{ "id": "764389ec-3778-4903-96db-6d39f3c3c9cd", "created_at": "2026-04-06T00:19:07.656504Z", "updated_at": "2026-04-10T03:37:20.239269Z", "deleted_at": null, "sha1_hash": "4a4377490bee85f4dca76c6bd53294fcde43e3e9", "title": "SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 75461, "plain_text": "SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks\r\nPublished: 2020-12-09 · Archived: 2026-04-05 18:52:23 UTC\r\nAll of these cases end up with either the downloading or dropping of files and then the execution of JavaScript code, which\r\nis a dropper used to install the main backdoor + stealer.\r\nThe downloaded RTF files exploit the CVE-2017-11882open on a new tab vulnerability. It drops a file named 1.a (a\r\nJavaScript code), which drops the backdoor + stealer into a folder in ProgramData and directly executes it or creates a\r\nscheduled task to execute the dropped files at a later time.\r\nThe content of the newly created folder contains a few files, including Rekeywiz (EFS REKEY wizard,\r\nFA86B5BC5343CA92C235304B8DCBCF4188C6BE7D4621C625564BEBD5326ED850), which is a legitimate Windows\r\napplication. \r\nThis application loads various system DLL libraries, including shell32.dll, which sideloads DUser.dll, one of shell32’s\r\nDelayImports. \r\nHowever, a fake DUser.dll gets loaded into the process. This fake DLL library decrypts the main backdoor + stealer from\r\nthe .tmp file in the same directory.\r\nThe decryption process is a simple XOR, where the key is the first 32 bytes from the encrypted file and the payload are the\r\nremaining bytes. The decrypted payload is the main backdoor .NET executable binary.\r\nIn Resources, the Default resource contains the encrypted configuration. After decryption (using the same principle as with\r\nthe main backdoor + stealer), the configuration reveals which file formats the attackers are targeting.\r\nThe main functions of the backdoor + stealer are:\r\n1) Downloading the .NET executable and running it\r\n2) Collecting system information and uploading it to the command-and-control (C\u0026C) server\r\n3) Uploading selected files to the C\u0026C server\r\nThe collected information is in JSON format (hence why the Newtonsoft_Json library stored in Resources is loaded) and\r\nincludes information such as privileges, user accounts, computer system information, antivirus programs, running processes,\r\nprocessor information, operating system information, timezone, installed Windows updates, network information, list of\r\ndirectories in Users\\%USERNAME%\\Desktop, Users\\%USERNAME%\\Downloads, Users\\%USERNAME%\\Documents,\r\nUsers\\%USERNAME%\\Contacts, as well as information on all drives and installed apps.\r\nThe spear-phishing attack\r\nWe found several interesting dynamic DNS domains resolving to a server that was used to deliver SideWinder’s malicious\r\ndocuments. The subdomains of these dynamic DNS domains are designed to be similar to the domains of their victims’ mail\r\nservers. For example, “mail-nepalgovnp[.]duckdns[.]org” was created to pretend to be the original Nepal government’s\r\ndomain “mail[.]nepal[.]gov[.]np”.  Digging deeper, we found that it hosted several phishing pages.\r\nThese pages were copied from the webmail servers of various targets and then modified for spear-phishing attacks designed\r\nto steal login credentials. Although it’s not clear to us how these phishing pages are delivered to the victims, finding the\r\noriginal webmail servers that they copied to make these phishing pages allows us to identify who they were targeting.\r\nAnalysis of the phishing pages revealed that most of them would redirect to the original webmail servers, which they copied\r\nafter the victims sent out their login credentials. However, we also found some of them will either redirect to documents or\r\nnews pages. These documents and news are probably interesting in some way to their targets and are used to make them\r\nclick and log in to the phishing pages. While several of the documents are related to Covid-19, we also found some\r\ndocuments or news related to territorial issues in South Asia, including:\r\n“India Should Realise China Has Nothing to Do With Nepal’s Stand on Lipulekh” – a news article that discusses\r\nIndia-China conflictsopen on a new tab in May.\r\n“India reaction after new pak map.pdf” – a document talking about India’s responseopen on a new tab to the new\r\npolitical map revealed by Pakistan in August.\r\n“Ambassador Yanchi Conversation with Nepali_Media.pdf” – a document describing an interview with China's\r\nambassador to Nepal regarding Covid-19, the Belt and Road Initiative, and territorial issuesopen on a new tab in the\r\nHumla district.\r\nThe following table shows their targets, related phishing domains, and lure documents used in each of the phishing attacks.\r\nhttps://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html\r\nPage 1 of 8\n\nDate Phishing Domain\r\nTargeted\r\nOrganization\r\nTargeted Mail server Redirection after login\r\n2019\r\nNov\r\nGovernment of\r\nNepal\r\nmail.nepal.gov.np Redirect to file “IMG_0002.pdf”\r\n2019\r\nNov\r\nMinistry of\r\nDefence, Nepal\r\nmail.mod.gov.np Redirect to original mail server\r\n2019\r\nDec\r\nmail-mofagovnp.zapto[.]org\r\nMinistry of Foreign\r\nAffairs, Nepal\r\nmail.mofa.gov.np\r\nRedirect to web news “China,\r\nNepal sign trade, infrastructure\r\nand security deals”\r\n2019\r\nDec\r\nGovernment of\r\nNepal\r\nmail.nepal.gov.np\r\nRedirect to file\r\n“consultation_1523857630.pdf”\r\n2020\r\nJan\r\nimail.aop.gov-af[.]org\r\nAdministrative\r\nOffice of the\r\nPresident,\r\nAfghanistan\r\nimail.aop.gov.af\r\nRedirect to web page\r\n“Observation Of Technology\r\nUse in Afghanistan Government\r\nSector”\r\n2020\r\nJan\r\nmail-nscaf.myftp[.]org\r\nAfghanistan\r\nNational Security\r\nCouncil\r\nmail.nsc.gov.af\r\nRedirect to\r\nhttps://wikipedia.org/USB_Killer\r\n2020\r\nJan\r\nmail-nepalarmymilnp.duckdns[.]org\r\nNepali Army mail.nepalarmy.mil.np\r\nRedirect to PDF “EN Digital\r\nNepal Framework V8.4 15 July\r\n2019.pdf”\r\n2020\r\nJan\r\nmail-mofagovnp.hopto[.]org\r\nMinistry of Foreign\r\nAffairs, Nepal\r\nmail.mofa.gov.np\r\nRedirect to PDF “national-security-vol-3-issue-1-essay-SSimkhada.pdf”\r\n2020\r\nJan\r\nwebmail.mohe.gov-af[.]org\r\nMinistry of Higher\r\nEducation,\r\nAfghanistan\r\nwebmail.mohe.gov.af Redirect to original mail server\r\n2020\r\nFeb\r\nMinistry of Defense,\r\nSri Lanka\r\nmail.defence.lk Login Error\r\n2020\r\nFeb\r\nmail.moha.gov-np[.]org\r\nMinistry of Home\r\nAffairs, Nepal\r\nmail.moha.gov.np Redirect to original mail server\r\n2020\r\nFeb\r\nmail.nsc.gov-af[.]org\r\nAfghanistan\r\nNational Security\r\nCouncil\r\nmail.nsc.gov.af Redirect to original mail server\r\n2020\r\nFeb\r\nmail.arg.gov-af[.]org\r\nPresidential Palace,\r\nAfghanistan\r\nmail.arg.gov.af Redirect to original mail server\r\nhttps://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html\r\nPage 2 of 8\n\n2020\r\nFeb\r\nmail.arg.gov-af[.]org\r\nPresidential Palace,\r\nAfghanistan\r\nmail.arg.gov.af Redirect to original mail server\r\n2020\r\nFeb\r\nCenter for\r\nEducation and\r\nHuman Resource\r\nDevelopment, Nepal\r\nmail.doe.gov.np\r\nRedirect to file “Para Basic\r\nCourse Joining Instruction.docx”\r\n2020\r\nMar\r\nmail-nepalgovnp.duckdns[.]org\r\nGovernment of\r\nNepal\r\nmail.nepal.gov.np Redirect to original mail server\r\n2020\r\nMar\r\nNepal Electricity\r\nAuthority\r\nmail.nea.org.np Redirect to original mail server\r\n2020\r\nMar\r\nmail-nepalgovnp.duckdns[.]org\r\nGovernment of\r\nNepal\r\nmail.nepal.gov.np\r\nRedirect to file “central data\r\nform.pdf”\r\n2020\r\nMar\r\nmail-nepalarmymilnp.duckdns[.]org\r\nNepali Army mail.nepalarmy.mil.np\r\nRedirect to file “Corona Virus\r\nPreparedness and Response.pdf”\r\n2020\r\nMar\r\nmail-nepalpolicegov.hopto[.]org Nepal Police mail.nepalpolice.gov.np\r\nRedirect to file “1987\r\nConducting training on COVID-19 and keeping it in\r\nreadiness.pdf”\r\n2020\r\nApr\r\nmail-nrborg.hopto[.]org Nepal Rastra Bank mail.nrb.gov.np Redirect to file ”fiu.pdf”\r\n2020\r\nMay\r\nmail-nepalarmymilnp.duckdns[.]org\r\nNepali Army mail.nepalarmy.mil.np\r\nRedirect to web news “India\r\nShould Realise China Has\r\nNothing to Do With Nepal’s\r\nStand on Lipulekh”\r\n2020\r\nJun\r\nmail-nepalarmymilnp.duckdns[.]org\r\nNepali Army mail.nepalarmy.mil.np Showing login failed message\r\n2020\r\nJul\r\nQatar Charity mail.qcharity.org Redirect to original mail server\r\n2020\r\nJul\r\nMyanma Posts and\r\nTelecommunications\r\nwebmail.mpt.net.mm Redirect to original mail server\r\n2020\r\nAug\r\nmail-ncporgnp.hopto[.]org\r\nNepal Communist\r\nParty\r\nmail.ncp.org.np\r\nRedirect to file “India reaction\r\nafter new pak map.pdf”\r\n2020\r\nAug\r\nmail-nscaf.myftp[.]org\r\nAfghanistan\r\nNational Security\r\nCouncil\r\nmail.nsc.gov.af\r\nRedirect to\r\n10[.]77[.]17[.]10/Software/03-\r\nApplications\r\nhttps://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html\r\nPage 3 of 8\n\n2020\r\nSep\r\nmail-mofgovnp.hopto[.]org\r\n                            \r\nMinistry of Finance,\r\nNepal\r\nmail.mof.gov.np\r\nRedirect to file “1987\r\nCovid.pdf”\r\n2020\r\nSep\r\nmail-ncporgnp.hopto[.]org\r\nNepal Communist\r\nParty\r\nmail.ncp.org.np\r\nRedirect to document “The\r\nspectre of a new Maoist conflict\r\nin Nepal”\r\n2020\r\nSep\r\nimail.aop.gov-af[.]org\r\nAdministrative\r\nOffice of the\r\nPresident,\r\nAfghanistan\r\nimail.aop.gov.af\r\nRedirect to file “SOP of Military\r\nUniform .pdf”\r\n2020\r\nOct\r\nmail-nepalpolicegovnp.duckdns[.]org\r\nNepal Police mail.nepalpolice.gov.np\r\nRedirect to file “2077-07-03\r\n1239 Regarding investigation\r\nand action.pdf”\r\n2020\r\nOct\r\nCivil Aviation\r\nAuthority of Nepal\r\nmail.caanepal.gov.np Redirect to original mail server\r\n2020\r\nOct\r\nmail-apfgovnp.ddns[.]net\r\nmail-apfgavnp.hopto[.]org\r\nArmed Police Force,\r\nNepal\r\nmail.apf.gov.np Redirect to original mail server\r\n2020\r\nOct\r\nmail-nscaf.myftp[.]org\r\nAfghanistan\r\nNational Security\r\nCouncil\r\nmail.nsc.gov.af\r\nRedirect to file “IT Services\r\nRequest Form.pdf”\r\n2020\r\nNov\r\nmail-ntcnetnp.serveftp[.]com Nepal Telecom webmail.ntc.net.np Redirect to original mail server\r\n2020\r\nNov\r\nmail-kmgcom.ddns[.]net\r\nKantipur Media\r\nGroup\r\nmail.kmg.com.np Redirect to original mail server\r\n2020\r\nNov\r\nFederal Parliament\r\nof Nepal\r\nmail.parliament.gov.np Redirect to original mail server\r\n2020\r\nNov\r\nPublic Procurement\r\nMonitoring Office,\r\nNepal\r\nmail.ppmo.gov.np Redirect to original mail server\r\n2020\r\nNov\r\nmail-mfagovcn.hopto[.]org\r\nMinistry of Foreign\r\nAffairs, China\r\nmail.mfa.gov.cn\r\nRedirect to file “Ambassador\r\nYanchi Conversation with\r\nNepali_Media.pdf”\r\nAndroid applications\r\nWe also identified multiple Android APK files on their server. Interestingly, these Android applications still seem to be under\r\nthe initial development phase as they are basic, still use the default Android icons, and have no practical function for users.\r\nWe noticed two applications among them, named “My First APP” and “Opinion Poll,” that seemingly have no malicious\r\nbehavior. My First APP demonstrates login \u0026 register processes, while Opinion Poll acts as an opinion polling application\r\nfor the Indian-Nepalese political map dispute. The first application is likely an Android demo application for beginners,\r\nwhile the second one starts with an explanation of “Opinion Writing,” followed by a survey.\r\nhttps://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html\r\nPage 4 of 8\n\nAnother two applications were built from JavaPayload for Metasploitopen on a new tab that will load extra code from the\r\nremote server configured in the sample. While we were unable to retrieve the payload, according to the Manifest that\r\nrequests numerous privacy-related permissions like location, contacts, call logs, etc., we can infer that it goes after the user’s\r\nprivate data. These two samples appear to be debug versions as they have no activities or any other component except\r\nMetasploit.\r\nWe also identified a malicious version of the My First APP application that added Metasploit whose class names have been\r\nobfuscated.\r\nSideWinder has used malicious apps as part of its operation before. In the campaign referenced earlier, the group used\r\nmalicious APKs disguised as photography and file manager tools to lure users into downloading them. Once downloaded\r\ninto the user’s mobile device, the malicious APKs launch a series of fairly sophisticated procedures that includes rooting the\r\ndevice to stealthily deploy the payload, as well as exploiting CVE-2019-2215 and MediaTek-SU vulnerabilities for root\r\nprivileges. The payload’s ultimate goal is to gather information from the compromised device and then send it back to its\r\nC\u0026C server.\r\nIn the case of these newer APKs, it seems that the goal is to gather user information as well. Unlike the earlier apps, which\r\nwere already on the Google Play Store, all the APK files found on their server are not mature enough for a deliberate attack.\r\nIn our opinion, these are still in the initial stage, and the payloads (directed at mobile users) are still being refined further.\r\nConclusion\r\nAs seen with their phishing attacks and their mobile device tools’ continuous development, SideWinder is very proactive in\r\nusing trending topics like Covid-19 or various political issues as a social engineering technique to compromise their targets.\r\nTherefore, we recommend that users and organizations be vigilant and follow social engineering best practicesnews-cybercrime-and-digital-threats to protect themselves from these kinds of campaigns.\r\nIndicator of Compromise\r\nAndroid Part IoCs\r\nIndicator Package name Label C2 server\r\n0c182b51ff1dffaa384651e478155632c6e65820322774e416be20e6d49bb8f9 com.example.firstandoidapp My First\r\nApp\r\n-\r\n061b0379a12b88488db8540226e400e3f65fef9a4c1aa7744da9f17e1d93d78d com.example.opinionpoll OpinionPoll -\r\nfb6ac9d93fd47db3d32f6da6320344a125e96754a94babb9d9d12b6604a42536 com.metasploit.stage MainActivity https://185.225.19[.]4\r\n468b74883536938ef3962655dfcc3ca4097ca9b5b687dfc1fef58d50e96dc248 com.metasploit.stage MainActivity tcp://185.225.19.46[:]\r\na377e5f4bf461b86f938959256b7ab8b1b40bb9fd3cd45951c736a22366a8dd1 com.example.firstandoidapp My First\r\nApp\r\ntcp://185.225.19.46[:]\r\nMalicious documents and related payloads IoCs\r\nIndicator Description Detection\r\n1CBEC920AFE2F978B8F84E0A4E6B757D400AEB96E8C0A221130060B196ECE010 docx Trojan.W97M.CVE20170199.FAIL\r\n7238F4E5EDBE0E5A2242D8780FB58C47E7D32BF2C4F860C88C511C30675D0857 RTF file Trojan.W97M.SIDEWINDER.A\r\n75C158CEA14E338C8D9D32ED988C7032DA9AE6D54F5B1126ED6A83F71B9E03BF 1.a JS file Trojan.JS.SIDEWINDER.A\r\nhttps://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html\r\nPage 5 of 8\n\nAB6E8563214EEB747ABF77F9CC50796CC6A0C0562C6BEC720D7F2C978D34C412\r\nFake\r\nDUser.dll\r\nTrojan.MSIL.SIDEWINDER.A\r\nCBD5C68F5C4345B68F018D9E5810574E8036A2BC4D826BE5C8779E8019449957\r\nFinal\r\npayload\r\nTrojan.Win32.SIDEWINDER.B\r\n34446F7F60F730FCCA145155D10D1AFF0A1153B085836DF38313772CD03C8D70 RTF file Trojan.W97M.CVE201711882.YQUOO\r\n7238F4E5EDBE0E5A2242D8780FB58C47E7D32BF2C4F860C88C511C30675D0857 RTF file Trojan.W97M.SIDEWINDER.A\r\nAB7C1967BF1FEFDFFDE93626B78EB30994655AB02F59E0ADB0935E3E599A953F RTF file Trojan.W97M.SIDEWINDER.A\r\n2548A819E4C597BA5958D2D18BAA544452948E5B00271570192CCD79ABE88E8D 1.a JS file Trojan.JS.SIDEWINDER.A\r\nED5E1D6E914DE64A203F2F32AB95176FC7EFFF3A520915971D5FE748E79D611C 1.a JS file Trojan.JS.SIDEWINDER.A\r\n96BF8F579ACB8D9D0FF116D05FDADEF85953F11E5B2E703041FDAE0ABF5B75DC 1.a JS file Trojan.JS.SIDEWINDER.A\r\n940265867D5668956D64ADF9FC4B9C6CF9E7FCFCF5C21BA7BF0BEA77B5EDD047\r\nFake\r\nDUser.dll\r\nTrojan.MSIL.SIDEWINDER.A\r\nB22946CFEFE8646CB034F358C68CAAE5F30C1CF316CFFEAF77021C099E362C64\r\nFake\r\nDUser.dll\r\nTrojan.MSIL.SIDEWINDER.A\r\n89E392FA49C6A6AEB9056E3D2F38B07D0DD7AF230CD22E3B01C71F05A3AECA0B\r\nFake\r\nDUser.dll\r\nTrojan.MSIL.SIDEWINDER.A\r\nEB2D82DD0799196FCF631E15305676D737DC6E40FF588DCF123EDACD023F1C46\r\nFinal\r\npayload\r\nTrojan.Win32.SIDEWINDER.B\r\n7ECAEFCB46CDDEF1AE201B1042A62DD093594C179A6913A2DE47AB98148545DD\r\nFinal\r\npayload\r\nTrojan.Win32.SIDEWINDER.B\r\n799260B992C77E2E14F2D586665C570142D8425864455CAB5F2575015CD0B87A\r\nFinal\r\npayload\r\nTrojan.Win32.SIDEWINDER.B \r\nbrep.cdn-edu[.]net\r\nRTF\r\ndelivery\r\nserver\r\nwww.mfa.filesrvr[.]net\r\nRTF\r\ndelivery\r\nserver\r\nwww.google.gov-pok[.]net\r\nRTF\r\ndelivery\r\nserver\r\nhttps://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html\r\nPage 6 of 8\n\nap-ms[.]net C\u0026C\r\ncdn-sop[.]net C\u0026C\r\nfqn-cloud[.]net C\u0026C\r\nms-trace[.]net C\u0026C\r\nimail.aop.gov-af[.]org\r\nPhishing\r\nDomain\r\nmail-apfgavnp.hopto[.]org\r\nPhishing\r\nDomain\r\nmail-apfgovnp.ddns[.]net\r\nPhishing\r\nDomain\r\nmail-kmgcom.ddns[.]net\r\nPhishing\r\nDomain\r\nmail-mfagovcn.hopto[.]org\r\nPhishing\r\nDomain\r\nmail-mofagovnp.hopto[.]org\r\nPhishing\r\nDomain\r\nmail-ncporgnp.hopto[.]org\r\nPhishing\r\nDomain\r\nmail-nepalarmymilnp.duckdns[.]org\r\nPhishing\r\nDomain\r\nmail-nepalgovnp.duckdns[.]org\r\nPhishing\r\nDomain\r\nmail-nepalpolicegov.hopto[.]org\r\nPhishing\r\nDomain\r\nmail-nepalpolicegovnp.duckdns[.]org\r\nPhishing\r\nDomain\r\nmail-nrborg.hopto[.]org\r\nPhishing\r\nDomain\r\nmail-nscaf.myftp[.]org\r\nPhishing\r\nDomain\r\nhttps://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html\r\nPage 7 of 8\n\nmail-ntcnetnp.serveftp[.]com\r\nPhishing\r\nDomain\r\nmail.arg.gov-af[.]org\r\nPhishing\r\nDomain\r\nmail.moha.gov-np[.]org\r\nPhishing\r\nDomain\r\nmail.nsc.gov-af[.]org\r\nPhishing\r\nDomain\r\nwebmail.mohe.gov-af[.]org\r\nPhishing\r\nDomain\r\nSource: https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html\r\nhttps://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html" ], "report_names": [ "sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html" ], "threat_actors": [ { "id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e", "created_at": "2023-01-06T13:46:39.080551Z", "updated_at": "2026-04-10T02:00:03.206572Z", "deleted_at": null, "main_name": "RAZOR TIGER", "aliases": [ "APT-C-17", "T-APT-04", "SideWinder" ], "source_name": "MISPGALAXY:RAZOR TIGER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6b9fc913-06c6-4432-8c58-86a3ac614564", "created_at": "2022-10-25T16:07:24.185236Z", "updated_at": "2026-04-10T02:00:04.893541Z", "deleted_at": null, "main_name": "SideWinder", "aliases": [ "APT-C-17", "APT-Q-39", "BabyElephant", "G0121", "GroupA21", "HN2", "Hardcore Nationalist", "Rattlesnake", "Razor Tiger", "SideWinder", "T-APT-04" ], "source_name": "ETDA:SideWinder", "tools": [ "BroStealer", "Capriccio RAT", "callCam" ], "source_id": "ETDA", "reports": null }, { "id": "173f1641-36e3-4bce-9834-c5372468b4f7", "created_at": "2022-10-25T15:50:23.349637Z", "updated_at": "2026-04-10T02:00:05.3486Z", "deleted_at": null, "main_name": "Sidewinder", "aliases": [ "Sidewinder", "T-APT-04" ], "source_name": "MITRE:Sidewinder", "tools": [ "Koadic" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434747, "ts_updated_at": 1775792240, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4a4377490bee85f4dca76c6bd53294fcde43e3e9.pdf", "text": "https://archive.orkl.eu/4a4377490bee85f4dca76c6bd53294fcde43e3e9.txt", "img": "https://archive.orkl.eu/4a4377490bee85f4dca76c6bd53294fcde43e3e9.jpg" } }