SideWinder, an advanced persistent threat (APT) group, has been targeting maritime and logistics companies across South and Southeast Asia, the Middle East, and Africa. The attacks, observed by Kaspersky in 2024, have affected countries including Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam. The group has also expanded its focus to nuclear power plants and nuclear energy infrastructure in South Asia and Africa. In addition to maritime and logistics companies, other sectors such as telecommunications, IT service firms, real estate agencies, and hotels have also been affected by these cyberattacks. The widespread nature of these attacks underscores the group’s strategic targeting of critical infrastructure and businesses in key regions.
Recently, SideWinder has expanded its victimology footprint to include diplomatic entities in various countries, including Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda. The group’s activities targeting India are particularly noteworthy, as it had previously been suspected to be of Indian origin. The group’s ability to target such a wide range of organizations, from government entities to private-sector companies, highlights its diverse and strategic objectives. Researchers from Kaspersky noted that SideWinder is a highly advanced and dangerous adversary that continuously adapts its tactics and improves its toolsets to evade detection and remain persistent within compromised networks.
SideWinder’s attack methods are sophisticated, beginning with spear-phishing emails designed to deliver malicious documents to their targets.
These documents often exploit known vulnerabilities in Microsoft Office Equation Editor, specifically CVE-2017-11882, to trigger a multi-stage attack sequence. The sequence uses a .NET downloader named ModuleInstaller to deploy the StealerBot toolkit, which captures sensitive information from compromised hosts. Some of the lure documents used in these campaigns are specifically related to nuclear power plants, nuclear energy agencies, and maritime infrastructure, including port authorities.
This specialized targeting suggests that SideWinder has a clear focus on sectors critical to national security and international trade.
Kaspersky researchers have observed that SideWinder continuously monitors its toolset for any detection by security solutions and responds quickly by modifying its malware. If a particular tool or technique is identified, the group generates new versions of the malware within hours, allowing them to maintain their operations without disruption. Additionally, if behavioral detections occur, SideWinder adapts by altering its techniques to maintain persistence on compromised systems. They frequently change the names and paths of their malicious files to evade detection. This constant adaptation makes SideWinder one of the most persistent and evasive APT groups, capable of continuing its cyberattacks for long periods without being noticed.
