{
	"id": "7531ac77-5f11-4831-be36-3158ba575281",
	"created_at": "2026-04-06T02:11:23.5286Z",
	"updated_at": "2026-04-10T03:37:20.279716Z",
	"deleted_at": null,
	"sha1_hash": "59ef2cc33a40fc9bb40d99da43f637ef8f3c8ef6",
	"title": "Sidewinder APT Group Campaign Analysis - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81962,
	"plain_text": "Sidewinder APT Group Campaign Analysis - Rewterz\r\nPublished: 2020-04-20 · Archived: 2026-04-06 01:59:28 UTC\r\nSummary\r\n1. Hardcore Nationalist (HN2), aka the Sidewinder APT group, which has been operating in the interest of the Indian Government, has been observed targeting Pakistani Government officials in its latest campaign, which uses a decoy document related to COVID-19.\r\n2. Analysis shows that the document was named Additional_CSD_Rebate.pdf, an on-demand machine-generated document. Its content is designed to entice the target with bogus information: it is received by the end user as an official notification of discounts for Pakistani officials (Pakistan Army). When the user clicks on the document, it redirects to another malicious website (http[:]//nrots[.]net/rdg[.]html) to download a further PDF document (shown below) and a compiled ‘.hta’ file (an HTML Application run by the native Microsoft Windows utility ‘mshta.exe’), created by the attacker to execute on the Windows operating system using web technologies as a background job.\r\n3. Reviewing the static code of the .hta file, the following activities were observed and deobfuscated. The .hta file contains 5 main functions that perform the following operations:\r\n1. The first three are used purely to de-obfuscate the entire code.\r\n2. The fourth function de-serializes the payload in order to execute it and make a connection to its CnC server.\r\n3. The fifth function checks the environment for specific compatibility requirements and binaries of a specific version (.NET Framework version, csc.exe etc.).\r\n4. It was also observed that the attacker used a custom obfuscation technique built on the bitwise ‘left shift’ and ‘OR’ operators to avoid detection.\r\n5. 
After executing this piece of malware in a sandbox, it is identified as a generic trojan, and it appears that the attacker used the native utility ‘rekeywiz.exe’ to encrypt its piece of code on the system.\r\n6. It was also observed that the attackers used persistence techniques and added rekeywiz.exe to the registry so that its code executes whenever it receives instructions from the CnC server.\r\n7. It was also observed that the attacker used two CnC servers to perform further actions; these are no longer available and have been taken down.\r\nhttps://www.rewterz.com/threats/sidewinder-apt-group-campaign-analysis\r\nPage 1 of 5\r\nDuring analysis and review of the code, it was concluded that the code for this malware was copied from the open-source platform GitHub and can be downloaded from (https://gist[.]github[.]com/NickTyrer/0604bb9d7bcfef9e0cf82c28a7b76f0f/). However, three main functions were created manually by the attacker to deobfuscate the strings of the code.\r\nCharacteristics\r\nIt was identified that the attacker used multiple obfuscation techniques, which attackers use to hide the attack, avoid detection, and make it hard to decode the key string, the actual payload and the command instructions. 
The script achieved the obfuscation by using bitwise operations such as “Left Shift” and “OR”, a “StringASCII” conversion, and a power operation using the key, to make every single string of the script more complicated and harder to deobfuscate.\r\nStatic code revealed that the malware tries to communicate with its command and control (CnC) server (obfuscated code shown below in the URL variable) by resolving that variable into a URL; it is also defined in the malicious JavaScript code.\r\nAfter deobfuscation of the above URL variable with the help of the key generated by the first three functions, we obtained the following artifacts:\r\nhttp://www[.]d01fa[.]net/plugins/16364/11542/true/true/\r\nhttp://www[.]d01fa.net/cgi/8ee4d36866/16364/11542/58a3a04b/file.hta\r\nPak_Army_Deployed_in_Country_in_Fight_Against_Coronavirus.pdf\r\nNote: These links are currently down and were used for malicious purposes.\r\nThese websites are still live but the actual payload has been removed.\r\nThe script contains the malicious payload in itself, encoded in Base64 format.\r\nAfter decoding the Base64 data into the executable payload, which is executed by the mshta.exe process, we obtained the following payload instructions.\r\nIt renders the file in the browser and in the PDF viewer as well. 
On the victim’s screen it displays as shown below, but at the same time it executes the malicious payload / code in the background (detailed behavior shown below), establishes a communication channel with its CnC server and uploads system information.\r\nCurrently both sites hosted on these IPs (mentioned above) are down and no longer available.\r\nDependencies\r\nThe following are the dependencies of the malware.\r\nIt checks whether “\\Microsoft.NET\\Framework\\” version 2 or above is installed and, if so, returns the available version.\r\nAfter deobfuscation, the result is given below:\r\nIt checks whether “csc.exe” exists or not.\r\nAfter deobfuscation, the result is given below:\r\nIt also uses the “ActiveXObject” utility to help its execution through Microsoft products and internet browsers. The ActiveXObject object is used to create instances of OLE Automation objects in Internet Explorer on Windows operating systems. Several applications (Microsoft Office Word, Microsoft Office Excel, Windows Media Player, etc.) provide OLE Automation objects to allow communication with them.\r\nBehavioural Findings Through Static Code Analysis\r\nTaking a static overview of the obfuscated code, several findings stand out, highlighted below:\r\nFirst it executes the sNhGuFF(key, bytes) function, calling the jtgj(str) function for the second parameter of sNhGuFF(key, bytes), to initialize the value of the variable keeee, which is used to decrypt the strings contained in the script.\r\nThe jtgj(str) function takes a string as input and converts the string into ASCII characters. 
It then performs the bitwise operations Left shift and OR and returns the value in bytes format, which is passed as the second parameter of the sNhGuFF(key, bytes) function.\r\nThe sNhGuFF(key, bytes) function takes a key and bytes as input: the key parameter receives the value of the variable keeee and the bytes parameter receives the value returned by the jtgj(str) function.\r\nThe JBymWinJ(bsix) function takes an encoded value from the script and returns the decoded value by using the functions jtgj(str) and sNhGuFF(key, bytes) and the variable keeee.\r\nIt then initializes the serialized data in the variable da, which is used at the end of the script.\r\nIt then checks the “\\Microsoft.NET\\Framework\\” directory to see whether the default Windows utility “csc.exe” exists or not, and which version.\r\nThen it creates a “WScript.Shell” object, which is used to access OS shell methods, with the specific version of the “Microsoft.NET” utility. As shown below in the figure, it creates the WScript.Shell object and defines the environment variables by executing the line “shells.Environment(JBymWinJ (“YUt”+”bUl”+”NCQ”+”Q==”))(JBymWinJ (“cnZ5YXp”+”kYW9nUU”+”NKXV5Y”)) = ver;;”, which means “shell.Environment(‘Process’)(‘COMPLUS_Version’) = ver;”.\r\nIt uses the Windows service “winmgmts:\\\\.\\root\\SecurityCenter2” to check all AntiVirus products installed on the operating system. 
As shown below in the figure, this is done by creating an object for the service “winmgmts:\\\\.\\root\\SecurityCenter2” and executing the query “Select * From AntiVirusProduct” through that same object.\r\nAfter the PDF viewer opens from the .hta file, the major objective defined in the code is that the .hta file tries to communicate with the URL “hxxp[:]//www[.]d01fa[.]net” for malicious purposes.\r\nIt is also observed that, after decoding the name defined in the function shown in the figure below, it comes out to be “Pak_Army_Deployed_in_Country_in_Fight_Against_Coronavirus”.\r\nConclusion\r\nIn case an alert is triggered in the environment related to the execution of these .hta files, the following should be monitored:\r\nProcesses associated with the .hta file\r\nHTTP requests initiated by the associated process\r\nDNS calls and resolutions initiated by the associated processes\r\nAssociated Processes\r\nCheck if the following processes are created within a short time period and correlate them with the same GUID:\r\n1. mshta.exe\r\n2. AcroRd32.exe\r\n3. RdrCEF.exe\r\n4. Reader_sL.exe\r\n5. Any other Office-related programs\r\nHTTP Requests\r\nMonitor HTTP requests generated by these programs:\r\n1. URLs having any suspicious or known file extensions. In this case, the following URL calls were observed and should be blocked immediately:\r\nhttp[:]//www[.]d01fa[.]net/cgi/8ee4d36866/16364/11542/58a3a04b/file[.]hta\r\nhttp[:]//nrots[.]net/rdg[.]html\r\n2. 
Observe whether a high number of bytes is transferred in the Request/Response to or from the mentioned URLs.\r\nBe aware of social engineering techniques employed by cyber criminals—including strategies to identify phishing emails, impersonated calls, and fraudulent businesses and domains—and how to respond to a suspected compromise.\r\nThe above static analysis was performed in a controlled environment at Rewterz Threat Intelligence Labs. In case you have any malware samples or binaries that need to be analyzed, Rewterz is here to help.\r\nUpdate June 22, 2020: SideWinder continues targeting Pakistani organizations\r\nFor the latest malware reports and APT group analyses, visit our Threat Intelligence blog.\r\nSource: https://www.rewterz.com/threats/sidewinder-apt-group-campaign-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.rewterz.com/threats/sidewinder-apt-group-campaign-analysis"
	],
	"report_names": [
		"sidewinder-apt-group-campaign-analysis"
	],
	"threat_actors": [
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441483,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59ef2cc33a40fc9bb40d99da43f637ef8f3c8ef6.pdf",
		"text": "https://archive.orkl.eu/59ef2cc33a40fc9bb40d99da43f637ef8f3c8ef6.txt",
		"img": "https://archive.orkl.eu/59ef2cc33a40fc9bb40d99da43f637ef8f3c8ef6.jpg"
	}
}