SideWinder APT Targets Indian Organizations via DLL Side-Loading and Fake Income Tax Portals

CyberDefender 7 mins0

SideWinder APT has resurfaced with a highly targeted cyber-espionage campaign aimed at Indian organizations, abusing trusted Microsoft Defender components and government-themed social engineering. The campaign was uncovered by Zscaler Threat Hunting, highlighting a continued evolution in SideWinder’s tradecraft and operational stealth.

1. Campaign Overview

This campaign is focused on credential access, internal reconnaissance, and long-term espionage, rather than opportunistic financial crime. The attackers impersonate India’s Income Tax Department to deliver malware through convincingly crafted fake websites.

Key characteristics of the operation:

  • Highly localized lures targeting Indian entities
  • Abuse of legitimate Microsoft Defender binaries
  • Use of DLL side-loading to evade detection
  • Sector-specific targeting, indicating intelligence-driven objectives

2. Targeted Sectors

Observed and inferred victim profiles include:

  • Government and government-adjacent service providers
  • Retail enterprises
  • Telecommunications operators
  • Healthcare organizations

These sectors align closely with strategic intelligence collection, reinforcing SideWinder’s classification as an espionage-focused APT.

3. Initial Access: Government-Themed Social Engineering

3.1 Fake Income Tax Websites

Attackers register domains and deploy websites that closely mimic legitimate Indian tax portals. These sites:

  • Use official logos, branding, and formatting
  • Offer fake “tax documents,” “notices,” or “compliance updates”
  • Encourage users to download files purportedly related to income tax filings

3.2 Payload Delivery

The downloaded archive or installer contains:

  • A legitimate Microsoft Defender executable
  • A malicious DLL placed in the same directory

This setup primes the environment for DLL side-loading.

4. Execution Technique: DLL Side-Loading Abuse

4.1 Trusted Binary Abuse

The campaign leverages SenseCE.exe, a legitimate executable associated with Microsoft Defender.

Because:

  • The binary is signed by Microsoft
  • It is often allow-listed or trusted by EDR solutions

…it becomes an ideal candidate for stealthy execution.

4.2 Side-Loading Mechanics

When SenseCE.exe is launched:

  1. Windows searches for required DLLs in the local execution directory
  2. A malicious DLL named MpGear.dll is found first
  3. The malicious DLL is loaded instead of the legitimate one
  4. Malicious code executes under the context of a trusted Microsoft process

This allows attackers to:

  • Bypass basic signature-based defenses
  • Blend into normal endpoint activity
  • Reduce suspicion during forensic review

5. Malware Analysis: MpGear.dll

5.1 Role and Capabilities

MpGear.dll functions as the primary malicious payload. While full reverse-engineering details vary by sample, observed behaviors are consistent with SideWinder tooling:

  • Initial beaconing to attacker-controlled infrastructure
  • System and user reconnaissance
  • Collection of environment metadata
  • Preparation for secondary payload delivery

5.2 Stealth Characteristics

  • Executes in memory under a legitimate parent process
  • Avoids noisy privilege escalation techniques early on
  • Likely includes basic anti-analysis or sandbox evasion logic

6. Command-and-Control (C2)

Although specific infrastructure details change frequently, SideWinder campaigns typically:

  • Use HTTPS-based C2 traffic
  • Mimic legitimate web traffic patterns
  • Rotate domains and IPs aggressively

This further complicates network-based detection.

7. Why This Campaign Is Significant

7.1 Abuse of Security Software

Using Microsoft Defender executables undermines trust assumptions:

  • Many organizations inherently trust Defender-related binaries
  • Application allow-listing may unintentionally permit malicious execution

7.2 High-Confidence Targeting

The use of localized government lures suggests:

  • Prior reconnaissance of victims
  • Tailored delivery, not mass phishing
  • Strategic rather than financial motivation

7.3 Evolution of SideWinder Tradecraft

SideWinder has historically relied on spear-phishing and document-based malware. This shift toward DLL side-loading with LoLbins reflects:

  • Increased maturity
  • Awareness of modern EDR capabilities
  • Focus on stealth and persistence

8. Detection & Threat Hunting Guidance

8.1 Host-Based Indicators

  • SenseCE.exe executing from non-standard directories
  • Unsigned or anomalous MpGear.dll loaded by Defender binaries
  • Defender components spawning unexpected child processes

8.2 Logging Recommendations

  • Enable DLL load auditing
  • Collect command-line arguments for signed binaries
  • Monitor image load paths for Microsoft executables

8.3 Network Monitoring

  • Look for rare outbound HTTPS connections from Defender processes
  • Correlate traffic with newly registered or low-reputation domains

9. Mitigation Recommendations

  • Restrict execution of Defender binaries outside their default paths
  • Enforce application control policies that validate DLL integrity
  • Conduct user awareness training focused on government-themed lures
  • Regularly threat-hunt for living-off-the-land abuse patterns
  • Integrate threat intel feeds related to SideWinder infrastructure

10. Conclusion

This campaign underscores how trusted software can be weaponized when defenders rely solely on signatures and trust models. By abusing Microsoft Defender executables and pairing them with convincing government impersonation, SideWinder APT demonstrates a clear understanding of both human and technical trust boundaries.

Organizations operating in India—especially within strategic sectors—should treat this activity as a serious espionage threat, prioritizing proactive hunting and behavioral detection over reactive controls.

CyberDefender