No Payload For You: Inside Sidewinder’s Selective Exploitation Strategy
Active since at least 2012, Sidewinder has carried out sustained and highly targeted espionage campaigns across Southeast Asia. Often labeled as unsophisticated, the group instead demonstrates strong operational discipline and a clear focus on precision targeting. In this presentation, we share new research into Sidewinder’s tooling, infrastructure, and delivery methods, based on recent campaigns targeting government ministries, military entities, public institutions, and financial organizations.
Through multi-stage spear-phishing, geofenced payload distribution, and sandbox evasion, Sidewinder ensures that only its intended victims receive the actual malware while analysts are left with nothing to work with. The group’s infrastructure fingerprints each request and generates unique payloads per victim, leaving minimal evidence behind.
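To make the delivery model above concrete, here is an added illustration (not Sidewinder's code, not from the talk, and not based on any recovered infrastructure) of how a selective stager can combine the three properties the abstract names: a geofence on the source address, a per-request fingerprint that is served only once, and a payload keyed to that fingerprint so every victim's sample differs. The network ranges, user-agent heuristic, lure token, stage bytes and decoy are all constructed stand-ins; a real operator would use a GeoIP database and real shellcode. The point for analysts is visible in the checks: a sandbox outside the geofence, a scripted fetch, or a replay of a link that was already clicked each receives the decoy, and a payload captured on the wire only decodes with the victim's exact fingerprint.

```python
"""Hypothetical model of a geofenced, fingerprinting, one-shot stager (illustration only)."""
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Constructed allow-list standing in for a GeoIP lookup (documentation ranges, not real victims).
TARGET_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical "targeted ministry"
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical "targeted bank"
]

# Constructed placeholders; a real stager would serve shellcode or a sideloaded DLL.
STAGE = b"STAGE2-PLACEHOLDER"
DECOY = b"<html><body>Document not found</body></html>"


@dataclass
class Request:
    src_ip: str
    user_agent: str
    lure_token: str   # token carried in the spear-phishing link (hypothetical)


@dataclass
class Stager:
    served: set = field(default_factory=set)   # fingerprints that already received the stage

    @staticmethod
    def fingerprint(req: Request) -> str:
        # Bind the request to the lure: same IP with a different token is a different victim.
        material = f"{req.src_ip}|{req.user_agent}|{req.lure_token}".encode()
        return hashlib.sha256(material).hexdigest()

    @staticmethod
    def in_geofence(src_ip: str) -> bool:
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in TARGET_NETWORKS)

    @staticmethod
    def looks_like_victim_client(user_agent: str) -> bool:
        # The lure targets Windows desktop users; curl/python/wget-style fetches get the decoy.
        ua = user_agent.lower()
        return "windows nt" in ua and not any(t in ua for t in ("curl", "python", "wget"))

    @staticmethod
    def per_victim_payload(fp: str) -> bytes:
        # XOR keystream derived from the fingerprint: every victim's sample hashes differently.
        key = hashlib.sha256(fp.encode()).digest()
        return bytes(b ^ key[i % len(key)] for i, b in enumerate(STAGE))

    def serve(self, req: Request) -> tuple:
        """Return ("payload", bytes) for an intended victim, otherwise ("decoy", bytes)."""
        if not self.in_geofence(req.src_ip):
            return "decoy", DECOY                     # sandbox or analyst outside the target region
        if not self.looks_like_victim_client(req.user_agent):
            return "decoy", DECOY                     # scripted fetch, not the lured desktop
        fp = self.fingerprint(req)
        if fp in self.served:
            return "decoy", DECOY                     # one-shot: a replayed click gets nothing
        self.served.add(fp)
        return "payload", self.per_victim_payload(fp)


def recover_stage(payload: bytes, fp: str) -> bytes:
    """What an analyst needs to decode a captured payload: the victim's exact fingerprint."""
    key = hashlib.sha256(fp.encode()).digest()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


if __name__ == "__main__":
    s = Stager()
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    victim = Request("203.0.113.10", ua, "tok-A1")
    sandbox = Request("192.0.2.5", ua, "tok-A1")
    print(s.serve(victim)[0])    # payload
    print(s.serve(victim)[0])    # decoy (replay of the same link)
    print(s.serve(sandbox)[0])   # decoy (outside the geofence)
```

The defensive reading is the useful one: because the fingerprint covers the source address, client and lure token, re-fetching a URL from a detonation sandbox will not reproduce the victim's download, and a payload carved from the victim's traffic is only decodable if the fingerprint material (here, the raw request) was captured alongside it.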
Our investigation reveals highly customized intrusion chains, obfuscated shellcode, and staged malware deployed via trusted executables and DLL sideloading. We also explore potential overlaps with other regional APTs such as SideCopy and related clusters, highlighting shared tactics, techniques, and procedures (TTPs).
Attendees will gain insights into Sidewinder’s evolving playbook, practical detection strategies, and a broader understanding of its place within the regional APT landscape.

Santiago Pontiroli – Acronis
Argentina
Lead Security Researcher (TRU)
Santiago Pontiroli is a cybersecurity expert leading threat intelligence efforts at Acronis as Lead Security Researcher of the Acronis Threat Research Unit (TRU). He specializes in analyzing nation-state actors, criminal organizations, and financially motivated threat groups, with a focus on malware analysis, reverse engineering, and building advanced detection capabilities.
Beyond his work at Acronis, Santiago is an active contributor to the cybersecurity community. He has authored articles and whitepapers and presented his research at renowned global conferences, including Virus Bulletin, CARO, Nuit du Hack, MITRE ATT&CK, BlueHat, 8.8, and ekoParty.
