Maritime and logistics companies in South and Southeast Asia, the Middle East, and Africa have become the target of an advanced persistent threat (APT) group dubbed SideWinder.
The attacks, observed by Kaspersky in 2024, spread across Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam. Other targets of interest include nuclear power plants and nuclear energy infrastructure in South Asia and Africa, as well as telecommunication, consulting, IT service companies, real estate agencies, and hotels.
In what appears to be a wider expansion of its victimology footprint, SideWinder has also targeted diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda. The targeting of India is significant as the threat actor was previously suspected to be of Indian origin.
“It is worth noting that SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems,” researchers Giampaolo Dedola and Vasily Berdnikov said, describing it as a “highly advanced and dangerous adversary.”
SideWinder was previously the subject of an extensive analysis by the Russian cybersecurity company in October 2024, documenting the threat actor’s use of a modular post-exploitation toolkit called StealerBot to capture a wide range of sensitive information from compromised hosts. The hacking group’s targeting of the maritime sector was also highlighted by BlackBerry in July 2024.
The latest attack chains align with what has been reported before, with the spear-phishing emails acting as a conduit to deliver booby-trapped documents that leveraged a known security vulnerability in Microsoft Office Equation Editor (CVE-2017-11882) in order to activate a multi-stage sequence, which in turn, employs a .NET downloader named ModuleInstaller to ultimately launch StealerBot.
Kaspersky said some of the lure documents are related to nuclear power plants and nuclear energy agencies, while others included content referencing maritime infrastructures and various port authorities.
“They are constantly monitoring detections of their toolset by security solutions,” Kaspersky said. “Once their tools are identified, they respond by generating a new and modified version of the malware, often in under five hours.”
“If behavioral detections occur, SideWinder tries to change the techniques used to maintain persistence and load components. Additionally, they change the names and paths of their malicious files.”
