Recent cyber-espionage activity attributed to the SideWinder threat group suggests that the India-linked operation has expanded across Southeast Asia, including Indonesia and Thailand. The group continues to rely on phishing, credential theft, and frequent infrastructure changes to avoid detection.
Researchers at the cybersecurity services company ITSEC Group said in a report released this week that the group commonly uses a phishing lure with a government-audit theme to persuade employees to open a link. The group reuses the same tradecraft, including staged execution and rapid domain rotation, which lets SideWinder shift its geographic targets without changing its core malware toolkit. According to the report, the group, which the researchers also track as RagaSerpent, began targeting Thailand in late 2025 and Indonesia earlier this year.
Patrick Dannacher, president director of ITSEC Asia, said that this combination of simple initial-access techniques and strictly controlled long-term access is typical of modern espionage campaigns. He says, "The spies working in this area aren't here to make a quick buck."
He adds that this modular, staged approach makes signature-based detection less effective and allows the same malware to be reused across multiple campaigns.

## Long-Term Goals for Intelligence

Researchers say that the SideWinder threat group's targeting pattern is more consistent with an intelligence-gathering mission than with financially motivated attacks. The ITSEC researchers said that recent campaigns show signs of careful operational scoping, such as malware configurations that avoid interacting with certain networks.
They believe the operators are trying to limit collateral exposure while gaining access to specific high-value targets. Because of the broader targeting, organizations outside government may still be at risk if they share a supply chain or communication channels with the intended victims.