
Acronis TRU Reveals SideWinder’s Geofenced Malware Targeting Regional Defense and Financial Bodies


The Acronis Threat Research Unit (TRU) has uncovered a sophisticated cyber-espionage campaign orchestrated by the SideWinder Advanced Persistent Threat (APT) group, targeting key government and military institutions across South Asia. The latest campaign, which came to light in early 2025, focuses on high-value organizations in Sri Lanka, Bangladesh, and Pakistan, including Sri Lanka’s elite 55 Division of the Army and the Central Bank of Sri Lanka (CBSL).

According to Acronis TRU, SideWinder sent spear-phishing emails carrying malicious Word and RTF attachments that exploit two long-patched Microsoft Office vulnerabilities: CVE-2017-0199, in which an OLE link object embedded in the document is refreshed on open and fetches a remote payload, and CVE-2017-11882, a stack buffer overflow in the legacy Equation Editor component. Both were fixed in 2017, yet they still work against organizations running unpatched or end-of-life Office builds. The lure documents are geofenced so that only recipients in the targeted countries are served the malicious payload, which keeps the attackers' infrastructure out of broad sandbox and scanner telemetry and lets them home in on their intended targets.
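The two Office bugs named above leave recognisable traces in the RTF source, so a mail gateway or IR analyst can triage attachments statically before they ever reach Word. The scanner below is an added example, not code from the Acronis TRU report and not a SideWinder artefact: it decodes every `\objdata` hex blob (tolerating the line-wrapping and whitespace padding lure builders use), looks for the `\objupdate` control word and OLE2Link/StdOleLink object that characterise CVE-2017-0199, the `Equation.3` ProgID and Equation Editor CLSID that characterise CVE-2017-11882, and pulls any UTF-16LE URL moniker out of the object so the staging host can be blocked. The three RTF samples are constructed inline for the demonstration; the `example.invalid` URL is hypothetical. The CLSID values and control words are public Office/OLE facts, not taken from the article.

```python
"""Static triage of RTF attachments for CVE-2017-0199 / CVE-2017-11882 indicators.

Added example, not part of the Acronis TRU report. The RTF samples below are
constructed inline to exercise the scanner; they are not real SideWinder lures.
"""
import re
import struct
import textwrap

# Public, well-documented indicators for the two Office bugs named in the article.
# CVE-2017-0199: an OLE link (OLE2Link / StdOleLink CLSID) that Word refreshes on
#   open because of \objupdate, pulling a remote HTA/template from a URL moniker.
# CVE-2017-11882: an embedded Equation Editor (EQNEDT32.EXE) object, ProgID
#   Equation.3, CLSID {0002CE02-0000-0000-C000-000000000046}.
STDOLELINK_CLSID = bytes.fromhex("00030000" "0000" "0000" "c000000000000046")  # {00000300-...-46}, little-endian
EQUATION_CLSID = bytes.fromhex("02ce0200" "0000" "0000" "c000000000000046")    # {0002CE02-...-46}, little-endian

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
EQUATION_CLASS_RE = re.compile(rb"\\objclass\s+Equation\.[23]\b")
# OLE monikers store the target as UTF-16LE: every printable ASCII byte is followed by NUL.
UTF16_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[!-~]\x00)+")


def decode_objdata_blobs(rtf: bytes) -> list[bytes]:
    """Return the raw OLE1 blob from every \\objdata group in the RTF.

    Lure builders spread the hex over many lines and pad it with whitespace,
    so strip everything that is not a hex digit before decoding.
    """
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(rb"[^0-9a-fA-F]", b"", m.group(1))
        if len(hexdigits) % 2:          # tolerate a truncated trailing nibble
            hexdigits = hexdigits[:-1]
        blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Collect indicators for both CVEs plus any URL moniker targets found."""
    findings = {"cve_2017_0199": [], "cve_2017_11882": [], "urls": []}
    if b"\\objupdate" in rtf:
        findings["cve_2017_0199"].append("\\objupdate: linked object is refreshed on open")
    if EQUATION_CLASS_RE.search(rtf):
        findings["cve_2017_11882"].append("\\objclass Equation.3: Equation Editor object")
    for blob in decode_objdata_blobs(rtf):
        if b"OLE2Link" in blob or STDOLELINK_CLSID in blob:
            findings["cve_2017_0199"].append("OLE2Link/StdOleLink object in \\objdata")
        if b"Equation.3" in blob or b"Equation Native" in blob or EQUATION_CLSID in blob:
            findings["cve_2017_11882"].append("Equation Editor CLSID/ProgID in \\objdata")
        for m in UTF16_URL_RE.finditer(blob):
            findings["urls"].append(m.group(0).decode("utf-16-le"))
    findings["verdict"] = "suspicious" if (findings["cve_2017_0199"] or findings["cve_2017_11882"]) else "clean"
    return findings


# ---- constructed samples (not real malware) --------------------------------
def _ole1_header(class_name: bytes) -> bytes:
    """Minimal OLE1 object header: version, format id, class-name length, name."""
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + struct.pack("<I", len(class_name) + 1) + class_name + b"\x00")


def _rtf_with_object(flags: str, objclass: str, blob: bytes) -> bytes:
    hexdata = "\n".join(textwrap.wrap(blob.hex(), 64))   # line-wrapped like real lures
    doc = ("{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard Budget review attached.\\par\n"
           "{\\object" + flags + "{\\*\\objclass " + objclass + "}{\\*\\objdata " + hexdata + "}}}")
    return doc.encode("ascii")


TEMPLATE_URL = "http://example.invalid/template.doc"   # hypothetical staging host (.invalid never resolves)
SAMPLE_0199 = _rtf_with_object("\\objautlink\\objupdate", "Word.Document.8",
                               _ole1_header(b"OLE2Link") + STDOLELINK_CLSID + b"\x00" * 8
                               + TEMPLATE_URL.encode("utf-16-le") + b"\x00\x00")
SAMPLE_11882 = _rtf_with_object("\\objemb", "Equation.3",
                                _ole1_header(b"Equation.3") + EQUATION_CLSID + b"A" * 48)
SAMPLE_BENIGN = _rtf_with_object("\\objemb", "Excel.Sheet.12",
                                 _ole1_header(b"Excel.Sheet.12") + b"\x00" * 16)

if __name__ == "__main__":
    for name, doc in (("0199", SAMPLE_0199), ("11882", SAMPLE_11882), ("benign", SAMPLE_BENIGN)):
        print(name, scan_rtf(doc))
```

Real lures add further obfuscation (control words interleaved inside the hex, `\objdata` split across nested groups), so treat a clean verdict as "no known indicator found" rather than "safe", and pair this with the patch check: a host with the 2017 fixes applied, or with Equation Editor removed and `\objupdate` links disabled via the Office COM-kill-bit policy, is not exploitable by either bug regardless of what the scanner misses.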

Once triggered, the campaign utilizes a sophisticated, multi-stage intrusion chain ...


Copyright of this story solely belongs to itvoice.in.