Windshift
Also known as: Bahamut
Overview
Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.
TTPs — 19 techniques across 6 tactics
Initial Access
- T1189 Drive-by Compromise
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
- T1566.003 Spearphishing via Service
Execution
- T1047 Windows Management Instrumentation
- T1059.005 Visual Basic
- T1204.001 Malicious Link
- T1204.002 Malicious File
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1027 Obfuscated Files or Information
- T1036 Masquerading
- T1036.001 Invalid Code Signature
Discovery
- T1033 System Owner/User Discovery
- T1057 Process Discovery
- T1082 System Information Discovery
- T1518 Software Discovery
- T1518.001 Security Software Discovery
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
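To make the TTP list above usable for coverage mapping, the following added example (not threatfilter.dev's code) turns the 19 technique IDs as listed on this page into an ATT&CK Navigator layer and checks the "19 techniques across 6 tactics" tally. It assumes the Navigator layer 4.5 JSON shape (`techniqueID`, `tactic`, `score`, `color`) and maps the page's "Stealth" label to the ATT&CK tactic slug `defense-evasion`, since that is where T1027 and T1036 live in the framework; both the version strings and that mapping are assumptions, not something the profile states.

```python
import json

# Techniques exactly as listed on the Windshift profile: tactic label -> [(ID, name), ...].
WINDSHIFT_TTPS = {
    "Initial Access": [
        ("T1189", "Drive-by Compromise"),
        ("T1566.001", "Spearphishing Attachment"),
        ("T1566.002", "Spearphishing Link"),
        ("T1566.003", "Spearphishing via Service"),
    ],
    "Execution": [
        ("T1047", "Windows Management Instrumentation"),
        ("T1059.005", "Visual Basic"),
        ("T1204.001", "Malicious Link"),
        ("T1204.002", "Malicious File"),
    ],
    "Persistence": [
        ("T1547.001", "Registry Run Keys / Startup Folder"),
    ],
    "Stealth": [
        ("T1027", "Obfuscated Files or Information"),
        ("T1036", "Masquerading"),
        ("T1036.001", "Invalid Code Signature"),
    ],
    "Discovery": [
        ("T1033", "System Owner/User Discovery"),
        ("T1057", "Process Discovery"),
        ("T1082", "System Information Discovery"),
        ("T1518", "Software Discovery"),
        ("T1518.001", "Security Software Discovery"),
    ],
    "Command and Control": [
        ("T1071.001", "Web Protocols"),
        ("T1105", "Ingress Tool Transfer"),
    ],
}

# Assumed mapping from the page's tactic labels to Navigator tactic slugs.
# "Stealth" is this page's label; ATT&CK calls that tactic Defense Evasion.
TACTIC_SLUGS = {
    "Initial Access": "initial-access",
    "Execution": "execution",
    "Persistence": "persistence",
    "Stealth": "defense-evasion",
    "Discovery": "discovery",
    "Command and Control": "command-and-control",
}


def summarize(ttps):
    """Return (technique_count, tactic_count, distinct_parent_technique_count)."""
    ids = [tid for entries in ttps.values() for tid, _ in entries]
    parents = {tid.split(".")[0] for tid in ids}  # T1566.001 -> T1566
    return len(ids), len(ttps), len(parents)


def build_layer(ttps, name="Windshift (threatfilter.dev profile)", color="#ff6666"):
    """Build a Navigator layer dict; one entry per technique, placed under its tactic."""
    entries = []
    for tactic, techs in ttps.items():
        slug = TACTIC_SLUGS[tactic]
        for tid, tname in techs:
            entries.append({
                "techniqueID": tid,
                "tactic": slug,
                "score": 1,
                "color": color,
                "comment": tname,
                "enabled": True,
            })
    return {
        "name": name,
        # Version strings are assumed; adjust to the Navigator instance you load this into.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques attributed to Windshift / Bahamut on threatfilter.dev",
        "techniques": entries,
        "legendItems": [{"label": "Windshift", "color": color}],
    }


def layer_json(ttps):
    """Serialize the layer for import into ATT&CK Navigator."""
    return json.dumps(build_layer(ttps), indent=2)


if __name__ == "__main__":
    n_tech, n_tactics, n_parents = summarize(WINDSHIFT_TTPS)
    print(f"{n_tech} techniques across {n_tactics} tactics ({n_parents} parent techniques)")
    print(layer_json(WINDSHIFT_TTPS))
```

Save the printed JSON to a file and open it via Navigator's "Open Existing Layer"; the sub-technique rows (T1566.001, T1036.001, and so on) light up under their parents without the parents needing their own entries.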
Tools & malware (1)
WindTail
Reporting (3)
- Middle East Cyber-Espionage: analyzing WindShift's implant OSX.WindTail (part 1) — Wardle, Patrick
- Middle East Cyber-Espionage: analyzing WindShift's implant OSX.WindTail (part 2) — Wardle, Patrick
- Trails of WindShift — Karim, T.