Pulse Detail — Threat Intelligence

PULSE NAME

IOC - SideWinder's Shifting Sands: Click Once for Espionage

WHITE celestre 2025-10-29 Modified: 2025-10-29

123

IOCs

HIGH VOLUME

In September 2025, the Trellix Advanced Research Center (ARC) detected a campaign targeting a European embassy located in New Delhi, India. Further investigation led to the discovery of multiple targeted institutions from various countries, including Sri Lanka, Pakistan, and Bangladesh. This report examines the tactics, techniques, and procedures (TTPs) employed by SideWinder, an advanced persistent threat (APT) group notorious for its espionage activities in Asia. Our investigation reveals a notable evolution in SideWinder's TTPs, particularly the adoption of a novel PDF and ClickOnce-based infection chain, in addition to their previously documented Microsoft Word exploit vectors. This shift highlights the group's ongoing adaptation to circumvent conventional security measures and achieve its objectives.

Indicators of Compromise (123)

All URL FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain email hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	https://pmo-gov-pk.filenest.live/17316/1/32349/2/32/0/0/m/files-d5187655/	—	2025-10-29
FileHash-MD5	22e3a5970ae84c5f68b98f3b19dd980b	MD5 of 922bb79cbb76f2b51d5709500d87a55142a38368b4289fb5b45c1318c6a31cf6	2025-10-29
FileHash-SHA1	a55b555b59b140dda913af0187f45b29398276fb	SHA1 of 922bb79cbb76f2b51d5709500d87a55142a38368b4289fb5b45c1318c6a31cf6	2025-10-29
FileHash-SHA256	06da4a5755a81785f68caf75cca2b7a41c3aa9b4af24d2bb93964abf87343869	—	2025-10-29
FileHash-SHA256	09b96a2426f8ddcc20aa58a72ad147d410525f1a4a42835b7ece126211537b3b	—	2025-10-29
FileHash-SHA256	09cfec5b9cc3ef5939287fdb8b1bcb9a8a7185e45ef587a96f35744c02c0f03c	—	2025-10-29
FileHash-SHA256	0f407b9b1cffa88edfe5a439f316dd41eea2fc47ba24a8dd986a6ffe520cb66b	—	2025-10-29
FileHash-SHA256	2d988506cf300236b57744d16adea07525d7b709a0fbf181810143d89aa55017	—	2025-10-29
FileHash-SHA256	2ff1eb3d23b32169d5f07b5c4df6ec9a20b543255a3af4c92de2c322455746a9	—	2025-10-29
FileHash-SHA256	31c7381c90b852b4cb858a4fb0a548f7c38ea134eb49a679a83ae2de9f8d98e2	—	2025-10-29
FileHash-SHA256	32febd24765e996c8f01f77f02b02af3e35914ea215f98fcf2054a15a5bb0262	—	2025-10-29
FileHash-SHA256	341a21538b90c87b40e150967519a695f2c339befde232e2f3cd85caf6885803	—	2025-10-29
FileHash-SHA256	36f7db22dbd834d0bbffbd1c7647101604054a2d1595ea0baf106a4da7d5fefb	—	2025-10-29
FileHash-SHA256	39eba7eeadab00b4552cc42550dd285f7b3c5fbf451634ce0f6458d61d0b1aed	—	2025-10-29
FileHash-SHA256	3ffc09dda86b9c78028f20d5447616c4e60f7c70e2f3cabcc05c77ee8a92f7ce	—	2025-10-29
FileHash-SHA256	4d394319bf9952217aab6d5fc5603abeb3a6e06f6026ff80ec5fa5d02b08cd66	—	2025-10-29
FileHash-SHA256	4e984a01dee63ca0a7fb1efa42a483d2e378e8f87896c76788f11abe8ddeec3c	—	2025-10-29
FileHash-SHA256	52602351cf896d44156016e44e2342d4eb75140b7415eaab3f629636d315fb1a	—	2025-10-29
FileHash-SHA256	54ef2aaeeb850c07cf3e01754478da2b8947b7188e1aabc8dd7eb54c78b55bd1	—	2025-10-29
FileHash-SHA256	56220142f616d5fffacad4e83b3262e0499e96dcdf99fbb6b81cd9178ef97ced	—	2025-10-29
FileHash-SHA256	5f8cdb9a5000a4d4ab08255efb3bd0c074551df94ebff820510078b45ad0b9f1	—	2025-10-29
FileHash-SHA256	6226704e0cbe5b17c50bfbdb79912028137abf1f0f918fd455d9a71ed4478fcf	—	2025-10-29
FileHash-SHA256	632d1e049e74e3cc34f01fa7d4b4e18e8679636eb58e38756b8ed0314a861a02	—	2025-10-29
FileHash-SHA256	635e8abd8ce13a985229e5a0269096a272beef15307333f63cbc95cd13a71e88	—	2025-10-29
FileHash-SHA256	65125a51edf9e2ab776bc041b77267dc04045bf4f6df03138494966cee9f5a54	—	2025-10-29
FileHash-SHA256	65bc2a15dd4201ddcec44cd02cfeea16c7734a0bd009c977ca5a3c6738c57ae6	—	2025-10-29
FileHash-SHA256	71409564792f503c4ec6c5000d98ac4a97a153d4c16cc6f6528c136271bc8ed8	—	2025-10-29
FileHash-SHA256	7d51aba5a9bbad297c05a0a3b99aa32af354b45ad2e99191fe0e611c9f44dfa4	—	2025-10-29
FileHash-SHA256	8183a28cc1d962c173d5a63d1b61acafd995e6f0c4f595d6f0e43988b88c480b	—	2025-10-29
FileHash-SHA256	81dda6e8d6835980aaa3fa26b1ee4a8d7931fea7c33caf5f639a1057ad39add1	—	2025-10-29
FileHash-SHA256	8435f374161bcf63175e34fc331957c2661d2e83bbd55675b3a103a5cc2ed7c5	—	2025-10-29
FileHash-SHA256	84ddd27b18b7401fd46149c60b0fff4ea0f01ba8668649dc246769784bc7a00d	—	2025-10-29
FileHash-SHA256	892089dc7e4af5ee4a89a2fd3083e6843ce7bffc94003d233063ba23d779a314	—	2025-10-29
FileHash-SHA256	8d85e13eb217dde0b1c770743b1e9d033ff3c6d26186d70ffb0e9246ffc2dc6f	—	2025-10-29
FileHash-SHA256	922bb79cbb76f2b51d5709500d87a55142a38368b4289fb5b45c1318c6a31cf6	—	2025-10-29
FileHash-SHA256	a28135ad1294328cbf0b200f7fa4ad7a0691bd80fb87e88b348c396fa652aa10	—	2025-10-29
FileHash-SHA256	a8b4fcfed3dc3b25e5b9ad34c9f6909f4cc4bedb4606416a672d1a39976e1c5d	—	2025-10-29
FileHash-SHA256	aa7c242c325528bbb6184a603b4b0ae2b67711b774e2400f1fe086e0d5eb66bc	—	2025-10-29
FileHash-SHA256	aaf08583c38289e617cfaae8bd42aa4ce48a0d7c9e401e9cb4cbfa6fb65e4935	—	2025-10-29
FileHash-SHA256	b06aa054491e7b07f54edced19ff648322427b8f5cfa6b46656667c9b40b7215	—	2025-10-29
FileHash-SHA256	b97c5ed08e5072bf7fdf44864c942657dfcaa8c3f4627698e0b87f773d04cd15	—	2025-10-29
FileHash-SHA256	be4916940676befe86749c8a9b156346fa80ce6c0a341ab59dfd49344ef8162b	—	2025-10-29
FileHash-SHA256	c1093860c1e5e04412d8509ce90568713fc56a0d5993bfdb7386d8dc5e2487b6	—	2025-10-29
FileHash-SHA256	c5c07c258ceb91ccba50428dc81c87f5eb0bb13dd6abde82811baa56d1be60fc	—	2025-10-29
FileHash-SHA256	c67ee29964506676bde38e7732e720078abdb0adebc743a367a5d9a1215f5020	—	2025-10-29
FileHash-SHA256	ce72830bc037680d9ef50d328f3776d2bddf5aaffd077d2d884efafa3e30ee70	—	2025-10-29
FileHash-SHA256	cf739fe6621968e2fd7d1ce4a7c513bf4b994a66f33bbc9b53b26672046aa77e	—	2025-10-29
FileHash-SHA256	d2c8d33ea2d855bc9cd52d3a4d312c81f848c4f5afb9414ee90b036f3f27a4a4	—	2025-10-29
FileHash-SHA256	d4c746c27873a016c7d3d6d00400c60824afd1cd69840a76873096cbadb23a48	—	2025-10-29
FileHash-SHA256	dd30478a1f2e822d3e9be536ca249e1c677ccaf1106fb9a9f41003e2bb609d09	—	2025-10-29
FileHash-SHA256	e091d16488b1b638a2c0013e761d341a04728de4de4388827e62f8c039f77fbc	—	2025-10-29
FileHash-SHA256	e4d494948ce5c81e600ca36d3c35007f371cceef7e2c16addf2668bed1533efb	—	2025-10-29
FileHash-SHA256	e5cd4c5e6c35c07b7d1a078ed801a5676d529d41dcbecacd13f744b2c79fe46d	—	2025-10-29
FileHash-SHA256	f022b5b6ef036bed3c4e4fef2dc8a703cd51146cf449c0be48fa963a62eba752	—	2025-10-29
FileHash-SHA256	f4f851ed2a972e2c90ea20a1d8a2421111264022700caab82e42b89e80bc321a	—	2025-10-29
FileHash-SHA256	f6e54fd80aa4f8b779f2fb85466c7e6d4f9c2dbd0a79d0d8e9d1f275654e51c5	—	2025-10-29
URL	https://adobe.pdf-downlod.com/4dfbdf2b_updates/adobe-reader	—	2025-10-29
URL	https://adobe.pdf-downlod.com/[8_random_hex_values]_updates/adobe-reader	—	2025-10-29
URL	https://adobe.pdf-downlod.com/updates-[8_random_hex_values]/adobe-reader	—	2025-10-29
URL	https://adobe.pdf-downlod.com/updates-b1139620/adobe-reader	—	2025-10-29
URL	https://cabinet-gov-pk.dytt888.net/43098866-circular/adobe-reader	—	2025-10-29
URL	https://cabinet-gov-pk.dytt888.net/[8_random_numeric_values]-circular/adobe-reader	—	2025-10-29
URL	https://cadetcollege.adobeglobal.com/registration/00198727/adobe-reader	—	2025-10-29
URL	https://cadetcollege.adobeglobal.com/registration/[8_random_numeric_values]/adobe-reader	—	2025-10-29
URL	https://exosel.info/202/gYvXAIX6GGFkjJpAVSC5ls2CfMe66s8uwB1X5QZC/32349/17276/59fc0fdf	—	2025-10-29
URL	https://hajjmedicalteam.adobeglobal.com/bangladesh/73439525/adobe-reader	—	2025-10-29
URL	https://hajjmedicalteam.adobeglobal.com/bangladesh/85758038/adobe-reader	—	2025-10-29
URL	https://hajjmedicalteam.adobeglobal.com/bangladesh/[8_random_numeric_values]/adobe-reader	—	2025-10-29
URL	https://hajjtraining2025.moragovt.net/2a12968d-schedule/adobe-reader	—	2025-10-29
URL	https://hajjtraining2025.moragovt.net/[8_random_hex_values]-schedule/adobe-reader	—	2025-10-29
URL	https://mocat-gov-bd.filenest.live/88555949/adobe-reader	—	2025-10-29
URL	https://mod-gov-bd.snagdrive.com/80097355/adobe-reader	—	2025-10-29
URL	https://mod-gov-bd.snagdrive.com/[8_random_hex_values]/adobe-reader	—	2025-10-29
URL	https://mod-gov-bd.snagdrive.com/ce692827/adobe-reader	—	2025-10-29
URL	https://mofa-gov-bd.filenest.live/17070638/adobe-reader	—	2025-10-29
URL	https://mofa-gov-bd.filenest.live/48686010/adobe-reader	—	2025-10-29
URL	https://mofa-gov-bd.filenest.live/9b156a35/adobe-reader	—	2025-10-29
URL	https://mofa-gov-bd.filenest.live/[8_random_numeric_values]	—	2025-10-29
URL	https://mofa-gov-bd.filenest.live/[8_random_numeric_values]/adobe-reader	—	2025-10-29
URL	https://mofa-gov-bd.snagdrive.com/a18939fc/adobe-reader	—	2025-10-29
URL	https://mos-gov-bd.snagdrive.com/[32_random_hex_values]/co/adobe-reader	—	2025-10-29
URL	https://mos-gov-bd.snagdrive.com/[8_random_hex_values]	—	2025-10-29
URL	https://mos-gov-bd.snagdrive.com/b80873e7/adobe-reader	—	2025-10-29
URL	https://ostcone.site/202/q2cBahBKeA3vl6AijbYx1Mz9yAt5a1OvNHPv8api/32349/17303/88efad0d	—	2025-10-29
URL	https://pimec-paknavy.updates-installer.store/1/7ab8fb0a/adobe-reader	—	2025-10-29
URL	https://pimec-paknavy.updates-installer.store/1/[8_random_hex_values]/adobe-reader	—	2025-10-29
URL	https://pimec-paknavy.updates-installer.store/[8_random_hex_values]_1/Microsoft_License.rtf	—	2025-10-29
URL	https://pmo-gov-pk.filenest.live/17316/1/32349/2/32/0/0/m/files-[8_random_hex_values]/	—	2025-10-29
URL	https://pmo-gov-pk.filenest.live/[8_random_hex_values]-conflict	—	2025-10-29
URL	https://pubad-gov-lk.download-doc.net/09c3c5c1/adobe-reader	—	2025-10-29
URL	https://pubad-gov-lk.download-doc.net/41498067/adobe-reader	—	2025-10-29
URL	https://pubad-gov-lk.download-doc.net/8a24a2e6/adobe-reader	—	2025-10-29
URL	https://pubad-gov-lk.download-doc.net/[8_random_hex_values]/adobe-reader	—	2025-10-29
URL	https://www-parliament-lk.snagdrive.com/[8_random_hex_values]/adobe-reader	—	2025-10-29
URL	https://www-parliament-lk.snagdrive.com/e8147089/adobe-reader	—	2025-10-29
URL	https://www-treasury-gov-lk.snagdrive.com/69570935/adobe-reader	—	2025-10-29
URL	https://www-treasury-gov-lk.snagdrive.com/[8_random_numeric_values]/adobe-reader	—	2025-10-29
domain	exosel.info	—	2025-10-29
domain	ostcone.site	—	2025-10-29
email	asresearch@mofa.gov.bd.pk-mail.org	—	2025-10-29
email	d11@mod.gov.bd.pk-mail.org	—	2025-10-29
email	d17@mod.gov.bd.pk-mail.org	—	2025-10-29
email	ds.plann2@mos.gov.bd.pk-mail.org	—	2025-10-29
email	js.admn@pmo.gov.pk-mail.org	—	2025-10-29
email	mau@mofa.gov.bd.pk-mail.org	—	2025-10-29
email	p2@mofa.gov.bd.pk-mail.org	—	2025-10-29
email	pc2@mod.gov.bd.pk-mail.org	—	2025-10-29
email	secretary@mocat.gov.bd.pk-mail.org	—	2025-10-29
hostname	adobe.pdf-downlod.com	—	2025-10-29
hostname	cabinet-gov-pk.dytt888.net	—	2025-10-29
hostname	cadetcollege.adobeglobal.com	—	2025-10-29
hostname	hajjmedicalteam.adobeglobal.com	—	2025-10-29
hostname	hajjtraining2025.moragovt.net	—	2025-10-29
hostname	mocat-gov-bd.filenest.live	—	2025-10-29
hostname	mod-gov-bd.snagdrive.com	—	2025-10-29
hostname	mofa-gov-bd.filenest.live	—	2025-10-29
hostname	mofa-gov-bd.snagdrive.com	—	2025-10-29
hostname	mos-gov-bd.snagdrive.com	—	2025-10-29
hostname	pimec-paknavy.updates-installer.store	—	2025-10-29
hostname	pmo-gov-pk.filenest.live	—	2025-10-29
hostname	pubad-gov-lk.download-doc.net	—	2025-10-29
hostname	www-parliament-lk.snagdrive.com	—	2025-10-29
hostname	www-treasury-gov-lk.snagdrive.com	—	2025-10-29

References (1)

↗ https://www.trellix.com/blogs/research/sidewinders-shifting-sands-click-once-for-espionage/