SideWinder targets the maritime and nuclear sectors with an updated toolset
Essential information
- Published: 10/03/2025 10:24
- Modified: 10/03/2025 12:21
- Tags: 2025-03-10, CVE-2017-11882, africa, apt, backdoor loader, downloader, module, javascript, maritime, module installer, nuclear, rtf exploit, south asia, spear-phishing, stealerbot
- Related entities: 1 vulnerability (CVE), 38 observables, 1 intrusion set (APT), 14 techniques (MITRE), 3 malware, 29 others
Description
The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructure, logistics companies, and the nuclear sector across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, its JavaScript loader, and its Backdoor Loader. SideWinder's infection chain begins with spear-phishing emails carrying malicious DOCX files that exploit CVE-2017-11882 to deliver a multi-stage payload. The group showed agility in evading detection, often updating its tools within hours of their being identified. Notable targets included government entities, military installations, and diplomatic missions, with an increased focus on maritime and nuclear-related organizations.