
An advanced persistent threat (APT) group known as SideWinder has broadened its cyberattack campaign to target maritime and logistics companies across South and Southeast Asia, the Middle East, and Africa, according to recent findings by Kaspersky.
The 2024 attacks have affected organizations in Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam. SideWinder has also shown particular interest in nuclear power plants and energy infrastructure throughout South Asia and Africa, while simultaneously targeting telecommunications, consulting, IT services, real estate, and hospitality sectors.
In a significant expansion of its target profile, the group has now compromised diplomatic entities in multiple countries including Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda. The inclusion of Indian targets is particularly noteworthy, as SideWinder was previously suspected to have Indian origins.
“SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems,” noted researchers Giampaolo Dedola and Vasily Berdnikov, who describe the group as a “highly advanced and dangerous adversary.”
The attack methodology remains consistent with previous campaigns: spear-phishing emails carry malicious documents that exploit CVE-2017-11882, a 2017 memory-corruption flaw in the legacy Microsoft Office Equation Editor component (EQNEDT32.EXE) that Microsoft patched in November 2017. Successful exploitation starts a multi-stage chain in which a .NET downloader called ModuleInstaller deploys StealerBot, the group’s modular post-exploitation toolkit, which harvests sensitive information from compromised systems.
Kaspersky researchers observed that SideWinder demonstrates remarkable adaptability, often producing modified malware versions within five hours of a detection. When a component is caught by behavioral detection, the group quickly changes its persistence techniques and component-loading methods, and also renames files and moves them to different paths to evade security solutions.
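Two checks a defender can apply to the delivery stage described above (the Equation Editor exploit document, and the process it launches), written here as an added example that is not Kaspersky's code and not part of the SideWinder toolset. The RTF fragments and the process-creation records are constructed for illustration; the record fields follow Sysmon Event ID 1 in simplified form, and the Equation Editor CLSID and RTF control words are the standard ones for Microsoft Equation 3.0.

```python
"""Detection helpers for the CVE-2017-11882 delivery stage (added example).

Check 1 (static): does an RTF embed a Microsoft Equation 3.0 OLE object?
Check 2 (behavioural): was EQNEDT32.EXE launched, and did it spawn anything?
"""
import json
import re

EQNEDT = "eqnedt32.exe"

# CLSID of "Microsoft Equation 3.0", {0002CE02-0000-0000-C000-000000000046},
# as stored in a compound-file directory entry (Data1..Data3 little-endian).
EQUATION_CLSID_BYTES = bytes.fromhex("02CE020000000000C000000000000046")

OBJCLASS_RE = re.compile(rb"\\objclass\s+Equation\.3\b", re.I)
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)", re.I)


def rtf_has_equation_object(rtf: bytes) -> bool:
    """True if the RTF embeds an Equation 3.0 object.

    Looks at the declared \\objclass first, then decodes each \\objdata hex
    blob and searches it for the class name or CLSID, because the \\objclass
    control word can be omitted or obfuscated while the object still loads.
    """
    if OBJCLASS_RE.search(rtf):
        return True
    for m in OBJDATA_RE.finditer(rtf):
        hexblob = re.sub(rb"\s", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexblob.decode("ascii"))
        except ValueError:
            continue  # odd-length or truncated hex: not decodable here
        if b"Equation.3" in blob or EQUATION_CLSID_BYTES in blob:
            return True
    return False


def flag_process_events(lines):
    """Return (RecordId, reason) for each process-creation event worth triage.

    EQNEDT32.EXE is started out-of-process by DCOM, so its parent is normally
    svchost.exe rather than WINWORD.EXE; a rule keyed on the Office parent
    misses it. Any Equation Editor launch is rare enough to flag, and any
    child of EQNEDT32.EXE is the post-exploitation tell, whatever the
    dropped file happens to be named or where it lives.
    """
    hits = []
    for line in lines:
        ev = json.loads(line)
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        if parent == EQNEDT:
            hits.append((ev["RecordId"], f"Equation Editor spawned {image}"))
        elif image == EQNEDT:
            hits.append((ev["RecordId"], "Equation Editor started"))
    return hits


# Constructed RTF: OLE1 header (version, embedded format, 11-byte class name
# "Equation.3\0") then filler; a real file would continue with the compound
# file body. Second variant has the \objclass control word stripped.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300"
    rb" 00000000}}}"
)
SAMPLE_RTF_NO_CLASS = (
    rb"{\rtf1\ansi{\object\objemb{\*\objdata 01050000 02000000 0b000000"
    rb" 4571756174696f6e2e3300 00000000}}}"
)
BENIGN_RTF = rb"{\rtf1\ansi Quarterly shipping schedule, no objects.}"

# Constructed Sysmon-style records: Word opened by the user, the Equation
# Editor launched via DCOM, then a shell spawned by the Equation Editor.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"RecordId": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 2,
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"RecordId": 3,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
)]

if __name__ == "__main__":
    print("RTF with objclass:", rtf_has_equation_object(SAMPLE_RTF))
    print("RTF without objclass:", rtf_has_equation_object(SAMPLE_RTF_NO_CLASS))
    print("benign RTF:", rtf_has_equation_object(BENIGN_RTF))
    for rid, reason in flag_process_events(SAMPLE_EVENTS):
        print(f"record {rid}: {reason}")
```

The second check is the one that survives the renaming described above: it keys on the lineage of EQNEDT32.EXE, not on the names or paths of the dropped components, so rotating those does not help the attacker. Hosts that received the January 2018 Office updates no longer carry EQNEDT32.EXE at all, so on a patched estate any launch of it is itself an anomaly worth a look.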