Ministry of Defence, Ministry of Finance and Ministry of Defence: South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware

SideWinder Targets South Asian Governments in Sophisticated Cyber Espionage Campaign

A newly uncovered cyber espionage campaign by the threat actor SideWinder has targeted high-level government institutions in Sri Lanka, Bangladesh, and Pakistan, according to researchers at Acronis. The attacks, which align with tactics previously documented by Kaspersky in March 2025, employed spear-phishing emails with geofenced payloads to ensure only victims in specific countries received malicious content.

Among the compromised entities were Bangladesh’s Telecommunication Regulatory Commission, Ministry of Defence, and Ministry of Finance; Pakistan’s Directorate of Indigenous Technical Development; and Sri Lanka’s Department of External Resources, Department of Treasury Operations, Ministry of Defence, and Central Bank. The campaign exploited two long-standing Microsoft Office vulnerabilities, CVE-2017-0199 (remote code execution) and CVE-2017-11882 (memory corruption in Equation Editor), to deploy StealerBot, a .NET-based malware.

The attack chain began with malicious documents that triggered CVE-2017-0199, delivering next-stage payloads via DLL side-loading to install StealerBot. A key tactic involved geofencing: if a victim’s IP address did not match the targeted region, an empty RTF file was sent as a decoy. The final payload, an RTF file exploiting CVE-2017-11882, executed a shellcode-based loader to deploy StealerBot, which is designed to steal screenshots, keystrokes, passwords, and files, establish a reverse shell, and drop additional malware.
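The chain above gives a defender three document-level traits to look for on the mail gateway or in a sandbox queue: a near-empty RTF (the geofenced decoy), an RTF carrying an OLE object set to auto-update (the pattern associated with CVE-2017-0199), and an RTF embedding an Equation Editor object (the component targeted by CVE-2017-11882). The Python triage script below is an added illustration of such a check; it is not code from Acronis, Kaspersky, or this page. The control words, ProgID and CLSID it uses as indicators are assumptions drawn from public documentation of the two CVEs rather than indicators published on this page, the size threshold is an arbitrary choice, and the sample documents are constructed for the example.

```python
"""RTF attachment triage (added example, not tooling from the campaign reports).

Flags three traits described in the SideWinder chain:
  * near-empty RTF files (the geofenced decoy),
  * OLE objects marked for automatic update (RTF pattern tied to CVE-2017-0199),
  * embedded Equation Editor objects (component targeted by CVE-2017-11882).
Indicator choices below are assumptions from public CVE write-ups.
"""
import re

# OLE markers searched for inside decoded \objdata payloads.
EQUATION_PROGID = b"Equation.3"
# CLSID {0002CE02-0000-0000-C000-000000000046} (Equation Editor 3.0) in its
# on-disk byte order: first three GUID fields little-endian, last two as written.
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

# Assumption: a decoy RTF is little more than a bare header.
MIN_MEANINGFUL_LEN = 32

# \objdata groups hold the OLE payload as hex text.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

# Constructed sample documents (not real samples from the campaign).
SAMPLES = {
    "decoy_empty.rtf": b"{\\rtf1}",
    "benign.rtf": b"{\\rtf1\\ansi Quarterly budget note.\\par }",
    "ole_autoupdate.rtf": (
        b"{\\rtf1{\\object\\objautlink\\objupdate"
        b"{\\*\\objdata 0105000002000000}}}"
    ),
    "equation_editor.rtf": (
        b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
        b"{\\*\\objdata 4571756174696f6e2e33}}}"
    ),
}


def _decode_objdata(data: bytes) -> list[bytes]:
    """Return the binary payload of every \\objdata group in the document."""
    blobs = []
    for m in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue
    return blobs


def triage_rtf(data: bytes) -> list[str]:
    """Return a list of findings for one RTF document (empty list = nothing flagged)."""
    findings = []
    if not data.lstrip().startswith(b"{\\rtf"):
        return ["not-rtf"]
    if len(data) < MIN_MEANINGFUL_LEN and b"\\object" not in data:
        findings.append("near-empty (possible geofence decoy)")
    if b"\\object" in data:
        findings.append("embedded OLE object")
        if b"\\objupdate" in data:
            findings.append("OLE auto-update (CVE-2017-0199 pattern)")
        blobs = _decode_objdata(data)
        if b"\\objclass Equation" in data or any(
            EQUATION_PROGID in b or EQUATION_CLSID in b for b in blobs
        ):
            findings.append("Equation Editor object (CVE-2017-11882 pattern)")
    return findings


def triage_all(samples: dict = SAMPLES) -> dict:
    """Run triage_rtf over a name -> bytes mapping and return name -> findings."""
    return {name: triage_rtf(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {findings or 'clean'}")
```

The checks are deliberately cheap string and hex scans so they can run inline on a mail flow; a hit should route the attachment to detonation rather than block outright, since `\objupdate` and Equation Editor objects also occur in legitimate documents. Feeding the decoder with `bytes.fromhex` means a malformed `\objdata` group is skipped instead of aborting the scan, which matters when attackers pad or break the hex to evade simpler signatures.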

Acronis researchers noted that SideWinder has maintained a consistent operational tempo, reflecting sustained intent and organizational continuity. The group’s precision targeting, delivering payloads only to carefully selected victims and often for limited durations, underscores its high degree of control over attack execution. The campaign highlights the persistent threat posed by advanced cyber espionage actors to critical government infrastructure in South Asia.

Source: https://thehackernews.com/2025/05/south-asian-ministries-hit-by.html

Ministry of Home Affairs, Bangladesh cybersecurity rating report: https://www.rankiteo.com/company/ministry-of-home-affairs-bangladesh

"id": "MIN1775638175",
"linkid": "ministry-of-home-affairs-bangladesh",
"type": "Cyber Attack",
"date": "3/2025",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': 'Telecommunications',
                        'location': 'Bangladesh',
                        'name': 'Bangladesh’s Telecommunication Regulatory '
                                'Commission',
                        'type': 'Government'},
                       {'industry': 'Defence',
                        'location': 'Bangladesh',
                        'name': 'Bangladesh’s Ministry of Defence',
                        'type': 'Government'},
                       {'industry': 'Finance',
                        'location': 'Bangladesh',
                        'name': 'Bangladesh’s Ministry of Finance',
                        'type': 'Government'},
                       {'industry': 'Defence/Technology',
                        'location': 'Pakistan',
                        'name': 'Pakistan’s Directorate of Indigenous '
                                'Technical Development',
                        'type': 'Government'},
                       {'industry': 'Government Administration',
                        'location': 'Sri Lanka',
                        'name': 'Sri Lanka’s Department of External Resources',
                        'type': 'Government'},
                       {'industry': 'Finance',
                        'location': 'Sri Lanka',
                        'name': 'Sri Lanka’s Department of Treasury Operations',
                        'type': 'Government'},
                       {'industry': 'Defence',
                        'location': 'Sri Lanka',
                        'name': 'Sri Lanka’s Ministry of Defence',
                        'type': 'Government'},
                       {'industry': 'Finance/Banking',
                        'location': 'Sri Lanka',
                        'name': 'Sri Lanka’s Central Bank',
                        'type': 'Government'}],
 'attack_vector': 'Spear-phishing emails',
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Screenshots, keystrokes, '
                                             'passwords, files'},
 'description': 'A newly uncovered cyber espionage campaign by the threat '
                'actor SideWinder has targeted high-level government '
                'institutions in Sri Lanka, Bangladesh, and Pakistan. The '
                'attacks employed spear-phishing emails with geofenced '
                'payloads to ensure only victims in specific countries '
                'received malicious content. The campaign exploited two '
                'long-standing Microsoft Office vulnerabilities (CVE-2017-0199 '
                'and CVE-2017-11882) to deploy StealerBot, a .NET-based '
                'malware designed to steal screenshots, keystrokes, passwords, '
                'and files, establish a reverse shell, and drop additional '
                'malware.',
 'impact': {'data_compromised': 'Screenshots, keystrokes, passwords, files'},
 'initial_access_broker': {'backdoors_established': 'DLL side-loading',
                           'entry_point': 'Spear-phishing emails',
                           'high_value_targets': 'Government institutions'},
 'motivation': 'Espionage',
 'post_incident_analysis': {'root_causes': 'Exploitation of unpatched '
                                           'Microsoft Office vulnerabilities '
                                           '(CVE-2017-0199, CVE-2017-11882)'},
 'references': [{'source': 'Acronis'}, {'source': 'Kaspersky'}],
 'threat_actor': 'SideWinder',
 'title': 'SideWinder Targets South Asian Governments in Sophisticated Cyber '
          'Espionage Campaign',
 'type': 'Cyber Espionage',
 'vulnerability_exploited': ['CVE-2017-0199', 'CVE-2017-11882']}