A threat intelligence report has identified an expansion of activity by the India-linked cyber-espionage group RagaSerpent (SideWinder) into Indonesia and across Southeast Asia in 2026.
Based on analysis from ITSEC Asia and corroborated public reporting, the activity suggests a geographic extension of advanced persistent threat (APT) tradecraft previously observed in India and Thailand in 2025, with the group now targeting government environments in Indonesia and other parts of Southeast Asia.
We discussed the company’s latest Threat Intelligence Report, which identified an expansion of activity by the India-linked espionage actor into Southeast Asia, with Patrick Dannacher, President Director & CEO of ITSEC Asia.

Patrick Dannacher, President Director & CEO, ITSEC Asia
ITSEC’s latest report identified RagaSerpent (SideWinder) as a sustained cyber-espionage threat. What are the most important findings from this analysis, and why should this activity be considered a high-priority risk for government institutions in Indonesia and the rest of Southeast Asia?
Dannacher: What stands out is that RagaSerpent, or SideWinder, is not operating through a series of isolated campaigns, but is using a repeatable, scalable espionage model that can be deployed across countries with minimal adaptation.
ITSEC Asia observed the same core playbook, including tax and audit-themed spearphishing, user-driven execution, staged malware deployment, and long-term persistence, moving from India into Thailand and now Indonesia.
That consistency is what makes the threat particularly serious. Even as domains, infrastructure, and payloads change, the underlying attack behavior remains stable. In practical terms, it means organizations across the region are not facing a one-off breach risk, but a persistent intrusion capability that can be reactivated and re-targeted at scale.
For government institutions in Indonesia and across Southeast Asia, this should be treated as a high-priority risk for three reasons:
- The targeting is clearly aligned to state-linked intelligence objectives, focusing on government, telecommunications, and strategic sectors.
- The use of official tax and compliance lures exploits institutional trust, significantly increasing the likelihood of a successful compromise.
- Once inside, the actor is designed to maintain durable access and continuous command-and-control, rather than cause short-term disruption.
The report suggested that activity observed in Indonesia in early 2026 represents a geographic extension of campaigns previously seen in India and Thailand. What does this expansion tell us about the intent, maturity, and strategic objectives of the threat actor?
Dannacher: The expansion from India and Thailand into Indonesia shows a scaling of ambition, underpinned by its stable and highly reusable intrusion model. They’re not reinventing their attack each time; they’re reusing the same model and just adapting it slightly for each country, mainly by localizing the lures and impersonations. It’s clear that the actor has now reached a level of maturity and operational standardization where campaigns can be scaled quickly without needing to redesign tooling or infrastructure.
Strategically, the move into Southeast Asia, particularly Indonesia, aligns with broader regional dynamics. These are economies with growing digital infrastructure, critical supply chains, and increasing geopolitical relevance.
By extending into this region, the actor is effectively broadening its intelligence footprint, positioning itself to monitor policy, economic activity, and cross-border networks across the region. The fact that they tailor their lures using local language and institutions (like tax authorities) shows they are investing time and effort to understand each country in preparation for a long-term campaign.
One of the key insights is the actor’s repeatable intrusion model, combining credential harvesting with installer-based persistence. Can you explain how this dual-path approach works in practice, and why it is particularly effective at enabling long-term, undetected access?
Dannacher: One of the more sophisticated aspects of this campaign is that they don’t rely on a single path to compromise. They combine credential harvesting at scale with a more targeted installer-based intrusion.
In practice, the first path is relatively lightweight. Victims are directed to spoofed portals, often mimicking government or tax systems, where credentials are captured. This allows the actor to quickly map accounts, identify high-value targets, and potentially gain immediate access to email or internal systems without deploying malware. It’s fast, low-cost, and difficult to attribute.
The second path is more deliberate. Selected targets are pushed toward downloading and executing an installer, typically disguised as an official document or compliance tool. Once executed, this initiates a multi-stage infection chain, establishing persistence through mechanisms such as Windows services and enabling direct command-and-control communication.
What makes the combination particularly effective is how the two reinforce each other. Credential harvesting provides visibility and prioritization, while the installer route delivers durable, system-level access. If one path is detected or blocked, the other can still succeed. More importantly, the installer-based persistence is designed to survive reboots and operate quietly in the background, often blending into legitimate system activity.
The report noted that indicator-driven defenses alone are insufficient against this type of activity. How should organizations rethink their cybersecurity approach?
Dannacher: What this report makes clear is that many organizations are still optimizing their defenses for a threat model that no longer reflects reality. Indicator-driven approaches such as blocking known domains, IPs, or file hashes are all necessary, but they are inherently reactive and short-lived. In this case, the actor is rotating infrastructure rapidly while keeping their underlying behavior consistent, which means defenders are always one step behind if they rely on indicators alone.
The shift that’s required is toward a behavior-led, detection-driven security model. Instead of asking “Is this IP malicious?”, organizations need to ask “Does this activity look suspicious in context?”
For example, the report highlights stable patterns such as unusual Windows service creation, user-initiated execution of unexpected installers, and direct outbound connections to IP addresses rather than domains. These are signals that remain consistent even as infrastructure changes.
Equally important is improving visibility across the full attack lifecycle, from email entry points through to endpoint activity and network egress. Too often, these are monitored in isolation. What’s needed is correlation: linking a phishing email to a subsequent process execution and then to outbound traffic.
Finally, organizations should prioritize low-friction controls with high disruption value, tightening execution policies, monitoring administrative actions, and enforcing stricter outbound network controls. The goal is not to prevent every intrusion, but to detect and disrupt early, before persistence is established and the attacker can entrench themselves.
Looking ahead, how do you see this type of espionage activity evolving? What are the most critical immediate and longer-term actions that government agencies and enterprises should prioritize to mitigate this threat?
Dannacher: We expect this type of espionage activity to become more scalable, more localized, and harder to detect. The core model will remain the same, but actors will refine it—using better language localization, more convincing impersonation of government services, and increasingly modular tooling that can be adapted quickly across markets.
In terms of action, the priority now is to shift from prevention-only to early detection and disruption. Immediately, government agencies and enterprises should:
- Tighten email and phishing controls, especially around attachments and download links
- Restrict and monitor user-driven execution of installers
- Actively track Windows service creation and privilege changes
- Strengthen network egress monitoring, particularly direct IP connections
Longer term, organizations need to:
- Build behavior-based detection capabilities aligned to attack stages, not just indicators
- Improve cross-layer visibility (email, endpoint, network) to connect signals
- Invest in threat hunting and incident response readiness, assuming compromise will occur
Ultimately, this is a persistence-driven threat. The goal is not just to block entry, but to identify, contain, and remove adversaries before they can establish long-term access.
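The cross-layer correlation the interview calls for (linking a phishing email to a subsequent user-driven installer execution, a new Windows service and a direct-to-IP outbound connection on the same host, and alerting on the behaviour chain rather than on any domain, IP or hash) is illustrated below as an added example. It is not code from the interview, from ITSEC Asia or from its report. The event layout (timestamp, layer, host, key=value detail) is an assumed normalised log shape, and every hostname, file name, service name and IP address is a constructed placeholder, not an indicator from the report.

```python
"""Behaviour-led, cross-layer correlation over constructed sample telemetry.

Added example: not code from the interview, ITSEC Asia or its report. It maps
raw email, endpoint and network events to the stage-level behaviours named in
the interview and alerts only when several stages line up on one host inside a
time window, so rotating domains, IPs or hashes do not affect the logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample events (timestamp, layer, host, detail). Hostnames, file
# names, service names and IPs are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    # WS-014: full chain, email -> user-driven installer -> service -> direct-IP egress
    ("2026-02-03T08:59:10", "email", "WS-014", "inbound subject=TaxAuditNotice attachment=Audit_Notice.zip"),
    ("2026-02-03T09:04:22", "process", "WS-014", "parent=explorer.exe image=C:\\Users\\u1\\Downloads\\Audit_Notice.exe"),
    ("2026-02-03T09:04:40", "service", "WS-014", "service created name=SysHelperUpdate start=auto"),
    ("2026-02-03T09:05:03", "network", "WS-014", "outbound dst=203.0.113.45:443 sni="),
    # WS-027: ordinary document open and a connection reached by name; must not alert
    ("2026-02-03T10:15:00", "process", "WS-027", "parent=explorer.exe image=C:\\Users\\u2\\Downloads\\report.pdf"),
    ("2026-02-03T10:16:11", "network", "WS-027", "outbound dst=198.51.100.7:443 sni=updates.example.net"),
    # WS-031: phishing mail and an installer run hours apart; outside the window
    ("2026-02-03T07:00:00", "email", "WS-031", "inbound subject=Invoice attachment=Invoice.zip"),
    ("2026-02-03T11:30:00", "process", "WS-031", "parent=explorer.exe image=C:\\Temp\\Invoice.exe"),
]

# Ordered stages; a chain must follow this order to count.
STAGE_ORDER = ["phishing_delivery", "user_driven_execution",
               "service_persistence", "direct_ip_egress"]
INSTALLER_EXT = re.compile(r"\.(exe|msi|scr)$", re.IGNORECASE)
USER_PARENTS = {"explorer.exe", "outlook.exe", "winword.exe", "chrome.exe", "msedge.exe"}


def _field(detail, key):
    """Pull a key=value token out of the detail string ('' if absent or empty)."""
    m = re.search(rf"\b{key}=(\S*)", detail)
    return m.group(1) if m else ""


def is_direct_ip(dst):
    """True when the destination is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def stage_of(layer, detail):
    """Classify one raw event as an attack stage, or None when it is not suspicious."""
    if layer == "email" and _field(detail, "attachment"):
        return "phishing_delivery"
    if layer == "process":
        parent = _field(detail, "parent").lower()
        image = _field(detail, "image")
        # A user-facing parent launching an installer is the user-driven execution signal
        if parent in USER_PARENTS and INSTALLER_EXT.search(image):
            return "user_driven_execution"
    if layer == "service" and detail.startswith("service created"):
        return "service_persistence"
    if layer == "network":
        dst = _field(detail, "dst").rsplit(":", 1)[0]  # strip the port (IPv4 form assumed)
        # An empty SNI stands in for "no name was used to reach this host"
        if is_direct_ip(dst) and not _field(detail, "sni"):
            return "direct_ip_egress"
    return None


def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Return {host: [stages]} for hosts where at least min_stages stages occur
    in STAGE_ORDER within `window` of the chain's first event."""
    by_host = defaultdict(list)
    for ts, layer, host, detail in events:
        stage = stage_of(layer, detail)
        if stage:
            by_host[host].append((datetime.fromisoformat(ts), stage))

    alerts = {}
    for host, staged in by_host.items():
        staged.sort()
        best = []
        for i, (t0, _) in enumerate(staged):      # try every event as a chain start
            chain, next_idx = [], 0
            for t, stage in staged[i:]:
                if t - t0 > window:
                    break
                idx = STAGE_ORDER.index(stage)
                if idx >= next_idx:               # keep stage order, ignore repeats
                    chain.append(stage)
                    next_idx = idx + 1
            if len(chain) > len(best):
                best = chain
        if len(best) >= min_stages:
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(chain)}")
```

The point of the design is that nothing in `stage_of` or `correlate` references a domain, address or file hash: WS-014 alerts because four of the interview's behaviours occur in order within thirty minutes, WS-027 stays quiet because a PDF opened by a user and a connection reached by name are not stages, and WS-031 stays quiet because its two stages fall outside the window. Widening `window` or lowering `min_stages` trades fewer misses for more noise, which is the usual tuning knob once real telemetry replaces the constructed events.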