No payload for you: inside Sidewinder's selective exploitation strategy

This is a reserve paper. Should it not be required to replace a paper on the main programme, it will be presented in the Small Talks room on Friday 26 September.

Eliad Kimhy & Santiago Pontiroli (Acronis)

Active since at least 2012, Sidewinder has carried out sustained and highly targeted espionage campaigns across Southeast Asia. Often labelled as unsophisticated, the group instead demonstrates strong operational discipline and a clear focus on precision targeting. In this presentation, we share new research into Sidewinder's tooling, infrastructure, and delivery methods, based on recent campaigns targeting government ministries, military entities, public institutions, and financial organizations.

Through multi-stage spear-phishing, geofenced payload distribution, and sandbox evasion, Sidewinder ensures that only its intended victims receive the actual malware while analysts are left with nothing to work with. The group's infrastructure fingerprints each request and generates unique payloads per victim, leaving minimal evidence behind.

Our investigation reveals highly customized intrusion chains, obfuscated shellcode, and staged malware deployed via trusted executables and DLL sideloading. We also explore potential overlaps with other regional APTs such as SideCopy and related clusters, highlighting shared techniques, tactics and procedures.

Attendees will gain insights into Sidewinder's evolving playbook, practical detection strategies, and a broader understanding of its place within the regional APT landscape.

Eliad Kimhy Eliad Kimhy is a senior security researcher at Acronis, where he focuses on cybersecurity research, threat intelligence, and communicating findings through published reports, conference talks, and media engagements. Eliad has worked with security teams for close to a decade, helping build and lead the development of threat intelligence production, and the publication of research-based content for technical and general audiences. He is the co-creator and producer of the Webby Honoree podcast Malicious Life, which explores the history of cybersecurity. Eliad has spoken at conferences including Insomnihack, Thotcon, BsidesSF, BsidesLV, and IT-SA.

Santiago Pontiroli Santiago Pontiroli is a cybersecurity expert focusing on threat intelligence efforts at Acronis as part of the Acronis Threat Research Unit (TRU). He specializes in analysing nation-state actors, criminal organizations, and financially motivated threat groups, focusing on malware analysis, reverse engineering, and creating advanced detection capabilities using tools like YARA, Sigma, and Suricata. Beyond his work at Acronis, Santiago is an active contributor to the cybersecurity community. He has authored articles and whitepapers and presented his research at renowned global conferences, including Virus Bulletin, CARO, Nuit du Hack, MITRE ATT&CK, BlueHat, AVAR, 8.8, and ekoParty.

Back to VB2025 Programme page

Back to VB2025 conference page

Register for VB2025

Other VB2025 papers