The notorious SideWinder APT group has targeted various industries in multiple countries, including the maritime and transportation sectors.
Based on reports, this advanced persistent threat group has targeted the said industries in regions such as the Middle East, parts of Africa, and South and Southeast Asia.
Separate research also showed that, since last year, attacks have been observed in countries such as Vietnam, the UAE, Egypt, Djibouti, Cambodia, and Bangladesh.
Other potentially targeted industries include nuclear power plants and energy infrastructure in South Asia and Africa, as well as telecommunications, consulting, IT service firms, real estate agencies, and hotels.
The SideWinder APT group has also expanded its attack scope by attacking more targets in more territories.
According to investigations, the SideWinder APT group seems to have widened its attack scope by targeting diplomatic bodies in countries like China, India, Rwanda, Afghanistan, Algeria, Bulgaria, Saudi Arabia, Turkey, and Uganda.
The targeting of India is significant, since researchers suspect that the threat actor originated in that country.
SideWinder had previously been the target of detailed research by a cybersecurity organisation in October 2024, which documented the threat actor’s usage of a modular post-exploitation toolset known as StealerBot to steal data from compromised hosts.
Furthermore, the latest attack chains of this threat group are consistent with previous reports: spear-phishing emails serve as the primary vector for delivering malicious documents that exploit a known security vulnerability in Microsoft Office Equation Editor (CVE-2017-11882) to trigger a multi-stage sequence that eventually launches StealerBot via a .NET downloader named ModuleInstaller.
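The Equation Editor stage of the chain described above is visible in endpoint process telemetry: a malicious document makes an Office application launch EQNEDT32.EXE, and the exploit then makes EQNEDT32.EXE start a child process that fetches the next stage. The following detector is an added example written for this article; it is not the article's own code nor anything from the StealerBot or ModuleInstaller tooling. It assumes Sysmon-style process-creation events (the field names UtcTime, ProcessId, Image, ParentImage and CommandLine are Sysmon's), and the sample events, PIDs, paths and command lines are constructed for the example, not indicators from the report.

```python
"""Process-tree detection for the CVE-2017-11882 (Equation Editor) stage of an
Office-document attack chain. Added example; constructed Sysmon-style input."""
import json

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQNEDT = "eqnedt32.exe"  # Microsoft Equation Editor, the vulnerable component

# Constructed sample telemetry (JSON lines, one process-creation event each).
# Events 1-2 are a benign Word session; events 3-4 are the exploit pattern.
SAMPLE_TELEMETRY = r"""
{"UtcTime":"2025-03-10 09:12:01","ProcessId":4120,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"WINWORD.EXE /n port_notice.docx"}
{"UtcTime":"2025-03-10 09:12:03","ProcessId":4150,"Image":"C:\\Windows\\splwow64.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"C:\\Windows\\splwow64.exe 12288"}
{"UtcTime":"2025-03-10 09:12:05","ProcessId":4302,"Image":"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"EQNEDT32.EXE -Embedding"}
{"UtcTime":"2025-03-10 09:12:06","ProcessId":4388,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE","CommandLine":"cmd.exe /c placeholder_stage2.exe"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return one alert dict per suspicious process-creation event.

    Rule 1 (medium): an Office application starts EQNEDT32.EXE. This also
    happens when a user edits a legacy equation, so it is a lead, not a verdict.
    Rule 2 (high): EQNEDT32.EXE starts a child process. Equation Editor has no
    reason to launch other programs; this is the exploit handing off to stage 2.
    """
    alerts = []
    for ev in events:
        image = _basename(ev["Image"])
        parent = _basename(ev["ParentImage"])
        if image == EQNEDT and parent in OFFICE_APPS:
            alerts.append({
                "rule": "office_spawned_equation_editor",
                "severity": "medium",
                "pid": ev["ProcessId"],
                "time": ev["UtcTime"],
                "parent": parent,
            })
        elif parent == EQNEDT:
            alerts.append({
                "rule": "equation_editor_child_process",
                "severity": "high",
                "pid": ev["ProcessId"],
                "time": ev["UtcTime"],
                "command_line": ev["CommandLine"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_TELEMETRY)):
        print(json.dumps(alert))
```

Run against the constructed sample it raises exactly two alerts: a medium one for WINWORD.EXE starting Equation Editor and a high one for Equation Editor starting cmd.exe; the benign splwow64.exe print helper is ignored. The two-tier split matters in practice, because blocking or paging on rule 1 alone would generate noise from legitimate legacy equations, whereas rule 2 has essentially no benign cause.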
The researchers noted that some of the baits that the group uses are related to nuclear power plants and atomic energy agencies, while others contain content about marine infrastructure and various port administrations.
SideWinder continually attempts to improve its toolsets, keep ahead of security software detections, increase persistence on compromised networks, and hide its existence on infected systems.
This APT commonly creates new and modified versions of its malware once researchers recognise its tools. Experts expect that this group will persist as long as it can change its attack strategy and toolset after a substantial discovery about it appears.
