SIDEWINDER, the India-linked threat group, is expanding its espionage campaign across Southeast Asia, targeting governments, telecoms and critical infrastructure with spear-phishing, credential theft and rapid infrastructure churn to maintain persistent access, according to ITSEC Asia.
The researchers say the group—also referred to as RagaSerpent—started targeting Thailand in late 2025 and Indonesia earlier this year, and continues to reuse familiar techniques such as staged execution and frequent domain changes to shift geographic targets without changing its core malware toolkit.
Analysts describe a mix of simple intrusion methods with long-term access, noting that SideWinder relies on spear-phishing, stolen credentials and exploitation of long-patched vulnerabilities, including known Microsoft Office flaws and DLL hijacking, to gain initial access. The campaign’s post-exploitation activity is notable for a repeatable workflow around staged payload delivery, Windows service-based persistence, and rapid changes to its command-and-control infrastructure, allowing redeployments within hours.
Researchers such as Patrick Dannacher and Vasily Berdnikov of Kaspersky's GReAT caution that this convergence of tactics across regions increases risk, underscoring the need for defenders to block repeated SideWinder TTPs rather than rely solely on indicators of compromise (18 March 2026). According to ITSEC Asia, the operators are pursuing sustained access to high-value environments across the region, not quick wins.
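The report's advice to block repeated TTPs rather than chase indicators can be made concrete with the one persistence technique it names, Windows service installation. The following is an added illustration, not code from ITSEC Asia, Kaspersky or the report: it inspects Windows System log records of Event ID 7045 ("A service was installed in the system") and flags services whose binaries sit outside normal install directories, which keeps working however often the service names, file paths or C2 domains are rotated. The event records are constructed sample data, and the trusted-directory and user-writable-directory lists are assumptions to be tuned per environment.

```python
"""Flag Windows service installs that look like service-based persistence.

Constructed example: the records in SAMPLE_EVENTS are made up to resemble
Windows System log Event ID 7045 entries. They are not indicators taken from
any vendor report.
"""
import re
from typing import Optional

# Environment variables seen in service image paths, expanded before matching.
ENV_EXPANSIONS = {
    "%systemroot%": r"c:\windows",
    "%windir%": r"c:\windows",
    "%programfiles%": r"c:\program files",
}

# Assumption: directories from which services are normally installed.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Assumption: path fragments that indicate a user-writable location. A service
# binary here is a classic persistence placement and gets a stronger reason.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Constructed sample records (field names follow the 7045 event layout).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "VendorUpdater",
     "ImagePath": r'"C:\Program Files\Vendor\Updater\updater.exe" /svc',
     "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "UpdaterSvc",
     "ImagePath": r'"C:\Users\Public\Libraries\update.exe"',
     "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "SysHelper",
     "ImagePath": r"C:\Windows\System32\rundll32.exe C:\ProgramData\cache\helper.dll,Start",
     "StartType": "auto start"},
    {"EventID": 7036, "ServiceName": "UpdaterSvc",
     "State": "running"},
    {"EventID": 7045, "ServiceName": "AgentSvc",
     "ImagePath": r"C:\Tools\agent.exe -service",
     "StartType": "demand start"},
]


def _normalize(path_token: str) -> str:
    """Lower-case, strip quotes, expand variables, drop a rundll32 entry point."""
    p = path_token.strip('"').lower()
    for var, value in ENV_EXPANSIONS.items():
        p = p.replace(var, value)
    if ".dll," in p:  # rundll32 style "lib.dll,EntryPoint": keep only the DLL path
        p = p.split(",", 1)[0]
    return p


def extract_paths(image_path: str) -> list:
    """Return every normalized file-system path found in a service command line.

    Quoted tokens are kept whole; unquoted tokens split on whitespace. Only
    tokens containing a backslash are treated as paths, so switches like
    "-k netsvcs" are ignored.
    """
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', image_path)]
    return [_normalize(t) for t in tokens if "\\" in t]


def classify_service_install(event: dict) -> Optional[str]:
    """Return a reason string when a 7045 install looks suspicious, else None."""
    if event.get("EventID") != 7045:
        return None
    paths = extract_paths(event.get("ImagePath", ""))
    if not paths:
        return "service image path contains no file path"
    for p in paths:
        if any(marker in p for marker in USER_WRITABLE_MARKERS):
            return f"service binary in user-writable location: {p}"
        if not p.startswith(TRUSTED_PREFIXES):
            return f"service binary outside trusted directories: {p}"
    return None


def flag_service_persistence(events: list) -> dict:
    """Map each suspicious service name to the reason it was flagged."""
    flagged = {}
    for event in events:
        reason = classify_service_install(event)
        if reason:
            flagged[event["ServiceName"]] = reason
    return flagged


if __name__ == "__main__":
    for name, why in flag_service_persistence(SAMPLE_EVENTS).items():
        print(f"{name}: {why}")
```

The check deliberately ignores the service name and the exact file name, since those are the cheapest things for an operator to rotate; what persists across redeployments is the behaviour of registering a service whose image lives somewhere a legitimate installer would not put it. Any hit should be triaged against the host's software inventory before it becomes a blocking rule.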