Rattlesnake

Threat Actor updated a month ago (2024-10-15T14:00:57.776Z)

Download STIX

Preview STIX

The threat actor Rattlesnake, also known as Sidewinder, BabyElephant, APT Q4, APT Q39, Hardcore Nationalist, HN2, RAZOR Tiger, and GroupA21, is a prolific Advanced Persistent Threat (APT) group that has been active since 2012. The group was first publicly identified in 2018 and has launched numerous attacks against high-profile entities across South and Southeast Asia. Rattlesnake's persistent and evolving tactics pose a significant risk to regional cybersecurity, with the group often resorting to spear-phishing attacks using images of official-looking documents. Rattlesnake has been linked to several notable cyberattacks. A report published by Group-IB attributed a malicious document and Nim backdoor payload to Rattlesnake, linking it to a 2020 attack on the Maldivian government and a series of previously unknown phishing operations targeting organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021. From January to May 2024, the group used Hajj-related emails to target users in Asia and Africa, demonstrating their ability to adapt their tactics to current events and cultural contexts. In recent developments, the Cyble Research Team discovered new malware variants associated with Rattlesnake. Additionally, between late November and March, the group utilized server-based polymorphism to facilitate next-stage backdoor delivery in a cyberattack campaign initially targeting Pakistani government entities before shifting focus to Turkey. This method allows the group to evade detection by creating unique instances of their malicious software for each new victim, further highlighting the sophistication and potential danger posed by Rattlesnake.

Description last updated: 2024-10-15T13:15:38.309Z

What's your take? (Question 1 of 3)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Sidewinder is a possible alias for Rattlesnake. Sidewinder, a threat actor with a history of malicious activities dating back to 2012, has been linked to a series of sophisticated cyber threats targeting maritime facilities in multiple countries and government officials in Nepal. The group, believed to have South Asian origins, is known for its u	5
T-APT-04 is a possible alias for Rattlesnake.	2
T-Apt4 is a possible alias for Rattlesnake.	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Rattlesnake Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securelist	a month ago	SideWinder APT’s post-exploitation framework analysis
DARKReading	4 months ago	India-Linked SideWinder Group Pivots to Hacking Maritime Targets
DARKReading	5 months ago	Governments, Businesses Tighten Cybersecurity Around Hajj Season
CERT-EU	a year ago	From Macro to Payload: Decrypting the Sidewinder Cyber Intrusion Tactics - CYFIRMA
MITRE	2 years ago	SideWinder APT Targets with futuristic Tactics and Techniques
InfoSecurity-magazine	2 years ago	SideWinder APT Attacks Regional Targets in New Campaign
DARKReading	2 years ago	SideWinder APT Spotted Stealing Crypto
CERT-EU	2 years ago	Novel AndoryuBot DDoS botnet leverages Ruckus RCE bug
CERT-EU	2 years ago	Server-based polymorphism leveraged in new SideWinder APT attacks