Sidewinder
Also known as: T-APT-04 · Rattlesnake
Overview
Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.
Targets
Government · Military · Private sector
Regions
Afghanistan · China · Nepal · Pakistan
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1203
TTPs — 30 techniques across 9 tactics
Reconnaissance
- T1598.002 Spearphishing Attachment
- T1598.003 Spearphishing Link
Initial Access
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1559.002 Dynamic Data Exchange
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1027.010 Command Obfuscation
- T1027.013 Encrypted/Encoded File
- T1036.005 Match Legitimate Resource Name or Location
- T1218.005 Mshta
- T1574.001 DLL
Discovery
- T1016 System Network Configuration Discovery
- T1033 System Owner/User Discovery
- T1057 Process Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1124 System Time Discovery
- T1518 Software Discovery
- T1518.001 Security Software Discovery
Collection
- T1074.001 Local Data Staging
- T1119 Automated Collection
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
Exfiltration
- T1020 Automated Exfiltration
Tools & malware (1)
- Koadic
Reporting (3)
- A Global Perspective of the SideWinder APT — Hegel, T
- SideWinder APT Targets with futuristic Tactics and Techniques — Cyble
- APT Trends report Q1 2018 — Global Research and Analysis Team