from attacker infrastructure; the server filters on the request's User-Agent header and serves the payload only to requests that look like they come from Office, which starts the second infection stage.
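The two document shapes described above can be triaged offline. The script below is an added example, not Acronis TRU's tooling and not SideWinder's code: it flags a .docx whose relationship parts attach an external (remote) template, the usual CVE-2017-0199 delivery shape, and an .rtf that embeds an Equation Editor OLE object, the usual CVE-2017-11882 container. Both sample documents are constructed in memory and the hostname is a placeholder; the relationship-type suffixes and the Equation Editor CLSID are the real identifiers.

```python
"""Document triage for the two exploit shapes in this campaign.

Added example, not Acronis TRU's tooling and not SideWinder's code. It flags
a .docx whose relationships pull an external (remote) attached template, the
usual CVE-2017-0199 delivery shape, and an .rtf that embeds an Equation
Editor OLE object, the usual CVE-2017-11882 container. Both sample documents
are constructed in memory; the hostname is a placeholder.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types that have no business pointing at an external URL in a
# document that arrived by e-mail.
SUSPICIOUS_REL_SUFFIXES = ("/attachedTemplate", "/oleObject", "/frame")

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, written
# as the little-endian hex string it becomes inside an RTF \objdata blob.
EQNEDT_CLSID_HEX = "02ce020000000000c000000000000046"
RTF_PATTERNS = [
    ("equation-editor objclass", re.compile(r"\\objclass\s*Equation(?:\.3|\.Equation)?", re.I)),
    ("equation-editor clsid", re.compile(EQNEDT_CLSID_HEX, re.I)),
    ("auto-updating linked object", re.compile(r"\\objautlink|\\objupdate", re.I)),
]


def external_relationships(docx_bytes: bytes) -> list:
    """Return (rels part, relationship type, target) for every suspicious
    external relationship in an OOXML document."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                rtype = rel.get("Type", "")
                if rtype.endswith(SUSPICIOUS_REL_SUFFIXES):
                    hits.append((name, rtype.rsplit("/", 1)[-1], rel.get("Target", "")))
    return hits


def rtf_indicators(rtf_bytes: bytes) -> list:
    """Return the labels of exploit-shaped RTF patterns found in the file."""
    text = rtf_bytes.decode("latin-1")      # keep every byte as one character
    compact = re.sub(r"\s+", "", text)      # hex blobs are often line-wrapped
    return [label for label, pat in RTF_PATTERNS
            if pat.search(text) or pat.search(compact)]


def build_docx_with_remote_template(url: str) -> bytes:
    """Constructed sample: the smallest docx whose settings part attaches a
    remote template, the shape a CVE-2017-0199 lure takes."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" TargetMode="External" Target="{url}" '
        f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed sample RTF: an embedded, auto-updating OLE object declared as
# Equation.3 whose objdata carries the Equation Editor CLSID. The hex is a
# placeholder OLE header, not a real exploit blob.
SAMPLE_RTF = (
    b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b000000"
    b"4571756174696f6e2e3300" + EQNEDT_CLSID_HEX.encode() + b"}}}"
)

if __name__ == "__main__":
    docx = build_docx_with_remote_template("http://example.invalid/template.dotm")
    print("docx:", external_relationships(docx))
    print("rtf: ", rtf_indicators(SAMPLE_RTF))
```

Real lures hide the hex inside very long or line-wrapped `\objdata` runs and pad the RTF with junk control words, which is why the RTF check also scans a whitespace-stripped copy; the docx check looks at every `.rels` part rather than only `settings.xml.rels`, because the same external-target trick works from `document.xml.rels` with an `oleObject` relationship.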
Unlike previous campaigns, which relied on mshta.exe to run the next stage, this operation replaces that step with shellcode-based loaders that resolve the Windows API functions they need at runtime instead of importing them.
According to the Acronis report, the shellcode performs sandbox-evasion checks, such as measuring installed RAM and looking for analysis-related DLLs loaded in the process, before downloading encoded payloads from attacker-controlled infrastructure.
Obfuscation methods, including XOR encoding of critical strings and URLs, are extensively used to evade signature-based detection.
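XOR-encoded strings of the kind described above are cheap to recover when the key is short, which is what makes the encoding a signature-evasion measure rather than a secret. The script below is an added example, not SideWinder's decoder and not Acronis tooling: it brute-forces single-byte keys over a blob and, for a short repeating key, runs a known-plaintext (crib) attack using the `https://` prefix every URL shares. The blobs are constructed and the URL is a placeholder, not a real C2.

```python
"""Recover XOR-encoded URLs from a shellcode blob.

Added example, not SideWinder's decoder or Acronis tooling. Two techniques:
brute force over all single-byte keys, and a crib (known-plaintext) attack
for repeating keys up to 8 bytes. Sample blobs are constructed; the URL is a
placeholder, not a real C2.
"""
import re
from itertools import cycle

# Conservative URL shape; a shellcode string would not contain other bytes.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_~:/?#@!$&'()*+,;=%]{4,}")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (byte i uses key[i % len(key)])."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def brute_single_byte(blob: bytes) -> list:
    """Try every key 1..255 over the whole blob; keep null-terminated URLs.
    Returns (key, offset, url)."""
    hits = []
    for key in range(1, 256):
        dec = xor_bytes(blob, bytes([key]))
        for m in URL_RE.finditer(dec):
            if m.end() < len(dec) and dec[m.end()] == 0:   # C string terminator
                hits.append((key, m.start(), m.group().decode("ascii")))
    return hits


def recover_repeating_key(blob: bytes, crib: bytes = b"https://", max_keylen: int = 8) -> list:
    """Slide the crib over the blob. At each offset, key[j] = blob[off+j] ^ crib[j];
    a candidate key of length L is kept only if the rest of the crib agrees with
    key[j % L] and decoding from `off` yields a null-terminated URL.
    Returns (offset, keylen, key, url) with the shortest key per offset."""
    if max_keylen > len(crib):
        raise ValueError("crib must be at least max_keylen bytes long")
    results = []
    for off in range(len(blob) - len(crib) + 1):
        for keylen in range(1, max_keylen + 1):
            key = bytes(blob[off + j] ^ crib[j] for j in range(keylen))
            if any(blob[off + j] ^ crib[j] != key[j % keylen]
                   for j in range(keylen, len(crib))):
                continue
            dec = xor_bytes(blob[off:], key)
            m = URL_RE.match(dec)
            if m and m.end() < len(dec) and dec[m.end()] == 0:
                results.append((off, keylen, key, m.group().decode("ascii")))
                break
    return results


# Constructed sample: a few plain code bytes, the encoded null-terminated URL,
# then more code bytes. Only the string is encoded, as in a decode-on-use loader.
PREFIX = bytes.fromhex("5589e583ec40")
SUFFIX = bytes.fromhex("31c0c9c3")
URL = b"https://updates.example.invalid/stage2/Accept.rtf"
SINGLE_KEY = 0x5A
MULTI_KEY = bytes.fromhex("5a137721")
BLOB_SINGLE = PREFIX + xor_bytes(URL + b"\x00", bytes([SINGLE_KEY])) + SUFFIX
BLOB_MULTI = PREFIX + xor_bytes(URL + b"\x00", MULTI_KEY) + SUFFIX

if __name__ == "__main__":
    print("single-byte:", brute_single_byte(BLOB_SINGLE))
    print("single-byte on multi-key blob:", brute_single_byte(BLOB_MULTI))
    print("crib attack:", recover_repeating_key(BLOB_MULTI))
```

The null-terminator check is what keeps the false-positive rate down: with an 8-byte key and an 8-byte crib every offset passes the consistency test trivially, so the decode has to produce a plausible, properly terminated string before it counts. When a sample encodes the string with a key derived at runtime, look for the decode loop and the immediate constant it XORs with instead.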
The shellcode then injects a portable executable (PE) into a legitimate process (explorer.exe) and runs it in memory, leaving little on disk for forensic examination.
The final payload is StealerBot, a credential-stealing implant loaded through DLL sideloading: a legitimate executable, TapiUnattend.exe, is dropped next to a malicious wdscore.dll (see the IOC table), which the executable loads from its own directory, giving the attackers persistent access and a channel for exfiltrating sensitive data.
For persistence the attackers drop LNK files into Startup folders, and they rotate command-and-control (C2) domains quickly to stay ahead of takedowns.
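The sideloading and persistence steps above leave a telemetry pattern that is straightforward to hunt for. The script below is an added example, not Acronis's detection content: it runs three rules over Sysmon-style events (1 = ProcessCreate, 7 = ImageLoad, 11 = FileCreate) for a known sideload host executing outside System32, a DLL that normally lives in System32 being loaded from the process's own user-writable directory, and a .lnk written to a Startup folder. The events and the dropper directory are constructed; only the file names TapiUnattend.exe and wdscore.dll come from the IOC table.

```python
"""Hunting the sideloading and persistence pattern described above.

Added example, not Acronis's detection content. Three rules over Sysmon-style
events (1 = ProcessCreate, 7 = ImageLoad, 11 = FileCreate). The events are
constructed; only TapiUnattend.exe and wdscore.dll come from the IOC table.
"""
import ntpath

USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Executables seen hosting a sideload in this campaign (assumption: extend the
# set from your own telemetry).
SIDELOAD_HOSTS = {"tapiunattend.exe"}
# DLL names Windows normally resolves from System32; finding one beside the
# EXE in a user-writable directory is the sideloading signature.
SYSTEM32_DLLS = {"wdscore.dll", "version.dll", "dbghelp.dll", "iphlpapi.dll"}


def _dir(path: str) -> str:
    return ntpath.dirname(path.lower())


def _name(path: str) -> str:
    return ntpath.basename(path.lower())


def is_user_writable(path: str) -> bool:
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def detect(events: list) -> list:
    """Return (rule, process name, offending path) for each matching event."""
    alerts = []
    for ev in events:
        eid, image = ev["EventID"], ev["Image"]
        if (eid == 1 and _name(image) in SIDELOAD_HOSTS
                and "\\windows\\system32\\" not in image.lower()):
            alerts.append(("sideload-host-outside-system32", _name(image), image))
        elif eid == 7:
            loaded = ev["ImageLoaded"]
            if (_name(loaded) in SYSTEM32_DLLS and _dir(loaded) == _dir(image)
                    and is_user_writable(image)):
                alerts.append(("dll-sideload", _name(image), loaded))
        elif eid == 11:
            target = ev["TargetFilename"]
            if target.lower().endswith(".lnk") and STARTUP_MARKER in target.lower():
                alerts.append(("startup-lnk", _name(image), target))
    return alerts


# Constructed events. The dropper directory name is made up for the demo.
DROP = "C:\\Users\\victim\\AppData\\Roaming\\Updater"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": DROP + "\\TapiUnattend.exe"},
    {"EventID": 7, "Image": DROP + "\\TapiUnattend.exe",
     "ImageLoaded": DROP + "\\wdscore.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wdscore.dll"},          # benign
    {"EventID": 11, "Image": DROP + "\\TapiUnattend.exe",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\Updater.lnk"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"},  # benign
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The ImageLoad rule is the one worth keeping generic: it does not depend on the host executable's name, so it still fires when the actors switch to a different signed binary, as long as the DLL they drop is one that should only ever load from System32.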
Targeted Institutions and Operational Maturity
Confirmed victims include Sri Lanka’s Central Bank, the elite 55th Division Battalion of the Sri Lanka Army, and various defense and government agencies in Bangladesh and Pakistan.
The attackers use tailored, official-looking lure documents, such as fake publications and monetary policy briefs, matched to each target's interests.
The long-lived campaign shows SideWinder's operational continuity and refinement: although both vulnerabilities were patched in 2017, the exploits still work against the many organizations that run outdated Office deployments and lack consistent patch management.
SideWinder’s infrastructure exhibited bursts of domain registrations and repointing in early 2025, indicating phases of active operation and infrastructure rotation.
The combination of server-side polymorphism, geofenced payload delivery, and layered obfuscation reflects a high level of sophistication designed to bypass traditional detection tools and frustrate incident response.
Acronis Cyber Protect Cloud actively detects and blocks these threats. Organizations are advised to:
- Disable macros and block external content in Microsoft Office, including remote (attached) template retrieval, so a document cannot pull its second stage from the network.
- Block or restrict execution of commonly abused binaries such as mshta.exe, wscript.exe, and powershell.exe; this campaign has dropped mshta.exe, but earlier SideWinder chains used it and other intrusions still do.
- Deploy behavioral analytics and endpoint detection to monitor for suspicious child process creation, in-memory shellcode, and DLL sideloading.
- Enforce network filtering to block communication with known SideWinder C2 domains.
- Maintain up-to-date patches, particularly for legacy Office vulnerabilities: fixes for CVE-2017-0199 and CVE-2017-11882 have been available since 2017, and Microsoft removed the Equation Editor component entirely in its January 2018 Office updates.
- Provide end-user training to recognize spear-phishing attacks leveraging official-themed documents.
Indicators of Compromise (IOCs)
IOC Type | Indicator | Description |
---|---|---|
Malicious documents (SHA256) | 725ded50e7f517addd12f029aeaf9a23f2b9ce6239b98820c8a12ea5cb79dbfa | Spear-phishing Word/RTF files exploiting CVE-2017-0199 and CVE-2017-11882 |
Malicious documents (SHA256) | 57b9744b30903c7741e9966882815e1467be1115cbd6798ad4bfb3d334d3523d | Spear-phishing Word/RTF file from the same campaign |
Malicious documents (SHA256) | … (list continues, 49 samples in total) | |
Final payload, StealerBot (SHA256) | c62e365a6a60e0db4c2afd497464accdb783c336b116a5bc7806a4c47b539cc5 | Credential stealer delivered via DLL sideloading |
Supporting file (MD5) | b574abf43dcc57a359129d1adb4cdda0 | TapiUnattend.exe, legitimate executable abused for DLL sideloading |
Supporting file (MD5) | b37522b69406b3f6229b7f3bbef0a293 | wdscore.dll, malicious DLL loader |
Supporting file (MD5) | 9e3aaa68e88a604a7aba9cf83b49de6e | HBG6XFRE.JZS7, encoded StealerBot payload |
Supporting file (MD5) | 12a891501e271d32802495af88cfa247 | IpHelper.dll, helper module |
Command-and-control domains | army-govbd[.]info, updates-installer[.]store, dwnlld[.]com, bismi[.]pro, etc. | Frequently rotated infrastructure used for payload delivery and exfiltration |
Malicious URL | hxxps://advisory.army-govbd.info/ISPR/d81b2d23/Accept_EULA.rtf | Hosts the malicious RTF payload |
Malicious URL | hxxps://advisory.army-govbd.info/ISPR/7201a146 | Next-stage shellcode payload |