🇮🇳
RAZOR TIGER
APT Group
Information theft and espionage
28 zero-day CVEs
ETDA ✓
Also Known As 4 names
APT-C-17
Rattlesnake
SideWinder
T-APT-04
Target Countries 17
Afghanistan
Bangladesh
Bhutan
China
Djibouti
Egypt
United Kingdom
Cambodia
Sri Lanka
Myanmar
Maldives
Nepal
Pakistan
Qatar
Turkey
United States
Vietnam
Sectors Targeted
Human Resources Consulting Services (541612)
Government
Travel Agencies (561510)
Water Supply and Irrigation Systems (22131)
Computer Systems Design and Related Services (54151)
Computer Systems Design Services (541512)
Defense
Data Processing, Hosting, and Related Services (51821)
Maritime and Shipbuilding
Business Schools and Computer and Management Training (6114)
Details
Origin
🇮🇳 IN
Last Updated
26 Jun 2022
MITRE ATT&CK 157
T1001 - Data Obfuscation
T1003 - OS Credential Dumping
T1005 - Data from Local System
T1007
T1008
T1010
T1011 - Exfiltration Over Other Network Medium
T1012 - Query Registry
T1014 - Rootkit
T1016 - System Network Configuration Discovery
T1018
T1020
T1021 - Remote Services
T1027 - Obfuscated Files or Information
T1027.004 - Compile After Delivery
T1027.010
T1027.013
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1036.005
T1041 - Exfiltration Over C2 Channel
T1047 - Windows Management Instrumentation
T1048
T1049
T1053 - Scheduled Task/Job
T1055 - Process Injection
T1056 - Input Capture
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1059.005
T1059.007 - JavaScript
T1060
T1068 - Exploitation for Privilege Escalation
T1070 - Indicator Removal on Host
T1070.006
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1074 - Data Staged
T1074.001
T1078 - Valid Accounts
T1081
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1085
T1087
T1090 - Proxy
T1095
T1102 - Web Service
T1104 - Multi-Stage Channels
T1105 - Ingress Tool Transfer
T1106
T1107
T1110
T1112
T1113 - Screen Capture
T1114
T1114.001
T1115
T1119
T1120
T1124
T1127
T1130
T1132 - Data Encoding
T1133 - External Remote Services
T1134 - Access Token Manipulation
T1136
T1137
T1140 - Deobfuscate/Decode Files or Information
T1170
T1176 - Browser Extensions
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1195
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001
T1204.002 - Malicious File
T1216
T1217
T1218 - Signed Binary Proxy Execution
T1218.005
T1219
T1221 - Template Injection
T1480 - Execution Guardrails
T1485
T1486
T1489
T1490 - Inhibit System Recovery
T1496 - Resource Hijacking
T1497 - Virtualization/Sandbox Evasion
T1497.003
T1498 - Network Denial of Service
T1503
T1505 - Server Software Component
T1518 - Software Discovery
T1518.001 - Security Software Discovery
T1529
T1530
T1531
T1539 - Steal Web Session Cookie
T1542 - Pre-OS Boot
T1543
T1546 - Event Triggered Execution
T1546.004
T1547 - Boot or Logon Autostart Execution
T1547.001
T1548 - Abuse Elevation Control Mechanism
T1550 - Use Alternate Authentication Material
T1552
T1553 - Subvert Trust Controls
T1555
T1559 - Inter-Process Communication
T1559.002
T1560
T1561
T1562
T1562.001
T1564 - Hide Artifacts
T1564.001
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1568 - Dynamic Resolution
T1569
T1571
T1572 - Protocol Tunneling
T1573
T1574 - Hijack Execution Flow
T1574.001
T1574.002 - DLL Side-Loading
T1583 - Acquire Infrastructure
T1583.001 - Domains
T1584 - Compromise Infrastructure
T1584.001 - Domains
T1587
T1587.001 - Malware
T1588 - Obtain Capabilities
T1588.002 - Tool
T1592 - Gather Victim Host Information
T1593 - Search Open Websites/Domains
T1595
T1598 - Phishing for Information
T1598.002
T1598.003
T1608 - Stage Capabilities
TA0003
TA0004
TA0005
TA0006
TA0007
TA0009
TA0011 - Command and Control
Related Zero-Days 28
CVE-2017-0199
CVE-2018-8174
CVE-2019-2215
CVE-2020-1472
CVE-2021-44228
CVE-2022-3236
CVE-2022-42475
CVE-2023-20109
CVE-2023-20198
CVE-2023-22515
CVE-2023-36884
CVE-2023-38831
CVE-2023-46604
CVE-2023-46805
CVE-2023-4966
CVE-2024-21412
CVE-2024-21887
CVE-2024-21893
CVE-2024-23222
CVE-2024-38112
CVE-2024-38193
CVE-2024-4040
CVE-2024-43093
CVE-2024-43461
CVE-2024-47575
CVE-2025-1316
CVE-2025-27363
CVE-2025-8088