SideWinder APT Group Uses PDF and ClickOnce for Espionage

Cyber Security News by CyberSum.net

Published on October 28, 2025 at 07:51 AM

2 sources

The SideWinder APT group has launched a sophisticated espionage campaign targeting diplomatic entities in South Asia. The campaign features a novel PDF and ClickOnce-based infection chain to deliver custom malware for intelligence collection. The phishing waves distributed fake PDF and Word documents masquerading as official communications, delivering SideWinder’s signature espionage tools. The attackers used geofencing and dynamically generated URLs to evade detection. The campaign is attributed to SideWinder due to the reuse of infrastructure and consistent use of proprietary tools.

Also Read

Cyber Espionage Campaign Targets Diplomats with PlugX Malware

A threat actor known as UNC6384 has been targeting diplomatic entities in a cyber-espionage campaign since September. The group exploits a high-severity Windows vulnerability and uses refined social engineering tactics. The attack starts with spear-phishing emails leading to malicious LNK files, which ultimately deploy the PlugX remote access Trojan (RAT). The campaign is expanding across the diplomatic community and government agencies in various regions. Mitigation measures include reviewing and blocking command-and-control infrastructures and conducting security awareness training.

By Cyber Security News by CyberSum.netNovember 1, 2025 at 03:00 AM