High-level government institutions in Sri Lanka, Bangladesh, and Pakistan have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder.
“The attackers used spear phishing emails paired with geofenced payloads to ensure that only victims in specific countries received the malicious content,” Acronis researchers Santiago Pontiroli, Jozsef Gegeny, and Prakas Thevendaran said in a report shared with The Hacker News.
The attack chains leverage spear-phishing lures as a starting point to activate the infection process and deploy a known malware referred to as StealerBot. It’s worth pointing out that the modus operandi is consistent with recent SideWinder attacks documented by Kaspersky in March 2025.
Some of the targets of the campaign, per Acronis, include Bangladesh’s Telecommunication Regulatory Commission, Ministry of Defence, and Ministry of Finance; Pakistan’s Directorate of Indigenous Technical Development; and Sri Lanka’s Department of External Resources, Department of Treasury Operations, Ministry of Defence, and Central Bank.
The attacks are characterized by the use of years-old remote code execution flaws in Microsoft Office (CVE-2017-0199 and CVE-2017-11882) as initial vectors to deploy malware capable of maintaining persistent access in government environments across South Asia.
The malicious documents, when opened, trigger an exploit for CVE-2017-0199 to deliver next-stage payloads that are responsible for installing StealerBot by means of DLL side-loading techniques.
One noteworthy tactic adopted by SideWinder is that the spear-phishing emails are coupled with geofenced payloads to ensure that only victims meeting the targeting criteria are served the malicious content. In the event the victim’s IP address does not match, an empty RTF file is sent instead as a decoy.
The malicious payload is an RTF file that weaponizes CVE-2017-11882, a memory corruption vulnerability in the Equation Editor, to launch a shellcode-based loader that runs the StealerBot malware.
StealerBot, according to Kaspersky, is a .NET implant that’s engineered to drop additional malware, launch a reverse shell, and collect a wide range of data from compromised hosts, including screenshots, keystrokes, passwords, and files.
“SideWinder has demonstrated consistent activity over time, maintaining a steady pace of operations without prolonged inactivity — a pattern that reflects organizational continuity and sustained intent,” the researchers said.
“A closer analysis of their tactics, techniques, and procedures (TTPs) reveals a high degree of control and precision, ensuring that malicious payloads are delivered only to carefully selected targets, and often only for a limited time.”
