{
	"id": "b8b65e86-5d7f-4b57-9e3d-c1f9f2a670de",
	"created_at": "2026-04-06T00:13:58.251397Z",
	"updated_at": "2026-04-10T13:12:01.364474Z",
	"deleted_at": null,
	"sha1_hash": "2e5f6913d6d733eaadbca5616815ec02ae2b3883",
	"title": "Tracking APT SideWinder Domains By Combining Regex Patterns, Whois Records and Domain Registrars",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5085158,
	"plain_text": "Tracking APT SideWinder Domains By Combining Regex\r\nPatterns, Whois Records and Domain Registrars\r\nBy Matthew\r\nPublished: 2024-05-23 · Archived: 2026-04-05 15:15:23 UTC\r\nThreat Actors often leverage domain-based infrastructure to host and facilitate malicious operations. When actors\r\ndeploy these new domains, they often leave patterns that can be used to signature the infrastructure and link it to\r\npast known activity. \r\nDeveloping these signatures can be difficult, and there is little public documentation on how they can be\r\nperformed. Today, we will look into a single domain indicator shared on X/Twitter and show you how to analyse it\r\nfor patterns that lead to 36 additional domains. \r\nOur final analysis will review these domains and link them with high confidence to public reports on APT\r\nSideWinder. \r\nOverview\r\nBefore jumping in, here's a summary of what we'll cover in this blog.\r\nObtaining initial intelligence (Domain) From Twitter/X\r\nAnalysing the domain to find a pivot point\r\nPivoting on regular expressions, dates and domain registrars\r\nAdjusting pivots to identify additional domains\r\nParsing data output with CyberChef and JPATH\r\nEnriching output with WHOIS records\r\nEstablishing patterns in subdomains\r\nObtaining public intelligence reports to assist attribution\r\nUsing public reports to link activity to APT SideWinder\r\nInitial Intelligence\r\nOur initial investigation begins with a single domain indicator shared by DocGuard in a recent post on X. \r\nNote the domain's name of docs.mofa-services-server[.]top and consider that MOFA is an acronym for\r\n“Ministry of Foreign Affairs”. This will become important later. 
\r\nhttps://www.embeeresearch.io/advanced-guide-to-infrastructure-analysis-tracking-apt-sidewinder-domains/\r\nPage 1 of 24\n\nOur initial indicator is a domain, so we can begin with domain-based analysis, such as a passive DNS lookup.\r\nThe aim here is to obtain historical records of IP addresses to which the domain has resolved. We want to use the\r\nIP addresses to find other domains associated with the same IP infrastructure. \r\nExecuting A Pivot On Our Initial Domain\r\nRunning a passive DNS lookup in SilentPush reveals that the domain currently resolves to an IP address of\r\n188.114.97[.]3 . This IP is hosted by CloudFlare on ASN 13335 . \r\nCloudFlare is a commercial and \"legitimate\" reverse proxy for network infrastructure. In the context of\r\nThreat investigations, Cloudflare effectively acts as a way of anonymising infrastructure, as the\r\nattacker’s “real” server is hidden behind the CloudFlare proxy.\r\nSince CloudFlare proxies are often shared between thousands of unrelated customers, this complicates\r\nthe analysis process, and hence it is regularly utilised by malicious actors.\r\nWe can try to find related domains by performing a passive DNS lookup for 188.114.97[.]3 ; this will reveal any\r\ndomains that have resolved to the same address. \r\nBelow is the passive DNS lookup for 188.114.97[.]3 , showing a large number of unrelated domains.\r\nOur screenshot above reveals that 801666666 domains have resolved to the same address. \r\nAs mentioned prior, this huge number of related domains is due to the usage of CloudFlare. We can narrow down\r\nthe results by applying additional filters, but the number of results may still be in the tens of thousands. Hence, we\r\nattempted a similar pivot on the parent domain to establish any easier patterns. 
\r\nSince the parent domain is likely to be owned and controlled by the same actor, it can occasionally serve as a more\r\naccessible and more helpful pivot point.\r\nExecuting a Pivot On Our Parent Domain\r\nSince pivoting on the initial docs subdomain had way too many results, we performed a similar lookup on the\r\nparent domain of mofa-services-server[.]top .\r\nParent domains aren’t always given the same protection as subdomains, and since they are typically controlled by\r\nthe same actor, they serve as a far more helpful pivot point. \r\nThe parent domain of mofa-services-server[.]top has only one known IP of 91.195.240[.]123 , which is\r\nhosted on SEDO with ASN 47846 , and was first seen on 2024-03-20 .\r\nA passive DNS lookup on this new IP 91.195.240[.]123 will allow us to determine any domains that have\r\nshared the same address. \r\nPerforming this lookup identifies 770427 related domains. This is a huge number but significantly less than that\r\nof the original CloudFlare IP. \r\nSince this is still a vast number, we can leverage regular expressions to apply additional filtering to narrow down\r\nour results. Performed correctly, this can significantly reduce the number of related domains to a manageable\r\nnumber. \r\n(In this case, regular expressions will reduce the 770427 results down to only 6)\r\nBuilding An Advanced Threat Intelligence Query\r\nAn advanced query allows us to apply specific filters that will significantly reduce the number of results. 
Before\r\nwe can do this, we need to establish what exactly we will filter on.\r\nConsider that we know the following information about mofa-services-server[.]top :\r\nIt's hosted on 91.195.240[.]123\r\nIt uses a .top Top Level Domain\r\nThe domain name contains three words, separated by hyphens\r\nThe domain was first observed on 2024-03-20\r\nAn advanced query allows us to provide this information through date filters, network filters, and regular\r\nexpressions. The below parameters are how they can be applied in SilentPush.\r\n91.195.240[.]123 can be applied as a qanswer filter. \r\nTLD ( .top ) can be applied as \\.top$ at the end of a domain_regex\r\nThree words, separated by hyphens, can be applied as ^[a-z]{1,}\\-[a-z]{1,}\\-[a-z]{1,} at the\r\nbeginning of the domain_regex\r\nThe first observed date can be applied as first_seen_after=2024-03-18 and first_seen_before=2024-03-22 ;\r\nthis allows for a buffer of +/- 2 days on either side.\r\nThe complete regular expression used here is ^[a-z]{1,}\\-[a-z]{1,}\\-[a-z]{1,}\\.top$ and if you are using\r\nSilentPush, the advanced query can be found in Advanced Query Builder -\u003e PADNS Queries -\u003e Live\r\nUnsanctioned Assets Lookup.\r\nBelow we can see what this looks like with the filters applied.\r\nApplying these filters cuts the results down to only 7 domains. This is a great number and is significantly lower\r\nthan the 770427 initially associated with the same IP 91.195.240[.]123 . This means our filters were able to cut\r\nout 770420 results. \r\nThe 7 resulting domains contain recurring “PK” (Pakistan) themes and common acronyms for Government\r\nagencies. \r\nGovernment themes were observed in our initial mofa-services-server[.]top indicator through mofa\r\n(Ministry of Foreign Affairs). 
\r\nParsing JSON Data With CyberChef and JPATH\r\nThe results are returned in JSON format and contain a huge amount of information. We only need the resulting\r\ndomains (for now), so we can use Python or CyberChef to extract the domain field. \r\nFor the sake of simplicity, we leveraged CyberChef and a JPath expression to filter the JSON output to return the\r\n7 resulting domains.\r\nWe achieved this with a JPath expression of response.records[*].query\r\n(If you're unfamiliar with JPath, here is an excellent tutorial for understanding it)\r\nThe 7 resulting domains can be seen clearly below.\r\nThe 7 domains have a recurring theme of Pakistan and Government agencies. We can also observe a recurring\r\ntheme of IT Support services through mentions of updates, server, download and services.  \r\n(Later we'll see how these are TTPs of APT SideWinder)\r\nPK - Shortening of Pakistan\r\nNITB - National Information Technology Board\r\nMOFA - Ministry of Foreign Affairs\r\nGoverment - Misspelling of Government\r\nCabinet - Decision-making arm of the Government\r\nThese similarities indicate that the domains are related and that we’re onto something, especially given they share\r\nthe same IP address and have close registration dates (as required by our filters)\r\nSo far, the domains share the same IP infrastructure, same naming schemes and similar registration dates. We can\r\nbuild on this and establish further commonalities, such as domain registrars, subdomains and associated files. \r\nEnriching Domains With WHOIS Records\r\nOne method we can use to establish further commonalities is to perform WHOIS lookups on the domains. 
A\r\nWHOIS lookup will provide information about who registered the domains and which domain registrar they were\r\nregistered with.\r\nIf the same domain registrar and registration information can be seen across multiple domains, this can be an\r\nindication that the domains are related. \r\nMany services (such as WHOIS) can perform these lookups but are limited to individual searches. We will\r\nleverage SilentPush for our lookups, as it supports bulk searches and significantly speeds up our process. \r\nIf you are using SilentPush, bulk lookups can be performed with Advanced Query Builder -\u003e\r\nEnrichment Queries -\u003e Domain Bulk\r\nAfter exporting the resulting JSON and parsing it with CyberChef, we can see that 6/7 of the domains were\r\nregistered with NameSilo on 2024-03-19 with exact registration times within minutes of each other. \r\nOne of the resulting domains luxury-get-away[.]top features a different naming theme and registration time.\r\nFor the purposes of this blog, we will ignore this domain for the remainder of this analysis. \r\nWe now had 6 related domains, 5 of which were new and discovered through pivoting.\r\nConsider that our analysis established these commonalities between the 6 domains. \r\n1. Same theme of Government Entities and Pakistan\r\n2. Same naming pattern (3 words separated by hyphens)\r\n3. Same Top Level Domain of .top\r\n4. Same registration provider of NameSilo\r\n5. Same IP address 91.195.240[.]123 (and hence, the same ASN 47846 )\r\n6. Same registration date 2024-03-19 and registration times between 04:09 and 04:11\r\nPivoting To Additional Domains\r\nWith 6 domains and 6 commonalities between them, we had a strong base to begin performing additional pivots.  
\r\nWe expanded our search by making the following adjustments to our query. \r\nRelaxing the IP requirement to allow for any IP hosted on SEDO/47846 ,\r\nRequiring NITB, PK or Pakistan keywords in our regex\r\nRelaxing the date requirements to any time after 2024-03-01 . \r\nAdding a registrar requirement of NameSilo\r\nRelaxing the TLD requirements (Any TLD, not just .top )\r\nApplied as an advanced search in SilentPush, this translated to\r\nPakistan keywords, domain_regex=^([^\\.]{1,}\\-|)(nitb|pk|paki(stan|))(\\-[^\\.]{1,}|)\\.[a-z]{1,}$\r\nRegistered with NameSilo registrar=NameSilo\r\nRegistered after 2024-03-01 whois_date_after=2024-03-01\r\nHosted on SEDO/47846 , asnum=47846\r\nHosted on any Top Level Domain \\.[a-z]{1,}$ (located at the end of our domain_regex)\r\nIn SilentPush, this is an advanced domain search which can be found under Advanced Query Builder -\u003e Domain Queries -\u003e Search.\r\nAlso, we'd like to extend a special thanks to the SilentPush research team who helped with this section.\r\nAfter running the search and filtering the JSON output, we obtained five results.\r\nTwo of these results were not present in our initial search. This meant that we now had a total of 8 domains related\r\nto our initial indicator.\r\nThe two new domains were largely thanks to our relaxation of the Top-Level-Domain requirements.\r\nThe new domains correspond to\r\nGovt-pk[.]com\r\nMoma-gov-pk[.]org\r\nWe now had three additional keywords that we could use to expand our search again. 
These keywords correspond\r\nto gov, govt and moma (Ministry of Maritime Affairs).\r\nWe then executed another advanced domain search, identical to before but now with a new regular expression.\r\nGovernment Themes in domain name, domain_regex=^([^\\.]{1,}\\-|)(gov(t|erment|)|moma)(-[^\\.]{1,}|)\\.[a-z]{1,}$\r\nRegistered with NameSilo registrar=NameSilo\r\nRegistered after 2024-03-01 whois_date_after=2024-03-01\r\nHosted on SEDO/47846 , asnum=47846\r\nHosted on any Top Level Domain \\.[a-z]{1,}$\r\nUpdating the previous query to this regex returned 11 results. These results continued the theme of government\r\nentities, with references to \r\nNCSC (Possibly National Centre for Cyber Security)\r\nMOHRE (Ministry of Human Rights)\r\nIRS (Internal Revenue Service)\r\nPPY (possibly Pakistan Patriotic Youth)\r\nThe results demonstrated a new recurring naming theme of govpk and gov-pk , so we again modified the\r\nregular expression to target these domain themes.\r\nGov/Gov-pk keywords in the domain name, domain_regex=^([^\\.]{1,}\\-|)(gov\\-pk|govpk)(-[^\\.]{1,}|)\\.[a-z]{1,}$\r\nRegistered with NameSilo registrar=NameSilo\r\nRegistered after 2024-03-01 whois_date_after=2024-03-01\r\nHosted on SEDO/47846 , asnum=47846\r\nHosted on any Top Level Domain \\.[a-z]{1,}$ (end of domain_regex)\r\nExecuting this new query returned 3 results, two of which are new and feature the government entities listed below.  
\r\nPaknavy (Pakistan Navy)\r\nDGPS (Directorate General Ports and Shipping)\r\nSo far, all of our searches have required the domain to be associated with an ASN number of SEDO/47846 .\r\nOne method we used to identify additional domains was to relax the ASN requirement whilst maintaining the\r\nother parameters.\r\nWe repeated this for all of our searches, with one in particular bringing in new results. \r\nAny domain name containing gov, gov-pk or govpk and hyphens domain_regex=^([^\\.]{1,}\\-|)(gov\\-pk|govpk)(-[^\\.]{1,}|)\\.[a-z]{1,}$\r\nHosted on any Top Level Domain (The final \\.[a-z]{1,}$ in our regex)\r\nHosted on any Autonomous System (removal of the asnum parameter)\r\nRegistered with NameSilo\r\nRegistered after 2024-03-01\r\nExecuting the search with new parameters provided 9 domains, multiple of which were new and continued the\r\ntheme of impersonating Pakistan Government entities.\r\nEP - Express Mail Track \u0026 Trace System\r\nNADRA - National Database and Registration Authority\r\nPTA - Pakistan Telecommunication Authority\r\nWe can continue to use the same concept of relaxing and adjusting parameters to identify additional\r\ndomains. However, to keep this post from getting too long (there are infinite possible pivots), we’ve\r\ndecided to leave the pivoting section here and continue with our currently identified domains. 
\r\nResults from our additional pivots will be included in the final IOC section of this post.\r\nEstablishing Patterns in Subdomains\r\nRecall that the initial domain shared by DocGuard had the primary malicious activity under the docs subdomain\r\nof docs.mofa-services-server[.]top .\r\nWe wanted to see if our new domains had any such subdomains which could establish a further pattern linking the\r\nactivity to the initial domain.\r\nRecall the docs.mofa-services-server[.]top domain shared by DocGuard. The docs subdomain was first\r\nseen on 2024-05-01 , approximately 6 weeks after the parent domain was first registered.\r\nIf you are using SilentPush, this search can be found under Advanced Query Builder -\u003e PADNS Queries\r\n-\u003e Subdomain Records\r\nWe ran an identical search for our documents-server-pk[.]top domain, which revealed a similar pattern where a\r\npmo subdomain was created approximately 6 weeks after the parent domain first appeared.\r\nOne theory is that the Threat Actor is “sitting” on parent domains and then performing malicious\r\nactivity via subdomains at a later date. This may be to avoid domain-based filtering that blocks or alerts\r\non recently registered infrastructure (\u003c30 days old). \r\nRepeating the subdomain searches returned a total of 15 subdomains featuring Government themes and new\r\ngovernment entities of\r\nMOD (Ministry of Defense)\r\nECP (Election Commission of Pakistan)\r\nCTD (Counter Terrorism Department)\r\nLGCD (Local Government and Community Development)\r\nPUBAD (Ministry of Public Administration, Home Affairs and Provincial Councils). 
\r\nWe can see these themes in the screenshot below.\r\nOf additional interest here is that we see domains targeting Sri Lanka (lk) and Nepal, and that the majority of\r\nsubdomains exist under gov-pk[.]com , which is an impersonation of the legitimate domain gov[.]pk .\r\nWe can also observe that pubad.gov.lk.govt-pk[.]com is an impersonation of the legitimate Sri Lankan domain\r\npubad.gov[.]lk .\r\nMost of the identified parent domains did not have an associated subdomain. We believe this is likely due to the\r\n“waiting” that the actor is using after the parent domain is first created. \r\nAt the time of this writing, it had only been 6 days since the first malicious subdomains were observed.\r\nHence, we believe that the remaining subdomains had not yet been created. \r\nLinking Domains to APT SideWinder\r\nAt the time of this writing, we could not find any publicly available reports on our 37 newly identified domains. \r\nHowever, we found two extremely interesting reports by BlackBerry and Group-IB that detail 2023 activity of the\r\nIndian Advanced Persistent Threat (APT) known as SideWinder. This Threat Actor is known for targeting\r\nPakistan, Nepal and Sri Lanka (all in line with the activity we observed so far).\r\nBoth reports provide the following details and TTPs regarding the SideWinder group. 
\r\nPrimary targeting of South Asian countries bordering India\r\nHeavy usage of domains impersonating Government Entities\r\nHeavy targeting of Military and Government Entities\r\nHeavy usage of Initial Access via Weaponized Documents with Government Themes\r\nDomain Similarity, Government Entities and Primary Targeting of South Asian Countries \r\nThe BlackBerry report contains a list of known SideWinder domains targeting South Asian countries.\r\nThe following domains were extracted from the BlackBerry report and show remarkable similarities to those\r\nidentified during our analysis. Note the heavy usage of...\r\nHyphens in domain names\r\nRecurring themes of Government entities\r\nRecurring themes of Pakistan and Sri Lanka\r\nHeavy usage of Subdomains\r\nAlthough we have grouped this under one heading, this screenshot represents 4 unique commonalities between the\r\ndomains we identified and known activity from APT SideWinder. \r\nThe second report from Group-IB shows similar domains with remarkable similarities to those identified in our\r\nanalysis. \r\nPublic Reports of Initial Access Via Weaponized Documents\r\nBoth the Group-IB and BlackBerry reports detail SideWinder activity where initial access is achieved via\r\nweaponised documents with Government Entity themes. \r\nAdditionally, both reports detail a malicious document titled GUIDELINES FOR BEACON JOURNAL – 2023 PAKISTAN\r\nNAVY WAR COLLEGE (PNWC).doc\r\nThe reports detail that this document leveraged a remote template injection vulnerability CVE-2017-0199 to\r\ndownload a remote file named file.rtf that contained obfuscated JavaScript code. \r\nA visual overview of the document (taken from BlackBerry and Group-IB) can be seen below. 
\r\nThe BlackBerry article details another SideWinder document featuring Pakistan Government themes and an\r\noverall well-made and professional-looking email. \r\nWeaponized Documents In Our Newly Identified Domains\r\nReviewing one of our discovered domains paknavy-govpk[.]info on VirusTotal, we can see an associated\r\n.docx file named MoITT_federalemp[.]docx from 2024-04-29 .\r\nThis file, which is linked to our new domains, features the same CVE-2017-0199 exploit as detailed by\r\nBlackBerry and Group-IB.\r\nBy searching the file hash 7dca552bc38f54716c80eb2c4f1f35cf6e5b12a78a5cec8bf335453c1b433cfd on Hybrid-Analysis, we noticed that the document contained Pakistan government themes and an overall similar structure to\r\nthe publicly reported documents.\r\nBelow is the document associated with our domain paknavy-govpk[.]info .\r\nThe usage of Pakistan government themes, weaponized documents and the same exploit CVE-2017-0199 is a\r\nstrong indication that this activity is linked to the public SideWinder reports. \r\nModification of Weaponized Documents\r\nWe could not find any additional presence of weaponised documents leveraging CVE-2017-0199 in our remaining\r\ndomains, although we did observe a change to PDFs linking to password-protected .zip files. 
\r\nThis represented a change in the specific tactic, while continuing the overall tactic of weaponized documents.\r\nThe initial domain docs.mofa-services-server[.]top is related to the following document (shared by\r\nDocGuard in their initial post), which features a password-protected .zip with a password of pmo@letter .\r\nOne of our identified subdomains pmo.documents-server-pk[.]top is related to a similar PDF file linking to a\r\n.zip.\r\nBy taking the hash from VirusTotal and searching it on Hybrid-Analysis, we see a similar theme of Government\r\nentity-themed phishing with password-protected .zip files.\r\nThe end of the document featured a prompt to download a password-protected file.\r\nThe presence of password-protected .zip files (likely containing malware) instead of CVE-2017-0199\r\nrepresents both a strong link (via weaponized docs) and a slight change in SideWinder activity and techniques.\r\nThe overall tactic of weaponized documents is continued, but the specific tactic of CVE-2017-0199 has changed\r\nto a password-protected zip file.\r\nSideWinder Usage of NameSilo\r\nA subset of the older SideWinder domains shared by BlackBerry and Group-IB feature NameSilo as the domain\r\nregistrar.\r\nMany shared domains did not feature NameSilo, but this shows that SideWinder is familiar with NameSilo and\r\nuses it for a subset of their domain infrastructure.\r\nSince all of the domains we featured today utilised NameSilo, this indicates a weaker but still useful connection\r\nbetween the new domains and those already publicly attributed to SideWinder.\r\nConclusion\r\nWe have now analysed a 
single domain indicator with threat intelligence tooling and identified 37 new domains\r\nwith strong relations to known SideWinder activity. We analysed historical records around IP addresses, domain\r\nregistrars, registration dates, associated files, and subdomains.\r\nThe tool used in this analysis was SilentPush. If you'd like to follow along, consider signing up for the Community\r\nEdition.\r\nDomain Indicators\r\nnitb-update-services[.]top\r\nservices-pk-users[.]top\r\nmofa-services-server[.]top\r\ngoverment-pk-update[.]top\r\ndocuments-server-pk[.]top\r\nCabinet-download-server[.]top\r\namazonas-gov[.]co\r\ncnsa-gov[.]com\r\ndgps-govpk[.]co\r\ndgps-govpk[.]com\r\nep-gov-pk[.]christmas\r\nep-gov-pk[.]icu\r\ngov-govpk[.]info\r\nGovt-pk[.]com\r\njustice-gov[.]info\r\nmohre-gov[.]info\r\nmoma-gov-pk[.]org\r\nmy-gov-confirm[.]org\r\nncsc-gov[.]com\r\npaknavy-govpk[.]info\r\nUpdate-govpk[.]co\r\npaknavy-govpk[.]com\r\nctd[.]govt-pk[.]com\r\ndocs[.]mofa-services-server[.]top\r\necp[.]govt-pk[.]com\r\nembajadadenepal[.]es[.]govt-pk[.]com\r\ninvestinnepal[.]gov[.]np[.]govt-pk[.]com\r\nlgcd[.]punjab[.]gov[.]pk[.]govt-pk[.]com\r\nmindef[.]gov[.]pk[.]govt-pk[.]com\r\nmod[.]gov[.]bd[.]govt-pk[.]com\r\nmod[.]gov[.]np[.]govt-pk[.]com\r\nmofa[.]gov[.]bd[.]govt-pk[.]com\r\nmofa[.]gov[.]np[.]govt-pk[.]com\r\npmo[.]documents-server-pk[.]top\r\nprisons[.]punjab[.]govt-pk[.]com\r\npubad[.]gov[.]lk[.]govt-pk[.]com\r\nsparrso[.]gov[.]bd[.]govt-pk[.]com\r\nmail-govpk[.]com\r\nnadra-govpk[.]com\r\npta-govpk[.]com\r\nnewmofa[.]org\r\nupdate-govpk[.]co\r\nmod-gov-pk[.]live\r\npakistan-mofa[.]cloud\r\ns3-network-pakistan[.]online\r\nSource: https://www.embeeresearch.io/advanced-guide-to-infrastructure-analysis-tracking-apt-sidewinder-domains/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.embeeresearch.io/advanced-guide-to-infrastructure-analysis-tracking-apt-sidewinder-domains/"
	],
	"report_names": [
		"advanced-guide-to-infrastructure-analysis-tracking-apt-sidewinder-domains"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434438,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e5f6913d6d733eaadbca5616815ec02ae2b3883.pdf",
		"text": "https://archive.orkl.eu/2e5f6913d6d733eaadbca5616815ec02ae2b3883.txt",
		"img": "https://archive.orkl.eu/2e5f6913d6d733eaadbca5616815ec02ae2b3883.jpg"
	}
}