Recent security research into the SideWinder threat group indicates an expansion of unauthorized access campaigns across Southeast Asia, specifically moving into Indonesia and Thailand. The group maintains a consistent methodology, relying on phishing, credential theft, and rapid infrastructure rotation to evade detection.
Often utilizing government-audit themes in their phishing materials, the group uses consistent techniques to convince employees to open compromised links. This methodology, including staged execution and frequent domain changes, allows SideWinder to shift geographic focus without altering its core tools, according to a report released this week by cybersecurity services firm ITSEC Group. ITSEC researchers, who also track the group as RagaSerpent, noted that activity targeting Thailand began in late 2025 and expanded to Indonesia earlier this year.
Patrick Dannacher, president director of ITSEC Asia, noted that this combination of straightforward entry methods and disciplined, long-term persistence characterizes modern espionage campaigns.
"The espionage actors operating in this environment are not here for a quick payoff," Dannacher says. "They are here for sustained access to government institutions, telecommunications networks, and strategic economic sectors."
Active since 2012, SideWinder has historically focused on South Asian governments, including those of Bangladesh, Nepal, Pakistan, and Sri Lanka—along with military and diplomatic organizations. Recently, the group has broadened its scope to include maritime infrastructure, logistics organizations, and the nuclear sector, according to Vasily Berdnikov, lead security researcher at Kaspersky's Global Research and Analysis Team (GReAT).
While Kaspersky's policy is to avoid attributing threat groups to specific nation-states, Berdnikov observes that SideWinder has clearly moved beyond South Asia to compromise targets in new regions.
"They have expanded operations into Africa, Europe, and the Middle East, demonstrating the ambition to go beyond one region," Berdnikov says.
Simplifying entry and maintaining access
Despite operating for over a decade, SideWinder's initial access methods remain highly straightforward. Researchers indicate the group continues to rely heavily on spear-phishing, stolen credentials, and leveraging older, patched vulnerabilities to gain entry into targeted environments.
Berdnikov noted that SideWinder frequently utilizes known Microsoft Office flaws and DLL hijacking to establish a foothold.
"SideWinder has been using the same tactics and techniques for years," he says. "These primarily involve spear-phishing and exploiting long-patched MS Office vulnerabilities.... The group's primary method for establishing and launching malware is through DLL hijacking."
The difficulty in containing this threat actor stems primarily from its post-access activities. SideWinder utilizes a repeatable workflow involving staged file delivery, persistence established through Windows services, and rapid updates to command-and-control (C2) infrastructure. This allows the group to maintain access even after initial incident response efforts appear successful.
A notable behavior in recent campaigns involves the malware deriving configuration data, specifically the C2 server address, dynamically at runtime rather than embedding it directly in the executable binary. Dannacher explained that this design choice allows operators to rotate their communications infrastructure simply by renaming a file, bypassing the need for recompilation or a lengthy development cycle.
"The implication of that design choice is significant," Dannacher says. "It means the attacker can rotate their entire communications infrastructure simply by renaming a file. No recompilation, no new malware build, no lengthy development cycle."
This dynamic approach complicates incident response, as unauthorized access can be reestablished in hours, and it reduces the effectiveness of signature-based detection while allowing the same files to be reused across multiple campaigns.
Strategic objectives and defense recommendations
SideWinder's targeting aligns with long-term intelligence gathering rather than financial motivation. ITSEC researchers observed careful operational scoping, including configurations designed to avoid interacting with specific networks. This indicates an effort to limit collateral impact while securing access to high-value environments.
For security teams, this broader targeting means organizations outside the government sector may face elevated risk if they share supply chains or communications networks. Dannacher warned that pre-positioned threats might remain dormant but pose risks over a five- to 10-year strategic horizon.
"The realistic picture for a large institution is that it is simultaneously of interest to multiple state-aligned actors with different objectives," Dannacher says. "Designing your security posture to account for that complexity is not paranoia. It is accuracy."
To strengthen defenses, ITSEC Asia recommends that organizations expand their security posture beyond traditional indicators of compromise (IOCs). Teams should focus on continuously monitoring and blocking the specific tactics, techniques, and procedures (TTPs) utilized by the group.
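The two behaviors the report describes, persistence through Windows services and C2 rotation by renaming a file, are exactly the kind of TTPs that a hash- or domain-only IOC feed misses. The following hunting script is an added example written for this article, not code from ITSEC, Kaspersky, or the authors quoted above. It runs over a handful of constructed "service installed" records (the fields of Windows System log Event ID 7045 plus a binary hash an EDR might attach) and flags two things: service binaries living in user-writable directories, and the same binary (by hash) being installed under different file names within a short window, which is what a rename-based infrastructure rotation looks like from the defender's side. The event records, host names, paths, and hashes are all constructed; the path prefixes are an assumption you would tune to your environment.

```python
"""Hunt for service-based persistence and rename-style rotation in
constructed Windows 'service installed' (Event ID 7045) records.
Added example for illustration; all sample data below is constructed."""
import hashlib
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed content stands in for the bytes of a dropped service binary, so the
# same SHA-256 can appear under several file names without inventing real hashes.
ROTATED_BINARY = hashlib.sha256(b"constructed-sample-service-binary").hexdigest()
LEGIT_SVCHOST = hashlib.sha256(b"constructed-sample-svchost").hexdigest()
LEGIT_AGENT = hashlib.sha256(b"constructed-sample-vendor-agent").hexdigest()

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2026-03-01T08:00:00", "host": "WS-01", "service": "WinUpdSvc",
     "image_path": r"C:\Users\alice\AppData\Roaming\upd\svc_a1.exe", "sha256": ROTATED_BINARY},
    {"time": "2026-03-01T13:30:00", "host": "WS-01", "service": "WinUpdSvc2",
     "image_path": r"C:\Users\alice\AppData\Roaming\upd\svc_b7.exe", "sha256": ROTATED_BINARY},
    {"time": "2026-03-01T09:15:00", "host": "WS-02", "service": "NetSvcs",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs", "sha256": LEGIT_SVCHOST},
    {"time": "2026-03-02T09:15:00", "host": "WS-03", "service": "NetSvcs",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs", "sha256": LEGIT_SVCHOST},
    {"time": "2026-03-02T10:00:00", "host": "WS-03", "service": "VendorAgent",
     "image_path": r'"C:\Program Files\Vendor\agent.exe" --service', "sha256": LEGIT_AGENT},
    {"time": "2026-03-06T09:00:00", "host": "WS-04", "service": "UpdateHelper",
     "image_path": r"C:\ProgramData\tool\update.exe", "sha256": ROTATED_BINARY},
]

# Assumed prefixes for directories an ordinary user can write to; tune per environment.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")


def binary_path(image_path):
    """Extract the executable portion of an ImagePath value, lower-cased.
    Handles a quoted path followed by arguments and an unquoted path
    followed by arguments (cut after the first '.exe')."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)].lower()
    low = s.lower()
    idx = low.find(".exe")
    return low[: idx + 4] if idx != -1 else low


def find_user_writable_services(events):
    """Return (host, service, path) for services whose binary sits in a
    user-writable directory, a common sign of persistence planted by a
    dropper rather than by an installer."""
    hits = []
    for ev in events:
        path = binary_path(ev["image_path"])
        if path.startswith(USER_WRITABLE_PREFIXES):
            hits.append((ev["host"], ev["service"], path))
    return hits


def find_rename_rotations(events, window=timedelta(hours=24)):
    """Flag the same binary (by hash) installed under different file names
    within `window`. A filename IOC misses this; grouping by hash and
    looking for name churn catches it."""
    by_hash = defaultdict(list)
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        name = ntpath.basename(binary_path(ev["image_path"]))
        by_hash[ev["sha256"]].append((when, name, ev["host"]))
    findings = []
    for digest, installs in by_hash.items():
        installs.sort()
        for i, (t_i, name_i, host_i) in enumerate(installs):
            for t_j, name_j, host_j in installs[i + 1:]:
                if t_j - t_i > window:
                    break  # sorted by time, so later entries are further out
                if name_j != name_i:
                    findings.append({"sha256": digest, "names": (name_i, name_j),
                                     "hosts": (host_i, host_j)})
    return findings


if __name__ == "__main__":
    for hit in find_user_writable_services(SAMPLE_EVENTS):
        print("service binary in user-writable path:", hit)
    for f in find_rename_rotations(SAMPLE_EVENTS):
        print("same binary renamed within window:", f["names"], "on", f["hosts"])
```

In a real deployment the event list would come from forwarded System logs or an EDR service-creation table, and the two checks would be two detection rules rather than one script. The point the example makes is the one ITSEC is making: the third install of the rotated binary five days later, under yet another name, is only caught because the rule keys on the binary hash and the install location, not on the file name or the C2 domain that the operators can change at will.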
Dannacher highlighted that techniques are increasingly shared across different threat categories, increasing the overall risk environment.
"What we are seeing in Indonesia right now is not a scene with a single dominant threat category, it is a convergence, and that convergence is what makes it genuinely difficult to defend against," he says. "The boundaries that used to separate cybercrime from hacktivism from state-sponsored intrusion have largely dissolved at the operational level."
About the original author: Robert Lemos is a veteran technology journalist of more than 20 years and a former research engineer. He has written for numerous publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News, earning five awards for journalism.