🇮🇳
SideWinder
APT Group
34 zero-day CVEs
ETDA ✓
Also Known As 10 names
APT-Q-39
APT-C-17
GroupA21
T-APT-04
G0121
RAZORTIGER
BabyElephant
Rattlesnake
HN2
Hardcore Nationalist
Target Countries 64
United Arab Emirates
Afghanistan
Albania
Austria
Australia
Bangladesh
Belgium
Bulgaria
Bahrain
Brazil
Bhutan
Canada
Switzerland
China
Colombia
Germany
Djibouti
Algeria
Egypt
Spain
France
United Kingdom
Greece
Hong Kong
Hungary
Indonesia
Israel
India
British Indian Ocean Territory
Italy
Jordan
Japan
Kenya
Cambodia
Sri Lanka
Morocco
Myanmar
Maldives
Malaysia
Mozambique
Nigeria
Nicaragua
Netherlands
Norway
Nepal
Philippines
Pakistan
Poland
Portugal
Qatar
Serbia
Rwanda
Saudi Arabia
Sweden
Singapore
Thailand
Turkey
Ukraine
Uganda
United States
Vietnam
Yemen
South Africa
Global
Sectors Targeted
Electrical Equipment, Appliance, and Component Manufacturing (NAICS 335)
Rail Transportation (NAICS 482)
governmental
Cybersecurity
Water and Wastewater
exchanges
Infrastructure
Financial services
Maritime
Educational institutions
Military
Computer Systems Design and Related Services (NAICS 5415)
Financial Services
Data Processing, Hosting, and Related Services (NAICS 518)
Logistics
Telecommunications (NAICS 517)
Financial institutions
and business
Consulting
Law enforcement
Retail
Logistics companies
Commercial Banking (NAICS 52211)
Governmental organizations
B2B
Administrative and Support and Waste Management and Remediation Services (NAICS 56)
Oil and Gas
Mining, Quarrying, and Oil and Gas Extraction (NAICS 21)
Religious, Grantmaking, Civic, Professional, and Similar Organizations (NAICS 813)
Gambling companies
Banks
Services
Computer Systems Design Services (NAICS 541512)
NAICS:44
aviation
finance and government
Banking
Public and private sector
IT
telecom
Real Estate and Rental and Leasing (NAICS 53)
Mining
Construction of Buildings (NAICS 236)
Consulting businesses
Marine
Foreign Affairs
Real estate
Real Estate Agencies
Nuclear energy
NAICS:31
Insurance Carriers and Related Activities (NAICS 524)
Universities
Chemical Manufacturing (NAICS 325)
Maritime Industry
Diplomatic Entities
Government
Credit Unions (NAICS 52213)
foreign affairs
Accommodation (NAICS 721)
Diplomatic entities
IT Service Companies
Publishing Industries (except Internet) (NAICS 511)
Financial Institutions
military
Energy Agencies
Mass Media
Information (NAICS 51)
Industrial
manufacturing
Technology
education
Education
Social Media
Telecom
Transportation
Accommodation and Food Services (NAICS 72)
Financial Sector
Port Authorities
Entertainment
Professional, Scientific, and Technical Services (NAICS 54)
Energy (Nuclear Power)
financial
Software Development
Aircraft Manufacturing (NAICS 336411)
Repair and Maintenance (NAICS 811)
Economic Sectors
National Security and International Affairs (NAICS 928110)
Gambling
telecommunications
Diplomats
Public Administration (NAICS 92)
Wholesale Trade (NAICS 42)
Federal Civilian Executive Branch (FCEB)
IT services
Diplomatic
Economic sectors
Shipping
Diplomacy
Critical Infrastructure
Telcos
Healthcare
E-Commerce
Research Organizations
Foreign affairs
Beverage and Tobacco Product Manufacturing (NAICS 312)
Real Estate
Public Sector
News Media
Energy sector
Local Government
Management of Companies and Enterprises (NAICS 55)
Ports
Energy
energy
News media
Research
Gaming
NAICS:48
Artificial Intelligence
and Military
Nuclear
and the Naval forces
and education
Construction (NAICS 23)
Legal firms
IT Services
Other Information Services (NAICS 519)
Police
Food and Beverage
High-Ranking Organizations
Nuclear Power
Automobile Dealers (NAICS 4411)
Oil trading companies
Defense contractors
Nuclear Power Plants
crypto markets
Legal
Food Manufacturing (NAICS 311)
Media
Law Enforcement
Software Publishers (NAICS 5112)
Financial
General Public
Data management companies
Textile Mills (NAICS 313)
Hotels
Food Services and Drinking Places (NAICS 722)
National Security and International Affairs (NAICS 928)
E-commerce
Digital Sector
Financial Services & Insurance (BFSI)
Maritime infrastructures
High-Tech
Individuals
Multiple
Judicial Institutions
Finance
Justice, Public Order, and Safety Activities (NAICS 922)
Water Transportation (NAICS 483)
Utilities (NAICS 22)
finance
Business
Internet Publishing and Broadcasting and Web Search Portals (NAICS 51913)
Defense
Educational Services (NAICS 61)
Monetary Authorities-Central Bank (NAICS 521)
Internet Backbone Infrastructure
Nuclear Energy
Air Transportation (NAICS 481)
Pharmaceuticals
government
Finance and Insurance (NAICS 52)
Transportation (Oil Tankers)
Maritime facilities
Telecommunication
National Defense
Industrial Control Systems (ICS)
Nuclear Energy Infrastructure
nuclear
Manufacturing
naval forces
technology
Businesses
Oil and Gas Extraction (NAICS 211)
Executive Search
Aviation
IT companies
Engineering
Space Research and Technology (NAICS 927)
legal firms
logistics
Telecommunications
Corporate
Governmental
Truck Transportation (NAICS 484)
Political
Clothing Stores (NAICS 4481)
Hospitality
scientific and defence organisations
Research institutes
Aerospace
Details
Origin
🇮🇳 IN
Last Updated
01 Jun 2022
Malware Families 6
dreambot
COBALTSTRIKE
FORMBOOK
GOZI ISFB
bashlite
gozi
MITRE ATT&CK 89
T1001 - Data Obfuscation
T1003 - OS Credential Dumping
T1005 - Data from Local System
T1011 - Exfiltration Over Other Network Medium
T1012 - Query Registry
T1014 - Rootkit
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027 - Obfuscated Files or Information
T1027.004 - Compile After Delivery
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1041 - Exfiltration Over C2 Channel
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1055 - Process Injection
T1055.001
T1056 - Input Capture
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1059.007 - JavaScript
T1068 - Exploitation for Privilege Escalation
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1074 - Data Staged
T1078 - Valid Accounts
T1078.002
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1090 - Proxy
T1102 - Web Service
T1104 - Multi-Stage Channels
T1105 - Ingress Tool Transfer
T1112
T1113 - Screen Capture
T1115
T1132 - Data Encoding
T1133 - External Remote Services
T1134 - Access Token Manipulation
T1140 - Deobfuscate/Decode Files or Information
T1176 - Browser Extensions
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.002 - Malicious File
T1218 - Signed Binary Proxy Execution
T1221 - Template Injection
T1480 - Execution Guardrails
T1486
T1490 - Inhibit System Recovery
T1496 - Resource Hijacking
T1497 - Virtualization/Sandbox Evasion
T1498 - Network Denial of Service
T1505 - Server Software Component
T1518 - Software Discovery
T1518.001 - Security Software Discovery
T1542 - Pre-OS Boot
T1546 - Event Triggered Execution
T1547 - Boot or Logon Autostart Execution
T1548 - Abuse Elevation Control Mechanism
T1550 - Use Alternate Authentication Material
T1553 - Subvert Trust Controls
T1559 - Inter-Process Communication
T1560
T1564 - Hide Artifacts
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1568 - Dynamic Resolution
T1569
T1572 - Protocol Tunneling
T1574 - Hijack Execution Flow
T1574.002 - DLL Side-Loading
T1583 - Acquire Infrastructure
T1583.001 - Domains
T1584 - Compromise Infrastructure
T1584.001 - Domains
T1587.001 - Malware
T1588.002 - Tool
T1592 - Gather Victim Host Information
T1593 - Search Open Websites/Domains
T1598 - Phishing for Information
T1608 - Stage Capabilities
TA0011 - Command and Control
Related Zero-Days 34
CVE-2017-0199
CVE-2019-2215
CVE-2021-44228
CVE-2022-3236
CVE-2023-20109
CVE-2023-20198
CVE-2023-22515
CVE-2023-38831
CVE-2023-46604
CVE-2023-46805
CVE-2023-4966
CVE-2024-21412
CVE-2024-21887
CVE-2024-21893
CVE-2024-23222
CVE-2024-38112
CVE-2024-38193
CVE-2024-4040
CVE-2024-43093
CVE-2024-43461
CVE-2024-47575
CVE-2025-1316
CVE-2025-24201
CVE-2025-24983
CVE-2025-24984
CVE-2025-24985
CVE-2025-24991
CVE-2025-24993
CVE-2025-26633
CVE-2025-27363
CVE-2025-38352
CVE-2025-53770
CVE-2025-8088
CVE-2025-9491