Acronis TRU Reveals SideWinder’s Geofenced Malware Targeting Regional Defence, Financial Bodies
Spear Phishing Used to Exploit Longstanding Microsoft Office Vulnerabilities Against Selected Targets

The Acronis Threat Research Unit (Acronis TRU) has uncovered a sophisticated cyber-espionage campaign orchestrated by the SideWinder Advanced Persistent Threat (APT) group. The campaign targets key government and military institutions across South Asia, with the latest activity coming to light in early 2025. Worryingly, it focuses on high-value organisations in Sri Lanka, Bangladesh, and Pakistan, including Sri Lanka's elite 55 Division of the Army and the Central Bank of Sri Lanka (CBSL).
According to Acronis TRU, SideWinder employed spear phishing emails carrying malicious Word and RTF attachments that exploit two longstanding Microsoft Office vulnerabilities, CVE-2017-0199 and CVE-2017-11882. Despite being disclosed and patched years ago, these vulnerabilities remain effective against organisations running outdated software. The documents are geofenced so that only recipients in specific countries trigger the malicious payloads, allowing the attackers to evade broad detection systems and home in on precise targets.
Once triggered, the campaign uses a sophisticated, multi-stage intrusion chain. This includes shellcode-based loaders, server-side polymorphism for dynamic payload delivery, and credential-stealing malware known as StealerBot. The malware is designed to extract login credentials from compromised systems, enabling prolonged and stealthy access. These techniques mark an evolution in SideWinder's toolkit, consistent with its past activity but showing refinements in execution and targeting strategy.
Acronis TRU Finds Strategic Intent in Malicious Campaigns
The selection of targets underscores the campaign’s strategic intent. The Sri Lanka Army’s 55 Division, an elite infantry unit with more than 10,000 troops, has recently bolstered its focus on cyber resilience, making it an appealing target for espionage. Meanwhile, the Central Bank of Sri Lanka, responsible for national monetary policy, foreign reserves, and currency issuance, represents a critical node in the country’s financial infrastructure and governance.
To increase the likelihood of success, SideWinder tailors phishing emails to appear relevant to the targeted individuals and often uses fake domains that mimic legitimate organisations. These domains are regularly refreshed. Notably, Acronis observed a sharp uptick in new domain registrations used in command-and-control infrastructure in January 2025, with 34 new domains registered or repointed, followed by 24 in February and 10 in April, indicating cycles of preparation and renewed operational focus.
Acronis TRU urges organisations in the public sector, particularly those in South Asia, to immediately patch vulnerabilities CVE-2017-0199 and CVE-2017-11882, audit infrastructure for signs of shellcode-based loaders, and deploy advanced threat detection capable of identifying polymorphic and geofenced payloads.
The Acronis Threat Research Unit remains committed to identifying, analysing, and exposing advanced cyber threats globally. Through timely intelligence and detailed technical analysis, Acronis TRU aims to support governments and organisations in securing their critical digital assets.
For more information and to learn more about Acronis TRU’s report findings, visit the blog here: https://www.acronis.com/en-us/cyber-protection-center/posts/from-banks-to-battalions-sidewinders-attacks-on-south-asias-public-sector/