One Hash, One Typo, and a New Front: How SideWinder Brought Its Espionage Machine to the Caucasus
A previously unreported C2 domain, four simultaneous campaigns, and India's first documented move into Caucasus diplomatic espionage
A single MD5 hash and a filename. That's what researcher @salmanvsf posted -- d2829da8996be9a6e374dd6d94bbbf39, 11.docx, and the beginning of a C2 domain referencing Azerbaijan-Russia diplomacy. It looked like routine malware sharing. It wasn't.
Behind that hash was a SideWinder APT command-and-control domain hosting four simultaneous espionage campaigns, a geographic expansion into the Caucasus, and a typo that proved the operators were rushing.
The Domain Nobody Had Seen
The DOCX file exploits CVE-2017-0199 to fetch a remote template from internal-advisory-azerbaijan-russia-diplomatic-crisis[.]defence-np[.]net. The parent domain -- defence-np[.]net -- impersonates Nepal's defense establishment, consistent with SideWinder's long history of government domain mimicry.
We checked every major vendor report: Kaspersky's 2024 SideWinder analysis (which catalogued 400+ domains), Acronis, Picus, Trellix, Cyberstash, Security Affairs. defence-np[.]net appears in none of them. The sample and C2 domain were first shared publicly by @salmanvsf in November 2025. The infrastructure mapping, campaign enumeration, and detection rules presented here are new analysis.
The domain was registered January 16, 2025 via Spaceship Inc with Withheld for Privacy ehf (Iceland) -- a registrar choice that breaks SideWinder's usual pattern of Hostinger and Namecheap. It expired January 2026 and is now in pendingDelete, but the campaign was operationally active through at least November 2025 based on VirusTotal sandbox timestamps.
Four Campaigns, One Domain
A wildcard Let's Encrypt certificate issued September 17, 2025 covered *.defence-np[.]net, enabling unlimited subdomain campaigns without additional certificate transparency log exposure. We identified four:
| Subdomain | Target |
|---|---|
| internal-advisory-azerbaijan-russia-diplomatic-crisis | Azerbaijan-Russia diplomatic targeting |
| internal-advisory-azerbaijan-russia-dialomatic-crisis | Typo variant -- "dialomatic" instead of "diplomatic" |
| updated-telephone-directory | Government telephone directory lure |
| nomination-volunteers-training-courses-china | China-related volunteer training |
The first two target the same audience with the same lure -- one with a spelling error the operator never caught. This isn't strategic redundancy. It's a mistake, left running because nobody on the SideWinder team reviewed the infrastructure before deploying it. The third and fourth subdomains reveal that this single domain served as a multi-target platform for at least three distinct intelligence collection objectives.
The Attack Chain
The infection follows SideWinder's documented playbook, but the execution is polished:
Spearphishing email with 11.docx (30 KB)
→ CVE-2017-0199: Remote template injection
→ HTTPS fetch from defence-np[.]net subdomain
→ Font_Updates.rtf delivered (CVE-2017-11882: Equation Editor exploit)
→ Shellcode → mshta.exe → .NET downloader
→ DLL sideloading via legitimate signed binary
→ StealerBot (modular, in-memory espionage framework)
The 2017 CVEs are ancient, but SideWinder has used this exact chain for years because it works. Organizations that haven't patched Equation Editor -- or that run legacy Office versions -- remain vulnerable. The RTF delivery includes server-side geofencing (likely IP-based victim filtering) and User-Agent validation requiring legitimate Microsoft Office strings, ensuring that sandboxes and researchers receive decoy content or 404s.
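The first link in the chain, remote template injection, leaves a static fingerprint that a mail gateway or triage script can check before Word ever opens the file: an OOXML relationship with `TargetMode="External"` whose target is an http(s) URL. The scanner below is an added example written for this article, not code from the report or from any of the cited vendors. It opens a DOCX as a ZIP, walks every `.rels` part, and classifies the document as malicious when an external `attachedTemplate` relationship points at defence-np[.]net (brackets removed for matching), suspicious for any other remote URL, and clean otherwise. The `build_fixture` helper constructs a minimal DOCX-shaped archive for testing; it is constructed data, not the real 11.docx, and the `/PLACEHOLDER` path stands in for a template path the report does not give.

```python
"""Static check for remote template injection (CVE-2017-0199-style delivery) in DOCX files.

Added example for this article; not the report's or any vendor's code.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)

# Domain from the report with the defanging brackets removed; every campaign
# subdomain is covered by the suffix match in domain_is_known_bad().
KNOWN_BAD_DOMAINS = {"defence-np.net"}


def external_relationships(docx_bytes):
    """Return (part_name, rel_type, target) for every external http(s) relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed .rels: worth a separate alert, out of scope here
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(("http://", "https://")):
                    findings.append((name, rel.get("Type", ""), target))
    return findings


def domain_is_known_bad(url):
    """True when the URL's host is a known-bad domain or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def assess(docx_bytes):
    """Return (verdict, relationships): 'malicious' for an external attachedTemplate
    on a known-bad domain, 'suspicious' for any other remote URL, else 'clean'."""
    rels = external_relationships(docx_bytes)
    if not rels:
        return "clean", rels
    for _part, rel_type, target in rels:
        if rel_type == ATTACHED_TEMPLATE and domain_is_known_bad(target):
            return "malicious", rels
    return "suspicious", rels


def build_fixture(template_url=None):
    """Construct a minimal DOCX-shaped ZIP for testing (constructed data, not 11.docx).

    With template_url set, word/_rels/settings.xml.rels carries an external
    attachedTemplate relationship, which is the relationship Word follows to
    fetch a remote template.
    """
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
        ),
        "word/document.xml": f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>',
        "word/settings.xml": f'<w:settings xmlns:w="{w_ns}"/>',
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" '
            'Target="settings.xml"/></Relationships>'
        ),
    }
    if template_url:
        parts["word/_rels/settings.xml.rels"] = (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}" TargetMode="External"/>'
            "</Relationships>"
        )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed fixture using the report's first campaign subdomain.
    sample = build_fixture(
        "https://internal-advisory-azerbaijan-russia-diplomatic-crisis.defence-np.net/PLACEHOLDER"
    )
    verdict, rels = assess(sample)
    print(verdict)
    for part, rel_type, target in rels:
        print(f"  {part}: {rel_type.rsplit('/', 1)[-1]} -> {target}")
```

Any external relationship is worth a look, not just `attachedTemplate`: the same `TargetMode="External"` mechanism serves hyperlinks and linked objects, so the scanner reports every remote URL and reserves the malicious verdict for the combination the report describes.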
StealerBot: The Payload That Justifies the Chain
SideWinder's exclusive post-exploitation framework deploys entirely in memory. The modules recovered across SideWinder campaigns include:
- Keylogger (Module 0xca) -- SetWindowsHookEx interception
- Live Console (Module 0xcb) -- reverse shell access
- Screenshot Grabber (Module 0xd0) -- periodic screen capture
- File Stealer (Module 0xd4) -- targets .ppk, .doc, .docx, .xls, .xlsx, .ppt, .zip, .pdf
- UAC Bypass (Module 0xd6) -- CMSTP and IElevatedFactoryServer COM exploitation
- RDP Credential Stealer (Module 0xe0) -- mstsc.exe injection
- Token Grabber (Module 0xe1) -- Chrome cookies, Facebook, LinkedIn, Google sessions
- Credential Phisher -- GUI spoof via CredUIPromptForWindowsCredentialsW
For a diplomatic target, the file stealer and credential modules are the priority. .ppk files (PuTTY private keys) are specifically targeted -- a detail that suggests the operators know their targets use SSH for secure communications.
The Shared Artifact That Links 60+ Campaigns
Every SideWinder campaign drops the same 8-byte decoy RTF after the real exploit fires. SHA256: 1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a. It has appeared under dozens of names -- Font_Updates.rtf, Accept_EULA.rtf, Microsoft_License.rtf, MSFT_CLD_Font.rtf, Office.rtf, Profile.rtf -- across every documented SideWinder operation.
This artifact provides definitive campaign linking. Any DOCX that fetches a remote RTF and drops this exact hash is SideWinder. Microsoft's own detection signature confirms it: TrojanDownloader:O97M/Sidewinder!AMTB.
Infrastructure Shift
SideWinder's infrastructure choices here deviate from their established patterns:
| Aspect | Historical | This Campaign |
|---|---|---|
| Registrar | Hostinger, Namecheap | Spaceship Inc |
| Hosting | HZ Hosting, BlueVPS, GhostNET | AWS us-west-2 behind Cloudflare |
| Privacy | Various | Withheld for Privacy ehf (Iceland) |
The move to AWS behind Cloudflare is significant. It provides better uptime, DDoS protection, and IP reputation than the bulletproof hosting SideWinder typically favors. The Cloudflare layer also complicates infrastructure takedown -- the actual origin servers at 52.38.196[.]63 and 44.233.250[.]75 (both AWS Oregon) are hidden behind Cloudflare's anycast IPs.
Whether this represents an operational evolution or a one-off experiment remains to be seen. If SideWinder is migrating to legitimate cloud infrastructure behind CDN proxies, the traditional infrastructure-hunting approach that has yielded 400+ domain discoveries will become significantly harder.
Why Azerbaijan-Russia?
SideWinder is attributed to India with high confidence. India maintains strategic partnerships with both Azerbaijan and Russia, making intelligence on their bilateral relations -- particularly during the 2025 diplomatic crisis over the alleged Russian strike on Azerbaijan's embassy in Kyiv -- a high-value collection target.
This campaign represents SideWinder's first documented targeting of Caucasus/CIS diplomatic communications. Their previous geographic scope was limited to South Asia (Pakistan, Sri Lanka, Bangladesh, Nepal, Bhutan), MENA (Egypt, Turkey, Saudi Arabia), maritime and logistics sectors, and more recently, nuclear energy organizations. The Azerbaijan-Russia targeting is a meaningful expansion of their intelligence collection mandate.
Detection
YARA
Five detection rules covering the DOCX remote template injection (CVE-2017-0199 with defence-np[.]net indicators), the shared 8-byte decoy RTF campaign linker, and the SideWinder C2 URL path pattern are available on our GitHub:
Network
Eleven Suricata signatures detecting defence-np[.]net communications, the Font_Updates.rtf payload fetch, the numeric C2 URL path structure, and the distinctive Microsoft Office Protocol Discovery User-Agent strings are published alongside this report.
Hunt Queries
Search for:
- Equation Editor child processes: EQNEDT32.EXE spawning cmd.exe or mshta.exe
- StealerBot persistence: srclinkservice, sideloaded DLLs (propsys.dll, devobj.dll, vsstrace.dll, winmm.dll)
- C2 URL path pattern in proxy logs: /NNNN/N/NNNNN/N/NN/N/N/m/
- Email attachments matching 11.docx SHA256 hashes
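The hunt items above, turned into runnable logic over constructed sample telemetry. This is an added example for this article, not the report's published rules. Three detectors map to the three host/network items: EQNEDT32.EXE spawning cmd.exe or mshta.exe, StealerBot persistence (a service named srclinkservice, or one of the listed Windows DLL names loaded from outside System32/SysWOW64, which is this example's heuristic for "sideloaded"), and the numeric C2 URL path in proxy logs plus any request to defence-np[.]net. The process and image-load events are Sysmon-like dicts, the proxy line format and every path, IP, and executable name in the samples are constructed, and reading each `N` in the report's `/NNNN/N/NNNNN/N/NN/N/N/m/` pattern as a single decimal digit is this example's interpretation.

```python
"""SideWinder hunt queries as code, run over constructed sample events and log lines.

Added example for this article; not the report's Suricata or YARA rules.
"""
import re
from urllib.parse import urlparse

# Report's C2 path schematic /NNNN/N/NNNNN/N/NN/N/N/m/, each N read as one digit
# (this example's interpretation of the schematic).
C2_PATH_RE = re.compile(r"^/\d{4}/\d/\d{5}/\d/\d{2}/\d/\d/m/$")
C2_DOMAIN = "defence-np.net"  # report domain, defanging brackets removed

EQNEDT_CHILDREN = {"cmd.exe", "mshta.exe"}
SIDELOAD_DLLS = {"propsys.dll", "devobj.dll", "vsstrace.dll", "winmm.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PERSISTENCE_SERVICE = "srclinkservice"

# Constructed proxy log format: "<ts> <src_ip> <method> <url> <status> "<user-agent>""
PROXY_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Hunt item 1: Equation Editor spawning a shell or mshta."""
    if ev.get("type") != "process_create":
        return None
    if _basename(ev.get("parent_image", "")) == "eqnedt32.exe":
        child = _basename(ev.get("image", ""))
        if child in EQNEDT_CHILDREN:
            return f"EQNEDT32.EXE spawned {child} (pid {ev.get('pid')})"
    return None


def check_persistence(ev):
    """Hunt item 2: srclinkservice install, or a listed DLL name loaded from a non-system path."""
    if ev.get("type") == "service_install":
        if ev.get("name", "").lower() == PERSISTENCE_SERVICE:
            return f"service install named {PERSISTENCE_SERVICE}"
    elif ev.get("type") == "image_load":
        path = ev.get("dll_path", "").lower()
        name = _basename(path)
        if name in SIDELOAD_DLLS and not path.startswith(SYSTEM_DIRS):
            return f"possible sideload: {name} from {path} by {_basename(ev.get('image', ''))}"
    return None


def check_proxy_line(line):
    """Hunt item 3: known C2 domain or the numeric C2 path structure in a proxy log line."""
    m = PROXY_LINE_RE.match(line)
    if not m:
        return None
    ts, src, _method, url, _status, _ua = m.groups()
    u = urlparse(url)
    host = (u.hostname or "").lower()
    reasons = []
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        reasons.append("known C2 domain")
    if C2_PATH_RE.match(u.path):
        reasons.append("numeric C2 path structure")
    return f"{ts} {src} -> {host}{u.path}: {', '.join(reasons)}" if reasons else None


def hunt(events, proxy_lines):
    """Run all three detectors; return the list of human-readable hits."""
    hits = []
    for ev in events:
        for check in (check_process, check_persistence):
            hit = check(ev)
            if hit:
                hits.append(hit)
    for line in proxy_lines:
        hit = check_proxy_line(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample telemetry: two true positives per class plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "parent_image": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE",
     "image": "C:\\Windows\\System32\\mshta.exe"},
    {"type": "process_create", "pid": 4130,
     "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "image_load", "image": "C:\\Users\\user\\AppData\\Local\\Temp\\viewer.exe",
     "dll_path": "C:\\Users\\user\\AppData\\Local\\Temp\\propsys.dll"},
    {"type": "image_load", "image": "C:\\Windows\\explorer.exe",
     "dll_path": "C:\\Windows\\System32\\propsys.dll"},
    {"type": "service_install", "name": "srclinkservice"},
]
SAMPLE_PROXY_LINES = [
    '2025-11-03T10:15:02Z 10.0.0.5 GET https://internal-advisory-azerbaijan-russia-diplomatic-crisis.defence-np.net/PLACEHOLDER 200 "Microsoft Office Protocol Discovery"',
    '2025-11-03T10:15:09Z 10.0.0.5 GET https://cdn.example.net/1234/5/67890/1/23/4/5/m/ 200 "Mozilla/5.0"',
    '2025-11-03T10:16:41Z 10.0.0.7 GET https://www.example.com/index.html 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, SAMPLE_PROXY_LINES):
        print(hit)
```

The path regex fires on `cdn.example.net` in the sample even though that host is not in the indicator list; that is deliberate, since the report presents the path structure as a SideWinder-wide pattern that survives a domain change, and the domain and path checks are reported separately so an analyst can see which one matched.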
Indicators of Compromise
Network Indicators
- defence-np[.]net
- internal-advisory-azerbaijan-russia-diplomatic-crisis[.]defence-np[.]net
- internal-advisory-azerbaijan-russia-dialomatic-crisis[.]defence-np[.]net
- updated-telephone-directory[.]defence-np[.]net
- nomination-volunteers-training-courses-china[.]defence-np[.]net
- 52[.]38[.]196[.]63 (AWS us-west-2, Cloudflare origin)
- 44[.]233[.]250[.]75 (AWS us-west-2, Cloudflare origin)
File Indicators
| SHA256 | File |
|---|---|
| f69708c769f3d34fc0798257b472cc48770208b6862ea3e6540d12b9f23f9cdf | 11.docx (primary) |
| 7b5d44a88f1dfbf8c8b1a933cde2c04e4e20d4a3b9375a65c4a23cd077a0e587 | 11.docx (variant) |
| 1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a | Shared decoy RTF (campaign linker) |
Investigation conducted autonomously by Breakglass Intelligence's offensive OSINT platform. From one hash to four campaigns, a geographic expansion, and a typo the operators never caught. One indicator, total infrastructure.
h/t @salmanvsf for the initial IOC.