Sidewinder

Threat Actor updated 25 days ago (2024-08-13T16:17:53.240Z)
Sidewinder is a threat actor group that has been active since at least 2012, with probable origins in South Asia; the public reporting listed under the source references below describes it as India-linked. The group has a long record of malicious activity and has been linked to a range of tooling, including a backdoor payload written in Nim. Its targets span multiple countries, most notably regional rivals such as Pakistan, but also Turkey, China and maritime facilities in several other countries. Its attacks are typically phishing-led and have reused malware families previously associated with other known threat actors.

In recent campaigns Sidewinder has focused on ports and maritime facilities, particularly around the Mediterranean. The group has used forged documents purporting to come from specific ports, such as the Port of Alexandria in Egypt, as phishing lures, with high-interest topics such as job termination and salary reductions as bait. These campaigns show the group adapting its lures and standing up new infrastructure as its operations shift.

A malicious Word document with an embedded macro, discovered in 2023, led to further unravelling of Sidewinder's tactics; it was possibly intended for Nepalese government officials, underlining the breadth of the group's targeting. Sidewinder has also been linked to Mysterious Elephant, a separate APT cluster that Kaspersky reported emerging in Q2 2023 (see the source references below). Despite the age of some of the exploits it relies on, Sidewinder continues to deploy them effectively, which makes it a persistent and still-evolving threat.
Description last updated: 2024-08-13T15:18:05.917Z
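The macro-bearing Word lures described above are the kind of thing a mail gateway or SOC triage script should catch before the document reaches a user. The following is an added example written for this page, not code from Sidewinder reporting or from any vendor cited here. It constructs two minimal OOXML packages in memory (constructed test data, not real samples) and inspects them for a VBA project part and macro-enabled content types, then flags a macro-carrying file whose extension claims otherwise. Function names and the sample file names are illustrative.

```python
"""Triage check for macro-bearing Office (OOXML) documents.

Added example for this page; not code from Sidewinder reporting or any vendor.
Scope is VBA macros only: exploit documents for old vulnerabilities and
remote-template injection need separate checks and are not detected here.
"""
import io
import re
import zipfile

# Content types that appear only in macro-enabled Word packages (.docm/.dotm)
# or that mark the VBA project part itself.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-office.vbaProject",
)

# Part names under which Word, Excel and PowerPoint store the VBA project.
VBA_PART_RE = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)

# Extensions that honestly advertise macros. A VBA project behind any other
# extension is reported as a mismatch worth a closer look.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def inspect_ooxml(data: bytes) -> dict:
    """Return findings for a blob: is it an OOXML package, and does it carry VBA?"""
    findings = {"is_ooxml": False, "vba_parts": [], "macro_content_types": [], "has_macros": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # not a zip at all (legacy .doc, PDF, plain text, ...)
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["is_ooxml"] = "[Content_Types].xml" in names
        findings["vba_parts"] = [n for n in names if VBA_PART_RE.match(n)]
        if findings["is_ooxml"]:
            ct = z.read("[Content_Types].xml").decode("utf-8", errors="replace")
            findings["macro_content_types"] = [t for t in MACRO_CONTENT_TYPES if t in ct]
    # Either signal alone is enough: a stripped content-types file does not hide the part.
    findings["has_macros"] = bool(findings["vba_parts"] or findings["macro_content_types"])
    return findings


def triage(filename: str, data: bytes) -> str:
    """Verdict string combining the package findings with the advertised extension."""
    f = inspect_ooxml(data)
    if not f["is_ooxml"]:
        return "not-ooxml"
    if not f["has_macros"]:
        return "clean"  # meaning "no VBA", nothing more
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return "macro-enabled"
    return "macro-enabled (extension mismatch)"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed test data)."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    vba_override = (
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        if with_macro
        else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Stand-in for a real OLE2 VBA project: just the compound-file magic plus padding.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical lure file names, in the spirit of the salary/termination bait described above.
    for name, blob in (
        ("salary_revision_notice.docx", build_sample(False)),
        ("salary_revision_notice.docm", build_sample(True)),
        ("termination_letter.docx", build_sample(True)),
        ("readme.txt", b"not an office document"),
    ):
        print(f"{name}: {triage(name, blob)}")
```

Checking for the `vbaProject.bin` part rather than trusting `[Content_Types].xml` alone matters because the two signals are independent; a tampered content-types file can drop the override while the part is still present and still runs. A "clean" verdict here means only that no VBA project was found, so it should feed a wider pipeline rather than end one.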
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name (votes): profile description

Rattlesnake (4 votes): Rattlesnake, also known as Sidewinder, BabyElephant, APT Q4, APT Q39, Hardcore Nationalist, HN2, RAZOR Tiger, and GroupA21, is a threat actor that has been linked to a series of malicious cyber activities. According to a report published by Group-IB, this group was behind the 2020 attack on the Mald

APT36 (3 votes): APT36, also known as Transparent Tribe and Earth Karkaddan, is a threat actor group that has historically targeted government agencies and defense firms in India with cyberattacks aimed at compromising Windows systems and Android devices. The group's activities have been tracked by various cybersecu

Confucius (3 votes): Confucius is a threat actor primarily known for conducting cyberespionage campaigns against Pakistan since 2013. This group has been linked to various malicious activities, including the use of novel Android spyware Hornbill and SunBird to scrape call logs and WhatsApp messages of government authori

Transparent Tribe (3 votes): Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has

Rover (3 votes): Rover is a malicious software, also known as malware, that is designed to exploit and damage computer systems or devices. The term "rover" in this context seems unrelated to the various uses of the term in the information provided, such as the Mars Rover program, the Range Rover vehicle, or the Jagu

Rover Backdoor (3 votes): The Rover Backdoor is a type of malware, a harmful software designed to exploit and damage computer systems. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operation

Babyelephant (2 votes): BabyElephant, a threat actor also known by various aliases including Sidewinder, Rattlesnake, Hardcore Nationalist, HN2, APT Q4, RAZOR Tiger, APT Q39, and GroupA21, is a significant cybersecurity concern due to its persistent and evolving tactics. This entity, which could be a single individual, a p
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Phishing
Rat
Android
Backdoor
Vulnerability
Kaspersky
Remcos
State Sponso...
Spyware
Exploit
Payload
Associated Malware
Name (type; votes): profile description

yty (type unspecified; 2 votes): In late January 2018, ASERT discovered a new modular malware framework known as "yty". This malicious software, designed to exploit and damage computer systems, was found to be associated with the Donot Team, a group known for its use of modular/plugin-based malware frameworks. The yty malware focus
Associated Threat Actors
Name (type; votes): profile description

SideCopy (type unspecified; 3 votes): SideCopy is a Pakistani threat actor that has been operational since at least 2019, primarily targeting South Asian countries, specifically India and Afghanistan. The Advanced Persistent Threat (APT) group uses lures such as archive files embedded with Lnk, Microsoft Publisher or Trojanized Applicat

T-APT-04 (type unspecified; 2 votes): no description recorded

T-Apt4 (type unspecified; 2 votes): no description recorded
Source Document References
Information about the Sidewinder threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
Securelist | 25 days ago | Kaspersky report on APT trends in Q2 2024
Securityaffairs | a month ago | SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
DARKReading | a month ago | BlankBot Trojan Targets Turkish Android Users
Securityaffairs | a month ago | security-affairs-malware-newsletter-round-5
Securityaffairs | a month ago | Security Affairs newsletter Round 483 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading | 3 months ago | Pakistani 'Transparent Tribe' APT Aims for Cross-Platform Impact
DARKReading | a month ago | India-Linked SideWinder Group Pivots to Hacking Maritime Targets
Securityaffairs | a month ago | SideWinder phishing campaign targets maritime facilities in multiple countries
DARKReading | 3 months ago | Governments, Businesses Tighten Cybersecurity Around Hajj Season
Securelist | 4 months ago | APT trends report Q1 2024 – Securelist
CERT-EU | 9 months ago | From Macro to Payload: Decrypting the Sidewinder Cyber Intrusion Tactics - CYFIRMA
CERT-EU | 10 months ago | Army’s Iron Dome batteries on 11-month lease with Israel, which could be extended
CERT-EU | 10 months ago | DoNot Team's New Firebird Backdoor Hits Pakistan and Afghanistan
CERT-EU | a year ago | How Next-Gen Threats Are Taking a Page From APTs
CERT-EU | a year ago | Iranian ISP suspected of aiding cybercriminals and nation-state hackers
InfoSecurity-magazine | a year ago | Cyber-Attacks Targeting Government Agencies Increase 40%
CERT-EU | a year ago | Cloud Providers Becoming Key Players in Ransomware, Halcyon Warns
CERT-EU | a year ago | Kaspersky releases latest report on APT trends for 2023
CERT-EU | a year ago | Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers
InfoSecurity-magazine | a year ago | APT “Mysterious Elephant” Emerges in Q2 2023, Kaspersky Reports