An advanced persistent threat (APT) group known as SideWinder, suspected to have ties to India, has ramped up its cyberattacks on high-profile organizations and strategic infrastructures in the Middle East and Africa. Also known by several aliases, including APT-C-17, Baby Elephant, and Rattlesnake, the group is now deploying a multi-stage infection chain to deliver a new post-exploitation toolkit named StealerBot.
Despite SideWinder’s initial reputation as a low-skilled actor due to its use of public exploits, malicious LNK files, and RATs, Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov argue that its true sophistication lies in the careful details of its operations.
The group’s recent targets include government, military, telecommunications, financial institutions, and oil trading companies in regions such as Bangladesh, Jordan, Saudi Arabia, and Turkey, among others. Diplomatic entities in countries like Afghanistan, France, and India have also been attacked.
At the heart of the recent campaign is StealerBot, a modular malware designed to conduct espionage activities by stealing credentials, logging keystrokes, capturing screenshots, and intercepting RDP credentials. The infection chain typically starts with a spear-phishing email, delivering either a malicious ZIP file or a Microsoft Office document. These attachments trigger a series of downloaders that eventually install StealerBot.
The delivery method involves a clever use of remote template injection, exploiting a vulnerability known as CVE-2017-11882. The malware is then executed using JavaScript and a Windows-native binary known as mshta.exe.
Once the system is compromised, StealerBot's .NET-based modular implant downloads additional malware, captures sensitive data, and even escalates privileges by bypassing User Account Control (UAC). It also features several plugins that enable the attackers to install more malware, log user activity, steal passwords, and open a reverse shell to the compromised device.
Kaspersky researchers noted that SideWinder has updated this malware over the years, making it more stealthy and capable of evading detection in sandboxed environments. Despite its historical use since 2020, the latest variants of StealerBot represent a significant escalation in capabilities.
Meanwhile, another APT group, APT36 (aka Transparent Tribe), has also been observed exploiting vulnerabilities in Linux environments, further expanding the region’s cyber threat landscape. APT36’s new campaign targets the Indian government sectors using Debian-based BOSS OS and the newly introduced Maya OS.
As the geopolitical threat landscape continues to evolve, both SideWinder and APT36 demonstrate the persistent danger posed by sophisticated APT groups and the critical need for strong cyber defense mechanisms to counter their expanding capabilities.