ClickOnce Deception: SideWinder’s New Path to Diplomats

Amber | Attack Report

Summary

The SideWinder threat group—also known as Rattlesnake, Razor Tiger, T-APT-04, APT-C-17, Hardcore Nationalist, and BabyElephant—has launched a highly targeted espionage campaign across South and Southeast Asia, primarily focusing on diplomatic entities in Sri Lanka, Pakistan, Bangladesh, and India.

Discovered in March 2025, this ClickOnce-based attack chain marks a significant shift in SideWinder's tradecraft: where the group previously relied on Microsoft Word exploits, it now also delivers malware through malicious PDFs and deceptive "Adobe Reader update" prompts. Accepting the prompt triggers a multi-stage infection chain that installs custom spyware components such as ModuleInstaller and StealerBot.

This operation blends social engineering, software impersonation, and geofenced payload delivery to infiltrate diplomatic networks, exfiltrate classified information, and evade detection. The geopolitical themes of the lures—ranging from defense policy and religious affairs to government correspondence—underscore the group’s continued focus on intelligence collection across South Asia.


Attack Details

Campaign Timeline and Scope

Between March and September 2025, SideWinder executed a series of phishing campaigns designed to exploit regional trust and official workflows. The attacks were first detected targeting a European embassy in New Delhi, followed by incidents impacting government and diplomatic bodies in Sri Lanka, Pakistan, and Bangladesh.

Each wave of attacks used locally themed lures to increase credibility:

  • Bangladesh: Fraudulent Hajj registration and medical training documents.
  • Pakistan: Defense procurement and political appointment notices.
  • Sri Lanka: Files mimicking defense personnel transfers and promotion letters.
  • India: Documents referencing bilateral conflicts and diplomatic meetings.

Technical Execution

The campaign continued to exploit CVE-2017-0199, a long-patched Microsoft Office OLE remote code execution flaw, in parallel with the new PDF-based vector. In the PDF path, the lure document presented a fake "Adobe Reader update" prompt; accepting it retrieved a signed ClickOnce application from attacker-controlled hosting (every staging URL in the IoC list below ends in /adobe-reader) that masqueraded as legitimate software.

Behind this facade the ClickOnce package abused DLL sideloading: the application loaded a malicious DEVOBJ.dll placed in its own directory instead of the Windows system library of that name, which legitimately lives only in %SystemRoot%\System32 (or SysWOW64 for 32-bit processes). That hijacked load started a multi-stage payload chain:

  1. Stage 1 – Loader: Decrypts embedded resources and executes secondary payloads.
  2. Stage 2 – ModuleInstaller: Deploys custom espionage modules.
  3. Stage 3 – StealerBot: Collects sensitive files, login credentials, and network metadata.
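The chain above can be hunted from endpoint telemetry. The following is an added example, not code from the report or from the threat group: a small Python detector over constructed Sysmon-style events that flags a process launched by dfsvc.exe (the .NET ClickOnce deployment service) which then loads a DEVOBJ.dll from anywhere other than the Windows system directories. The event layout, the ClickOnce cache paths and the AdobeReaderUpdate.exe name are assumptions made for the sample; that ClickOnce apps are launched by dfsvc.exe and that devobj.dll belongs in System32 are Windows facts.

```python
"""Hunt for the ClickOnce -> DLL-sideload chain described above.

Added example, not code from the report or the threat group. It assumes
Sysmon-style records with the fields in Event; the SAMPLE events, the
ClickOnce cache paths and the AdobeReaderUpdate.exe name are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple
import ntpath

# Windows facts the detection rests on:
# - ClickOnce deployments are launched by the .NET deployment service dfsvc.exe.
# - devobj.dll is a Windows system library whose legitimate home is
#   %SystemRoot%\System32 (or SysWOW64 for 32-bit processes); a copy loaded
#   from anywhere else is a search-order hijack / sideload.
CLICKONCE_HOST = "dfsvc.exe"
HIJACKED_DLL = "devobj.dll"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    event_id: int           # Sysmon numbering: 1 = process create, 7 = image load
    pid: int
    image: str              # image path of the process
    parent_image: str = ""  # event 1 only
    loaded: str = ""        # event 7 only: path of the DLL that was loaded


def norm(path: str) -> str:
    """Case-fold and unify separators so prefix checks are reliable."""
    return path.replace("/", "\\").lower()


def is_clickonce_child(e: Event) -> bool:
    """Process creation whose parent is the ClickOnce runtime."""
    return e.event_id == 1 and ntpath.basename(norm(e.parent_image)) == CLICKONCE_HOST


def is_sideloaded_devobj(e: Event) -> bool:
    """Image load of a devobj.dll that does not come from a system directory."""
    if e.event_id != 7:
        return False
    path = norm(e.loaded)
    return ntpath.basename(path) == HIJACKED_DLL and not path.startswith(SYSTEM_DIRS)


def find_sideload_chains(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (pid, image, dll_path) for processes that dfsvc.exe spawned and that
    later loaded a non-system devobj.dll. Requiring both signals keeps the rule
    quiet: legitimate ClickOnce apps exist, and devobj.dll loads from System32
    are routine."""
    clickonce_pids = {e.pid: e.image for e in events if is_clickonce_child(e)}
    hits = []
    for e in events:
        if is_sideloaded_devobj(e) and e.pid in clickonce_pids:
            hits.append((e.pid, clickonce_pids[e.pid], e.loaded))
    return hits


# Constructed sample telemetry. PID 4120 is a benign control: a normal program
# loading the real devobj.dll from System32. PID 5316 is the chain from the report.
SAMPLE = [
    Event(1, 4120, r"C:\Program Files\Vendor\Tool.exe",
          parent_image=r"C:\Windows\explorer.exe"),
    Event(7, 4120, r"C:\Program Files\Vendor\Tool.exe",
          loaded=r"C:\Windows\System32\devobj.dll"),
    Event(1, 5316, r"C:\Users\alice\AppData\Local\Apps\2.0\K2YQ9X3M\AdobeReaderUpdate.exe",
          parent_image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"),
    Event(7, 5316, r"C:\Users\alice\AppData\Local\Apps\2.0\K2YQ9X3M\AdobeReaderUpdate.exe",
          loaded=r"C:\Users\alice\AppData\Local\Apps\2.0\K2YQ9X3M\DEVOBJ.dll"),
]

if __name__ == "__main__":
    for pid, image, dll in find_sideload_chains(SAMPLE):
        print(f"ALERT pid={pid} image={image} sideloaded={dll}")
```

Either signal on its own is noisy; joining them on the process ID is what makes the rule precise enough to page on. In a real deployment the SAMPLE list is replaced by events pulled from the SIEM, keyed on the same parent-image and image-load fields.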

Operational Security and Stealth

SideWinder demonstrated advanced evasion techniques including:

  • Geofenced payloads restricted to specific countries.
  • Rapid URL rotation and short-lived download links.
  • Spoofed government domains mimicking ministries and embassies.

This meticulous execution suggests strong operational discipline, with each campaign fine-tuned to align with regional political developments.


Recommendations

  1. Be Cautious with Attachments and Updates
    Verify the sender before opening PDF or Word attachments, even when they appear official. A document that asks you to install an "Adobe Reader update" before it will open is a red flag: Adobe Reader has its own updater and never depends on a link embedded in a PDF.
  2. Block Fake Software Update Mechanisms
    Disable automatic installation prompts from documents or non-approved sources. For ClickOnce specifically, the .NET trust manager can refuse deployments from the Internet and UntrustedSites zones (set those values under HKLM\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel to Disabled, which leaves only publishers already in the Trusted Publishers store able to install), and the dfsvc.exe launcher can be restricted with application control where ClickOnce is not a business need.
  3. Patch Legacy Vulnerabilities
    Apply security updates for Microsoft Office and related components. CVE-2017-0199 has had a fix available since April 2017; a host that is still exploitable by it indicates a wider patch-management gap.
  4. Implement Network-Based Restrictions
    Restrict outbound access to unverified or newly registered domains. Use DNS filtering and firewall policies to block the staging and command-and-control (C2) infrastructure listed under Indicators of Compromise, and watch for the campaign's hostname pattern: a ministry or agency name with its dots replaced by dashes (mofa-gov-bd, cabinet-gov-pk, www-treasury-gov-lk) prefixed to an unrelated commercial domain.
  5. Enhance Endpoint Detection and Response (EDR)
    Deploy EDR capable of surfacing ClickOnce abuse and DLL sideloading, and alert on the specific chain seen here: a process spawned by dfsvc.exe that loads a DEVOBJ.dll from outside %SystemRoot%\System32. Behavioural analytics are useful for the unknown cases, but this chain is concrete enough to deserve a precise rule of its own.

Indicators of Compromise (IoCs)

SHA256 Hashes:
06da4a5755a81785f68caf75cca2b7a41c3aa9b4af24d2bb93964abf87343869
09b96a2426f8ddcc20aa58a72ad147d410525f1a4a42835b7ece126211537b3b
0f407b9b1cffa88edfe5a439f316dd41eea2fc47ba24a8dd986a6ffe520cb66b
32febd24765e996c8f01f77f02b02af3e35914ea215f98fcf2054a15a5bb0262
341a21538b90c87b40e150967519a695f2c339befde232e2f3cd85caf6885803
(additional hashes listed in full report)

Domains:
mos-gov-bd[.]snagdrive[.]com
mofa-gov-bd[.]filenest[.]live
www-treasury-gov-lk[.]snagdrive[.]com
pimec-paknavy[.]updates-installer[.]store
hajjtraining2025[.]moragovt[.]net
adobe[.]pdf-downlod[.]com
cabinet-gov-pk[.]dytt888[.]net
hajjmedicalteam[.]adobeglobal[.]com

URLs:
hxxps[:]//adobe[.]pdf-downlod[.]com/updates-b1139620/adobe-reader
hxxps[:]//pubad-gov-lk[.]download-doc[.]net/09c3c5c1/adobe-reader
hxxps[:]//mofa-gov-bd[.]filenest[.]live/48686010/adobe-reader
hxxps[:]//pimec-paknavy[.]updates-installer[.]store/1/7ab8fb0a/adobe-reader
hxxps[:]//hajjmedicalteam[.]adobeglobal[.]com/bangladesh/73439525/adobe-reader

Emails:
ds.plann2@mos[.]gov[.]bd[.]pk-mail[.]org
p2@mofa[.]gov[.]bd[.]pk-mail[.]org
js.admn@pmo[.]gov[.]pk-mail[.]org
asresearch@mofa[.]gov[.]bd[.]pk-mail[.]org
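To put the lists above to use, the following added example (not HivePro's code) refangs the defanged indicators, matches them against constructed web-proxy log lines, and adds a pattern rule for the campaign's staging-URL shape: every listed URL ends in /adobe-reader on a host Adobe does not own, so a rotated host that is not yet on the domain list is still caught. The IoC values are the ones listed above; the log format, the timestamps and the finance-gov-lk.example-cdn.net host are constructed for this example.

```python
"""Match the indicators above against web-proxy logs.

Added example, not HivePro's code. The IoC values are taken from the lists above;
the LOG lines, their format and the finance-gov-lk.example-cdn.net host are
constructed for this example.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Undo the defanging used in the lists: [.] -> ., [:] -> :, hxxp(s) -> http(s)."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxps", "https").replace("hxxp", "http"))


DOMAINS = {refang(d) for d in (
    "mos-gov-bd[.]snagdrive[.]com",
    "mofa-gov-bd[.]filenest[.]live",
    "www-treasury-gov-lk[.]snagdrive[.]com",
    "adobe[.]pdf-downlod[.]com",
    "hajjmedicalteam[.]adobeglobal[.]com",
)}
URLS = {refang(u) for u in (
    "hxxps[:]//adobe[.]pdf-downlod[.]com/updates-b1139620/adobe-reader",
    "hxxps[:]//mofa-gov-bd[.]filenest[.]live/48686010/adobe-reader",
)}

# Behavioural rule: every staging URL in the advisory ends in /adobe-reader on a
# host Adobe does not own. It catches rotated hosts before they reach the IoC list.
LURE_PATH = re.compile(r"/adobe-reader/?$")
ADOBE_OWNED = (".adobe.com",)


def classify(url: str) -> Optional[str]:
    """Return 'ioc-url', 'ioc-domain', 'lure-pattern', or None for a clean URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if url in URLS:
        return "ioc-url"
    if host in DOMAINS:
        return "ioc-domain"
    if LURE_PATH.search(parts.path) and not host.endswith(ADOBE_OWNED):
        return "lure-pattern"
    return None


# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>"
LOG = """\
2025-04-02T09:14:03Z 10.20.1.44 GET https://www.adobe.com/reader/ 200
2025-04-02T09:15:11Z 10.20.1.44 GET https://mofa-gov-bd.filenest.live/48686010/adobe-reader 200
2025-04-02T09:15:12Z 10.20.1.44 GET https://mos-gov-bd.snagdrive.com/favicon.ico 404
2025-04-02T09:16:40Z 10.20.1.57 GET https://finance-gov-lk.example-cdn.net/5d1e9a7b/adobe-reader 200
2025-04-02T09:17:02Z 10.20.1.57 GET https://intranet.example.org/portal 200
"""


def scan(log: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, url, verdict) for every line that matches."""
    hits = []
    for line in log.splitlines():
        ts, client, _method, url, _status = line.split()
        verdict = classify(url)
        if verdict:
            hits.append((ts, client, url, verdict))
    return hits


if __name__ == "__main__":
    for ts, client, url, verdict in scan(LOG):
        print(f"{ts} {client} {verdict:<12} {url}")
```

The third hit is the point of the pattern rule: its host appears nowhere in the IoC lists, but the /adobe-reader path on a non-Adobe host is the same staging shape the advisory documents, so the client 10.20.1.57 still surfaces for triage.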


MITRE ATT&CK TTPs

Tactic                  Technique                                                   Technique ID
Initial Access          Phishing: Spearphishing Attachment                          T1566, T1566.001
Execution               User Execution: Malicious File                              T1204, T1204.002
Persistence             Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder   T1547, T1547.001
Privilege Escalation    Access Token Manipulation                                   T1134
Defense Evasion         Obfuscated Files or Information: Encrypted/Encoded File     T1027, T1027.013
Defense Evasion         Hijack Execution Flow: DLL Hijacking (sideloaded DEVOBJ.dll)   T1574, T1574.001
Discovery               System Information Discovery; System Network Configuration Discovery    T1082, T1016
Collection              Data from Local System                                      T1005
Command and Control     Application Layer Protocol: Web Protocols                   T1071.001
Exfiltration            Exfiltration Over C2 Channel                                T1041
