Stealth APT: SideWinder Uses PDF Lures and ClickOnce Loaders to Target South Asian Diplomats
The September attack on the embassy of a European nation in New Delhi has exposed the scale of an extensive espionage operation targeting diplomatic missions across several South Asian countries. Experts at Trellix have attributed the activity to the SideWinder group, long known for its operations in the region. This latest phase of the campaign marked a shift in tactics: alongside the group's familiar malicious Word documents, the attackers began using PDF lures that, rather than exploiting a reader vulnerability, prompt the victim to download a ClickOnce application that delivers the payload.
The phishing campaign unfolded in multiple waves between March and September 2025. The first wave targeted institutions in Bangladesh, where recipients were lured with what appeared to be official documents related to the Hajj pilgrimage, accompanied by a prompt to install the latest version of Adobe Reader to view the content.
The download links pointed to attacker-controlled sites styled to mimic legitimate national government portals. During the second phase, which lasted until August, the focus shifted toward Pakistani diplomats. Here the fake Adobe Reader installer was supplemented by Word documents exploiting CVE-2017-0199, a 2017 Microsoft Office OLE remote code execution flaw; these documents imitated official correspondence concerning military and governmental appointments.
By summer and early autumn, the attacks had expanded to Sri Lanka and later returned to India, where diplomatic missions were targeted using counterfeit files themed around intergovernmental meetings, official convoys, and analyses of the India–Pakistan conflict. The technical centerpiece of the attack was a PDF file displaying seemingly blank content alongside a prompt to “install Adobe Reader.” Clicking the button initiated the download of a ClickOnce application from the attackers’ servers.
These applications were signed with a valid MagTek Inc. certificate, sparing them the warnings Windows shows for unsigned or unknown-publisher ClickOnce installs. The attackers did not ship an outright malicious binary. Instead they bundled a legitimate, signed MagTek executable with a malicious DLL named DEVOBJ.dll, which the application loaded from its own directory (DLL side-loading; the name matches a genuine Windows system library). DEVOBJ.dll decrypted and launched the next stage of the intrusion, a .NET loader (App.dll), which in turn fetched the primary payload, known as ModuleInstaller.
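One practical check an analyst can run against a ClickOnce lure of this kind, as an added example that is not part of the Trellix report and not MagTek's or SideWinder's code: parse the deployment manifest (the .application file), extract the signing publisher, the host it installs from and the executable it installs, and flag the mismatch the lure depends on, an "Adobe Reader" installer whose signer is MagTek Inc. and whose deployment host is a lookalike portal. The manifest below is constructed and abridged; the host name, file names, key token and issuer hash are placeholders, and the script does not verify the manifest's Authenticode/XML signature itself.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed, abridged ClickOnce deployment manifest (.application) for
# illustration only. Host name, file names, key token and issuer hash are
# hypothetical placeholders, not indicators from the campaign.
SAMPLE_MANIFEST = """<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity xmlns="urn:schemas-microsoft-com:asm.v1"
      name="AdobeReaderSetup.application" version="1.0.0.0"
      publicKeyToken="0000000000000000" language="neutral"
      processorArchitecture="msil" />
  <deployment install="true">
    <deploymentProvider
        codebase="https://portal.example-gov.invalid/docs/AdobeReaderSetup.application" />
  </deployment>
  <dependency>
    <dependentAssembly dependencyType="install" codebase="AdobeReaderSetup.exe.manifest">
      <assemblyIdentity name="AdobeReaderSetup.exe" version="1.0.0.0" />
    </dependentAssembly>
  </dependency>
  <publisherIdentity name="CN=MagTek Inc., O=MagTek Inc., C=US"
      issuerKeyHash="0000000000000000000000000000000000000000" />
</asmv1:assembly>
"""


def _local(tag):
    """Strip the namespace so asm.v1/asm.v2 elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _cn(distinguished_name):
    """Pull the CN out of an X.500 distinguished name such as 'CN=Foo, O=Bar, C=US'."""
    for part in distinguished_name.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def triage_manifest(xml_text, claimed_vendor):
    """Extract signer, deployment host and installed payload from a ClickOnce
    deployment manifest and flag the social-engineering mismatch: an installer
    presented as one vendor's product, signed by another, served from a third
    party's host. Signature validity is NOT checked here; that is a separate step."""
    root = ET.fromstring(xml_text)
    result = {"publisher_cn": None, "deployment_host": None, "payload": None,
              "install": False, "findings": []}
    for el in root.iter():
        name = _local(el.tag)
        if name == "publisherIdentity":
            result["publisher_cn"] = _cn(el.get("name", ""))
        elif name == "deployment":
            result["install"] = el.get("install", "").lower() == "true"
        elif name == "deploymentProvider":
            result["deployment_host"] = urlparse(el.get("codebase", "")).hostname
        elif name == "dependentAssembly" and el.get("dependencyType") == "install":
            ident = next((c for c in el if _local(c.tag) == "assemblyIdentity"), None)
            if ident is not None:
                result["payload"] = ident.get("name")

    publisher = (result["publisher_cn"] or "").lower()
    # Finding 1: the product the lure claims to be is not the signer's.
    if claimed_vendor.lower() not in publisher:
        result["findings"].append(
            f"installer presented as {claimed_vendor} but signed by '{result['publisher_cn']}'")
    # Finding 2 (rough heuristic): an install-mode manifest served from a host
    # that does not even mention the signer's name.
    host = result["deployment_host"] or ""
    signer_tokens = [t for t in publisher.replace(".", " ").split() if len(t) > 3]
    if result["install"] and host and not any(t in host for t in signer_tokens):
        result["findings"].append(
            f"install-mode manifest served from {host}, which does not reference the signer")
    return result


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST, claimed_vendor="Adobe").items():
        print(f"{key}: {value}")
```

Run on the constructed manifest with `claimed_vendor="Adobe"`, the script reports the signer as MagTek Inc., the payload as AdobeReaderSetup.exe and the host as the lookalike portal, and raises both findings; a valid signature is necessary but not sufficient, and the question to ask of any signed installer is whether the signer is who the lure says it is.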
ModuleInstaller performed reconnaissance on the compromised system before retrieving several additional files: auxiliary libraries, encrypted objects, and a main executable named TapiUnattend.exe. This executable was used to side-load yet another DLL, wdscore.dll, which contained the core espionage functionality.
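Both stages above follow the same pattern: a legitimately signed executable loads a DLL carrying a Windows system library name (DEVOBJ.dll, wdscore.dll) from its own directory rather than from System32, and in the second stage the host executable (TapiUnattend.exe) is itself a Windows binary running from an unusual location. The following detection sketch, an added example rather than anything published by Trellix, runs those three checks over constructed Sysmon Event ID 7 (ImageLoad) records; the user paths and the MagTek executable's file name are hypothetical.

```python
from pathlib import PureWindowsPath

# Windows DLL names that normally resolve to System32 and have been abused for
# side-loading. The two from this campaign are listed; extend as needed.
SYSTEM_DLL_NAMES = {"devobj.dll", "wdscore.dll"}
# Windows executables that should not normally run from outside the system tree.
SYSTEM_EXE_NAMES = {"tapiunattend.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

# Constructed Sysmon Event ID 7 (ImageLoad) records, reduced to the fields the
# checks need. Paths and the MagTek executable name are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\devobj.dll", "Signed": "true"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\mt\MagTekApp.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\mt\DEVOBJ.dll", "Signed": "false"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\mt\TapiUnattend.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\mt\wdscore.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\TapiUnattend.exe",
     "ImageLoaded": r"C:\Windows\System32\wdscore.dll", "Signed": "true"},
]


def _in_system_dir(path):
    """True if the file's parent directory is under one of the Windows system trees."""
    return str(PureWindowsPath(path).parent).lower().startswith(SYSTEM_DIRS)


def check_image_load(event):
    """Return the reasons (possibly none) an ImageLoad event looks like DLL side-loading."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    process = PureWindowsPath(event["Image"])
    reasons = []
    # 1. A DLL with a system library name resolved somewhere other than System32.
    if loaded.name.lower() in SYSTEM_DLL_NAMES and not _in_system_dir(loaded):
        reasons.append(f"system DLL name {loaded.name} loaded from {loaded.parent}")
    # 2. An unsigned DLL loaded from the executable's own directory (search-order abuse).
    #    PureWindowsPath compares case-insensitively, as Windows does.
    if event.get("Signed", "").lower() == "false" and loaded.parent == process.parent:
        reasons.append(f"unsigned DLL {loaded.name} loaded from {process.name}'s own directory")
    # 3. A Windows binary copied out of the system tree to act as the side-loading host.
    if process.name.lower() in SYSTEM_EXE_NAMES and not _in_system_dir(process):
        reasons.append(f"Windows binary {process.name} executing from {process.parent}")
    return reasons


def hunt(events):
    """Index/reasons pairs for every event that triggers at least one check."""
    hits = []
    for index, event in enumerate(events):
        reasons = check_image_load(event)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['Image']}")
        for reason in reasons:
            print(f"    - {reason}")
```

The two benign records (svchost loading the real devobj.dll, and TapiUnattend.exe loading wdscore.dll from System32) produce no output; the two relocated loads do. Because the payloads in this campaign were compiled per recipient, behavioural rules of this shape survive where hash-based indicators do not.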
The final stage of the infection chain was StealerBot, a modular implant extensible through plugins, among them an IPHelper module used for traffic proxying. All command-and-control communication ran over HTTPS, and the servers geo-blocked requests so that malicious components were served only to clients whose IP geolocation matched the targeted region.
The attackers also relied on dynamically generated URLs and time-limited payload availability: a download link extracted from a sample was frequently dead by the time an analyst tried to fetch it, making re-analysis nearly impossible once a sample had expired. Most domains went offline within days, and nearly every payload was compiled uniquely for each recipient, so file hashes and other static indicators of compromise were of little use across victims.
Attribution of this operation to SideWinder rests on a confluence of factors: the familiar regional focus on South Asia, recurring phishing themes, the use of signature malicious tools, and the reappearance of infrastructure linked to previous incidents. Domains historically tied to the group resurfaced during the investigation, and the combination of PDF lures, layered loaders, and espionage modules closely mirrors SideWinder’s past campaigns.
According to researchers, this operation demonstrates meticulous preparation and sophisticated concealment techniques. The use of legitimate signed applications, geographic filtering, and constantly shifting infrastructure underscores that SideWinder continues to refine its arsenal and sharpen its tradecraft, deliberately targeting the governmental institutions of the South Asian region.