SideWinder uses new ClickOnce technique in cyberattacks targeting South Asian embassies

Views: 887

433/68 Thursday, October 30, 2025

Researchers at Trellix revealed that the SideWinder threat group developed a new infection technique that uses PDF files and a ClickOnce-based infection chain instead of the group’s prior Word-document methods. The campaign, active between March and September 2025, targeted European embassies in India as well as organizations in Sri Lanka, Pakistan, and Bangladesh.

The spear-phishing emails carried fake PDF/Word attachments with names such as “Inter-ministerial meeting Credentials.pdf” or “India-Pakistan Conflict – Strategic and Tactical Analysis.docx.” When victims open the PDF, they are tricked into “installing the latest Adobe Reader,” but instead the PDF initiates a ClickOnce deployment from a malicious server to sideload a DLL (DEVOBJ.dll) and install a ModuleInstaller component that downloads and runs StealerBot.

The attackers abused a legitimate, digitally signed ClickOnce application (ReaderConfiguration.exe) from MagTek Inc. as a decoy, helping the payload evade detection. The malicious DLL loads ModuleInstaller, which installs the main implant StealerBot, a payload capable of stealing keystrokes, passwords, files, and screenshots, opening a reverse shell, and fetching additional malware. Researchers say this campaign demonstrates SideWinder’s growing sophistication and adaptability in espionage operations targeting diplomatic entities, aiming to collect strategic intelligence in the South Asia region.
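The chain described above (PDF reader spawning a ClickOnce deployment, a signed ClickOnce app then loading a DLL named like a Windows system library from its own directory) can be expressed as a small correlation rule over endpoint telemetry. The following is an added example, not code from Trellix or the article: it runs over constructed Sysmon-style process-creation and image-load records (the dictionary layout, pids and file paths are assumptions for this example, as is the `xxxx` ClickOnce cache folder name) and flags a ClickOnce host (`dfsvc.exe`) launched by a PDF reader, plus any `devobj.dll` loaded from outside the Windows system directories, raising the severity when the loading process descends from the ClickOnce host.

```python
"""Correlation rule for the PDF -> ClickOnce -> DLL-sideload chain.

Added example. The telemetry below is constructed for illustration; the record
layout mimics Sysmon event 1 (process create) and event 7 (image load) but is an
assumption, not a real log format.
"""
import ntpath

PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}
CLICKONCE_HOST = "dfsvc.exe"  # the ClickOnce deployment service host process
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL name taken from the report; the legitimate copy lives in System32, so a load
# from any other directory is the sideloading signal worth alerting on.
SIDELOAD_WATCHLIST = {"devobj.dll"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def in_system_dir(path: str) -> bool:
    """True when the path sits under System32/SysWOW64."""
    return path.lower().startswith(SYSTEM_DIRS)


def descends_from(procs, pid, ancestor_image, max_depth=16):
    """Walk pid -> ppid upward; True if this process or any ancestor has the image name."""
    cur = pid
    for _ in range(max_depth):  # bounded so a cyclic/garbled tree cannot loop forever
        entry = procs.get(cur)
        if entry is None:
            return False
        image, ppid = entry
        if image == ancestor_image:
            return True
        cur = ppid
    return False


def analyze(events):
    """Return (rule, pid, detail) findings for the supplied telemetry."""
    procs = {}  # pid -> (image basename, ppid)
    findings = []
    for ev in events:  # first pass builds the process tree so ordering does not matter
        if ev["type"] == "process_create":
            procs[ev["pid"]] = (basename(ev["image"]), ev["ppid"])
    for ev in events:
        if ev["type"] == "process_create":
            image = basename(ev["image"])
            parent = procs.get(ev["ppid"], ("<unknown>", None))[0]
            if image == CLICKONCE_HOST and parent in PDF_READERS:
                findings.append(("pdf_spawned_clickonce", ev["pid"], f"{parent} -> {image}"))
        elif ev["type"] == "image_load":
            dll_path = ev["image_loaded"]
            if basename(dll_path) in SIDELOAD_WATCHLIST and not in_system_dir(dll_path):
                host = procs.get(ev["pid"], ("<unknown>", None))[0]
                sev = "high" if descends_from(procs, ev["pid"], CLICKONCE_HOST) else "medium"
                findings.append((f"sideload_{sev}", ev["pid"], f"{host} loaded {dll_path}"))
    return findings


# Constructed sample: one malicious chain plus a benign control (the real devobj.dll
# loaded from System32). Paths and pids are invented for the example.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe"},
    {"type": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    {"type": "process_create", "pid": 400, "ppid": 300,
     "image": r"C:\Users\u\AppData\Local\Apps\2.0\xxxx\ReaderConfiguration.exe"},
    {"type": "image_load", "pid": 400,
     "image_loaded": r"C:\Users\u\AppData\Local\Apps\2.0\xxxx\DEVOBJ.dll"},
    {"type": "process_create", "pid": 500, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "image_load", "pid": 500, "image_loaded": r"C:\Windows\System32\devobj.dll"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

On the sample data the rule produces two findings, the `dfsvc.exe` launch under the PDF reader and the high-severity `DEVOBJ.dll` load by the ClickOnce-launched process, while the `svchost.exe` load of the genuine `devobj.dll` from System32 stays silent. The two-pass design matters in practice: image-load events often arrive before the process-create record of the parent, so the tree is built before any rule is evaluated.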

Source: https://thehackernews.com/2025/10/sidewinder-adopts-new-clickonce-based.html