{
	"id": "baca1829-52b1-4eff-b7aa-dd4e0b880e72",
	"created_at": "2026-04-06T00:15:46.328793Z",
	"updated_at": "2026-04-10T13:12:23.595426Z",
	"deleted_at": null,
	"sha1_hash": "0e32d494558bf8022af8e3647247dd9579f5bc01",
	"title": "The distinctive rattle of APT SideWinder | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7021135,
	"plain_text": "The distinctive rattle of APT SideWinder\r\nBridewell and Group-IB expose the APT’s unknown infrastructure\r\nMay 17, 2023 · 14 min to read · Advanced Persistent Threats\r\nNikita Rostovcev\r\nAPAC Technical Head - ASM, TI \u0026 DRP\r\nhttps://www.group-ib.com/blog/hunting-sidewinder/\r\nPage 1 of 29\n\nAPT SideWinder Threat Hunting Threat Intelligence\r\nIntroduction\r\nIn February 2023, Group-IB’s Threat Intelligence team released a technical report about previously\r\nunknown phishing attacks conducted by the APT group SideWinder:\r\nOld Snake, New Skin: Analysis of SideWinder APT activity between June and November 2021. As\r\nalways, Group-IB customers and partners were the first to get access to the report through the\r\ninterface of Group-IB’s Threat Intelligence platform.\r\nOne of them was Bridewell, a leading cyber security services company based in the UK and a long-standing MSSP partner of Group-IB in Europe. Our colleagues from Bridewell have been using\r\nGroup-IB’s Threat Intelligence, Digital Risk Protection, and Attack Surface Management solutions to\r\nsupport the cybersecurity services they offer to their customers.\r\nBridewell’s in-house threat intelligence experts read Group-IB’s report on SideWinder and came up\r\nwith their own significant findings about the group. The Bridewell team shared this information\r\nwith our Threat Intelligence unit, which led to this joint blog post. 
By bringing together the research\r\ncapabilities of both companies, we developed and described new hunting methods so that we\r\ncould track one of the most prolific APT groups more efficiently.\r\nGroup-IB and Bridewell’s joint research describes how to use publicly available tools to monitor\r\nknown SideWinder infrastructure and reveals new malicious servers that could be used in future\r\nattacks.\r\nThis blog post provides details of previously unknown infrastructure belonging to APT\r\nSideWinder. In addition, Group-IB and Bridewell researchers share hunting rules for Shodan to\r\nhelp cybersecurity specialists, threat hunters, and corporate cybersecurity teams pre-empt and\r\nprevent SideWinder attacks.\r\nJoin the Cybercrime Fighters Club\r\nThe global fight against cybercrime is a collaborative effort, and that’s why we’re looking to partner\r\nwith industry peers to research emerging threats and publish joint findings on our blog. If you’ve\r\ndiscovered a breakthrough on a particular threat actor or a vulnerability in a piece of software, let us\r\nknow at blog@group-ib.com, and we can mobilize all our necessary resources to dive deeper into the\r\nissue. 
All contributions\r\nwill be given appropriate credit along with the full backing of our social media team on Group-IB’s\r\nThreat Intelligence Twitter page, where we regularly share our latest findings on threat actors’ TTPs\r\nand infrastructure, along with our other social media accounts.\r\nAcknowledgements: We would like to thank Dmitry Kupin for contributing to this blog post.\r\nKey findings\r\nSideWinder’s servers can be detected using several hunting rules described in this blog post.\r\nGroup-IB and Bridewell detected 55 previously unknown IP addresses that SideWinder could\r\nuse in future attacks.\r\nThe identified phishing domains mimic various organizations in the news, government,\r\ntelecommunications, and financial sectors.\r\nThe identified servers are the A-record targets of domains that mimic government\r\norganizations in Pakistan, China, and India. These domains are listed in the “Who are SideWinder’s\r\npotential targets?” section of this blog post.\r\nWe discovered an APK sample for Android devices. The sample is similar to one mentioned in\r\nGroup-IB’s blog post SideWinder.AntiBot.Script.\r\nTracking SideWinder’s infrastructure\r\nDescription of hunting rules\r\nFor several years, SideWinder has used a distinctive method of deploying and maintaining its\r\nmalicious servers: when the root page is requested, the servers always answer with HTTP status\r\n404 and a body that reads Not Found. A bare 404 at the root is common across the internet, so the\r\nhunting rules combine this response with other parameters of the servers.\r\nMalicious content is returned only if the victim follows a special link received through either phishing\r\nemails or phishing posts on social media (for example in dedicated Facebook groups). 
SideWinder’s\r\nnetwork infrastructure can be tracked using the search engines Shodan and Censys if the unique\r\nparameters are set correctly.\r\nOur research focuses on 119 IP addresses, which can be divided into two categories: the first one\r\ncomprises the APT’s known IP addresses, while the second category covers the group’s IP\r\naddresses that have not been publicly revealed before. A table with all network indicators can be\r\nfound at the end of this blog post.\r\nShodan hunting rules\r\nSideWinder’s infrastructure can be tracked in Shodan by using the hunting rules shown in the original\r\npost. We describe infrastructure links based on these queries.\r\nUsing these hunting rules, Group-IB and Bridewell specialists discovered 119 IP addresses that\r\nthey attributed to SideWinder, 64 of which were either known to us or mentioned in public\r\ndescriptions of the group’s attacks. The other 55 IP addresses belonging to SideWinder have\r\nnot been described before.\r\nKnown IP addresses\r\nBased on the data obtained using the hunting rules, the following IP addresses and domains were\r\nidentified. These are publicly known addresses used by SideWinder and are mentioned here to\r\nshow that the hunting rules used are accurate.\r\nIP address  Hostname(s)\r\n149.154.152.37  paf-govt[.]net, bluedoor[.]click\r\n151.236.21.16  kito.countpro[.]info\r\n158.255.211.188  mofs-gov[.]org\r\n161.129.64.98  msoft-updt[.]net\r\n172.93.162.121  paf-govt[.]info\r\n172.93.189.46  hread[.]live\r\n172.96.189.243  prol[.]info\r\n185.117.90.144  ortra[.]tech\r\nPreviously unknown IP addresses\r\nThis section lists the IP addresses and domains that were unknown at the time of our analysis. We\r\nhave attributed them with high confidence to SideWinder. 
We believe that the threat actors could\r\nuse this infrastructure in future attacks.\r\nIP address  Hostname(s)\r\n104.128.189.242  cpec[.]site\r\n138.68.160.176  sindhpolice-govpk[.]org, sbp-pk[.]org, helpdesk-gov[.]info\r\n149.154.154.216  shortney[.]org\r\n149.154.154.65  storeapp[.]site\r\n151.236.14.56  reth.cvix[.]cc\r\n151.236.21.70  ptcl-gov[.]org\r\n151.236.25.121  insert.roteh[.]site, active.roteh[.]site\r\n151.236.5.250  ailyun[.]live\r\nAll the listed IP addresses were found using hunting rules that we created and have provided in the\r\n“Shodan hunting rules” section. Furthermore, two domains from this list (storeapp[.]site and\r\nridlay[.]live) are linked to SideWinder’s known infrastructure through the use of identical\r\nregistration data in WHOIS records, as shown by Group-IB’s Threat Intelligence platform:\r\nThe screenshot shows that the domains fia-gov[.]com, hread[.]live, cplix[.]live, govpk-mail[.]org,\r\nappsrv[.]live, ridlay[.]live, bismillah[.]tech, and storeapp[.]site are interrelated: they share the same\r\nvalues in their WHOIS records (13th street auckland) and similar registration data.\r\nRelated files\r\nAnalysis of SideWinder’s network infrastructure revealed files related to it. 
The files are listed in the\r\ntable below.\r\nFile name | Malware type | SHA-1 | URL (truncated in the source table; the full links are given in the per-file sections below)\r\nLKGOD.docx | Malicious document | e4a8e4673ebfba0cea2d9755535bc93896b44183 | hxxs://paknavy[.]\r\nProduct.docx | Malicious document | 53a1b84d67b8be077f6d1dd244159262f7d1a0f9 | hxxps://cstc-spa\r\nLeakage of Sensitive Data on Dark Web.docx | Malicious document | 59f1d4657244353a156ef8899b817404fd7fedad | hxxps://mtss[.]bo\r\nGUIDELINES FOR JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).docx | Malicious document | fcc2d69a02f091593bc4f0b7d4f3cb5c90b4b011 | hxxs://pnwc[.]bo\r\nAll the files in the table above are part of the first attack stage, which is intended for downloading\r\nthe payload (the next stage). At the time of analysis, the payload was not obtained. Below we look at\r\nthe files listed in the table in more detail.\r\nLKGOD.docx\r\nThe malicious file LKGOD.docx was discovered in March 2023 by a Twitter user with the handle\r\n@StopMalvertisin.\r\nThe file was uploaded to VirusTotal for the first time on March 21, 2023 at 06:46:34 UTC from\r\nPakistan (the city of Islamabad, source: the Web).\r\nFile contents (decoy):\r\nIn /word/_rels/document.xml.rels, the malicious document contains an external relationship that\r\npoints to a remote template (template injection): Word fetches the template when the document is\r\nopened, which is how the next-stage file.rtf is delivered without the .docx itself needing a macro.\r\nhxxs://paknavy[.]defpak[.]org/5973/1/8665/2/0/0/0/m/files-f8fd19ec/file.rtf\r\nProduct.docx\r\nThe malicious file Product.docx was also discovered in March 2023 by the Twitter user\r\n@StopMalvertisin. 
\r\nThe file was uploaded to VirusTotal on March 10, 2023 at 05:14:05 UTC from Pakistan (the city of\r\nKarachi, source: the Web).\r\nFile contents (decoy):\r\nIn /word/_rels/document.xml.rels, the malicious document contains a link to download a template:\r\nhxxps://cstc-spares-vip-163[.]dowmload[.]net/14668/1/1228/2/0/0/0/m/files-403a1120/file.rtf\r\nLeakage of Sensitive Data on Dark Web.docx\r\nThe malicious file Leakage of Sensitive Data on Dark Web.docx was also discovered by\r\n@StopMalvertisin.\r\nThe file was uploaded to VirusTotal on March 10, 2023 at 05:21:10 UTC from Pakistan (the city of\r\nKarachi, source: the Web).\r\nFile contents (decoy):\r\nIt is worth noting that the contents of the document are identical to those of LKGOD.docx.\r\nIn /word/_rels/document.xml.rels, the malicious document contains a link to download a template:\r\nhxxps://mtss[.]bol-south[.]org/5974/1/8682/2/0/0/0/m/files-b2dff0ca/file.rtf\r\nGUIDELINES FOR JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).docx\r\nThe malicious file GUIDELINES FOR JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE\r\n(PNWC).docx was discovered by the Twitter user @RedDrip7.\r\nThe file was uploaded to VirusTotal for the first time on November 30, 2022 at 10:17:20 UTC from the\r\nUK (city unknown, source: the Web).\r\nFile contents (decoy):\r\nIn /word/_rels/document.xml.rels, the malicious document contains a link to download a template:\r\nhxxs://pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file.rtf\r\n公管学院关于11月22日起工作安排调整的通知.docx.lnk\r\nThe malicious file 公管学院关于11月22日起工作安排调整的通知.docx.lnk (Notice from the School of Public\r\nAdministration on adjusted work arrangements from November 22) was discovered by the user\r\n@Axel_F5. The .docx.lnk double extension makes the Windows shortcut look like a Word document\r\nwhen known file extensions are hidden.\r\nThis LNK file is contained in the archive 公管学院关于11月22日起工作安排调整的通知.zip, which 
was\r\ndistributed via email:\r\nEmail subject: 公共管理学院关于11月22日起工作安排调整的通知 (Notice of the School of Public\r\nAdministration on the adjustment of work arrangements from November 22)\r\nSender: 陈蕾 (Chen Lei) sppmdw@mail[.]tsinghu[.]edu[.]cn[.]aliyu[.]co (a lookalike of the university’s\r\nmail.tsinghua.edu.cn; the registered domain is actually aliyu[.]co)\r\nThe archive 公管学院关于11月22日起工作安排调整的通知.zip was uploaded to VirusTotal for the first\r\ntime on November 24, 2022 at 13:43:55 UTC from China (the city of Beijing, source: the Web).\r\nLaunching the LNK file executes the following command (shown in the original post; not reproduced here):\r\nThe LNK file creates a copy of %Windows%\\System32\\mshta.exe with the name\r\n%ProgramData%\\jkli.exe and launches jkli.exe (mshta.exe) to download and execute an HTA file,\r\nwhich is located at hxxps://mailtsinghua[.]sinacn[.]co/3679/1/55554/2/0/0/0/m/files-94c98cfb/hta.\r\nCopying mshta.exe under a new name defeats detections keyed only on the image path or file name;\r\nthe copy keeps the PE’s original file name (MSHTA.EXE), so process-creation telemetry that records\r\nthat field, such as Sysmon’s OriginalFileName, still identifies it.\r\nWe came across a similar archive earlier, virus student Data Base 8 (1).zip, which was uploaded to\r\nVirusTotal on October 16, 2022 at 17:55:40 UTC from Sweden (the city of Stockholm, source: the\r\nWeb). 
As in the previous case, the target of SideWinder’s attack may have been Tsinghua\r\nUniversity, one of the leading universities in China (tsinghua.edu.cn).\r\nIt is worth noting that the LNK file 公管学院关于11月22日起工作安排调整的通知.docx.lnk was added to\r\nthe archive 公管学院关于11月22日起工作安排调整的通知.zip on November 22, 2022, while the LNK file\r\nstudent Data Base 8.pdf.lnk was added to the archive virus student Data Base 8 (1).zip on March 3,\r\n2022.\r\nA similar LNK file, student Data Base 8.pdf.lnk, launches mshta.exe and downloads and executes an\r\nHTA file located at\r\nhxxps://mail[.]tsinghua[.]institute/3206/1/25395/2/0/1/1863616521/3DIm0LGMztTur2KVczxFjB36rLfwn\r\n5b71f8ef/hta (the domain: mail[.]tsinghua[.]institute).\r\nराष्ट्रिय गौरवका आयोजना अध्ययन प्रतिवेदन, २०७९.docx.lnk\r\nThe malicious file राष्ट्रिय गौरवका आयोजना अध्ययन प्रतिवेदन, २०७९.docx.lnk (Study report on National Pride\r\nProjects, 2079 in the Nepali calendar) was discovered by a Twitter user with the handle @jaydinbas.\r\nThe LNK राष्ट्रिय गौरवका आयोजना अध्ययन प्रतिवेदन, २०७९.docx.lnk is contained in an archive (whose original\r\nname is unknown) that was uploaded to VirusTotal on November 24, 2022 at 10:15:01 UTC from\r\nNepal (the city of Kathmandu, source: Community).\r\nLaunching the LNK executes the following command (shown in the original post; not reproduced here):\r\nThe LNK creates a copy of %Windows%\\System32\\mshta.exe with the name\r\n%ProgramData%\\jkli.exe and launches jkli.exe (mshta.exe) to download and execute an HTA file\r\nlocated at hxxps://mailv[.]mofs-gov[.]org:443/3669/1/24459/2/0/1/1850451727/6JOo39NpphBz5V3XOKZff9AGJH3RNAJuLvBQptc1\r\n94603e7f/hta. 
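The four .docx samples and the LNK-delivered HTA files above share one staging-URL layout: a nume­ric prefix of the form /N/1/N/2/0/{0 or 1}/N/ followed by a files-<8 hex> token or a trailing /hta. Below is an added Python example, written for this edit and not taken from the original post or from Group-IB’s or Bridewell’s tooling, that extracts external relationships from a .docx package (the remote-template stage) and screens URLs against that layout, here over a constructed .docx and constructed proxy-log lines. Treating the layout as a stable fingerprint is an assumption drawn only from the samples quoted in this post; the date-like path in the sample log shows why the numeric prefix alone is not enough.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = 'http://schemas.openxmlformats.org/package/2006/relationships'
TEMPLATE_REL = 'attachedTemplate'   # relationship type suffix for a remote template

# Path layout shared by the staging URLs quoted in the post, e.g.
# /5973/1/8665/2/0/0/0/m/files-f8fd19ec/file.rtf and
# /3206/1/25395/2/0/1/1863616521/.../hta. Treating it as a stable scheme is an
# assumption made by this example, drawn from those samples only.
STAGING_PREFIX = re.compile(r'^/[0-9]+/1/[0-9]+/2/0/[01]/[0-9]+/')
FILES_TOKEN = re.compile(r'/files-[0-9a-f]{8}/')


def url_path(url):
    # Works on defanged URLs (hxxps://host[.]tld/...) as well as real ones.
    rest = url.split('://', 1)[-1]
    slash = rest.find('/')
    return rest[slash:] if slash >= 0 else '/'


def matches_staging_scheme(url):
    '''True when the path has the numeric prefix AND a files-<hex8> token or a /hta tail.

    The second condition matters: a date-like path such as
    /2023/1/15/2/0/0/0/report.pdf satisfies the prefix by accident.
    '''
    path = url_path(url)
    if not STAGING_PREFIX.match(path):
        return False
    return bool(FILES_TOKEN.search(path)) or path.endswith('/hta')


def external_relationships(docx_bytes):
    '''Return (rels_part, relationship_type, target) for every TargetMode=External entry.

    Word resolves external targets when the document opens, so an http(s)
    attachedTemplate relationship is the remote-template stage the post
    describes. Every word/_rels/*.rels part is scanned rather than just
    document.xml.rels, because the attachedTemplate relationship may also
    live in settings.xml.rels.
    '''
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not (name.startswith('word/_rels/') and name.endswith('.rels')):
                continue
            root = ET.fromstring(package.read(name))
            for rel in root.iter('{' + REL_NS + '}Relationship'):
                if rel.get('TargetMode') != 'External':
                    continue
                rel_type = rel.get('Type', '').rsplit('/', 1)[-1]
                found.append((name, rel_type, rel.get('Target', '')))
    return found


def triage_docx(docx_bytes):
    '''Label each external relationship as remote-template or external-ref, and append
    +staging-path when the target follows the scheme above.'''
    verdicts = []
    for part, rel_type, target in external_relationships(docx_bytes):
        label = 'remote-template' if rel_type == TEMPLATE_REL and '://' in target else 'external-ref'
        if matches_staging_scheme(target):
            label += '+staging-path'
        verdicts.append((part, label, target))
    return verdicts


def hunt_proxy_log(lines):
    '''Return (client, url) for log lines (timestamp client url status) whose URL matches.'''
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and matches_staging_scheme(fields[2]):
            hits.append((fields[1], fields[2]))
    return hits


def build_sample_docx(template_url):
    '''Constructed minimal .docx whose document.xml.rels carries a remote template.'''
    rels = '''<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<Relationships xmlns='%s'>
<Relationship Id='rId1' Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink' Target='https://example.org/' TargetMode='External'/>
<Relationship Id='rId2' Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate' Target='%s' TargetMode='External'/>
</Relationships>
''' % (REL_NS, template_url)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as package:
        package.writestr('[Content_Types].xml', '<Types/>')
        package.writestr('word/document.xml', '<document/>')
        package.writestr('word/_rels/document.xml.rels', rels)
    return buf.getvalue()


# Constructed proxy-log lines (not real telemetry); URLs kept defanged as in the post.
SAMPLE_PROXY_LOG = '''
2023-03-21T06:40:01Z 10.0.0.15 hxxs://paknavy[.]defpak[.]org/5973/1/8665/2/0/0/0/m/files-f8fd19ec/file.rtf 200
2023-03-21T06:40:02Z 10.0.0.15 https://www.example.com/news/2023/03/21/item/1 200
2023-03-21T06:41:10Z 10.0.0.22 hxxps://mailtsinghua[.]sinacn[.]co/3679/1/55554/2/0/0/0/m/files-94c98cfb/hta 200
2023-03-21T06:41:11Z 10.0.0.31 https://www.example.com/2023/1/15/2/0/0/0/report.pdf 200
'''.strip().splitlines()

if __name__ == '__main__':
    sample = build_sample_docx('hxxs://paknavy[.]defpak[.]org/5973/1/8665/2/0/0/0/m/files-f8fd19ec/file.rtf')
    for part, label, target in triage_docx(sample):
        print(part, label, target)
    for client, url in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print('staging URL requested by', client, url)
```

The .docx check reports the legitimate hyperlink relationship as a plain external reference and only the attachedTemplate entry as a remote template, so it can run over a mail gateway’s attachment queue without flagging every document that contains a link; the proxy-log pass keeps the first and third constructed lines and discards the date-like fourth one.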
The LNK file राष्ट्रिय गौरवका आयोजना अध्ययन प्रतिवेदन, २०७९.docx.lnk is similar to the LNK file\r\n公管学院关于11月22日起工作安排调整的通知.docx.lnk described above, and it was added to its archive on\r\nNovember 23, 2022.\r\n226617\r\nAnalysis of the group’s infrastructure by Bridewell specialists revealed a malicious APK file, 226617,\r\nwhich was uploaded to VirusTotal on March 23, 2023 at 09:34:02 UTC from Sri Lanka (the city of\r\nColombo, source: the Web). The Group-IB team analyzed the sample.\r\nThe APK file 226617 is an Android application disguised as the game Ludo.\r\nThe application is a downloader that fetches an encrypted payload from\r\nhxxps://games[.]srv-app[.]co/669/1/1970/2/0/0/1764305594/2X1R9Tw7c5eSvLpCCwnl0X7C0zhfHLA6RJzJ0ADS/file\r\n82dfc144/appxed. The payload is a DEX file, which is loaded at runtime with the class DexClassLoader.\r\nThe stored link is Base64-encoded and AES-256-ECB-encrypted with the 32-byte key {7e 51 73 44 54 49\r\nac a1 fe 99 25 f3 25 29 58 e3 5a 45 7c cd 89 d4 87 78 34 3f b2 df c2 60 2c 21}. Because the key\r\nships inside the APK, the URL can be recovered statically from any sample that reuses it.\r\nExample of the link decrypted in CyberChef:\r\nIn addition, the malware starts automatically when the device boots. It is\r\nworth noting that the application partially matches and has similar functionality to the code of the\r\napplication Secure VPN_3.9_apkcombo.com.apk (SHA-1:\r\nc6effe7fcd87f643aebc427e127dd7b00865eafd), which was discovered by Group-IB Threat\r\nIntelligence experts as early as 2021.\r\nExperts at Qi An Xin have described SideWinder’s Android applications with similar code. Their\r\nanalysis also mentions the application Secure VPN_3.9_apkcombo.com.apk. 
Moreover, previous\r\nsamples featured a similar domain, register[.]srvapp[.]co (games[.]srv-app[.]co in our case).\r\nThe two applications, 226617.apk (SHA-1: 779451281e005a9c050c8720104f85b3721ffdf4) and\r\nSecure VPN_3.9_apkcombo.com.apk (SHA-1: c6effe7fcd87f643aebc427e127dd7b00865eafd), are\r\ncompared in the original post through side-by-side screenshots, which show:\r\nthe matching apk_name value “Almighty Allah” in the applications’ string resources;\r\nthe check for root privileges on the mobile device;\r\nthe download of the DEX file from a URL;\r\nthe DEX file being loaded into device memory;\r\nthe list of permissions checked;\r\nthe file downloaded from the command-and-control (C2) server being saved as\r\n“/data/data/\u003cpackage_name\u003e/files/fex/permFex/8496eac3cc33769687848de8fa6384c3”.\r\nHosting infrastructure\r\nThe graph in the original post shows the distribution of malicious domains by hosting service provider,\r\nfor providers known to be used by SideWinder.\r\nSideWinder often registers domain names that mimic various organizations in Pakistan\r\nand China. In June 2022, Group-IB specialists published a blog post (SideWinder.AntiBot.Script) in\r\nwhich they described the group’s resources whose URLs mimic Pakistani organizations. 
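One way to turn this naming pattern into a hunt, as an added example written for this edit and not the original post’s or Group-IB’s code: given the legitimate Pakistani domains named in this post, flag candidate domains that carry the organization’s label (exact, or one edit away, as mofs is from mofa) followed by a gov, govt, govpk or pk style fragment, while leaving the real domain and its genuine subdomains alone. The rule shape and the fragment expansion are this example’s assumptions, fitted to the impersonations listed in this post; the candidate list is constructed from domains that appear here.

```python
# Legitimate domains named in the post as the impersonation targets.
LEGIT_DOMAINS = [
    'sbp.org.pk',
    'sindhpolice.gov.pk',
    'punjabpolice.gov.pk',
    'fia.gov.pk',
    'mofa.gov.pk',
    'paf.gov.pk',
]


def tokens(domain):
    '''Split a host name on dots and hyphens: sindhpolice-govpk.org gives
    [sindhpolice, govpk, org], which makes gov-pk and govpk comparable.'''
    return [t for t in domain.lower().replace('-', '.').split('.') if t]


def suffix_fragments(suffix_labels):
    '''Fragments the actor glues to the organization token in place of the real
    suffix: the labels themselves (gov, pk), govt for gov, and the labels run
    together (govpk). This expansion is an assumption of the example.'''
    frags = set(suffix_labels)
    if 'gov' in frags:
        frags.add('govt')
    frags.add(''.join(suffix_labels))
    return frags


def edit_distance(a, b):
    '''Plain Levenshtein distance, enough to pair mofs with mofa.'''
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_matches(candidate, legit_domains=LEGIT_DOMAINS):
    '''Return the legitimate domains that candidate appears to impersonate.

    Accepts defanged input (sbp-pk[.]org). The real domain and its genuine
    subdomains (mail.fia.gov.pk) are never reported; fuzzy matching of the
    organization token is allowed only when it has at least four characters,
    so short tokens such as sbp or paf must match exactly.
    '''
    cand = candidate.lower().replace('[.]', '.').strip('.')
    toks = tokens(cand)
    hits = []
    for legit in legit_domains:
        if cand == legit or cand.endswith('.' + legit):
            continue
        legit_toks = tokens(legit)
        org, frags = legit_toks[0], suffix_fragments(legit_toks[1:])
        for i, tok in enumerate(toks):
            near = tok == org or (len(org) >= 4 and edit_distance(tok, org) == 1)
            if near and any(t in frags for t in toks[i + 1:]):
                hits.append(legit)
                break
    return hits


def hunt_domains(candidates, legit_domains=LEGIT_DOMAINS):
    '''Map each candidate that looks like an impersonation to the domains it mimics.'''
    report = {}
    for cand in candidates:
        hits = lookalike_matches(cand, legit_domains)
        if hits:
            report[cand] = hits
    return report


# Constructed candidate list: domains taken from the tables in this post plus
# two controls (a genuine subdomain and an unrelated name).
SAMPLE_CANDIDATES = [
    'sbp-pk[.]org',
    'sindhpolice-govpk[.]org',
    'punjabpolice-gov-pk.fia-gov[.]com',
    'fia-gov[.]com',
    'mofs-gov[.]org',
    'paf-govt[.]net',
    'ptcl-gov[.]org',
    'cpec[.]site',
    'mail.fia.gov.pk',
]

if __name__ == '__main__':
    for cand, hits in hunt_domains(SAMPLE_CANDIDATES).items():
        print(cand, '->', ', '.join(hits))
```

The limit of this approach is its allowlist: ptcl-gov[.]org from the indicator table is not reported because no ptcl domain is in LEGIT_DOMAINS, so the list of protected brands has to be maintained deliberately; the subdomain-of-a-real-domain check is what keeps mail.fia.gov.pk out of the report.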
It is worth\r\nnoting that the content of such a site is sometimes drastically different from what its name suggests.\r\nWho are SideWinder’s potential targets?\r\nThe domains discovered by Bridewell and Group-IB specialists suggest that SideWinder could have\r\nplanned attacks against financial and government organizations, as well as companies specialized in\r\ne-commerce and mass media in Pakistan and China.\r\nSector | Impersonating domain | Legitimate domain | Organization\r\nBanking | sbp-pk[.]org | sbp.org.pk | State Bank of Pakistan\r\nGovernment organizations | sindhpolice-govpk[.]org | sindhpolice.gov.pk | Sindh Police\r\nGovernment organizations | punjabpolice-gov-pk.fia-gov[.]com | punjabpolice.gov.pk | Punjab Police\r\nGovernment organizations | fia-gov[.]com | fia.gov.pk | Federal Investigation Agency\r\nGovernment organizations | mofs-gov[.]org | mofa.gov.pk | Ministry of Foreign Affairs\r\nGovernment organizations | paf-govt[.]net | paf.gov.pk | Pakistan Air Force\r\nConclusion\r\nSideWinder is among the most active and prolific threat actors out there. According to Group-IB,\r\nbetween June and November 2021 the group may have targeted as many as 61 organizations in\r\nAsia.\r\nWhile investigating the threat actors, Group-IB’s and Bridewell’s threat intelligence specialists\r\nidentified and attributed a large part of the group’s infrastructure: 55 previously unknown IP\r\naddresses and the domains hosted on them. In addition, our analysis revealed phishing domains\r\nimitating news, finance, media, government, and telecommunications companies.\r\nA close look at the infrastructure used by any group will almost always help with writing hunting\r\nrules that can then be used to learn about that group’s attacks in the making and respond to them\r\npreemptively. The network indicators provided in this blog post can be used to protect against\r\nSideWinder proactively and to search for new infrastructure used by the group.\r\nLike many other APT groups, SideWinder relies on targeted spear phishing as the initial vector. 
It is\r\ntherefore important for organizations to deploy business email protection solutions that detonate\r\nmalicious content.\r\nTo enrich indicators of compromise and stay up to date with relevant threats, it is more effective to\r\nuse threat intelligence solutions.\r\nIf your company’s specialists analyze the activity of this or any other APT group, we would be\r\nhappy to conduct a joint analysis and publish it on our blog.\r\n#FightAgainstCybercrime\r\n#WeStopAttackers\r\nYou might also like:\r\nSideWinder.AntiBot.Script. APT SideWinder’s new tool that narrows their reach to Pakistan\r\nOld Snake, New Skin: Analysis of SideWinder APT activity between June and November 2021\r\nSimpleHarm: Tracking MuddyWater’s infrastructure\r\nIndicators (only the beginning of the indicator table survived extraction; the full table is in the original post)\r\nIP address  Hostname(s)\r\n185.205.187.234  pk.downld[.]net, paknavy-gov-pk.downld[.]net, downld[.]net\r\n104.128.189.242  cpec[.]site\r\n138.68.160.176  sindhpolice-govpk[.]org, sbp-pk[.]org, helpdesk-gov[.]info\r\n149.154.152.37  paf-govt[.]net, bluedoor[.]click\r\n149.154.154.216  shortney[.]org\r\n149.154.154.65  storeapp[.]site\r\n151.236.14.56  reth.cvix[.]cc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/hunting-sidewinder/"
	],
	"report_names": [
		"hunting-sidewinder"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434546,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e32d494558bf8022af8e3647247dd9579f5bc01.pdf",
		"text": "https://archive.orkl.eu/0e32d494558bf8022af8e3647247dd9579f5bc01.txt",
		"img": "https://archive.orkl.eu/0e32d494558bf8022af8e3647247dd9579f5bc01.jpg"
	}
}