SideWinder's Shifting Sands: Click Once for Espionage

    Date: 10/23/2025

    Severity: Medium

    Summary

    This page summarizes a Trellix report on a 2025 cyber-espionage campaign by the SideWinder APT group against diplomatic and government targets in South Asia, including a European embassy in New Delhi and institutions in Sri Lanka, Pakistan, and Bangladesh. The campaign marks a change in tradecraft: in place of the group's long-standing Microsoft Word-based exploit documents, the lures are PDFs tied to a ClickOnce-based infection chain, staged on domains that impersonate government sites (for example mofa-gov-bd.filenest.live) and serve paths named adobe-reader, with sender addresses that append a look-alike suffix to real ministry domains (mos.gov.bd.pk-mail.org). The shift shows the group adapting its delivery chain to get past current security controls while continuing to collect intelligence in the region.

    Indicators of Compromise (IOC) List

    URLs/Domains

    mos-gov-bd.snagdrive.com

    mofa-gov-bd.filenest.live

    www-treasury-gov-lk.snagdrive.com

    www-parliament-lk.snagdrive.com

    pubad-gov-lk.download-doc.net

    pimec-paknavy.updates-installer.store

    hajjmedicalteam.adobeglobal.com

    cadetcollege.adobeglobal.com

    hajjtraining2025.moragovt.net

    cabinet-gov-pk.dytt888.net

    adobe.pdf-downlod.com

    exosel.info

    ostcone.site

    pmo-gov-pk.filenest.live

    https://adobe.pdf-downlod.com/updates-b1139620/adobe-reader

    https://pubad-gov-lk.download-doc.net/09c3c5c1/adobe-reader

    https://pimec-paknavy.updates-installer.store/1/7ab8fb0a/adobe-reader

    https://www-parliament-lk.snagdrive.com/e8147089/adobe-reader

    https://cadetcollege.adobeglobal.com/registration/00198727/adobe-reader

    https://adobe.pdf-downlod.com/4dfbdf2b_updates/adobe-reader

    https://www-treasury-gov-lk.snagdrive.com/69570935/adobe-reader

    https://hajjtraining2025.moragovt.net/2a12968d-schedule/adobe-reader

    https://pubad-gov-lk.download-doc.net/41498067/adobe-reader

    https://hajjmedicalteam.adobeglobal.com/bangladesh/73439525/adobe-reader

    https://cabinet-gov-pk.dytt888.net/43098866-circular/adobe-reader

    https://hajjmedicalteam.adobeglobal.com/bangladesh/85758038/adobe-reader

    https://pubad-gov-lk.download-doc.net/8a24a2e6/adobe-reader

    https://mos-gov-bd.snagdrive.com/b80873e7/adobe-reader

    https://mofa-gov-bd.filenest.live/48686010/adobe-reader

    https://mod-gov-bd.snagdrive.com/ce692827/adobe-reader

    https://mofa-gov-bd.filenest.live/17070638/adobe-reader

    https://mocat-gov-bd.filenest.live/88555949/adobe-reader

    https://mofa-gov-bd.snagdrive.com/a18939fc/adobe-reader

    https://mod-gov-bd.snagdrive.com/80097355/adobe-reader

    https://mofa-gov-bd.filenest.live/9b156a35/adobe-reader

    https://pmo-gov-pk.filenest.live/17316/1/32349/2/32/0/0/m/files-d5187655/

    https://mod-gov-bd.snagdrive.com/[8_random_hex_values]/adobe-reader

    https://mos-gov-bd.snagdrive.com/[32_random_hex_values]/co/adobe-reader

    https://mofa-gov-bd.filenest.live/[8_random_numeric_values]/adobe-reader

    https://www-treasury-gov-lk.snagdrive.com/[8_random_numeric_values]/adobe-reader

    https://www-parliament-lk.snagdrive.com/[8_random_hex_values]/adobe-reader

    https://pubad-gov-lk.download-doc.net/[8_random_hex_values]/adobe-reader

    https://pimec-paknavy.updates-installer.store/[8_random_hex_values]_1/Microsoft_License.rtf

    https://pimec-paknavy.updates-installer.store/1/[8_random_hex_values]/adobe-reader

    https://hajjmedicalteam.adobeglobal.com/bangladesh/[8_random_numeric_values]/adobe-reader

    https://cadetcollege.adobeglobal.com/registration/[8_random_numeric_values]/adobe-reader

    https://hajjtraining2025.moragovt.net/[8_random_hex_values]-schedule/adobe-reader

    https://cabinet-gov-pk.dytt888.net/[8_random_numeric_values]-circular/adobe-reader

    https://adobe.pdf-downlod.com/[8_random_hex_values]_updates/adobe-reader

    https://adobe.pdf-downlod.com/updates-[8_random_hex_values]/adobe-reader

    https://pmo-gov-pk.filenest.live/17316/1/32349/2/32/0/0/m/files-[8_random_hex_values]/

    https://pmo-gov-pk.filenest.live/[8_random_hex_values]-conflict

    https://mos-gov-bd.snagdrive.com/[8_random_hex_values]

    https://mofa-gov-bd.filenest.live/[8_random_numeric_values]

    https://exosel.info/202/gYvXAIX6GGFkjJpAVSC5ls2CfMe66s8uwB1X5QZC/32349/17276/59fc0fdf

    https://ostcone.site/202/q2cBahBKeA3vl6AijbYx1Mz9yAt5a1OvNHPv8api/32349/17303/88efad0d

    Hashes (SHA-256)

    06da4a5755a81785f68caf75cca2b7a41c3aa9b4af24d2bb93964abf87343869

    09b96a2426f8ddcc20aa58a72ad147d410525f1a4a42835b7ece126211537b3b

    0f407b9b1cffa88edfe5a439f316dd41eea2fc47ba24a8dd986a6ffe520cb66b

    32febd24765e996c8f01f77f02b02af3e35914ea215f98fcf2054a15a5bb0262

    341a21538b90c87b40e150967519a695f2c339befde232e2f3cd85caf6885803

    4e984a01dee63ca0a7fb1efa42a483d2e378e8f87896c76788f11abe8ddeec3c

    5f8cdb9a5000a4d4ab08255efb3bd0c074551df94ebff820510078b45ad0b9f1

    7d51aba5a9bbad297c05a0a3b99aa32af354b45ad2e99191fe0e611c9f44dfa4

    8183a28cc1d962c173d5a63d1b61acafd995e6f0c4f595d6f0e43988b88c480b

    81dda6e8d6835980aaa3fa26b1ee4a8d7931fea7c33caf5f639a1057ad39add1

    84ddd27b18b7401fd46149c60b0fff4ea0f01ba8668649dc246769784bc7a00d

    aaf08583c38289e617cfaae8bd42aa4ce48a0d7c9e401e9cb4cbfa6fb65e4935

    f6e54fd80aa4f8b779f2fb85466c7e6d4f9c2dbd0a79d0d8e9d1f275654e51c5

    36f7db22dbd834d0bbffbd1c7647101604054a2d1595ea0baf106a4da7d5fefb

    54ef2aaeeb850c07cf3e01754478da2b8947b7188e1aabc8dd7eb54c78b55bd1

    632d1e049e74e3cc34f01fa7d4b4e18e8679636eb58e38756b8ed0314a861a02

    aa7c242c325528bbb6184a603b4b0ae2b67711b774e2400f1fe086e0d5eb66bc

    65125a51edf9e2ab776bc041b77267dc04045bf4f6df03138494966cee9f5a54

    c67ee29964506676bde38e7732e720078abdb0adebc743a367a5d9a1215f5020

    be4916940676befe86749c8a9b156346fa80ce6c0a341ab59dfd49344ef8162b

    71409564792f503c4ec6c5000d98ac4a97a153d4c16cc6f6528c136271bc8ed8

    dd30478a1f2e822d3e9be536ca249e1c677ccaf1106fb9a9f41003e2bb609d09

    39eba7eeadab00b4552cc42550dd285f7b3c5fbf451634ce0f6458d61d0b1aed

    e4d494948ce5c81e600ca36d3c35007f371cceef7e2c16addf2668bed1533efb

    f022b5b6ef036bed3c4e4fef2dc8a703cd51146cf449c0be48fa963a62eba752

    a28135ad1294328cbf0b200f7fa4ad7a0691bd80fb87e88b348c396fa652aa10

    d2c8d33ea2d855bc9cd52d3a4d312c81f848c4f5afb9414ee90b036f3f27a4a4

    6226704e0cbe5b17c50bfbdb79912028137abf1f0f918fd455d9a71ed4478fcf

    f4f851ed2a972e2c90ea20a1d8a2421111264022700caab82e42b89e80bc321a

    ce72830bc037680d9ef50d328f3776d2bddf5aaffd077d2d884efafa3e30ee70

    3ffc09dda86b9c78028f20d5447616c4e60f7c70e2f3cabcc05c77ee8a92f7ce

    e091d16488b1b638a2c0013e761d341a04728de4de4388827e62f8c039f77fbc

    e5cd4c5e6c35c07b7d1a078ed801a5676d529d41dcbecacd13f744b2c79fe46d

    52602351cf896d44156016e44e2342d4eb75140b7415eaab3f629636d315fb1a

    8435f374161bcf63175e34fc331957c2661d2e83bbd55675b3a103a5cc2ed7c5

    d4c746c27873a016c7d3d6d00400c60824afd1cd69840a76873096cbadb23a48

    2d988506cf300236b57744d16adea07525d7b709a0fbf181810143d89aa55017

    635e8abd8ce13a985229e5a0269096a272beef15307333f63cbc95cd13a71e88

    65bc2a15dd4201ddcec44cd02cfeea16c7734a0bd009c977ca5a3c6738c57ae6

    c5c07c258ceb91ccba50428dc81c87f5eb0bb13dd6abde82811baa56d1be60fc

    cf739fe6621968e2fd7d1ce4a7c513bf4b994a66f33bbc9b53b26672046aa77e

    a8b4fcfed3dc3b25e5b9ad34c9f6909f4cc4bedb4606416a672d1a39976e1c5d

    8d85e13eb217dde0b1c770743b1e9d033ff3c6d26186d70ffb0e9246ffc2dc6f

    c1093860c1e5e04412d8509ce90568713fc56a0d5993bfdb7386d8dc5e2487b6

    09cfec5b9cc3ef5939287fdb8b1bcb9a8a7185e45ef587a96f35744c02c0f03c

    b06aa054491e7b07f54edced19ff648322427b8f5cfa6b46656667c9b40b7215

    31c7381c90b852b4cb858a4fb0a548f7c38ea134eb49a679a83ae2de9f8d98e2

    922bb79cbb76f2b51d5709500d87a55142a38368b4289fb5b45c1318c6a31cf6

    56220142f616d5fffacad4e83b3262e0499e96dcdf99fbb6b81cd9178ef97ced

    4d394319bf9952217aab6d5fc5603abeb3a6e06f6026ff80ec5fa5d02b08cd66

    b97c5ed08e5072bf7fdf44864c942657dfcaa8c3f4627698e0b87f773d04cd15

    892089dc7e4af5ee4a89a2fd3083e6843ce7bffc94003d233063ba23d779a314

    2ff1eb3d23b32169d5f07b5c4df6ec9a20b543255a3af4c92de2c322455746a9

    Emails

    ds.plann2@mos.gov.bd.pk-mail.org

    d17@mod.gov.bd.pk-mail.org

    p2@mofa.gov.bd.pk-mail.org

    asresearch@mofa.gov.bd.pk-mail.org

    js.admn@pmo.gov.pk-mail.org

    mau@mofa.gov.bd.pk-mail.org

    secretary@mocat.gov.bd.pk-mail.org

    pc2@mod.gov.bd.pk-mail.org

    d11@mod.gov.bd.pk-mail.org

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://pubad-gov-lk.download-doc.net/41498067/adobe-reader" or siteurl like "https://pubad-gov-lk.download-doc.net/41498067/adobe-reader" or url like "https://pubad-gov-lk.download-doc.net/41498067/adobe-reader" or domainname like "ostcone.site" or siteurl like "ostcone.site" or url like "ostcone.site" or domainname like "https://adobe.pdf-downlod.com/updates-b1139620/adobe-reader" or siteurl like "https://adobe.pdf-downlod.com/updates-b1139620/adobe-reader" or url like "https://adobe.pdf-downlod.com/updates-b1139620/adobe-reader" or domainname like "https://hajjtraining2025.moragovt.net/2a12968d-schedule/adobe-reader" or siteurl like "https://hajjtraining2025.moragovt.net/2a12968d-schedule/adobe-reader" or url like "https://hajjtraining2025.moragovt.net/2a12968d-schedule/adobe-reader" or domainname like "pimec-paknavy.updates-installer.store" or siteurl like "pimec-paknavy.updates-installer.store" or url like "pimec-paknavy.updates-installer.store" or domainname like "https://pubad-gov-lk.download-doc.net/09c3c5c1/adobe-reader" or siteurl like "https://pubad-gov-lk.download-doc.net/09c3c5c1/adobe-reader" or url like "https://pubad-gov-lk.download-doc.net/09c3c5c1/adobe-reader" or domainname like "https://pubad-gov-lk.download-doc.net/8a24a2e6/adobe-reader" or siteurl like "https://pubad-gov-lk.download-doc.net/8a24a2e6/adobe-reader" or url like "https://pubad-gov-lk.download-doc.net/8a24a2e6/adobe-reader" or domainname like "hajjmedicalteam.adobeglobal.com" or siteurl like "hajjmedicalteam.adobeglobal.com" or url like "hajjmedicalteam.adobeglobal.com" or domainname like "pubad-gov-lk.download-doc.net" or siteurl like "pubad-gov-lk.download-doc.net" or url like "pubad-gov-lk.download-doc.net" or domainname like "adobe.pdf-downlod.com" or siteurl like "adobe.pdf-downlod.com" or url like "adobe.pdf-downlod.com" or domainname like "exosel.info" or siteurl like "exosel.info" or url like "exosel.info" or domainname like 
"https://www-parliament-lk.snagdrive.com/e8147089/adobe-reader" or siteurl like "https://www-parliament-lk.snagdrive.com/e8147089/adobe-reader" or url like "https://www-parliament-lk.snagdrive.com/e8147089/adobe-reader" or domainname like "https://hajjmedicalteam.adobeglobal.com/bangladesh/73439525/adobe-reader" or siteurl like "https://hajjmedicalteam.adobeglobal.com/bangladesh/73439525/adobe-reader" or url like "https://hajjmedicalteam.adobeglobal.com/bangladesh/73439525/adobe-reader" or domainname like "cadetcollege.adobeglobal.com" or siteurl like "cadetcollege.adobeglobal.com" or url like "cadetcollege.adobeglobal.com" or domainname like "https://pimec-paknavy.updates-installer.store/1/7ab8fb0a/adobe-reader" or siteurl like "https://pimec-paknavy.updates-installer.store/1/7ab8fb0a/adobe-reader" or url like "https://pimec-paknavy.updates-installer.store/1/7ab8fb0a/adobe-reader" or domainname like "https://cadetcollege.adobeglobal.com/registration/00198727/adobe-reader" or siteurl like "https://cadetcollege.adobeglobal.com/registration/00198727/adobe-reader" or url like "https://cadetcollege.adobeglobal.com/registration/00198727/adobe-reader" or domainname like "https://adobe.pdf-downlod.com/4dfbdf2b_updates/adobe-reader" or siteurl like "https://adobe.pdf-downlod.com/4dfbdf2b_updates/adobe-reader" or url like "https://adobe.pdf-downlod.com/4dfbdf2b_updates/adobe-reader" or domainname like "https://www-treasury-gov-lk.snagdrive.com/69570935/adobe-reader" or siteurl like "https://www-treasury-gov-lk.snagdrive.com/69570935/adobe-reader" or url like "https://www-treasury-gov-lk.snagdrive.com/69570935/adobe-reader" or domainname like "https://cabinet-gov-pk.dytt888.net/43098866-circular/adobe-reader" or siteurl like "https://cabinet-gov-pk.dytt888.net/43098866-circular/adobe-reader" or url like "https://cabinet-gov-pk.dytt888.net/43098866-circular/adobe-reader" or domainname like "https://hajjmedicalteam.adobeglobal.com/bangladesh/85758038/adobe-reader" or siteurl 
like "https://hajjmedicalteam.adobeglobal.com/bangladesh/85758038/adobe-reader" or url like "https://hajjmedicalteam.adobeglobal.com/bangladesh/85758038/adobe-reader" or domainname like "https://mos-gov-bd.snagdrive.com/b80873e7/adobe-reader" or siteurl like "https://mos-gov-bd.snagdrive.com/b80873e7/adobe-reader" or url like "https://mos-gov-bd.snagdrive.com/b80873e7/adobe-reader" or domainname like "https://mofa-gov-bd.filenest.live/48686010/adobe-reader" or siteurl like "https://mofa-gov-bd.filenest.live/48686010/adobe-reader" or url like "https://mofa-gov-bd.filenest.live/48686010/adobe-reader" or domainname like "https://mod-gov-bd.snagdrive.com/ce692827/adobe-reader" or siteurl like "https://mod-gov-bd.snagdrive.com/ce692827/adobe-reader" or url like "https://mod-gov-bd.snagdrive.com/ce692827/adobe-reader" or domainname like "https://mofa-gov-bd.filenest.live/17070638/adobe-reader" or siteurl like "https://mofa-gov-bd.filenest.live/17070638/adobe-reader" or url like "https://mofa-gov-bd.filenest.live/17070638/adobe-reader" or domainname like "https://mocat-gov-bd.filenest.live/88555949/adobe-reader" or siteurl like "https://mocat-gov-bd.filenest.live/88555949/adobe-reader" or url like "https://mocat-gov-bd.filenest.live/88555949/adobe-reader" or domainname like "https://mofa-gov-bd.snagdrive.com/a18939fc/adobe-reader" or siteurl like "https://mofa-gov-bd.snagdrive.com/a18939fc/adobe-reader" or url like "https://mofa-gov-bd.snagdrive.com/a18939fc/adobe-reader" or domainname like "https://mod-gov-bd.snagdrive.com/80097355/adobe-reader" or siteurl like "https://mod-gov-bd.snagdrive.com/80097355/adobe-reader" or url like "https://mod-gov-bd.snagdrive.com/80097355/adobe-reader" or domainname like "https://mofa-gov-bd.filenest.live/9b156a35/adobe-reader" or siteurl like "https://mofa-gov-bd.filenest.live/9b156a35/adobe-reader" or url like "https://mofa-gov-bd.filenest.live/9b156a35/adobe-reader" or domainname like 
"https://pmo-gov-pk.filenest.live/17316/1/32349/2/32/0/0/m/files-d5187655/" or siteurl like "https://pmo-gov-pk.filenest.live/17316/1/32349/2/32/0/0/m/files-d5187655/" or url like "https://pmo-gov-pk.filenest.live/17316/1/32349/2/32/0/0/m/files-d5187655/" or domainname like "https://mod-gov-bd.snagdrive.com/[8_random_hex_values]/adobe-reader" or siteurl like "https://mod-gov-bd.snagdrive.com/[8_random_hex_values]/adobe-reader" or url like "https://mod-gov-bd.snagdrive.com/[8_random_hex_values]/adobe-reader" or domainname like "https://mos-gov-bd.snagdrive.com/[32_random_hex_values]/co/adobe-reader" or siteurl like "https://mos-gov-bd.snagdrive.com/[32_random_hex_values]/co/adobe-reader" or url like "https://mos-gov-bd.snagdrive.com/[32_random_hex_values]/co/adobe-reader" or domainname like "https://mofa-gov-bd.filenest.live/[8_random_numeric_values]/adobe-reader" or siteurl like "https://mofa-gov-bd.filenest.live/[8_random_numeric_values]/adobe-reader" or url like "https://mofa-gov-bd.filenest.live/[8_random_numeric_values]/adobe-reader" or domainname like "https://www-treasury-gov-lk.snagdrive.com/[8_random_numeric_values]/adobe-reader" or siteurl like "https://www-treasury-gov-lk.snagdrive.com/[8_random_numeric_values]/adobe-reader" or url like "https://www-treasury-gov-lk.snagdrive.com/[8_random_numeric_values]/adobe-reader"

    Detection Query 2 :

    domainname like "https://www-parliament-lk.snagdrive.com/[8_random_hex_values]/adobe-reader" or siteurl like "https://www-parliament-lk.snagdrive.com/[8_random_hex_values]/adobe-reader" or url like "https://www-parliament-lk.snagdrive.com/[8_random_hex_values]/adobe-reader" or domainname like "https://pubad-gov-lk.download-doc.net/[8_random_hex_values]/adobe-reader" or siteurl like "https://pubad-gov-lk.download-doc.net/[8_random_hex_values]/adobe-reader" or url like "https://pubad-gov-lk.download-doc.net/[8_random_hex_values]/adobe-reader" or domainname like "https://pimec-paknavy.updates-installer.store/[8_random_hex_values]_1/Microsoft_License.rtf" or siteurl like "https://pimec-paknavy.updates-installer.store/[8_random_hex_values]_1/Microsoft_License.rtf" or url like "https://pimec-paknavy.updates-installer.store/[8_random_hex_values]_1/Microsoft_License.rtf" or domainname like "https://pimec-paknavy.updates-installer.store/1/[8_random_hex_values]/adobe-reader" or siteurl like "https://pimec-paknavy.updates-installer.store/1/[8_random_hex_values]/adobe-reader" or url like "https://pimec-paknavy.updates-installer.store/1/[8_random_hex_values]/adobe-reader" or domainname like "https://hajjmedicalteam.adobeglobal.com/bangladesh/[8_random_numeric_values]/adobe-reader" or siteurl like "https://hajjmedicalteam.adobeglobal.com/bangladesh/[8_random_numeric_values]/adobe-reader" or url like "https://hajjmedicalteam.adobeglobal.com/bangladesh/[8_random_numeric_values]/adobe-reader" or domainname like "https://cadetcollege.adobeglobal.com/registration/[8_random_numeric_values]/adobe-reader" or siteurl like "https://cadetcollege.adobeglobal.com/registration/[8_random_numeric_values]/adobe-reader" or url like "https://cadetcollege.adobeglobal.com/registration/[8_random_numeric_values]/adobe-reader" or domainname like "https://hajjtraining2025.moragovt.net/[8_random_hex_values]-schedule/adobe-reader" or siteurl like 
"https://hajjtraining2025.moragovt.net/[8_random_hex_values]-schedule/adobe-reader" or url like "https://hajjtraining2025.moragovt.net/[8_random_hex_values]-schedule/adobe-reader" or domainname like "https://cabinet-gov-pk.dytt888.net/[8_random_numeric_values]-circular/adobe-reader" or siteurl like "https://cabinet-gov-pk.dytt888.net/[8_random_numeric_values]-circular/adobe-reader" or url like "https://cabinet-gov-pk.dytt888.net/[8_random_numeric_values]-circular/adobe-reader" or domainname like "https://adobe.pdf-downlod.com/[8_random_hex_values]_updates/adobe-reader" or siteurl like "https://adobe.pdf-downlod.com/[8_random_hex_values]_updates/adobe-reader" or url like "https://adobe.pdf-downlod.com/[8_random_hex_values]_updates/adobe-reader" or domainname like "https://adobe.pdf-downlod.com/updates-[8_random_hex_values]/adobe-reader" or siteurl like "https://adobe.pdf-downlod.com/updates-[8_random_hex_values]/adobe-reader" or url like "https://adobe.pdf-downlod.com/updates-[8_random_hex_values]/adobe-reader" or domainname like "https://pmo-gov-pk.filenest.live/17316/1/32349/2/32/0/0/m/files-[8_random_hex_values]/" or siteurl like "https://pmo-gov-pk.filenest.live/17316/1/32349/2/32/0/0/m/files-[8_random_hex_values]/" or url like "https://pmo-gov-pk.filenest.live/17316/1/32349/2/32/0/0/m/files-[8_random_hex_values]/" or domainname like "https://pmo-gov-pk.filenest.live/[8_random_hex_values]-conflict" or siteurl like "https://pmo-gov-pk.filenest.live/[8_random_hex_values]-conflict" or url like "https://pmo-gov-pk.filenest.live/[8_random_hex_values]-conflict" or domainname like "https://mos-gov-bd.snagdrive.com/[8_random_hex_values]" or siteurl like "https://mos-gov-bd.snagdrive.com/[8_random_hex_values]" or url like "https://mos-gov-bd.snagdrive.com/[8_random_hex_values]" or domainname like "https://mofa-gov-bd.filenest.live/[8_random_numeric_values]" or siteurl like "https://mofa-gov-bd.filenest.live/[8_random_numeric_values]" or url like 
"https://mofa-gov-bd.filenest.live/[8_random_numeric_values]" or domainname like "https://exosel.info/202/gYvXAIX6GGFkjJpAVSC5ls2CfMe66s8uwB1X5QZC/32349/17276/59fc0fdf" or siteurl like "https://exosel.info/202/gYvXAIX6GGFkjJpAVSC5ls2CfMe66s8uwB1X5QZC/32349/17276/59fc0fdf" or url like "https://exosel.info/202/gYvXAIX6GGFkjJpAVSC5ls2CfMe66s8uwB1X5QZC/32349/17276/59fc0fdf" or domainname like "https://ostcone.site/202/q2cBahBKeA3vl6AijbYx1Mz9yAt5a1OvNHPv8api/32349/17303/88efad0d" or siteurl like "https://ostcone.site/202/q2cBahBKeA3vl6AijbYx1Mz9yAt5a1OvNHPv8api/32349/17303/88efad0d" or url like "https://ostcone.site/202/q2cBahBKeA3vl6AijbYx1Mz9yAt5a1OvNHPv8api/32349/17303/88efad0d" or domainname like "mos-gov-bd.snagdrive.com" or siteurl like "mos-gov-bd.snagdrive.com" or url like "mos-gov-bd.snagdrive.com" or domainname like "mofa-gov-bd.filenest.live" or siteurl like "mofa-gov-bd.filenest.live" or url like "mofa-gov-bd.filenest.live" or domainname like "www-treasury-gov-lk.snagdrive.com" or siteurl like "www-treasury-gov-lk.snagdrive.com" or url like "www-treasury-gov-lk.snagdrive.com" or domainname like "www-parliament-lk.snagdrive.com" or siteurl like "www-parliament-lk.snagdrive.com" or url like "www-parliament-lk.snagdrive.com" or domainname like "hajjtraining2025.moragovt.net" or siteurl like "hajjtraining2025.moragovt.net" or url like "hajjtraining2025.moragovt.net" or domainname like "cabinet-gov-pk.dytt888.net" or siteurl like "cabinet-gov-pk.dytt888.net" or url like "cabinet-gov-pk.dytt888.net" or domainname like "pmo-gov-pk.filenest.live" or siteurl like "pmo-gov-pk.filenest.live" or url like "pmo-gov-pk.filenest.live"

    Detection Query 3 :

    sha256hash IN ("341a21538b90c87b40e150967519a695f2c339befde232e2f3cd85caf6885803","84ddd27b18b7401fd46149c60b0fff4ea0f01ba8668649dc246769784bc7a00d","32febd24765e996c8f01f77f02b02af3e35914ea215f98fcf2054a15a5bb0262","09b96a2426f8ddcc20aa58a72ad147d410525f1a4a42835b7ece126211537b3b","8183a28cc1d962c173d5a63d1b61acafd995e6f0c4f595d6f0e43988b88c480b","06da4a5755a81785f68caf75cca2b7a41c3aa9b4af24d2bb93964abf87343869","4e984a01dee63ca0a7fb1efa42a483d2e378e8f87896c76788f11abe8ddeec3c","0f407b9b1cffa88edfe5a439f316dd41eea2fc47ba24a8dd986a6ffe520cb66b","5f8cdb9a5000a4d4ab08255efb3bd0c074551df94ebff820510078b45ad0b9f1","7d51aba5a9bbad297c05a0a3b99aa32af354b45ad2e99191fe0e611c9f44dfa4","81dda6e8d6835980aaa3fa26b1ee4a8d7931fea7c33caf5f639a1057ad39add1","aaf08583c38289e617cfaae8bd42aa4ce48a0d7c9e401e9cb4cbfa6fb65e4935","f6e54fd80aa4f8b779f2fb85466c7e6d4f9c2dbd0a79d0d8e9d1f275654e51c5","36f7db22dbd834d0bbffbd1c7647101604054a2d1595ea0baf106a4da7d5fefb","54ef2aaeeb850c07cf3e01754478da2b8947b7188e1aabc8dd7eb54c78b55bd1","632d1e049e74e3cc34f01fa7d4b4e18e8679636eb58e38756b8ed0314a861a02","aa7c242c325528bbb6184a603b4b0ae2b67711b774e2400f1fe086e0d5eb66bc","65125a51edf9e2ab776bc041b77267dc04045bf4f6df03138494966cee9f5a54","c67ee29964506676bde38e7732e720078abdb0adebc743a367a5d9a1215f5020","be4916940676befe86749c8a9b156346fa80ce6c0a341ab59dfd49344ef8162b","71409564792f503c4ec6c5000d98ac4a97a153d4c16cc6f6528c136271bc8ed8","dd30478a1f2e822d3e9be536ca249e1c677ccaf1106fb9a9f41003e2bb609d09","39eba7eeadab00b4552cc42550dd285f7b3c5fbf451634ce0f6458d61d0b1aed","e4d494948ce5c81e600ca36d3c35007f371cceef7e2c16addf2668bed1533efb","f022b5b6ef036bed3c4e4fef2dc8a703cd51146cf449c0be48fa963a62eba752","a28135ad1294328cbf0b200f7fa4ad7a0691bd80fb87e88b348c396fa652aa10","d2c8d33ea2d855bc9cd52d3a4d312c81f848c4f5afb9414ee90b036f3f27a4a4","6226704e0cbe5b17c50bfbdb79912028137abf1f0f918fd455d9a71ed4478fcf","f4f851ed2a972e2c90ea20a1d8a2421111264022700caab82e42b89e80bc321a","ce72830bc037680d9ef50d328f3776d2bddf5
aaffd077d2d884efafa3e30ee70","3ffc09dda86b9c78028f20d5447616c4e60f7c70e2f3cabcc05c77ee8a92f7ce","e091d16488b1b638a2c0013e761d341a04728de4de4388827e62f8c039f77fbc","e5cd4c5e6c35c07b7d1a078ed801a5676d529d41dcbecacd13f744b2c79fe46d","52602351cf896d44156016e44e2342d4eb75140b7415eaab3f629636d315fb1a","8435f374161bcf63175e34fc331957c2661d2e83bbd55675b3a103a5cc2ed7c5","d4c746c27873a016c7d3d6d00400c60824afd1cd69840a76873096cbadb23a48","2d988506cf300236b57744d16adea07525d7b709a0fbf181810143d89aa55017","635e8abd8ce13a985229e5a0269096a272beef15307333f63cbc95cd13a71e88","65bc2a15dd4201ddcec44cd02cfeea16c7734a0bd009c977ca5a3c6738c57ae6","c5c07c258ceb91ccba50428dc81c87f5eb0bb13dd6abde82811baa56d1be60fc","cf739fe6621968e2fd7d1ce4a7c513bf4b994a66f33bbc9b53b26672046aa77e","a8b4fcfed3dc3b25e5b9ad34c9f6909f4cc4bedb4606416a672d1a39976e1c5d","8d85e13eb217dde0b1c770743b1e9d033ff3c6d26186d70ffb0e9246ffc2dc6f","c1093860c1e5e04412d8509ce90568713fc56a0d5993bfdb7386d8dc5e2487b6","09cfec5b9cc3ef5939287fdb8b1bcb9a8a7185e45ef587a96f35744c02c0f03c","b06aa054491e7b07f54edced19ff648322427b8f5cfa6b46656667c9b40b7215","31c7381c90b852b4cb858a4fb0a548f7c38ea134eb49a679a83ae2de9f8d98e2","922bb79cbb76f2b51d5709500d87a55142a38368b4289fb5b45c1318c6a31cf6","56220142f616d5fffacad4e83b3262e0499e96dcdf99fbb6b81cd9178ef97ced","4d394319bf9952217aab6d5fc5603abeb3a6e06f6026ff80ec5fa5d02b08cd66","b97c5ed08e5072bf7fdf44864c942657dfcaa8c3f4627698e0b87f773d04cd15","892089dc7e4af5ee4a89a2fd3083e6843ce7bffc94003d233063ba23d779a314","2ff1eb3d23b32169d5f07b5c4df6ec9a20b543255a3af4c92de2c322455746a9")

    Detection Query 4 :

    senderdomain IN ("ds.plann2@mos.gov.bd.pk-mail.org","d17@mod.gov.bd.pk-mail.org","p2@mofa.gov.bd.pk-mail.org","asresearch@mofa.gov.bd.pk-mail.org","js.admn@pmo.gov.pk-mail.org","mau@mofa.gov.bd.pk-mail.org","secretary@mocat.gov.bd.pk-mail.org","pc2@mod.gov.bd.pk-mail.org","d11@mod.gov.bd.pk-mail.org") or recipientdomain IN ("ds.plann2@mos.gov.bd.pk-mail.org","d17@mod.gov.bd.pk-mail.org","p2@mofa.gov.bd.pk-mail.org","asresearch@mofa.gov.bd.pk-mail.org","js.admn@pmo.gov.pk-mail.org","mau@mofa.gov.bd.pk-mail.org","secretary@mocat.gov.bd.pk-mail.org","pc2@mod.gov.bd.pk-mail.org","d11@mod.gov.bd.pk-mail.org") or from IN ("ds.plann2@mos.gov.bd.pk-mail.org","d17@mod.gov.bd.pk-mail.org","p2@mofa.gov.bd.pk-mail.org","asresearch@mofa.gov.bd.pk-mail.org","js.admn@pmo.gov.pk-mail.org","mau@mofa.gov.bd.pk-mail.org","secretary@mocat.gov.bd.pk-mail.org","pc2@mod.gov.bd.pk-mail.org","d11@mod.gov.bd.pk-mail.org")
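
    The queries above match the IOC strings exactly, which leaves two gaps a practitioner will hit: Queries 1 and 2 carry the bracketed placeholders such as [8_random_hex_values] as literal text, so a like clause on them never fires on real traffic, and Query 4 compares full addresses against fields named senderdomain and recipientdomain. The Python below is an added example written by the editor, not code from Gurucul or from the Trellix report. It turns the placeholder patterns into anchored regexes, runs them together with a bare-domain list over constructed proxy log lines, and flags any sender whose domain carries the pk-mail.org suffix seen in every email IOC above, which generalizes the page's exact-match list. The log lines, client IPs and the path value 3fa9c2e1 are constructed; the IOC subsets are copied from the list above.

```python
"""Added detection example for this page's IOCs (editor's code, not Gurucul's
or Trellix's). Converts the bracketed URL placeholders into regexes, scans
constructed proxy log lines, and flags look-alike sender domains."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Subset of the page's URL IOCs; placeholders copied verbatim from the list.
URL_PATTERNS = [
    "https://pubad-gov-lk.download-doc.net/[8_random_hex_values]/adobe-reader",
    "https://mos-gov-bd.snagdrive.com/[32_random_hex_values]/co/adobe-reader",
    "https://mofa-gov-bd.filenest.live/[8_random_numeric_values]/adobe-reader",
    "https://pimec-paknavy.updates-installer.store/[8_random_hex_values]_1/Microsoft_License.rtf",
    "https://hajjtraining2025.moragovt.net/[8_random_hex_values]-schedule/adobe-reader",
]

# Subset of the page's bare-domain IOCs, matched on the URL host only.
DOMAINS = {
    "exosel.info", "ostcone.site", "adobe.pdf-downlod.com",
    "pubad-gov-lk.download-doc.net", "cabinet-gov-pk.dytt888.net",
}

# Every sender IOC on the page is a ministry domain with this suffix appended.
LOOKALIKE_MAIL_SUFFIX = "pk-mail.org"

_PLACEHOLDER = re.compile(r"\[(\d+)_random_(hex|numeric)_values\]")


def placeholder_to_regex(pattern: str) -> "re.Pattern[str]":
    """Escape the literal parts of an IOC URL and replace each
    [N_random_hex_values] / [N_random_numeric_values] token with a class of
    exactly N hex or decimal digits; the result is anchored at both ends."""
    parts, pos = [], 0
    for m in _PLACEHOLDER.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        width, kind = int(m.group(1)), m.group(2)
        parts.append(("[0-9a-fA-F]" if kind == "hex" else "[0-9]") + "{%d}" % width)
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


_COMPILED = [(p, placeholder_to_regex(p)) for p in URL_PATTERNS]


def classify_url(url: str) -> Optional[str]:
    """Return the IOC pattern or domain the URL matches, else None.
    Pattern matches are tried first because they are more specific; a URL on
    a listed domain whose path does not fit a pattern still hits the domain rule."""
    for pattern, rx in _COMPILED:
        if rx.match(url):
            return pattern
    host = (urlparse(url).hostname or "").lower()
    return host if host in DOMAINS else None


def is_lookalike_sender(address: str) -> bool:
    """True for addresses such as p2@mofa.gov.bd.pk-mail.org: the domain is a
    real ministry domain with the look-alike suffix appended, so the registrable
    domain is pk-mail.org rather than mofa.gov.bd."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain == LOOKALIKE_MAIL_SUFFIX or domain.endswith("." + LOOKALIKE_MAIL_SUFFIX)


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse lines of the form '<ts> <client_ip> <method> <url> <status>' and
    return (client_ip, url, matched_ioc) for every hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the scan
        client_ip, url = fields[1], fields[3]
        reason = classify_url(url)
        if reason is not None:
            hits.append((client_ip, url, reason))
    return hits


# Constructed proxy log: one pattern hit, one exact IOC hit, one domain-only
# hit, and two benign lines (a clean site and a matching path on another host).
SAMPLE_PROXY_LOG = """\
2025-10-20T08:14:02Z 10.0.4.17 GET https://pubad-gov-lk.download-doc.net/3fa9c2e1/adobe-reader 200
2025-10-20T08:14:05Z 10.0.4.17 GET https://www.example.org/index.html 200
2025-10-20T08:15:31Z 10.0.4.22 GET https://mofa-gov-bd.filenest.live/48686010/adobe-reader 200
2025-10-20T08:16:00Z 10.0.4.22 GET https://exosel.info/202/zz/32349/17276/59fc0fdf 200
2025-10-20T08:17:12Z 10.0.4.9 GET https://example.net/48686010/adobe-reader 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("HIT", *hit)
    for addr in ("p2@mofa.gov.bd.pk-mail.org", "desk@mofa.gov.bd"):
        print(addr, "->", "lookalike" if is_lookalike_sender(addr) else "ok")
```

    Run it directly to print the three hits. The same transformation belongs in the SIEM rule: escape the literal URL segments and substitute each [N_random_hex_values] token with a fixed-width hex class rather than pasting the placeholder text, and match sender addresses on their domain part (or on the pk-mail.org suffix) rather than on full addresses in a domain field.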

    Reference:

    https://www.trellix.com/blogs/research/sidewinders-shifting-sands-click-once-for-espionage/


    Tags

    Threat Actor, SideWinder, APT, South Asia, European embassy, India, Sri Lanka, Pakistan, Bangladesh, Cyber Espionage, Exploit, ClickOnce, Government Services and Facilities
