The distinctive rattle of APT
SideWinder
Bridewell and Group-IB expose the APT’s unknown infrastructure
May 17, 2023 · 14 min to read · Advanced Persistent Threats
← Blog
Nikita Rostovcev
APAC Technical Head - ASM, TI & DRP
https://www.group-ib.com/blog/hunting-sidewinder/
Page 1 of 29

APT SideWinder Threat Hunting Threat Intelligence
Introduction
In February 2023, Group-IB’s Threat Intelligence team released a technical report about previously
unknown phishing attacks conducted by the APT group SideWinder:
Old Snake, New Skin: Analysis of SideWinder APT activity between June and November 2021. As
always, Group-IB customers and partners were the first to get access to the report through the
interface of Group-IB’sThreat Intelligence platform.
One of them was Bridewell, a leading cyber security services company based in the UK and a long-standing MSSP partner of Group-IB in Europe. Our colleagues from Bridewell have been using
Group-IB’s Threat Intelligence, Digital Risk Protection, and Attack Surface Management solutions to
support the cybersecurity services they offer to its customers.
Bridewell’s in-house threat intelligence experts read Group-IB’s report on SideWinder and came up
with their own significant findings about SideWinder. The Bridewell team shared this information
with our Threat Intelligence unit, which led to this joint blog post. By bringing together the research
capabilities of both companies, we developed and described new hunting methods so that we
could track one of the most prolific APT groups more efficiently.
https://www.group-ib.com/blog/hunting-sidewinder/
Page 2 of 29

Group-IB and Bridewell’s joint research describes how to use publicly available tools to monitor
known SideWinder infrastructure and reveals new malicious servers that could be used in future
attacks.
This blog post provides details of previously unknown infrastructure belonging to APT
SideWinder. In addition, Group-IB and Bridewell researchers share hunting rules for Shodan to
help cybersecurity specialists, threat hunters, and corporate cybersecurity teams pre-empt and
prevent SideWinder attacks.
Join the Cybercrime Fighters Club
The global fight against cybercrime is a collaborative
effort, and that’s why we’re looking to partner with
industry peers to research emerging threats and publish
joint findings on our blog. If you’ve discovered a
breakthrough into a particular threat actor or a
vulnerability in a piece of software, let us know at
blog@group-ib.com, and we can mobilize all our necessary
resources to dive deeper into the issue. All contributions
will be given appropriate credit along with the full backing
of our social media team on Group-IB’s Threat Intelligence Twitter
page, where we regularly share our latest findings into
threat actors’ TTPs and infrastructure, along with our
other social media accounts.
https://www.group-ib.com/blog/hunting-sidewinder/
Page 3 of 29

Acknowledgements: We would like to thank Dmitry Kupin for contributing to this blog post.
Key findings
SideWinder’s servers can be detected using several hunting rules described in this blog post.
Group-IB and Bridewell detected 55 previously unknown IP addresses that SideWinder could
use in future attacks.
The identified phishing domains mimic various organizations in the news, government,
telecommunications, and financial sectors.
SideWinder uses the identified servers as A records for domains that mimic government
organizations in Pakistan, China, and India. These domains are listed in the “
Who are SideWinder’s potential targets?” section of this blog post.
We discovered an APK sample for Android devices. The sample is similar to one mentioned in
Group-IB’s blog post SideWinder.AntiBot.Script.
https://www.group-ib.com/blog/hunting-sidewinder/
Page 4 of 29

Tracking SideWinder’s infrastructure
Description of hunting rules
For several years, SideWinder has been using a unique method of deploying and maintaining its
malicious servers. The APT’s infrastructure is distinct in that servers always return a response with
the 404 status code and the Not Found content when the root page is accessed.
Malicious content is returned only if the victim follows a special link received through either phishing
emails or phishing posts on social media (for example in dedicated Facebook groups). SideWinder’s
network infrastructure can be tracked using the search engines Shodan and Censys if unique
parameters are set correctly.
Our research focuses on 119 IP addresses, which can be divided into two categories: the first one
comprises the APT’s known IP addresses, while the second category covers the group’s IP
addresses that have not been publicly revealed before. A table with all network indicators can be
found at the end of this blog post.
https://www.group-ib.com/blog/hunting-sidewinder/
Page 5 of 29

Shodan hunting rules
SideWinder’s infrastructure can be tracked by using the hunting rules described below in Shodan.
We describe infrastructure links based on these queries.
Using these hunting rules, Group-IB and Bridewell specialists discovered 119 IP addresses that
they attributed to SideWinder, 64 of which were either known to us or mentioned in public
descriptions of the group’s attacks. The other 55 IP addresses belonging to SideWinder have
not been described before.
Known IP addresses
Based on the data obtained using the hunting rules, the following IP addresses and domains were
identified. These are publicly known addresses used by SideWinder and are mentioned here to
show that the hunting rules used are accurate.
IP Hostname
149.154.152.37
paf-govt[.]net
bluedoor[.]click
151.236.21.16 kito.countpro[.]info
158.255.211.188 mofs-gov[.]org
161.129.64.98 msoft-updt[.]net
172.93.162.121 paf-govt[.]info
172.93.189.46 hread[.]live
172.96.189.243 prol[.]info
https://www.group-ib.com/blog/hunting-sidewinder/
Page 6 of 29

185 11790 144 ortra[ ]tech
Previously unknown IP addresses
This section lists the IP addresses and domains that were unknown at the time of our analysis. We
have attributed them with high confidence to SideWinder. We believe that the threat actors could
potentially use this infrastructure in future attacks.
104.128.189.242 cpec[.]site
138.68.160.176
sindhpolice-govpk[.]org
sbp-pk[.]org
helpdesk-gov[.]info
149.154.154.216 shortney[.]org
149.154.154.65 storeapp[.]site
151.236.14.56 reth.cvix[.]cc
151.236.21.70 ptcl-gov[.]org
151.236.25.121
insert.roteh[.]site
active.roteh[.]site
151.236.5.250 ailyun[.]live
All the listed IP addresses were found using hunting rules that we created and have provided in the
“Shodan hunting rules” section. Furthermore, two domains from this list (storeapp[.]site and
ridlay[.]live) are linked to SideWinder’s known infrastructure through the use of identical
registration data in WHOIS records, as shown by Group-IB’s Threat Intelligence platform:
https://www.group-ib.com/blog/hunting-sidewinder/
Page 7 of 29

https://www.group-ib.com/blog/hunting-sidewinder/
Page 8 of 29

The screenshot shows that the domains fia-gov[.]com, hread[.]live, cplix[.]live, govpk-mail[.]org,
appsrv[.]live, ridlay[.]live, bismillah[.]tech, and storeapp[.]site are interrelated — they use of the same
values in WHOIS records (13th street auckland) and similar registration data.
Related files
Analysis of SideWinder’s network infrastructure revealed files related to it. The files are listed in the
table below.
https://www.group-ib.com/blog/hunting-sidewinder/
Page 9 of 29

File name
Malware
type
SHA-1 URL
LKGOD.docx
Malicious
document
e4a8e4673ebfba0cea2d9755535bc93896b44183 hxxs://paknavy[.]
Product.docx
Malicious
document
53a1b84d67b8be077f6d1dd244159262f7d1a0f9 hxxps://cstc-spa
Leakage of
Sensitive
Data on Dark
Web.docx
Malicious
document
59f1d4657244353a156ef8899b817404fd7fedad hxxps://mtss[.]bo
GUIDELINES
FOR
JOURNAL –
2023
PAKISTAN
NAVY WAR
Malicious
document
fcc2d69a02f091593bc4f0b7d4f3cb5c90b4b011 hxxs://pnwc[.]bo
All the files in the table above are part of the first attack stage, which is intended for downloading
the payload (the next stage). At the time of analysis, the payload was not obtained. Below we look at
the files listed in the table in more detail.
LKGOD.docx
The malicious file LKGOD.docx was discovered in March 2023 by a Twitter user with the handle
@StopMalvertisin.
The file was uploaded to VirusTotal for the first time on March 21, 2023 at 06:46:34 UTC from
Pakistan (the city of Islamabad, source: the Web).
File contents (decoy):
https://www.group-ib.com/blog/hunting-sidewinder/
Page 10 of 29

In /word/_rels/document.xml.rels, the malicious document contains a link to download a template:
hxxs://paknavy[.]defpak[.]org/5973/1/8665/2/0/0/0/m/files-f8fd19ec/file.rtf
Product.docx
The malicious file Product.docx was also discovered in March 2023 by the Twitter user
@StopMalvertisin. 
The file was uploaded to VirusTotal on March 10, 2023 at 05:14:05 UTC from Pakistan (the city of
Karachi, source: the Web)
File contents (decoy):
https://www.group-ib.com/blog/hunting-sidewinder/
Page 11 of 29

In /word/_rels/document.xml.rels, the malicious document contains a link to download a template:
hxxps://cstc-spares-vip-163[.]dowmload[.]net/14668/1/1228/2/0/0/0/m/files-403a1120/file.rtf
https://www.group-ib.com/blog/hunting-sidewinder/
Page 12 of 29

Leakage of Sensitive Data on Dark Web.docx
The malicious file Leakage of Sensitive Data on Dark Web.docx was also discovered by
@StopMalvertisin.
The file was uploaded to VirusTotal on March 10, 2023 at 05:21:10 UTC from Pakistan (the city of
Karachi, source: the Web).
File contents (decoy):
It is worth noting that the contents of the document are identical to those of LKGOD.docx.
https://www.group-ib.com/blog/hunting-sidewinder/
Page 13 of 29

In /word/_rels/document.xml.rels, the malicious document contains a link to download a template:
hxxps://mtss[.]bol-south[.]org/5974/1/8682/2/0/0/0/m/files-b2dff0ca/file.rtf
GUIDELINES FOR JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).docx
The malicious file GUIDELINES FOR JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE
(PNWC).docx was discovered by the Twitter user @RedDrip7.
The file was uploaded to VirusTotal for the first time on November 30, 2022 at 10:17:20 UTC from the
UK (city unknown, source: the Web).
File contents (decoy):
https://www.group-ib.com/blog/hunting-sidewinder/
Page 14 of 29

In /word/_rels/document.xml.rels, the malicious document contains a link to download a template:
hxxs://pnwc[.]bol-north[.]com/5808/1/3686/2/0/0/0/m/files-a2e589d2/file.rtf
公管学院关于11月22日起工作安排调整的通知.docx.lnk
The malicious file 公管学院关于11月22日起工作安排调整的通知.docx.lnk was discovered by the user
@Axel_F5:
This LNK file is contained in the archive 公管学院关于11月22日起工作安排调整的通知.zip, which was
distributed via email:
https://www.group-ib.com/blog/hunting-sidewinder/
Page 15 of 29

The archive
公管学院关于11月22日起工作安排调整的通知.zip was uploaded to VirusTotal for the first
time on November 24, 2022 at 13:43:55 UTC from China (the city of Beijing, source: the Web).
Launching the LNK file executes the following command:
Email subject: 公共管理学院关于11月22日起工作安排调整的通知 (Notice of the School of Public
Administration on the adjustment of work arrangements from November 22)
Sender: 陈蕾 (Chen Lei) sppmdw@mail[.]tsinghu[.]edu[.]cn[.]aliyu[.]co
https://www.group-ib.com/blog/hunting-sidewinder/
Page 16 of 29

The LNK file creates a copy of %Windows%\System32\mshta.exe with the name
%ProgramData%\jkli.exe and launches jkli.exe (mshta.exe) to download and execute an HTA file,
which is located at hxxps://mailtsinghua[.]sinacn[.]co/3679/1/55554/2/0/0/0/m/files-94c98cfb/hta.
We came across a similar archive earlier, virus student Data Base 8 (1).zip, which was uploaded to
VirusTotal on October 16, 2022 at 17:55:40 UTC from Sweden (the city of Stockholm, source: the
Web). Like in the previous case, the target of SideWinder’s attack may have been Tsinghua
University, one of the leading universities in China (tsinghua.edu.cn).
It is worth noting that the LNK file 公管学院关于11月22日起工作安排调整的通知.docx.lnk was added to
the archive 公管学院关于11月22日起工作安排调整的通知.zip on November 22, 2022, while the LNK file
student Data Base 8.pdf.lnk was added to the archive virus student Data Base 8 (1).zip on March 3,
2022.
https://www.group-ib.com/blog/hunting-sidewinder/
Page 17 of 29

A similar LNK file, student Data Base 8.pdf.lnk, launches mshta.exe and downloads and executes an
HTA file located at
hxxps://mail[.]tsinghua[.]institute/3206/1/25395/2/0/1/1863616521/3DIm0LGMztTur2KVczxFjB36rLfwn
5b71f8ef/hta (the domain: mail[.]tsinghua[.]institute).
रा ष्ट्रि य गौ रवका आयो जना अध्ययन प्रति वेदन, २०७९.docx.lnk
The malicious file रा ष्ट्रि य गौ रवका आयो जना अध्ययन प्रति वेदन, २०७९.docx.lnk was discovered by a Twitter user
with the handle @jaydinbas.
The LNK रा ष्ट्रि य गौ रवका आयो जना अध्ययन प्रति वेदन, २०७९.docx.lnk is contained in an archive (whose original
name is unknown) that was uploaded to VirusTotal on November 24, 2022 at 10:15:01 UTC from
Nepal (the city of Kathmandu, source: Community).
Launching the LNK executes the following command:
https://www.group-ib.com/blog/hunting-sidewinder/
Page 18 of 29

The LNK creates a copy of %Windows%\System32\mshta.exe with the name
%ProgramData%\jkli.exe and launches jkli.exe (mshta.exe) to download and execute an HTA file
located at hxxps://mailv[.]mofs-gov[.]org:443/3669/1/24459/2/0/1/1850451727/6JOo39NpphBz5V3XOKZff9AGJH3RNAJuLvBQptc1
94603e7f/hta. This LNK file is similar to the LNK file 公管学院关于11月22日起工作安排调整的通
知.docx.lnk mentioned above.
The LNK रा ष्ट्रि य गौ रवका आयो जना अध्ययन प्रति वेदन, २०७९.docx.lnk was added to the archive on November 23,
2022.
https://www.group-ib.com/blog/hunting-sidewinder/
Page 19 of 29

226617
Analysis of the group’s infrastructure by Bridewell specialists revealed a malicious APK file, 226617,
which was uploaded to VirusTotal on March 23, 2023 at 09:34:02 UTC from Sri Lanka (the city of
Colombo, source: the Web). The Group-IB team analyzed the sample.
The APK file 226617 is an Android application disguised as the game Ludo.
https://www.group-ib.com/blog/hunting-sidewinder/
Page 20 of 29

The application is a downloader type of malware that downloads the encrypted payload at
hxxps://games[.]srv-app[.]co/669/1/1970/2/0/0/1764305594/2X1R9Tw7c5eSvLpCCwnl0X7C0zhfHLA6RJzJ0ADS/file
82dfc144/appxed. The payload is a DEX file, launched using the class DexClassLoader.
The link is Base64-encoded and encrypted using the AES-256 ECB algorithm with the key {7e 51 73
44 54 49 ac a1 fe 99 25 f3 25 29 58 e3 5a 45 7c cd 89 d4 87 78 34 3f b2 df c2 60 2c 21} (32 bytes).
Example of the link decrypted in CyberChef:
In addition, the malware has an autostart functionality when the targeted mobile device loads. It is
worth noting that the application partially matches and has similar functionalities to the code of the
application Secure VPN_3.9_apkcombo.com.apk (SHA-1:
c6effe7fcd87f643aebc427e127dd7b00865eafd), which was discovered by Group-IB Threat
Intelligence experts in as early as 2021.
https://www.group-ib.com/blog/hunting-sidewinder/
Page 21 of 29

Experts at Qi An Xin have described SideWinder’s Android applications with similar code. Their
analysis also mentions the application Secure VPN_3.9_apkcombo.com.apk. Moreover, previous
samples featured a similar domain, register[.]srvapp[.]co (games[.]srv-app[.]co in our case).
The two applications, 226617.apk (SHA-1: 779451281e005a9c050c8720104f85b3721ffdf4) and
Secure VPN_3.9_apkcombo.com.apk (SHA-1: c6effe7fcd87f643aebc427e127dd7b00865eafd) are
compared below.
The matching apk_name value “Almighty Allah” in the applications’ string resources
Checking root privileges on a mobile device:
Downloading the DEX file using a URL:
226617.apk (SHA-1: 779451281e005a9c050c8720104f85b3721ffdf4)
226617.apk (SHA-1: 779451281e005a9c050c8720104f85b3721ffdf4)
https://www.group-ib.com/blog/hunting-sidewinder/
Page 22 of 29

A DEX file being loaded into device memory:
List of permissions checked:
Saving the file downloaded from the command-and-control (C2) server as
“/data/data/<package_name>/files/fex/permFex/8496eac3cc33769687848de8fa6384c3”:
226617.apk (SHA-1: 779451281e005a9c050c8720104f85b3721ffdf4)
https://www.group-ib.com/blog/hunting-sidewinder/
Page 23 of 29

Hosting infrastructure
This graph shows the distribution of malicious domains by hosting service provider, for providers
known to be used by SideWinder.
https://www.group-ib.com/blog/hunting-sidewinder/
Page 24 of 29

SideWinder often registers domains whose URL addresses mimic various organizations in Pakistan
and China. In June 2022, Group-IB specialists published a blog post (SideWinder.AntiBot.Script) in
which they described the group’s resources whose URLs mimic Pakistani organizations. It is worth
noting that website contents are sometimes drastically different from what the name suggests.
Who are SideWinder’s potential targets?
The domains discovered by Bridewell and Group-IB specialists suggest that SideWinder could have
planned attacks against financial and government organizations, as well as companies specialized in
e-commerce and mass media in Pakistan and China.
Sector Domain impersonation Legitimate domain Connection
Banking sbp-pk[.]org sbp.org.pk State Bank of Pakistan
Government
organizations
sindhpolice-govpk[.]org sindhpolice.gov.pk Sindh Police
punjabpolice-gov-pk.fia-gov[.]com
punjabpolice.gov.pk Punjab Police
fia-gov[.]com fia.gov.pk
Federal Investigation
Agency
mofs-gov[.]org mofa.gov.org
Ministry of Foreign
Affairs
paf-govt[ ]net pafgovpk Pak Air Force
Conclusion
https://www.group-ib.com/blog/hunting-sidewinder/
Page 25 of 29

SideWinder is among the most active and prolific threat actors out there. According to Group-IB,
between June and November 2021 the group may have targeted as many as 61 organizations in
Asia.
While investigating the threat actors, Group-IB’s and Bridewell’s threat intelligence specialists
identified and attributed a large part of the group’s infrastructure, namely 55 domains and IP
addresses. In addition, our analysis revealed phishing domains imitating news, finance, media,
government, and telecommunications companies.
A close look at the infrastructure used by any group will almost always help with writing hunting
rules that can be then used to learn about that group’s attacks in the making and respond to them
preemptively. The network indicators provided in this blog post can be used to protect against
SideWinder proactively and to search for new infrastructure used by the group.
Like many other APT groups, SideWinder relies on targeted spear phishing as the initial vector. It is
therefore important for organizations to deploy business email protection solutions that detonate
malicious content.
To enrich indicators of compromise and stay up to date with relevant threats, it is more effective to
use threat intelligence solutions.
If your company’s specialists analyze the activity of this or any other APT group, we would be
happy to conduct a joint analysis and publish it on our blog.
#FightAgainstCybercrime
#WeStopAttackers
Strengthen your security posture with
Group-IB Threat Intelligence
Use unique threat intelligence data to prevent attacks
https://www.group-ib.com/blog/hunting-sidewinder/
Page 26 of 29

You might also like:
SideWinder.AntiBot.Script. APT SideWinder’s new tool that narrows their reach to Pakistan
Old Snake, New Skin: Analysis of SideWinder APT activity between June and November 2021
SimpleHarm: Tracking MuddyWater’s infrastructure
Indicators
185.205.187.234
pk.downld[.]net
paknavy-gov-pk.downld.net
downld[.]net
104.128.189.242 cpec[.]site
138.68.160.176
sindhpolice-govpk[.]org
sbp-pk[.]org
helpdesk-gov[.]info
149.154.152.37
paf-govt[.]net
bluedoor[.]click
149.154.154.216 shortney[.]org
149.154.154.65 storeapp[.]site
151.236.14.56 reth.cvix[.]cc
Request a demo
https://www.group-ib.com/blog/hunting-sidewinder/
Page 27 of 29

Share this article
Found it interesting? Don't hesitate to share it to wow your friends or colleagues
Resources
Research Hub
Success Stories
Knowledge Hub
Certificates
Webinars
Podcasts
TOP Investigations
Ransomware Notes
AI Cybersecurity Hub
Products
Threat Intelligence
Fraud Protection
Managed XDR
Attack Surface Management
Digital Risk Protection
Business Email Protection
Cyber Fraud Intelligence
Platform
Unified Risk Platform
Integrations
Partners
Partner Program
MSSP and MDR Partner
Program
Technology Partners
Partner Locator
Company
About Group-IB
Team
CERT-GIB
Careers
https://www.group-ib.com/blog/hunting-sidewinder/
Page 28 of 29

Internship
Academic Aliance
Sustainability
Media Center
Contact
APAC: +65 3159 3798
EU & NA: +31 20 226 90 90
MEA: +971 4 568 1785
info@group-ib.com
© 2003 – 2026 Group-IB is a global leader in the fight against cybercrime, protecting customers
around the world by preventing breaches, eliminating fraud and protecting brands.
Terms of Use Cookie Policy Privacy Policy
Subscription plans Services Resource Center
Subscribe to stay up to date with the
latest cyber threat trends
Business Email*
I understand and agree that my personal
data will be collected and processed
according to the Privacy Policy*
 
Contact
https://www.group-ib.com/blog/hunting-sidewinder/
Page 29 of 29