Sunday, June 15, 2025

SideWinder Hackers Use Old Office Bugs to Target South Asian Government Institutions

by Charline

A new cyber campaign by the SideWinder Advanced Persistent Threat (APT) group is using old Microsoft Office flaws to attack top-level government organizations in South Asia. Researchers say the group is focusing on targets in Sri Lanka, Bangladesh, and Pakistan.

The attackers are sending spear-phishing emails with malicious attachments whose payload is delivered only to victims in specific countries. This geofencing method helps them avoid detection and ensures only intended victims receive the malware.


Old Vulnerabilities Still Dangerous

SideWinder is taking advantage of two known Microsoft Office bugs: CVE-2017-0199 and CVE-2017-11882. Both allow hackers to run code remotely by tricking users into opening Word or RTF documents.

Even though these flaws were patched years ago, many government and defense systems still use outdated software. This allows the attackers to continue using these old exploits successfully.

Security researchers from the Acronis Threat Research Unit (TRU) discovered the campaign in early 2025. They say the group is using simple but effective methods that have worked in the past.

High-Value Targets Identified

Confirmed targets include the Central Bank of Sri Lanka and the 55th Division Battalion of the Sri Lanka Army. The attackers use fake documents that look like official files, such as import tariff guides or military memos, to trick users into opening them.

How the Attack Works

The attack starts when a user opens a malicious document that exploits CVE-2017-0199. This flaw lets the document fetch and load an object from a remote server as soon as it is opened, with no further user interaction. The document structure includes a hidden link to the attacker’s server.

The server then checks the IP address and location of the victim. If the system is not in the targeted region, it sends a harmless file or returns an error. If the system is in the right country, it sends a second file that uses CVE-2017-11882 to run shellcode hidden in the document.

This shellcode checks if it is running in a virtual machine or sandbox before continuing. If not, it downloads the final malware stage, called StealerBot.
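The first stage described above depends on a document structure that points at a remote object, so a defender can triage attachments for exactly that structure before they reach a mail client. The following Python is an added example, not code from the report or from Acronis TRU: it flags a .docx whose package relationships declare an OLE object with TargetMode="External", and an RTF whose object carries the \objautlink or \objupdate control words that make Word refresh a linked object on open. The sample documents, the placeholder URL and the function names are all constructed for this example and are not indicators from the campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PLACEHOLDER_URL = "http://placeholder.invalid/stage1"  # constructed, not a real indicator
SAMPLE_RTF = rb"{\rtf1{\object\objautlink\objupdate{\*\objdata 0105}}}"  # constructed sample

def external_ole_targets_docx(data: bytes) -> list[str]:
    """Targets of OLE relationships marked TargetMode="External" in any .rels part.
    Word normally embeds OLE objects; an external link fetched on open is the lure structure."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits

RTF_LINK_FLAGS = re.compile(rb"\\(objautlink|objupdate)\b")

def rtf_link_flags(data: bytes) -> set[str]:
    """RTF control words that mark a linked object Word refreshes automatically."""
    return {m.group(1).decode() for m in RTF_LINK_FLAGS.finditer(data)}

def triage(data: bytes) -> dict:
    """Identify the container by its magic bytes and report remote-object indicators."""
    if data.startswith(b"PK"):
        targets = external_ole_targets_docx(data)
        return {"kind": "docx", "suspicious": bool(targets), "targets": targets}
    if data.startswith(b"{\\rt"):
        flags = rtf_link_flags(data)
        return {"kind": "rtf", "suspicious": bool(flags), "flags": sorted(flags)}
    return {"kind": "unknown", "suspicious": False}

def build_sample_docx() -> bytes:
    """Constructed minimal docx carrying one external OLE link (test input only)."""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId5" Type="{OLE_REL}" '
            f'Target="{PLACEHOLDER_URL}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

A benign document with a legitimately linked object will also trip these checks, so treat a hit as a reason to detonate or quarantine the file, not as a verdict on its own.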

Malware Details and Persistence

StealerBot is a tool that steals login credentials. It is installed using a method called DLL sideloading, where a legitimate file (TapiUnattend.exe) loads a harmful DLL (wdscore.dll).

The malware stays active by creating a shortcut in the user’s Startup folder. It sends back details about the system, including the username, memory size, CPU model, and disk information, to its command-and-control server.

Security Experts Warn of Continued Risks

This campaign shows that even old software bugs can be dangerous when used with modern tactics like geofencing and multi-stage payloads. SideWinder’s ability to mix old exploits with smart delivery methods keeps the group effective.

Experts urge organizations, especially in government and defense, to patch outdated software and use behavioral detection systems. These tools can help spot and stop attacks that follow patterns similar to this campaign.
