{
	"id": "210c32eb-2fea-4037-a19e-a05d78672818",
	"created_at": "2026-04-06T00:08:49.543002Z",
	"updated_at": "2026-04-10T13:11:51.984628Z",
	"deleted_at": null,
	"sha1_hash": "0e1fb7524a3cbac3c015969837ab28c18fab96c6",
	"title": "Copy cat of APT Sidewinder ?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2157130,
	"plain_text": "Copy cat of APT Sidewinder ?\r\nBy Sebdraven\r\nPublished: 2019-07-09 · Archived: 2026-04-05 16:28:09 UTC\r\nOn Twitter this weekend, @Timele9527 thought they had found a new instance of APT Sidewinder.\r\nhttps://twitter.com/Timele9527/status/1147750939576586244\r\nAfter several analyses, it is not APT Sidewinder.\r\nThe execution of the dropper: https://app.any.run/tasks/487b8762-997a-4d68-9072-1111b99967cf\r\nThe dropper uses the same techniques:\r\nDownloading an HTA\r\nDecoding the backdoor and dropping files in %TEMP%\r\nUsing the same name “prebothta”\r\nUsing the same DLL name for the sideloading and the same legitimate software\r\nBut many things are completely different.\r\nOperating Mode\r\nFirst, the dropper downloads the HTA file from vidyasagaracademybrg.in.\r\nThis website belongs to an academic institution.\r\nAfter verification on Google Earth, this location really exists.\r\nYet Sidewinder is linked to India. It would be very strange for this group to compromise the website of an Indian school in order to target Afghan people.\r\nI think it’s not a fake website:\r\nhttps://www.facebook.com/197655951060181/posts/httpwwwvidyasagaracademybrgindefaultaspx/197663174392792/\r\nNetwork\r\nThe second difference is the naming scheme. Usually, Sidewinder uses domains that look like CDN names.\r\nThe protocols of the HTA file and of the backdoor are completely different.\r\nThe backdoor uses a text protocol without encryption:\r\n\u003c|MAINSOCKET|\u003e\u003c|ID|\u003e760–858–340\u003c|\u003e6042\u003c|END|\u003e\u003c|PING|\u003e\u003c|PONG|\u003e\u003c|PING|\u003e\u003c|PONG|\u003e\r\n\u003c|SETPING|\u003e62\u003c|END|\u003e\u003c|PING|\u003e\u003c|PONG|\u003e\u003c|SETPING|\u003e62\u003c|END|\u003e\u003c|PING|\u003e\u003c|PONG|\u003e\r\n\u003c|SETPING|\u003e62\u003c|END|\u003e\u003c|PING|\u003e\u003c|PONG|\u003e\u003c|SETPING|\u003e62\u003c|END|\u003e\u003c|PING|\u003e\u003c|PONG|\u003e\r\n\u003c|SETPING|\u003e62\u003c|END|\u003e\u003c|PING|\u003e\u003c|PONG|\u003e\u003c|SETPING|\u003e62\u003c|END|\u003e\u003c|PING|\u003e\u003c|PONG|\u003e\r\n\u003c|SETPING|\u003e62\u003c|END|\u003e\r\n\u003c|DESKTOPSOCKET|\u003e760–858–340\u003c|END|\u003e\r\nThe victim ID embedded in the protocol is unusual.\r\nSidewinder, by contrast, uses HTTP. For example, for the HTA if all checks are OK:\r\nGET /plugins/17285/93/true/true/\r\nand for the backdoor:\r\nGET /ESmDEr7MDJw1r9jR9O4XGAVcBgCCySlZdmV3WU1J/17285/93/77223451/css HTTP/1.1\r\nExecution\r\nThe first stage of Sidewinder uses RTF exploits, not an LNK in a RAR file.\r\nAnother difference is the persistence with a .bat file; usually it is the RTF exploit which creates a Run key.\r\nThe sideloading loads DUser.dll, which executes an executable, itstr.exe, coded in Delphi, which is the backdoor.\r\nIn the latest instance of Sidewinder the backdoor was written in C++, and its old backdoor was coded in VB6.\r\nThis backdoor is executed in FUN_10001100.\r\nAnd this function is called by DllMain.\r\nUsually, Sidewinder uses a DLL as the backdoor, not an executable file.\r\nIn the installation sequence of the backdoor, this attack does not use .NET serialization, which is an important feature of Sidewinder.\r\nAbout the Backdoor\r\nThe backdoor used is AllaKore_Remote. It is open-source software written in Delphi.\r\nhttps://github.com/Grampinha/AllaKore_Remote\r\nWe found the same protocol.\r\nIn the file https://github.com/Grampinha/AllaKore_Remote/blob/master/Source/Client/Form_Main.pas we found many of the strings present in the function FUN_0062ae18.\r\nSidewinder does not usually use open source.\r\nThreat Intelligence\r\nThis attack is against Afghanistan and the organisation participating in the ICC conference in Paris.\r\nThe image file in the spear-phishing document:\r\n[image]\r\nSidewinder usually targets government or military organisations of Pakistan.\r\nIOCs\r\nMain object - 3a0950b425b60c2e8be38ed1307d5817513a934dac2fed75fad820dd66a4b244\r\nsha256 3a0950b425b60c2e8be38ed1307d5817513a934dac2fed75fad820dd66a4b244\r\nsha1 2848db54d87006714309ce6a1c4ce92e5a29aab7\r\nmd5 7af11efe4454dab75ad2338124be149d\r\nDropped executable files\r\nC:\\ProgramData\\dsk\\credwiz.exe 17eabfb88a164aa95731f198bd69a7285cc7f64acd7c289062cd3979a4a2f5bf\r\nC:\\ProgramData\\dsk\\DUser.dll 709d548a42500b15db4b171711a31a2ab227f508f60d4cde670b2b9081ce56af\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\Windows Cleaner\\itstr.exe 26ca6af15ff8273733a6a386a482357256ac4373a8641e486fb646bc9c525afa\r\ndomain vidyasagaracademybrg.in\r\nip 167.86.116.39\r\nip 143.95.251.24\r\nHTTP/HTTPS requests\r\nurl http://vidyasagaracademybrg.in/scripts/lnk/comm/\r\nurl http://vidyasagaracademybrg.in/scripts/lnk/comm\r\nurl http://vidyasagaracademybrg.in/scripts/am/\r\nurl http://vidyasagaracademybrg.in/scripts/lnk/comm/comm.hta\r\nurl http://vidyasagaracademybrg.in/scripts/am/am_cy_167.hta\r\nSource: https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d"
	],
	"report_names": [
		"copy-cat-of-apt-sidewinder-1893059ca68d"
	],
	"threat_actors": [
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434129,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e1fb7524a3cbac3c015969837ab28c18fab96c6.pdf",
		"text": "https://archive.orkl.eu/0e1fb7524a3cbac3c015969837ab28c18fab96c6.txt",
		"img": "https://archive.orkl.eu/0e1fb7524a3cbac3c015969837ab28c18fab96c6.jpg"
	}
}