{
	"id": "d8d3c2e2-a70c-4060-9dc7-b3dc20a1241d",
	"created_at": "2026-04-06T00:21:49.933584Z",
	"updated_at": "2026-04-10T13:13:01.432824Z",
	"deleted_at": null,
	"sha1_hash": "157d2c8f31bc91b72da6a1c630170b96ea1ddd3e",
	"title": "SideWinder, Rattlesnake - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70403,
	"plain_text": "SideWinder, Rattlesnake - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 16:21:23 UTC\nHome \u003e List all groups \u003e SideWinder, Rattlesnake\n APT group: SideWinder, Rattlesnake\nNames\nSideWinder (Kaspersky)\nRattlesnake (Tencent)\nRazor Tiger (CrowdStrike)\nT-APT-04 (Tencent)\nAPT-C-17 (Qihoo 360)\nHardcore Nationalist (?)\nHN2 (?)\nAPT-Q-39 (?)\nBabyElephant (?)\nGroupA21 (?)\nG0121 (MITRE)\nCountry India\nMotivation Information theft and espionage\nFirst seen 2012\nDescription\n(Kaspersky) An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence t\nmalware might be authored by an Indian company. To spread the malware, they use unique implementations to lever\nexploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stage\nObserved\nSectors: Defense, Government, Maritime and Shipbuilding.\nCountries: Afghanistan, Bangladesh, Bhutan, Cambodia, China, Djibouti, Egypt, Maldives, Myanmar, Nepal, Pakista\nLanka, Turkey, UAE, Vietnam.\nTools used BroStealer, callCam, Capriccio RAT.\nOperations performed\nMar 2019\nFirst Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT\nJun 2021\nOld Snake, New Skin: Analysis of SideWinder APT activity between June and November 2021\nMar 2022\nSideWinder’s malicious document, which also exploits the Russia-Ukraine conflict, was uploaded to\nmiddle of March.\nMay 2022\nGroup-IB Threat Intelligence researchers have discovered a new malicious infrastructure and a cust\nthe APT group SideWinder\nNov 2022\nSideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials — and Is Now\nTurkey\n2024\nSideWinder targets the maritime and nuclear sectors with an updated toolset\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5d4ae207-898e-4cb8-9d60-8bfa060abf42\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5d4ae207-898e-4cb8-9d60-8bfa060abf42"
	],
	"report_names": [
		"showcard.cgi?u=5d4ae207-898e-4cb8-9d60-8bfa060abf42"
	],
	"threat_actors": [
		{
			"id": "031ca94c-6a81-4cdc-b0d4-2f6d388801eb",
			"created_at": "2022-10-25T16:07:24.100451Z",
			"updated_at": "2026-04-10T02:00:04.866192Z",
			"deleted_at": null,
			"main_name": "Razor Tiger",
			"aliases": [],
			"source_name": "ETDA:Razor Tiger",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/157d2c8f31bc91b72da6a1c630170b96ea1ddd3e.pdf",
		"text": "https://archive.orkl.eu/157d2c8f31bc91b72da6a1c630170b96ea1ddd3e.txt",
		"img": "https://archive.orkl.eu/157d2c8f31bc91b72da6a1c630170b96ea1ddd3e.jpg"
	}
}