SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats
A European embassy located in the Indian capital of New Delhi, as well as multiple organizations in Sri Lanka, Pakistan, and Bangladesh, have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder in September 2025. The activity "reveals a notable evolution in SideWinder's TTPs, particularly the adoption of a novel PDF and ClickOnce-based infection chain, in
AI Analysis
Technical Summary
The SideWinder threat group has launched a new cyber espionage campaign beginning in September 2025, targeting South Asian diplomats and a European embassy in New Delhi. This campaign marks a significant evolution in SideWinder's tactics, techniques, and procedures (TTPs) by leveraging a novel infection chain that combines malicious PDF files and ClickOnce technology. Attackers send spear-phishing emails containing either PDF or Microsoft Word documents with enticing titles related to geopolitical topics. The PDFs contain a deceptive button urging victims to download the latest Adobe Reader version; it actually triggers the download of a legitimate ClickOnce application (ReaderConfiguration.exe from MagTek Inc.) that is signed with a valid certificate, which helps it evade detection. This application sideloads a malicious DLL (DEVOBJ.dll) that decrypts and launches a .NET loader named ModuleInstaller. ModuleInstaller profiles the infected system and subsequently deploys StealerBot, a sophisticated .NET implant capable of launching reverse shells, delivering additional malware, and exfiltrating sensitive data such as screenshots, keystrokes, passwords, and files. The malware's communication with command-and-control servers is region-locked to South Asia, and the payload download paths are dynamically generated, which complicates forensic analysis. This campaign is a continuation of SideWinder's previous operations documented since 2024, showing the group's adaptability and its focus on diplomatic and governmental targets in South Asia. The use of legitimate signed binaries for side-loading and of multi-stage infection chains highlights the advanced evasion techniques employed. The campaign's focus on high-value diplomatic targets, including a European embassy, underscores the geopolitical motivations behind the espionage activities.
Potential Impact
For European organizations, especially diplomatic missions and governmental entities with a presence or interests in South Asia, this threat poses a significant risk of espionage and data compromise. The malware's capabilities to steal credentials, capture keystrokes, take screenshots, and establish remote shells could lead to the exposure of sensitive diplomatic communications and strategic information. The use of sophisticated evasion techniques and region-locked command-and-control infrastructure complicates detection and response efforts. This could undermine diplomatic confidentiality, damage trust, and potentially influence geopolitical relations. Additionally, the campaign's targeted nature means that affected European entities may face prolonged and stealthy intrusions, increasing the risk of long-term data exfiltration and operational disruption. The medium severity rating reflects the narrow, targeted scope combined with the significant impact on the confidentiality and integrity of sensitive information.
Mitigation Recommendations
European diplomatic and governmental organizations should implement targeted defenses against this threat vector. Specifically, they should:
1) Enforce strict email filtering and phishing detection focused on spear-phishing campaigns using geopolitical lures, including blocking or quarantining emails with suspicious PDF or Word attachments.
2) Disable or tightly control ClickOnce application execution via group policies or application whitelisting to prevent unauthorized side-loading of malicious DLLs.
3) Employ endpoint detection and response (EDR) solutions capable of detecting anomalous DLL sideloading and .NET loader behaviors.
4) Conduct user awareness training emphasizing the risks of downloading software prompted by documents and the importance of verifying digital signatures.
5) Monitor network traffic for connections to suspicious or region-locked command-and-control domains, especially those dynamically generated or related to South Asia.
6) Implement multi-factor authentication and credential monitoring to mitigate misuse of stolen credentials.
7) Regularly update and patch Microsoft Office and Adobe Reader to reduce exploitability of known vulnerabilities.
8) Perform threat hunting for indicators of compromise related to the ModuleInstaller and StealerBot malware families.
These measures go beyond generic advice by focusing on the unique infection chain and malware behaviors observed in this campaign.
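To make recommendations 2, 3 and 8 concrete, the following is an added example (not code from the article or from any vendor product): a small classifier for Sysmon-style ImageLoad records that flags the side-loading pattern described above, ReaderConfiguration.exe loading a DLL named DEVOBJ.dll from outside the Windows system directories. The telemetry records are constructed, and the ClickOnce per-user cache path family is an assumption about typical installs.

```python
"""Flag DLL side-loading candidates in constructed Sysmon-style ImageLoad records.
Names of the host and DLL come from the campaign write-up; everything else is
constructed for illustration."""
from dataclasses import dataclass

SIDELOAD_HOST = "readerconfiguration.exe"   # signed ClickOnce host named in the write-up
SIDELOAD_DLL = "devobj.dll"                 # DLL the host is reported to side-load
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
CLICKONCE_MARKER = "\\appdata\\local\\apps\\2.0\\"  # assumed ClickOnce cache location

@dataclass
class ImageLoad:
    image: str    # full path of the loading process
    loaded: str   # full path of the loaded module
    signed: bool  # Authenticode status of the loaded module

def classify(ev: ImageLoad) -> list:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    image, loaded = ev.image.lower(), ev.loaded.lower()
    dll_name = loaded.rsplit("\\", 1)[-1]
    dll_dir = loaded[: len(loaded) - len(dll_name)]
    # A DLL that normally lives in System32 resolved from elsewhere is the
    # classic side-loading signal, whichever process loaded it.
    if dll_name == SIDELOAD_DLL and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name loaded from non-system directory")
    # The named host loading any unsigned module deserves review on its own.
    if image.endswith("\\" + SIDELOAD_HOST) and not ev.signed:
        reasons.append("unsigned module loaded by known side-loading host")
    # Context rather than proof: the host runs from the ClickOnce cache.
    if CLICKONCE_MARKER in image:
        reasons.append("loading process runs from ClickOnce cache")
    return reasons

# Constructed sample telemetry, not captured from a real incident.
SAMPLE = [
    ImageLoad(r"C:\Users\u\AppData\Local\Apps\2.0\ab12\cd34\ReaderConfiguration.exe",
              r"C:\Users\u\AppData\Local\Apps\2.0\ab12\cd34\DEVOBJ.dll", False),
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\devobj.dll", True),
]

def triage(events):
    """Map each flagged module path to its reasons, dropping benign events."""
    return {ev.loaded: classify(ev) for ev in events if classify(ev)}

if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(path, "->", "; ".join(why))
```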
Affected Countries
India, Sri Lanka, Pakistan, Bangladesh, United Kingdom, Germany, France
Technical Details
Article Source: https://thehackernews.com/2025/10/sidewinder-adopts-new-clickonce-based.html (fetched 2025-10-29, 1158 words)
Threat ID: 6901629430d110a1a6e799d2
Added to database: 10/29/2025, 12:40:52 AM
Last enriched: 10/29/2025, 12:42:47 AM
Last updated: 10/30/2025, 1:34:24 PM