SideWinder APT Hits Diplomats With StealerBot Attack
The SideWinder APT group has launched a new cyber espionage campaign targeting South Asian diplomatic missions, according to researchers at Trellix Advanced Research Center. Using a revamped infection chain that begins with malicious PDF files and progresses through ClickOnce deployments, the attackers deliver a custom malware dubbed StealerBot. In this latest operation, SideWinder APT hits diplomats across multiple embassies and government-related organizations in the region.
The campaign exploits several known vulnerabilities, including CVE-2025-55752, CVE-2025-11371, CVE-2025-54253, CVE-2025-27915, and the older CVE-2017-0199. Researchers observed that the threat actors relied on a multi-stage delivery method to evade detection and ensure payload execution. Once deployed, StealerBot harvests sensitive information, including credentials and internal documents, from compromised systems.
This incident marks another evolution in the tactics used by SideWinder APT, as the group continues to refine its methods, combining social engineering (the lure documents) with technical exploits (the listed vulnerabilities) to target diplomats with increasing precision.
