In 2025, the digital landscape is more complex and perilous than ever. Organizations face an unrelenting barrage of sophisticated cyber threats, from advanced ransomware campaigns to nation-state-backed attacks. As a result, many are turning to SOC as a Service Providers to gain around-the-clock security monitoring, threat detection, and incident response without the overhead of building […]
The SideWinder advanced persistent threat group has emerged with a sophisticated new attack methodology that leverages ClickOnce applications to deploy StealerBot malware against diplomatic and governmental targets across South Asia.
In September 2025, security researchers detected a targeted campaign affecting institutions in Sri Lanka, Pakistan, Bangladesh, and diplomatic missions based in India.
The attacks represent a notable evolution in the threat actor’s tradecraft, moving beyond traditional Microsoft Word-based exploits to embrace a more complex PDF and ClickOnce infection chain designed to circumvent modern security controls.
The campaign unfolded through multiple waves of spear-phishing emails, each carefully crafted with region-specific themes to manipulate victims into executing malicious payloads.
Attack lures included documents titled “Inter-ministerial meeting Credentials.pdf” and “Relieving order New Delhi.pdf,” which prompted targets to download what appeared to be an updated version of Adobe Reader.
When victims clicked the embedded button, they unknowingly initiated a ClickOnce application download from attacker-controlled infrastructure.
These applications bore valid digital signatures from MagTek Inc., not through certificate theft but via DLL side-loading of legitimate MagTek binaries—a technique that allowed the malware to bypass Windows security warnings and execute without raising immediate suspicion.
Trellix analysts identified the malware’s sophisticated evasion mechanisms after detecting the fourth wave of attacks through their SecondSight hunting capabilities on Trellix Email Security.
The researchers noted that SideWinder implemented advanced operational security measures including geofencing, which restricted payload delivery to IP addresses originating from targeted regions.
This geographic restriction prevented security researchers outside South Asia from accessing live malware samples, significantly complicating analysis efforts.
Additionally, the threat actors employed dynamically generated URLs with random numeric components and time-limited payload availability, ensuring that malicious components remained accessible only during narrow windows immediately following initial compromise.
The technical sophistication extends to the malware’s persistence and execution mechanisms.
Once the ClickOnce application executes, it drops DEVOBJ.dll alongside an encrypted payload file with randomized extensions such as .ns5 or .1ym.
The DLL performs XOR decryption using the first 42 bytes of the encrypted file as the key, revealing a .NET loader (App.dll) that downloads ModuleInstaller from the command-and-control server.
ModuleInstaller then profiles the compromised system and retrieves configuration files, including TapiUnattend.exe—a legitimate Windows binary—and wdscore.dll, which side-loads to execute the final-stage StealerBot malware.
The malware demonstrates adaptive behavior by detecting installed antivirus products and adjusting its execution path accordingly, using mshta.exe for Avast or AVG detections and pcalua.exe when Kaspersky is present.
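The article describes DEVOBJ.dll decrypting its companion payload file by XOR with the file's own first 42 bytes as the key. The following is an added analyst-side example, not Trellix's code or the malware's own: it recovers a payload encrypted under that scheme and sanity-checks that the result looks like a PE module (the .NET loader App.dll the article names is one). Two details the article does not state are assumed and labelled here: the key is applied cyclically, and the ciphertext is everything after the 42-byte header. The sample blob is constructed.

```python
"""Added example (not Trellix's or the malware's code): recover a payload from a
blob encrypted with the scheme the article describes for SideWinder's DEVOBJ.dll,
where the first 42 bytes of the file are the XOR key.

Assumptions not stated in the article: the key repeats cyclically and the
ciphertext is the remainder of the file after the 42-byte header.
"""
import itertools

KEY_LEN = 42


def xor_decrypt_with_header_key(blob: bytes, key_len: int = KEY_LEN) -> bytes:
    """XOR the body of `blob` with its own leading `key_len` bytes, repeated."""
    if len(blob) <= key_len:
        raise ValueError("blob too short to hold a key and a ciphertext")
    key, body = blob[:key_len], blob[key_len:]
    return bytes(b ^ k for b, k in zip(body, itertools.cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap triage check: DOS 'MZ' header plus a 'PE\\0\\0' signature at the
    offset stored in e_lfanew (bytes 0x3C..0x3F)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def build_constructed_sample() -> bytes:
    """Constructed fixture: a minimal PE-shaped plaintext encrypted under a
    fixed 42-byte key, so the decoder can be exercised offline."""
    key = bytes(range(1, KEY_LEN + 1))              # arbitrary non-zero key bytes
    plaintext = bytearray(b"MZ" + b"\x00" * 0x3A)    # 0x3C bytes of DOS header
    plaintext += (0x40).to_bytes(4, "little")        # e_lfanew points at 0x40
    plaintext += b"PE\0\0" + b"\x00" * 12 + b"constructed loader body"
    ciphertext = bytes(b ^ k for b, k in zip(plaintext, itertools.cycle(key)))
    return key + ciphertext                          # header key + ciphertext


def triage(blob: bytes) -> dict:
    """Decrypt and summarise: size, whether it is PE-shaped, first two bytes."""
    decoded = xor_decrypt_with_header_key(blob)
    return {"size": len(decoded), "is_pe": looks_like_pe(decoded), "head": decoded[:2]}


if __name__ == "__main__":
    print(triage(build_constructed_sample()))
```

If the decoded bytes do not start with `MZ`, the assumptions above (cyclic key, ciphertext after the header) are the first things to revisit for a given sample.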
ClickOnce Application Structure and DLL Side-Loading
The infection chain’s core strength lies in its abuse of ClickOnce’s trusted application deployment framework.
SideWinder weaponized the legitimate MagTek Reader Configuration application (version 1.5.13.2) by preserving its structural integrity while replacing critical components.
SideWinder’s PDF version execution chain (Source – Trellix)
The attackers substituted the authentic MagTek public key token (7ee65bc326f1c13a) with null values (0000000000000000) in the manifest, maintaining valid certificate chains to evade detection.
The application’s branding was modified from MagTek to “Adobe Compatibility Suite,” complete with an Adobe Reader icon replacement, perfectly aligning with the phishing lure’s premise.
The payload delivery mechanism substituted legitimate JSON configuration files (DeviceImages.json and EmvVendorConfig.json) with malicious DEVOBJ.dll (SHA256: c1093860c1e5e04412d8509ce90568713fc56a0d5993bfdb7386d8dc5e2487b6).
This DLL serves as the side-loading vector for subsequent stages. The manifest included useLegacyV2RuntimeActivationPolicy="true" to enable compatibility with older .NET Framework versions, facilitating execution of legacy malware components.
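The manifest changes described above (a publicKeyToken replaced with 0000000000000000 while a signature block remains, rebranding to "Adobe Compatibility Suite", and useLegacyV2RuntimeActivationPolicy="true") are all visible in the manifest XML before anything runs. The following is an added defender-side example, not Trellix's or MagTek's code, that audits a ClickOnce deployment manifest for exactly those markers. The manifest it parses is constructed for this example; the file name ReaderConfig.application and the element placement of the legacy-runtime attribute are illustrative assumptions, not values taken from a real sample.

```python
"""Added example (not Trellix's or MagTek's code): audit a ClickOnce deployment
manifest for the tampering markers the article describes: assemblyIdentity
elements whose publicKeyToken is the all-zero 0000000000000000, an XML-DSig
Signature block present alongside them, and useLegacyV2RuntimeActivationPolicy
set to true. The sample manifest is constructed; names in it are illustrative.
"""
import xml.etree.ElementTree as ET

NULL_TOKEN = "0000000000000000"
XMLDSIG_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def audit_clickonce_manifest(xml_text: str) -> dict:
    """Return a report dict; `findings` holds the human-readable flags."""
    root = ET.fromstring(xml_text)
    report = {
        "null_tokens": [],              # assembly names with an all-zero token
        "signed": False,                # an XML-DSig Signature element exists
        "legacy_runtime_policy": False,
        "product": None,                # branding shown to the user
        "findings": [],
    }
    for elem in root.iter():
        tag = _local(elem.tag)
        if elem.tag == XMLDSIG_SIGNATURE:
            report["signed"] = True
        if tag == "assemblyIdentity":
            token = (elem.get("publicKeyToken") or "").lower()
            if token == NULL_TOKEN:
                report["null_tokens"].append(elem.get("name", "?"))
        for attr, value in elem.attrib.items():
            if tag == "description" and _local(attr) == "product":
                report["product"] = value
            if _local(attr) == "useLegacyV2RuntimeActivationPolicy" and value.lower() == "true":
                report["legacy_runtime_policy"] = True

    if report["null_tokens"] and report["signed"]:
        report["findings"].append(
            "signature block present but identities carry a null publicKeyToken: "
            + ", ".join(report["null_tokens"]))
    if report["legacy_runtime_policy"]:
        report["findings"].append(
            "useLegacyV2RuntimeActivationPolicy=true: legacy .NET runtime activation enabled")
    return report


# Constructed sample manifest (not a real SideWinder artifact). The element
# carrying useLegacyV2RuntimeActivationPolicy is placed here only so the check
# can be exercised; the article says the attribute was in the manifest but not
# where.
SAMPLE_MANIFEST = """<asmv1:assembly manifestVersion="1.0"
  xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
  xmlns="urn:schemas-microsoft-com:asm.v2"
  xmlns:asmv2="urn:schemas-microsoft-com:asm.v2">
  <assemblyIdentity name="ReaderConfig.application" version="1.5.13.2"
    publicKeyToken="0000000000000000" language="neutral"
    processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <description asmv2:publisher="Adobe Compatibility Suite"
    asmv2:product="Adobe Compatibility Suite" />
  <startup useLegacyV2RuntimeActivationPolicy="true" />
  <dependency>
    <dependentAssembly dependencyType="install" codebase="ReaderConfig.exe.manifest">
      <assemblyIdentity name="ReaderConfig.exe" version="1.5.13.2"
        publicKeyToken="0000000000000000" language="neutral"
        processorArchitecture="msil" type="win32" xmlns="urn:schemas-microsoft-com:asm.v1" />
    </dependentAssembly>
  </dependency>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo /></Signature>
</asmv1:assembly>"""


if __name__ == "__main__":
    for line in audit_clickonce_manifest(SAMPLE_MANIFEST)["findings"]:
        print(line)
```

The null-token-plus-signature combination is the point: an all-zero token is what an unsigned identity looks like, so seeing it in a manifest that still carries a signature block and vendor branding unrelated to the original application is worth a closer look before the application is allowed to run.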
After execution, a decoy PDF document displays to victims, maintaining the illusion of legitimate document processing while malware establishes persistence and begins data exfiltration operations in the background.
The StealerBot malware represents the campaign’s ultimate objective, designed for comprehensive espionage operations.
While researchers successfully identified the core infection chain components, geofencing restrictions prevented the acquisition of additional plugin modules beyond IPHelper.dll, which manages proxy communications within the malware ecosystem.
The campaign’s infrastructure—spanning domains like mofa-gov-bd[.]filenest[.]live and mod-gov-bd[.]snagdrive[.]com—demonstrates deliberate impersonation of government ministries to enhance social engineering effectiveness.
This combination of technical sophistication and operational security reflects an adversary committed to long-term espionage objectives against strategic regional targets.
Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability for which a proof-of-concept (PoC) exploit is publicly available and which has come under active exploitation in the wild.
The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant
B-1 bombers fly off Venezuelan coast. Two supersonic B-1 Lancers took off from Dyess Air Force Base in rural Texas on Thursday and traveled upwards of 2,000 miles to fly within several miles of Venezuela, the Wall Street Journal reported. B-1 bombers seldom fly near South America but more missions “could be carried out soon,” two U.S. officials told WSJ.
President Trump said at the White House the story was “not accurate,” even though the B-1s’ flight paths were revealed by publicly available flight tracking data. Defense Secretary Pete Hegseth, who was at the Q&A session with reporters, did not correct the president, Fox reported.
The demonstration marks the latest use of the U.S. military to increase pressure on President Nicolás Maduro. Last week, B-52 bombers and F-35Bs staged an “attack demonstration” on an island off the Venezuelan coast. Other recent military activity in the region has included flights by MQ-9 Reaper drones and P-8 maritime patrol aircraft and even an Air Force Special Operations exercise.
Welcome to this Friday edition of The D Brief, a newsletter dedicated to developments affecting the future of U.S. national security, brought to you by Thomas Novelly and Bradley Peniston. It’s more important than ever to stay informed, so thank you for reading. Share your tips and feedback here. And if you’re not already subscribed, you can do that here. On this day in 1944, the USS Princeton (CVL-23) sank in the Philippines after being hit by a Japanese bomb during the World War II Battle of Leyte Gulf.
Shutdown
Trump says a “friend of mine” donated $130 million for military pay to cover potential paycheck shortfalls during the government shutdown. The president declined to name the donor, Reuters reported. That personal check is, ultimately, a drop in the bucket compared to the $236 billion requested for troops’ pay in the fiscal 2025 budget, and it’s not clear whether the money will cover troops’ Oct. 31 paychecks.
ICYMI: Payroll funding for service members, like that of other federal employees, is frozen during the shutdown, but Trump directed some money—reportedly, $8 billion—be diverted from research pools to pay troops. It’s not clear whether that was legal.
Gridlock continues after Senate Democrats blocked a Republican-sponsored bill Thursday to pay active-duty service members and essential federal workers in a nearly party-line vote of 54-45, the Hill reports. On Friday, the shutdown reached its 23rd day, making it the second-longest federal funding lapse in history.
Europe
Russian aircraft violated Lithuanian airspace on Thursday, officials said. An Su-30 fighter jet and an Il-78 refueling tanker flew over the Baltic nation for about 18 seconds, the country’s military said on X. Russia’s Defense Ministry disputed the claim, the Associated Press reported.
Lithuania’s foreign ministry announced plans to summon Russian diplomats. “This is a blatant breach of international law and territorial integrity of Lithuania,” President Gitanas Nausėda wrote on X. “Once again, it confirms the importance of strengthening European air defence readiness.”
The incident is Russia’s latest aerial incursion into NATO allies’ territory. Last month, Moscow sent around two dozen unarmed drones into Polish airspace, and days later Russian fighters swept across the Estonian border. Defense One’s Patrick Tucker recently detailed how varying responses to air incursions have led to rare public disagreements between treaty allies.
Around the Defense Department
What is homeland defense? Budget experts said a new national security strategy could redefine what homeland defense operations entail, including border security, counter-drug enforcement, and law enforcement. Budget experts at a Center for a New American Security event on Thursday wondered whether the next defense budget would reflect those shifts. Defense One’s Meghann Myers has more from the event.
But as budget experts await the release of the National Defense Strategy, some question whether it will actually change how the Trump administration prioritizes its military spending. “At the end of the day, the National Defense Strategy is a piece of paper, and it's not worth anything unless the administration actually intends to follow it, to use it as a guiding framework,” said Todd Harrison, a senior fellow at the American Enterprise Institute.
Acting USAF JAG steps down. Eight months after SecDef Hegseth fired the Air Force’s top lawyer, the judge advocate general tasked with those duties has stepped down. Maj. Gen. Rebecca Vernon, who had served as deputy Air Force JAG, became acting JAG after Hegseth’s widespread purge of military leaders and top lawyers.
Former military attorneys are worried what the lack of top legal leadership will mean for the Air Force. “It’s tough to make any long-term plans without that position filled,” one lawyer said. “There’s a ripple effect throughout the [JAG] Corps that hurts morale, retention, budgets, hiring, and every major policy decision.” Defense One’s Thomas Novelly has more.
The Air Force wants private AI data centers on its bases. A lease proposal from the service is offering up more than 3,000 acres of “underutilized land” across five of its military bases, according to a new proposal posted online. The Air Force’s pitch follows a late July executive order in which Trump promised a “golden age for American manufacturing and technological dominance” by giving up public land for private use.
Experts are worried by the unprecedented move and fear the government may not get use of the land back. “I have never heard of something like this before, where some of the public land was going to be leased to private companies to use,” said Stacie Pettyjohn, a senior fellow and director of the Defense Program at the Center for a New American Security think tank. “I think it is noteworthy…because it is potentially ceding land that the U.S. government will actually never get control over again.” Novelly has more here.
“Neighborhood watch.” Satellite imaging company Vantor signed a contract with the U.S. Space Force to monitor for satellites and debris that ground-based sensors might miss. The company, formerly Maxar Intelligence, will use existing satellites it has in orbit to protect U.S. assets in low Earth orbit, Susanne Hake, Vantor’s general manager for U.S. government, said. Tucker has more for Defense One, here.
Lastly today: Dissenting judges issued scathing warnings after the 9th Circuit Court of Appeals declined to revisit a panel decision to reject a legal challenge to the federalized deployment of California National Guard troops to Los Angeles this summer, Talking Points Memo reported. “The democratic ideals our nation has consistently promoted for the last quarter millennium will be gravely undercut by allowing military force and weapons of war to be deployed against American citizens on U.S. soil on the flimsy grounds asserted here for this use of Executive power,” wrote Judge Ronald Gould, a Clinton appointee.
The Advanced Persistent Threat group MuddyWater, widely recognized as an Iran-linked espionage actor, has orchestrated a sophisticated phishing campaign targeting more than 100 government entities and international organizations across the Middle East, North Africa, and beyond.
The operation, which became active in mid-August 2025, represents a significant escalation in the group’s tradecraft, introducing version 4 of the Phoenix backdoor malware alongside newly developed tools designed to evade traditional security defenses.
The campaign gained momentum through a deceptively simple yet effective technique: a compromised mailbox accessed via NordVPN.
MuddyWater leveraged this access point to send phishing emails to high-value targets, impersonating legitimate correspondence from trusted organizations.
The emails contained Microsoft Word attachments that appeared innocuous, prompting recipients to “enable content” to view the document.
This social engineering approach exploited the inherent trust users place in familiar communication channels, significantly increasing the likelihood of successful infections.
Once recipients enabled macros within the Word documents, malicious Visual Basic for Applications code executed on their systems, initiating a multi-stage attack chain.
An overview of the execution killchain (Source – Group-IB)
The embedded macros functioned as a dropper, retrieving and executing the FakeUpdate loader—an injector-style component that decrypts and injects encrypted payloads directly into its own process memory, bypassing traditional file-based detection mechanisms.
Group-IB analysts identified the second-stage payload as Phoenix backdoor version 4, a custom malware exclusively tied to MuddyWater operations.
This latest iteration demonstrates technological refinement, employing registry-based persistence through modifications to the Winlogon shell value while simultaneously creating mutex objects for coordination.
The backdoor registers infected hosts with attacker command-and-control infrastructure, establishing continuous beaconing relationships that enable remote command execution, data exfiltration, and post-exploitation activities.
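The Winlogon Shell value the article names as Phoenix v4's persistence point is easy to audit: on a clean host the machine-wide value is explorer.exe and no per-user copy exists. The following is an added defender-side example, not Group-IB's code. To run offline it works on the text of a .reg export rather than the live registry; the export below is constructed, and the payload path in it is a placeholder, not a real Phoenix artifact.

```python
"""Added example (not Group-IB's code): audit Winlogon Shell values, the
persistence location the article attributes to Phoenix v4. Parses a .reg
export (constructed below) so it runs offline; on a live host the same text
comes from `reg export` of the HKLM and HKCU Winlogon keys.
"""

WINLOGON_SUFFIX = r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".upper()
DEFAULT_SHELL = "explorer.exe"
USER_HIVES = ("HKEY_CURRENT_USER", "HKEY_USERS")


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg
    file. Other value types are ignored; Shell is always a string."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg files double every backslash inside string data
                keys[current][name.strip('"')] = data[1:-1].replace("\\\\", "\\")
    return keys


def audit_winlogon_shell(reg_text: str) -> list:
    """Flag a per-user Shell value (absent by default) and any Shell entry
    other than explorer.exe. Shell is a comma-separated list, so a payload
    appended after explorer.exe still launches at logon."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.upper().endswith(WINLOGON_SUFFIX) or "Shell" not in values:
            continue
        shell = values["Shell"]
        if key.upper().startswith(USER_HIVES):
            findings.append(f"{key}: per-user Shell is set ({shell}); not present by default")
        extra = [e.strip() for e in shell.split(",")
                 if e.strip() and e.strip().lower() != DEFAULT_SHELL]
        if extra:
            findings.append(f"{key}: Shell launches {extra} besides/instead of {DEFAULT_SHELL}")
    return findings


# Constructed .reg export. The appended executable path is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\Libraries\\constructed_payload.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"""

if __name__ == "__main__":
    for finding in audit_winlogon_shell(SAMPLE_REG):
        print(finding)
```

Both findings matter: the HKLM entry shows the comma-list trick (explorer still starts, so the desktop looks normal), and a per-user Shell value, even one that reads explorer.exe, is a deviation from the default worth explaining.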
Technical Evolution and Persistence Mechanisms
The Phoenix v4 variant introduces sophisticated persistence tactics beyond traditional registry manipulation.
Analysis revealed embedded Component Object Model (COM) DLL artifacts designed to launch additional malware, such as Mononoke.exe, through alternative execution pathways.
The malware systematically gathers comprehensive system information—computer names, domain configurations, Windows versions, and user credentials—before initiating communication with C2 servers via WinHTTP protocols.
Command mappings indicate support for file uploads, shell execution, and sleep interval modifications, providing attackers granular control over compromised systems.
Infrastructure investigation uncovered the hardcoded C2 domain screenai[.]online, registered on August 17, 2025, and operational for approximately five days.
The real server address, 159.198.36.115, hosted additional tools including a custom Chromium browser credential stealer and legitimate Remote Monitoring and Management utilities like PDQ and Action1.
The credential stealer specifically targets stored passwords from Chrome, Opera, Brave, and Microsoft Edge by extracting encrypted master keys and writing harvested credentials to staging files for exfiltration.
MuddyWater’s deployment of this integrated toolkit—combining custom malware with legitimate RMM solutions—demonstrates sophisticated understanding of operational security and persistence mechanisms, underscoring the group’s commitment to long-term espionage objectives rather than opportunistic campaigns.
RedTiger is an open-source red-teaming tool repurposed by attackers to steal sensitive data from Discord users and gamers.
Released in 2025 on GitHub, RedTiger bundles penetration-testing utilities, including network scanners and OSINT tools. But its infostealer module has gone rogue, with malicious payloads circulating online since early 2025.
Netskope Threat Labs reported multiple variants targeting French-speaking gamers, based on sample filenames and custom warnings like “Attention, ton PC est infecté!” (Warning, your PC is infected!).
This marks the second gamer-focused infostealer Netskope has tracked this month, following a Python RAT aimed at Minecraft players.
RedTiger Tool Abused
Attackers favor RedTiger for its modularity and ease of customization, much like the abused Cobalt Strike framework. Distributed as PyInstaller-compiled binaries, these samples masquerade as game cheats or mods, tricking users into execution.
The malicious RedTiger-based infostealer zeroes in on Discord accounts, injecting JavaScript into the app’s core files to hijack API traffic.
It snags tokens via regex searches in Discord’s databases, validates them through API calls, and extracts user details like emails, MFA status, and subscription levels.
Even password changes don’t escape; the malware intercepts updates to billing endpoints for Stripe and Braintree, capturing card info, PayPal details, and Nitro purchases.
Beyond social platforms, it raids browsers such as Chrome, Firefox, and Edge, and niche ones like Opera GX, for cookies, passwords, history, and credit cards.
Game files from Roblox and crypto wallets like MetaMask are copied wholesale, while .txt, .sql, and .zip files matching keywords (e.g., “passwords”) get archived.
Roblox-specific cookie extraction via browser_cookie3 reveals account info through API queries. The malware adds persistence on Windows by dropping into startup folders, though Linux and macOS implementations falter without manual tweaks.
For evasion, it scans for sandbox indicators, such as usernames like “sandbox” or hardware IDs tied to analysis tools, and self-terminates if it finds them, Netskope said.
It also edits the hosts file to block security vendors and spawns hundreds of junk files and processes to clog forensics.
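Hosts-file tampering of the kind described above leaves a simple artifact: security-related hostnames pointed at a loopback or null address. The following is an added defender-side example, not Netskope's code, that parses a hosts file and reports every non-localhost name resolved to such an address; it also counts entries, since a hosts file that has grown from a handful of lines to hundreds is itself a signal. The hosts content is constructed, and the blocked domains in it are .test placeholders rather than real vendor names.

```python
"""Added example (not Netskope's code): audit a hosts file for sinkholed
entries of the kind the article attributes to RedTiger, i.e. hostnames other
than the local defaults mapped to a loopback (127.x, ::1) or unspecified
(0.0.0.0, ::) address. The hosts text is constructed; domains are .test
placeholders.
"""
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
DEFAULT_LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}


def parse_hosts(text: str):
    """Yield (ip_address, hostname) pairs; comments and blank lines skipped,
    malformed address fields ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def audit_hosts(text: str) -> dict:
    """Return sinkholed non-default names plus an entry count."""
    sinkholed, total = [], 0
    for ip, name in parse_hosts(text):
        total += 1
        if name in DEFAULT_LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            sinkholed.append((name, str(ip)))
    return {"entries": total, "sinkholed": sinkholed}


# Constructed hosts file. The .test names stand in for the security-vendor
# domains an infostealer would block; fileserver.corp.test is a benign entry.
SAMPLE_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         telemetry.example-av-vendor.test
0.0.0.0         update.example-av-vendor.test
127.0.0.1       sample-analysis-portal.test   # also sinkholed via loopback
192.168.1.10    fileserver.corp.test          # ordinary internal entry
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['entries']} entries, {len(report['sinkholed'])} sinkholed")
    for name, ip in report["sinkholed"]:
        print(f"  {name} -> {ip}")
```

On Windows the file to feed this is %SystemRoot%\System32\drivers\etc\hosts; on Linux and macOS it is /etc/hosts. Any sinkholed name that belongs to a security or update service should be treated as a tampering indicator and the file restored from a known-good copy.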
Exfiltration is clever: Stolen data zips up and uploads to anonymous GoFile storage, with links pinged to attackers via Discord webhooks, including victim IP and geolocation.
RedTiger’s webcam snaps and screenshots round out its espionage kit, using OpenCV and Pillow libraries. Netskope detects it as Win64.Trojan.RedTiger, urging gamers to scan downloads and enable two-factor authentication.
As infostealers evolve, experts warn of more variants. “Gamers’ shared files and Discord reliance make them prime targets,” said Netskope’s Rayudu Venkateswara Reddy. Victims should monitor accounts and use antivirus with behavioral detection to stay ahead.
Three of Europe’s largest aerospace and defense companies are joining forces to reshape the continent’s space industry. On Thursday, Airbus, Leonardo, and Thales signed a memorandum of understanding to merge their space operations into a new joint venture that—if it wins regulators' approval—will contain much of Europe’s satellite, communications, and Earth-observation capability.
The new company will bring together Airbus’s Space Systems and Space Digital businesses; Leonardo’s Space Division, including its holdings in Telespazio and Thales Alenia Space; and Thales’s stakes in Thales Alenia Space, Telespazio, and Thales SESO. Based on pro‑forma 2024 figures, the venture will employ around 25,000 people, generate roughly €6.5 billion in annual revenue, and carry an order backlog covering more than three years of projected sales. Ownership will be split with Airbus holding 35 percent and Leonardo and Thales each holding 32.5 percent, with a balanced governance structure under joint control.
The companies believe the combination could generate mid‑triple‑digit million‑euro annual synergies within five years, mainly through operational efficiencies in engineering, manufacturing, and project management. The merger will focus on end‑to‑end space infrastructure and services but will exclude launch vehicles. The venture is expected to be operational in 2027, subject to employee consultations and regulatory approvals.
The new joint venture represents a major step in consolidating Europe’s fragmented space industry. By unifying three established aerospace and defense leaders, the company aims to achieve the scale and expertise needed to compete more effectively with global players, including SpaceX, Northrop Grumman, and Lockheed Martin. The merger also aligns with Europe’s broader goal of strategic autonomy, reducing reliance on non-European technology for critical capabilities such as secure satellite communications, navigation, and defense intelligence.
One notable absence from this consolidation is OHB, a German aerospace company with a strong track record in satellite development and a taste for independence amid industry consolidation. OHB leads the consortium for the planned Odin's Eye missile warning system, a key element of Europe’s future space-based defense architecture. This positions OHB as both a competitor and potential collaborator in the evolving European space landscape.
The merger is expected to influence several key European space programs:
Navigation: The new entity could take a leading role in the development, manufacturing, and sustainment of Galileo and EGNOS, Europe’s global and regional navigation systems.
Earth Observation: It is likely to become a principal contractor for Copernicus programs, providing end-to-end satellite and service solutions.
Defense and secure communications: The consolidation of military space assets will affect government programs such as GOVSATCOM and next-generation secure networks like IRIS².
National military satellites: Programs such as France’s Syracuse, Italy’s SICRAL, and the UK’s Skynet may benefit from shared technology development and cost efficiencies.
Satellite operations and data services: With stakes in companies like Telespazio, the new venture will be positioned to influence commercial and public satellite operations and downstream data services.
A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT.
The activity, observed in August and September 2025 by Sekoia, has been attributed to Transparent Tribe (aka APT36), a state-sponsored hacking group known to be active since at least 2013. It also builds upon a prior
Paris, France, October 24th, 2025, CyberNewsWire
Arsen, the cybersecurity company dedicated to helping organizations defend against social engineering, today introduced its new Smishing Simulation module: a feature designed to let companies run realistic, large-scale SMS phishing simulations across their teams.
Designed to address the growing wave of mobile-based attacks, the new module gives CISOs, MSSPs, and risk officers a practical way to assess exposure and train employees to spot and respond to malicious SMS messages.
Realistic Training for a Rising Threat Vector
Smishing (phishing attacks delivered via text messages) is rapidly becoming one of the most common social engineering tactics, targeting users on both professional and personal devices. Arsen’s Smishing Simulation allows organizations to:
Deploy SMS-based attacks at scale using pre-built or customized scenarios
Track behavior and response rates across different employee groups
Train users in a controlled, safe, and realistic environment
“We’re happy to give our clients the opportunity to know what their attack surface looks like on the mobile side. This pairs very well with our recent vishing developments,” said Thomas Le Coz, CEO at Arsen.
Smishing Simulation: Built on Arsen’s Battle-Tested Platform
Clients benefit from Arsen’s cutting-edge infrastructure, already trusted for advanced phishing and vishing simulations.
Arsen’s new Smishing Simulation gives security teams a practical way to test how employees react to SMS-based phishing attempts. Rather than relying on theory, it lets companies create and send their own text-message campaigns safely, at scale.
The tool includes:
Customizable scenarios with control over content, domains, and link shorteners
Optional AI features to make messages feel authentic and context-aware
A straightforward interface that speeds up setup and simplifies reporting
Secure landing pages protected by an integrated web application firewall
The module runs on the same infrastructure that already powers Arsen’s phishing and vishing simulations. In practice, that means the same campaign logic, reporting accuracy, and reliability; now applied to the mobile environment.
Raising the Standard for Mobile Threat Awareness
After months of testing with early adopters, Arsen’s Smishing Simulation is now open to all customers.
First rolled out in the summer of 2025, the tool can be used on its own or paired with the rest of Arsen’s social engineering defense suite.
With this addition, Arsen’s clients can measure their true exposure to mobile phishing, replacing guesswork with concrete insights.
Arsen is a cybersecurity startup helping organizations build resilience against social engineering threats.
Its SaaS platform provides phishing, vishing, and smishing simulations that help organizations evaluate risk and train their teams to recognize real-world attacks.
Trusted by security teams across multiple sectors, Arsen’s technology reinforces the human layer of defense against ever-changing cyber threats.
For media inquiries, users can contact: marketing@arsen.co