SideWinder APT Hackers Exploiting Old Office Flaws to Deliver Malware Bypassing Detections

In a sophisticated campaign targeting high-level government institutions across South Asia, the SideWinder Advanced Persistent Threat (APT) group has been leveraging years-old Microsoft Office vulnerabilities to deliver malware while evading detection.

The threat actors are specifically targeting organizations in Sri Lanka, Bangladesh, and Pakistan, using carefully crafted spear-phishing emails with geofenced payloads to ensure only intended victims in specific countries receive the malicious content.

Despite being patched years ago, vulnerabilities CVE-2017-0199 and CVE-2017-11882 remain effective weapons in SideWinder’s arsenal, allowing remote code execution through specially crafted Word and RTF documents.

This campaign demonstrates how threat actors can successfully exploit outdated software configurations that remain prevalent in government and defense organizations.

Acronis Threat Research Unit (TRU) researchers identified this ongoing campaign in early 2025, noting that it exemplifies SideWinder’s continuous refinement of their tradecraft.

“Mark Twain is often reputed to have said ‘History doesn’t repeat itself, but it often rhymes,’ and in the case of this threat actor, we see the continuous usage of proven and simple, yet effective techniques,” the researchers explained.

The campaign targets elite military units, central banks, ministries of defense, and other high-value institutions.

Among confirmed targets are the Central Bank of Sri Lanka and the Sri Lanka Army’s 55th Division Battalion, with precise targeting that reflects SideWinder’s historical approach in the region.

The attackers customize phishing lures for each target, creating documents impersonating official publications such as “Sri Lanka Customs National Imports Tariff Guide 2025” or military communications regarding championship invitations.

Inside the Intrusion Chain: From Document to StealerBot

The infection begins when a victim opens a malicious document containing an exploit for CVE-2017-0199, which references an external object.

Attack flow (Source – Acronis)

By examining the document structure, researchers found that the Word file contains a relationship entry pointing to a remote URL that silently triggers the vulnerability without user interaction.
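As an added detection example (not code from the Acronis report), the following Python check looks for the CVE-2017-0199 delivery trait just described: a relationship entry inside the Word package whose OLE object target is an external URL. It builds a constructed minimal .docx in memory, so the file parts and the URL are placeholders rather than samples from the campaign.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_external_ole_relationships(docx_bytes):
    """Return (rels_part, target) pairs for OLE object relationships that
    point outside the package. A normal embedded object is stored inside the
    .docx; an external oleObject target is the CVE-2017-0199 delivery pattern."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                external = rel.get("TargetMode", "Internal") == "External"
                if rtype.endswith("/oleObject") and external:
                    hits.append((name, rel.get("Target", "")))
    return hits


def build_sample_docx(external_target=""):
    """Constructed minimal .docx containing only the parts the check reads.
    Pass a URL to simulate a document that references a remote object."""
    rels = [f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId2" Type="{OFFICE_REL}/oleObject" '
                    f'Target="{external_target}" TargetMode="External"/>')
    rels_xml = (f'<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_docx.py suspicious.docx (path is an assumed argument)
    with open(sys.argv[1], "rb") as fh:
        for part, target in find_external_ole_relationships(fh.read()):
            print(f"external OLE reference in {part}: {target}")
```

Only the `oleObject` relationship type is flagged here; ordinary hyperlinks are also external relationships and would produce noise if matched the same way.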

What makes this attack particularly sophisticated is the implementation of geofencing. When the exploit attempts to download the next stage from the attacker’s server, the server checks the victim’s IP address and geolocation.

If the criteria don’t match the intended target, the server returns either an empty RTF file or a 404 error, preventing analysis and unintended access.

For legitimate targets, the server delivers an RTF file exploiting CVE-2017-11882, a memory corruption vulnerability in the legacy Equation Editor.

This file contains embedded shellcode encoded as a hexadecimal string, which executes upon opening.

The shellcode performs anti-analysis checks, including RAM size verification and searches for virtualization artifacts before proceeding to download the next stage.

The final payload is StealerBot, a credential stealer delivered via DLL sideloading of a malicious wdscore.dll by the legitimate TapiUnattend.exe.

Exported function in the StealerBot module (Source – Acronis)

Researchers found that the malware establishes persistence through an LNK file in the user’s Startup folder and communicates with its command-and-control server to exfiltrate system information, including username, CPU model, drive capacity, and memory details.

This campaign highlights that while SideWinder may rely on outdated exploits, their operational sophistication – demonstrated through targeted delivery, geofencing, and multi-stage loading – allows them to maintain effectiveness in modern environments.

Organizations should prioritize patching legacy vulnerabilities and implement behavioral detection to identify the characteristic patterns of these attacks.
