Sophisticated spear phishing attacks exploit legacy vulnerabilities to target high-value institutions in Sri Lanka, Bangladesh, and Pakistan
Acronis’ Threat Research Unit (TRU) has uncovered a high-stakes cyber-espionage campaign by the SideWinder APT group, targeting military and financial institutions in South Asia with geofenced malware and advanced social engineering tactics. The operation, active since early 2025, focuses on critical entities such as Sri Lanka’s elite 55 Division and the Central Bank of Sri Lanka (CBSL).
SideWinder’s strategy hinges on spear phishing emails laced with malicious Word and RTF attachments that exploit long-patched Microsoft Office vulnerabilities—CVE-2017-0199 and CVE-2017-11882. These documents are geofenced, triggering only within specific countries to evade global detection and surveillance systems.
“SideWinder’s evolving tactics underscore the urgent need for geofencing-aware threat detection and timely patch management in the region.”
Acronis TRU’s investigation reveals that once activated, the attack progresses through a complex, multi-stage chain involving shellcode-based loaders, server-side polymorphism, and a credential-stealing malware called StealerBot. The intent is clear: sustained, covert access to critical systems.
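The initial stage described above (RTF or Word attachments that exploit CVE-2017-0199 and CVE-2017-11882) is where mail-gateway triage has the best chance of catching the lure before any geofence check runs. The script below is an added example written for this article, not Acronis TRU code and not tied to any real sample: it applies well-known static heuristics for those two exploit classes to RTF attachments (the `\objautlink`/`\objupdate` control words and the `OLE2Link` class name or URL moniker CLSID for CVE-2017-0199; an `Equation.3` object or the Equation Editor CLSID for CVE-2017-11882). The three RTF documents at the bottom are constructed placeholders that carry only the textual markers, not exploit content.

```python
"""Heuristic triage of RTF attachments for the two Office exploit classes the
article names: CVE-2017-0199 (linked OLE objects that auto-update on open,
marked by the OLE2Link class name / URL moniker) and CVE-2017-11882
(embedded Equation Editor objects). Added example; not Acronis TRU code.
"""
import re
import uuid

# Standard OLE class identifiers for the URL moniker and Equation Editor.
# Inside an OLE stream a CLSID is stored in little-endian GUID layout, which
# uuid.bytes_le reproduces.
CLSID_EQUATION_EDITOR = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
CLSID_URL_MONIKER = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")

_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata(rtf: bytes) -> list:
    """Decode every hex-encoded \\objdata blob into raw bytes."""
    blobs = []
    for match in _OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]  # drop a dangling nibble
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue  # malformed hex: skip; the control-word checks still run
    return blobs


def triage_rtf(rtf: bytes) -> dict:
    """Return indicator lists per CVE and an overall verdict for one RTF file."""
    hits_0199, hits_11882 = [], []

    # \objautlink marks a linked (not embedded) object and \objupdate forces a
    # refresh when the document opens; together they are the usual shape of a
    # CVE-2017-0199 lure. Neither is malicious on its own, so the verdict is
    # "suspicious" (send to sandbox / analyst), never "malicious".
    if re.search(rb"\\objautlink\b", rtf):
        hits_0199.append("objautlink")
    if re.search(rb"\\objupdate\b", rtf):
        hits_0199.append("objupdate")
    if re.search(rb"\\objclass\s*Equation", rtf, re.IGNORECASE):
        hits_11882.append("objclass Equation")

    for blob in extract_objdata(rtf):
        if b"OLE2Link" in blob:
            hits_0199.append("OLE2Link")
        if CLSID_URL_MONIKER.bytes_le in blob:
            hits_0199.append("URL moniker CLSID")
        if b"Equation.3" in blob or b"Equation Native" in blob:
            hits_11882.append("Equation.3 object")
        if CLSID_EQUATION_EDITOR.bytes_le in blob:
            hits_11882.append("Equation Editor CLSID")

    verdict = "suspicious" if hits_0199 or hits_11882 else "clean"
    return {"cve_2017_0199": hits_0199, "cve_2017_11882": hits_11882,
            "objects": len(re.findall(rb"\\object\b", rtf)), "verdict": verdict}


def triage_file(path: str) -> dict:
    """Convenience wrapper for a file on disk (e.g. a quarantined attachment)."""
    with open(path, "rb") as fh:
        return triage_rtf(fh.read())


# Constructed samples: only the textual markers, no exploit code.
SAMPLE_CVE_2017_0199 = (
    rb"{\rtf1\ansi{\object\objautlink\objupdate{\*\objdata "
    + b"OLE2Link".hex().encode() + rb"}}}"
)
SAMPLE_CVE_2017_11882 = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata "
    + CLSID_EQUATION_EDITOR.bytes_le.hex().encode() + rb"}}}"
)
SAMPLE_CLEAN = rb"{\rtf1\ansi Quarterly report, no embedded objects.}"

if __name__ == "__main__":
    for name, doc in [("cve-2017-0199", SAMPLE_CVE_2017_0199),
                      ("cve-2017-11882", SAMPLE_CVE_2017_11882),
                      ("clean", SAMPLE_CLEAN)]:
        print(name, triage_rtf(doc))
```

Because the campaign uses server-side polymorphism, hashing attachments is of little use; structural markers like these survive re-generation of the document, which is why the triage keys on control words and OLE class identifiers rather than on byte signatures. Real-world RTF lures also obfuscate control words and split hex across nested groups, so treat this as a first-pass filter in front of a proper parser such as oletools' rtfobj, not as a replacement for it.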
The attackers meticulously craft phishing lures using fake domains that mimic real organizations. Acronis recorded a surge in domain registrations tied to the campaign in early 2025, signaling planned waves of renewed activity.
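A surge of registrations for domains that imitate specific institutions is something a defender can watch for directly in new-registration feeds. The following is an added example, not Acronis TRU code: it screens a list of newly registered domains against the organisations a team protects, using homoglyph normalisation, a containment check and an edit-distance threshold. Both domain lists are constructed placeholders for this example and are not real registrations from the campaign.

```python
"""Flag newly registered domains that imitate a set of organisations the
defender cares about. Added example; not Acronis TRU code. The legitimate and
candidate domains below are constructed placeholders, not real registrations.
"""

# Characters and digraphs commonly substituted in lookalike domains.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Fold common visual substitutions so 'examp1e' compares equal to 'example'."""
    label = label.lower()
    for fake, real in _HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Leftmost label, which is where brand imitation happens (TLD is ignored)."""
    return domain.lower().strip(".").split(".")[0]


def classify(candidate: str, legit_domains, max_distance: int = 2):
    """Return (imitated domain, reason) or None if the candidate looks unrelated."""
    cand = normalize(registrable_label(candidate))
    for legit in legit_domains:
        if candidate.lower() == legit.lower():
            return None  # the genuine domain itself
        ref = normalize(registrable_label(legit))
        if cand == ref:
            return (legit, "label identical after homoglyph normalisation or TLD swap")
        if ref in cand:
            return (legit, "contains the legitimate label")
        d = levenshtein(cand, ref)
        if d <= max_distance:
            return (legit, f"edit distance {d} from legitimate label")
    return None


def screen(new_registrations, legit_domains) -> dict:
    """Map each flagged domain to (imitated domain, reason)."""
    report = {}
    for dom in new_registrations:
        verdict = classify(dom, legit_domains)
        if verdict:
            report[dom] = verdict
    return report


LEGIT_DOMAINS = ["example-bank.lk", "example-division.mil.lk"]   # constructed
NEW_REGISTRATIONS = [                                            # constructed
    "examp1e-bank.lk", "example-bank-login.com", "examplebank.lk",
    "exarnple-division.net", "weather-report.org",
]

if __name__ == "__main__":
    for dom, (target, why) in screen(NEW_REGISTRATIONS, LEGIT_DOMAINS).items():
        print(f"{dom:26} imitates {target:26} ({why})")
```

The edit-distance threshold is deliberately conservative (2) because very short labels produce false positives at higher values; the containment check is what catches the "brand plus extra words" pattern that phishing registrations most often use. Flagged domains are candidates for blocking at the mail gateway and DNS resolver and for monitoring until they resolve or start sending mail.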
TRU recommends urgent patching of vulnerable systems and adoption of advanced threat detection capabilities that can recognize polymorphic and geofenced payloads. Public-sector organizations, especially in South Asia, remain at high risk.
Through its intelligence-driven approach, Acronis TRU continues to provide early warnings and deep technical insights to help secure national digital infrastructures from state-aligned threat actors like SideWinder.