SideWinder Hacking Group Uses ClickOnce-Based Infection Chain to Deploy StealerBot Malware

SideWinder Hacking Group Uses ClickOnce-Based Infection Chain to Deploy StealerBot Malware

The SideWinder advanced persistent threat group has emerged with a sophisticated new attack methodology that leverages ClickOnce applications to deploy StealerBot malware against diplomatic and governmental targets across South Asia.

In September 2025, security researchers detected a targeted campaign affecting institutions in Sri Lanka, Pakistan, Bangladesh, and diplomatic missions based in India.

The attacks represent a notable evolution in the threat actor’s tradecraft, moving beyond traditional Microsoft Word-based exploits to embrace a more complex PDF and ClickOnce infection chain designed to circumvent modern security controls.

The campaign unfolded through multiple waves of spear-phishing emails, each carefully crafted with region-specific themes to manipulate victims into executing malicious payloads.

Attack lures included documents titled “Inter-ministerial meeting Credentials.pdf” and “Relieving order New Delhi.pdf,” which prompted targets to download what appeared to be an updated version of Adobe Reader.

When victims clicked the embedded button, they unknowingly initiated a ClickOnce application download from attacker-controlled infrastructure.

google

These applications bore valid digital signatures from MagTek Inc., not through certificate theft but via DLL side-loading of legitimate MagTek binaries—a technique that allowed the malware to bypass Windows security warnings and execute without raising immediate suspicion.

Trellix analysts identified the malware’s sophisticated evasion mechanisms after detecting the fourth wave of attacks through their SecondSight hunting capabilities on Trellix Email Security.

The researchers noted that SideWinder implemented advanced operational security measures including geofencing, which restricted payload delivery to IP addresses originating from targeted regions.

This geographic restriction prevented security researchers outside South Asia from accessing live malware samples, significantly complicating analysis efforts.

Additionally, the threat actors employed dynamically generated URLs with random numeric components and time-limited payload availability, ensuring that malicious components remained accessible only during narrow windows immediately following initial compromise.

The technical sophistication extends to the malware’s persistence and execution mechanisms.

Once the ClickOnce application executes, it drops DEVOBJ.dll alongside an encrypted payload file with randomized extensions such as .ns5 or .1ym.

The DLL performs XOR decryption using the first 42 bytes of the encrypted file as the key, revealing a .NET loader (App.dll) that downloads ModuleInstaller from the command-and-control server.

ModuleInstaller then profiles the compromised system and retrieves configuration files, including TapiUnattend.exe—a legitimate Windows binary—and wdscore.dll, which side-loads to execute the final-stage StealerBot malware.

The malware demonstrates adaptive behavior by detecting installed antivirus products and adjusting its execution path accordingly, using mshta.exe for Avast or AVG detections and pcalua.exe when Kaspersky is present.

ClickOnce Application Structure and DLL Side-Loading

The infection chain’s core strength lies in its abuse of ClickOnce’s trusted application deployment framework.

SideWinder weaponized legitimate MagTek Reader Configuration application (version 1.5.13.2) by preserving its structural integrity while replacing critical components.

SideWinder Hacking Group Uses ClickOnce-Based Infection Chain to Deploy StealerBot Malware
SideWinder’s PDF version execution chain (Source – Trellix)

The attackers substituted the authentic MagTek public key token (7ee65bc326f1c13a) with null values (0000000000000000) in the manifest, maintaining valid certificate chains to evade detection.

The application’s branding was modified from MagTek to “Adobe Compatibility Suite,” complete with an Adobe Reader icon replacement, perfectly aligning with the phishing lure’s premise.



  
    
  

The payload delivery mechanism substituted legitimate JSON configuration files (DeviceImages.json and EmvVendorConfig.json) with malicious DEVOBJ.dll (SHA256: c1093860c1e5e04412d8509ce90568713fc56a0d5993bfdb7386d8dc5e2487b6).

This DLL serves as the side-loading vector for subsequent stages. The manifest included useLegacyV2RuntimeActivationPolicy=”true” to enable compatibility with older .NET Framework versions, facilitating execution of legacy malware components.

After execution, a decoy PDF document displays to victims, maintaining the illusion of legitimate document processing while malware establishes persistence and begins data exfiltration operations in the background.

The StealerBot malware represents the campaign’s ultimate objective, designed for comprehensive espionage operations.

While researchers successfully identified the core infection chain components, geofencing restrictions prevented the acquisition of additional plugin modules beyond IPHelper.dll, which manages proxy communications within the malware ecosystem.

The campaign’s infrastructure—spanning domains like mofa-gov-bd[.]filenest[.]live and mod-gov-bd[.]snagdrive[.]com—demonstrates deliberate impersonation of government ministries to enhance social engineering effectiveness.

This combination of technical sophistication and operational security reflects an adversary committed to long-term espionage objectives against strategic regional targets.

Follow us on Google News, LinkedIn, and X to Get More Instant UpdatesSet CSN as a Preferred Source in Google.

googlenews



Source link

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.