Acronis TRU Reveals SideWinder’s Geofenced Malware Targeting Regional Defense and Financial Bodies

According to Acronis TRU, SideWinder employed spear phishing emails embedded with malicious Word and RTF attachments that exploit two longstanding Microsoft Office vulnerabilities, CVE-2017-0199 and CVE-2017-11882.

SMEStreet Edit Desk

The Acronis Threat Research Unit (TRU) has uncovered a sophisticated cyber-espionage campaign orchestrated by the SideWinder Advanced Persistent Threat (APT) group, targeting key government and military institutions across South Asia. The latest campaign, which came to light in early 2025, focuses on high-value organizations in Sri Lanka, Bangladesh, and Pakistan, including Sri Lanka’s elite 55 Division of the Army and the Central Bank of Sri Lanka (CBSL).

According to Acronis TRU, SideWinder employed spear phishing emails embedded with malicious Word and RTF attachments that exploit two longstanding Microsoft Office vulnerabilities, CVE-2017-0199 and CVE-2017-11882. Despite being disclosed and patched years ago, these vulnerabilities remain effective against organizations running outdated software. The documents are geofenced so that only recipients in specific countries activate the malicious payloads, allowing the attackers to evade broad detection systems and home in on precise targets.

Once triggered, the campaign uses a sophisticated, multi-stage intrusion chain. This includes shellcode-based loaders, server-side polymorphism for dynamic payload delivery, and credential-stealing malware known as StealerBot. The malware is designed to extract login credentials from compromised systems, enabling prolonged and stealthy access. These techniques mark an evolution in SideWinder's toolkit, consistent with its past activity but showing refinements in execution and targeting strategy.

The selection of targets underscores the campaign's strategic intent. The Sri Lanka Army’s 55 Division, an elite infantry unit with more than 10,000 troops, has recently bolstered its focus on cyber resilience, making it an appealing target for espionage. Meanwhile, the Central Bank of Sri Lanka, responsible for national monetary policy, foreign reserves, and currency issuance, represents a critical node in the country’s financial infrastructure and governance.

To increase the likelihood of success, SideWinder tailors phishing emails to appear relevant to the targeted individuals and often uses fake domains that mimic legitimate organizations. These domains are regularly refreshed. Notably, Acronis observed a sharp uptick in new domain registrations used in command-and-control infrastructure in January 2025, with 34 new domains registered or repointed, followed by 24 in February and 10 in April, indicating cycles of preparation and renewed operational focus.

Acronis TRU urges organizations in the public sector, particularly those in South Asia, to immediately patch vulnerabilities CVE-2017-0199 and CVE-2017-11882, audit infrastructure for signs of shellcode-based loaders, and deploy advanced threat detection capable of identifying polymorphic and geofenced payloads.
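As an added example (not Acronis' tooling or its detection logic), a small Python triage script that scans an RTF attachment for the two structural indicators commonly associated with the vulnerabilities named above: an OLE link object set to auto-update on open (CVE-2017-0199) and an embedded Equation Editor 3.0 object (CVE-2017-11882). The heuristics are assumptions for illustration, and the sample RTF is constructed, not a real campaign document.

```python
"""Triage an RTF attachment for indicators of CVE-2017-0199 and CVE-2017-11882.

Heuristics (assumptions, not Acronis' detection logic):
- CVE-2017-0199: an OLE link object marked \\objautlink together with \\objupdate,
  i.e. a linked object Word refreshes automatically when the file is opened.
- CVE-2017-11882: an embedded Equation Editor 3.0 object, recognisable by the
  ProgID "Equation.3" or its CLSID 0002CE02-0000-0000-C000-000000000046.
"""
import re

# Hex form of the Equation Editor CLSID as it appears in \objdata (little-endian GUID fields)
EQUATION_CLSID_HEX = "02ce020000000000c000000000000046"

def _normalise(rtf: bytes) -> str:
    # Exploit RTFs often pad control words with whitespace/newlines; collapse them first.
    text = rtf.decode("latin-1", errors="replace").lower()
    return re.sub(r"\s+", "", text)

def scan_rtf(rtf: bytes) -> list[str]:
    """Return the list of indicator names found in an RTF byte string (empty if none)."""
    if not rtf.lstrip().lower().startswith(b"{\\rt"):  # {\rtf1, or the truncated {\rt header Word accepts
        return []
    body = _normalise(rtf)
    hits = []
    if "\\objautlink" in body and "\\objupdate" in body:
        hits.append("CVE-2017-0199: auto-updating OLE link object")
    if "\\objclassequation.3" in body or EQUATION_CLSID_HEX in body:
        hits.append("CVE-2017-11882: embedded Equation Editor object")
    if "\\objdata" in body and not hits:
        hits.append("info: embedded OLE object present, manual review suggested")
    return hits

# Constructed sample: minimal RTF carrying both an auto-updating link and an Equation.3 object.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}{\\*\\objdata 01050000}}\n"
    b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata 02ce020000000000c000000000000046}}\n"
    b"}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report attached.\\par }"  # constructed benign document

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc) or ["no indicators"])
```

Run it against a mail-gateway quarantine folder by reading each attachment's bytes into scan_rtf; a hit is a reason to sandbox the file, not proof of exploitation, since a legitimate document can also embed linked or equation objects.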

The Acronis Threat Research Unit remains committed to identifying, analyzing, and exposing advanced cyber threats globally. Through timely intelligence and detailed technical analysis, TRU aims to support governments and organizations in securing their critical digital assets.
