The Acronis Threat Research Unit has uncovered a sophisticated cyber-espionage campaign orchestrated by the SideWinder Advanced Persistent Threat (APT) group, targeting key government and military institutions across South Asia. The latest campaign, which came to light in early 2025, focuses on high-value organizations in Sri Lanka, Bangladesh, and Pakistan, including Sri Lanka’s elite 55 Division of the Army and the Central Bank of Sri Lanka.
According to Acronis TRU, SideWinder employed spear phishing emails embedded with
malicious Word and RTF attachments that exploit two longstanding Microsoft Office
vulnerabilities, CVE-2017-0199 and CVE-2017-11882. Despite being disclosed and patched
years ago, these vulnerabilities remain effective against organizations running outdated
software. The documents are geofenced so that the malicious payload is served only to recipients in specific countries, which lets the attackers evade broad detection systems and home in on precise targets.
Once triggered, the campaign uses a sophisticated, multi-stage intrusion chain. This
includes shellcode-based loaders, server-side polymorphism for dynamic payload delivery,
and credential-stealing malware known as StealerBot. The malware is designed to extract
login credentials from compromised systems, enabling prolonged and stealthy access. These
techniques mark an evolution in SideWinder’s toolkit, aligning with its past activity but
revealing refinements in execution and targeting strategy.
The selection of targets underscores the campaign’s strategic intent. The Sri Lanka Army’s
55 Division, an elite infantry unit with more than 10,000 troops, has recently bolstered its
focus on cyber resilience, making it an appealing target for espionage. Meanwhile, the
Central Bank of Sri Lanka, responsible for national monetary policy, foreign reserves, and
currency issuance, represents a critical node in the country’s financial infrastructure and
governance.
To increase the likelihood of success, SideWinder tailors phishing emails to appear relevant
to the targeted individuals and often uses fake domains that mimic legitimate organizations.
These domains are regularly refreshed. Notably, Acronis observed a sharp uptick in new
domain registrations used in command-and-control infrastructure in January 2025, with 34
new domains registered or repointed, followed by 24 in February and 10 in April, indicating
cycles of preparation and renewed operational focus.
Acronis TRU urges organizations in the public sector, particularly those in South Asia, to
immediately patch vulnerabilities CVE-2017-0199 and CVE-2017-11882, audit infrastructure
for signs of shellcode-based loaders, and deploy advanced threat detection capable of
identifying polymorphic and geofenced payloads.
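As an added example (not Acronis TRU code and not part of the original article), the following Python script sketches the attachment-level audit that the advice above implies: it statically triages a Word (.docx) or RTF file for the indicators commonly associated with the two CVEs named in the report, an external template/OLE relationship or an auto-updating linked object (the CVE-2017-0199 delivery pattern) and an embedded Equation Editor object (the CVE-2017-11882 target). Because the check looks only at document structure, it flags the lure regardless of which country the payload stage is geofenced to. The sample documents are constructed inline and are benign; the host and file names in them are placeholders. A hit is a reason to detonate the file in a sandbox or hold it at the mail gateway, not proof of exploitation.

```python
"""Static triage of Word/RTF attachments for indicators tied to CVE-2017-0199
(remote OLE/template loading) and CVE-2017-11882 (Equation Editor).
Heuristic only: a hit means "detonate in a sandbox", not "confirmed exploit".
Added example, not Acronis TRU code; the sample inputs below are constructed."""
import binascii
import io
import re
import zipfile

# Stream name of Equation Editor data inside an OLE compound file (UTF-16LE).
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")
# RTF control words that make Word refresh a linked object on open, the
# auto-load behaviour abused by CVE-2017-0199 RTF lures.
RTF_AUTOLOAD = ("\\objupdate", "\\objautlink")
# Hex blob that follows \objdata in RTF (whitespace is allowed inside it).
RTF_OBJDATA = re.compile(r"\\objdata\s*((?:[0-9a-fA-F]|\s)+)")
# OOXML relationship that points outside the package (template injection).
EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*\bTargetMode="External"[^>]*/?>')


def _rel_type(rel: str) -> str:
    """Last path component of the relationship Type URI, e.g. attachedTemplate."""
    m = re.search(r'\bType="[^"]*/(\w+)"', rel)
    return m.group(1) if m else "unknown"


def scan_rtf(data: bytes) -> list:
    """Return human-readable findings for an RTF document."""
    text = data.decode("latin-1")  # RTF is 7-bit; latin-1 never fails
    hits = []
    for word in RTF_AUTOLOAD:
        if word in text:
            hits.append(f"rtf: {word} forces a linked object to refresh on open "
                        "(CVE-2017-0199 pattern)")
    if re.search(r"\\objclass\s+Equation\.3", text, re.I):
        hits.append("rtf: \\objclass Equation.3 embeds an Equation Editor object "
                    "(CVE-2017-11882 target)")
    for m in RTF_OBJDATA.finditer(text):
        hexdata = re.sub(r"\s", "", m.group(1))
        blob = bytes.fromhex(hexdata[: len(hexdata) & ~1])  # drop a dangling nibble
        if b"Equation.3" in blob or EQUATION_NATIVE in blob:
            hits.append("rtf: \\objdata payload carries Equation Editor data "
                        "(CVE-2017-11882 target)")
            break
    return hits


def scan_docx(data: bytes) -> list:
    """Return human-readable findings for an OOXML (.docx/.dotm) package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            body = pkg.read(name)
            if name.endswith(".rels"):
                for rel in EXTERNAL_REL.findall(body.decode("utf-8", "replace")):
                    hits.append(f"{name}: external {_rel_type(rel)} relationship pulls "
                                "content from a remote host (CVE-2017-0199 pattern)")
            elif name == "word/document.xml" and b'ProgID="Equation.3"' in body:
                hits.append("word/document.xml: OLEObject with ProgID Equation.3 "
                            "(CVE-2017-11882 target)")
            elif name.startswith("word/embeddings/") and (
                    b"Equation.3" in body or EQUATION_NATIVE in body):
                hits.append(f"{name}: embedded object carries Equation Editor data "
                            "(CVE-2017-11882 target)")
    return hits


def triage(data: bytes) -> list:
    """Dispatch on magic bytes; unknown formats produce no findings."""
    if data.startswith(b"{\\rt"):
        return scan_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return scan_docx(data)
    return []


# ---- constructed sample inputs (benign; host and file names are placeholders) ----
def _build_docx(settings_rels: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
CLEAN_DOCX = _build_docx(
    f'<Relationships><Relationship Id="rId1" Type="{_NS}styles" '
    'Target="styles.xml"/></Relationships>')
REMOTE_TEMPLATE_DOCX = _build_docx(
    f'<Relationships><Relationship Id="rId1" Type="{_NS}attachedTemplate" '
    'Target="http://lure.example.invalid/report.dotm" TargetMode="External"/>'
    '</Relationships>')

BENIGN_RTF = rb"{\rtf1\ansi Quarterly report attached.}"
# Minimal OLE1 header (version, format=embedded, class-name length) + class name.
_OLE1_HEX = binascii.hexlify(
    b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00").decode()
EQUATION_RTF = (rb"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
                rb"{\*\objdata " + _OLE1_HEX.encode() + rb"}}}")

if __name__ == "__main__":
    for label, doc in [("clean.docx", CLEAN_DOCX), ("remote-template.docx", REMOTE_TEMPLATE_DOCX),
                       ("benign.rtf", BENIGN_RTF), ("equation.rtf", EQUATION_RTF)]:
        print(label, triage(doc) or ["no indicators"])
```

Run it over a quarantine folder by feeding each file's bytes to `triage()`; anything that returns findings is a candidate for sandbox detonation. The check is deliberately narrow (two CVE patterns, no macro or shellcode analysis), so it complements rather than replaces the behavioural detection the report recommends for polymorphic payloads.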
The Acronis Threat Research Unit remains committed to identifying, analyzing, and exposing
advanced cyber threats globally. Through timely intelligence and detailed technical analysis,
TRU aims to support governments and organizations in securing their critical digital assets.