Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 19:23:30 UTC

APT group: WindShift

Names:
  WindShift (DarkMatter)
  Windy Phoenix (Palo Alto)
  G0112 (MITRE)
Country: [Unknown]
Motivation: Information theft and espionage
First seen: 2018

Description:
(Palo Alto) In August of 2018, DarkMatter released a report entitled “In the Trails of WindShift APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles were released by Objective-See which provide an analysis of some validated WindShift samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WindShift attack as it unfolded at a Middle Eastern government agency.

Observed:
  Sectors: Government.
  Countries: Middle East.
Tools used: WindTail.
Information: MITRE ATT&CK; Playbook

Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b75fd09b-c1ba-4b08-8adc-61925e605e78