Evasive SideWinder APT Campaign Detected
Essential information
- Published
- 20/12/2025 17:19
- Modified
- 22/12/2025 10:31
- Tags
- 2025-12-20 apt cloud storage dll side-loading geofencing income tax department india mpgear.dll mysetup.exe phishing url shorteners
- Related entities
- 5 observables, 1 intrusion sets (apt), 2 malware, 28 others
Description
A sophisticated espionage campaign targeting Indian entities has been identified, masquerading as the Income Tax Department of India. The activity is associated with the SideWinder APT group, which has evolved its toolkit to evade detection by mimicking Chinese enterprise software. The campaign uses DLL side-loading techniques with legitimate Microsoft Defender binaries to bypass EDR, and utilizes public cloud storage and URL shorteners to evade reputation-based detections. The threat actors employ geofencing behavior, focusing on systems in South Asian timezones. The attack chain includes phishing emails, fraudulent websites, and malicious payloads delivered through file-sharing services. The final stage involves a resident agent that beacons to a command-and-control server, mimicking Chinese endpoint tool protocols.