{
	"id": "2c813020-de6a-4dda-8432-87e60303ee0a",
	"created_at": "2026-04-06T00:15:19.066286Z",
	"updated_at": "2026-04-10T03:37:20.251343Z",
	"deleted_at": null,
	"sha1_hash": "75c36cc5e49a2d788ec57a105cf273ef259d7e3e",
	"title": "Silver Fox Targeting India Using Tax Themed Phishing Lures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10259228,
	"plain_text": "Silver Fox Targeting India Using Tax Themed Phishing Lures\r\nBy Prajwal Awasthi\r\nPublished: 2025-12-26 · Archived: 2026-04-05 13:07:11 UTC\r\nCloudSEK's TRIAD reveals a campaign by the Chinese \"Silver Fox\" APT targeting Indian entities with authentic-looking Income Tax phishing lures. Previously misattributed to SideWinder, the attack uses a multi-stage kill chain involving DLL hijacking and the modular Valley RAT to establish persistence. This post gives the full technical breakdown and explains why accurate attribution matters for effective defense.\r\nDecember 24, 2025\r\nhttps://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures\r\nExecutive Summary\r\nCloudSEK’s TRIAD discovered a campaign by the Silver Fox APT targeting India with income-tax-themed phishing lures. The lure is visually identical to those documented by other vendors, but the campaign had not been attributed to a specific threat actor before this report. Attribution accuracy is critical to threat intelligence: it lets defenders anticipate adversary behavior and deploy targeted countermeasures. Misattribution from trusted sources propagates through threat feeds and detection content, causing organizations to focus on the wrong threat while the actual adversary operates undetected. Attributing this campaign to SideWinder APT (an India-aligned group) contradicts basic victimology and creates systemic confusion. This report aims to document the kill chain used by the Chinese APT group and to explain the rationale behind CloudSEK’s attribution. 
\r\nKill Chain\r\nInitial Access Vector\r\nMalicious email\r\nWe found an interesting email uploaded from India carrying a single attachment named “TOPSOE India Private Limited”. The PDF looked like an official Income Tax Department document. Clicking on the PDF opens “ggwk[.]cc” in the browser, which downloads a ZIP archive, Tax Affairs.zip, containing an executable named “tax affairs.exe”.\r\nPDF Decoy\r\nTechnical Analysis\r\nStage - 1 : Tax Affairs.zip\r\nDetect It Easy\r\nStatic analysis shows that the PE file is a 32-bit GUI binary and, more importantly, that it is a Nullsoft Scriptable Install System (NSIS) installer. NSIS installers embed their installation script and compressed payloads inside the binary itself, so the sample can be analysed as an installer-driven staging payload.\r\nNSIS Installer\r\nThe NSIS installer begins by resolving a writable temporary directory with GetTempPathA. If that call fails, it falls back to C:\\Windows\\Temp so that execution still proceeds. Once a valid location is found, the installer creates an NSIS-specific working directory (~nsu.tmp) and changes into it.\r\nDropped Files\r\nOf the files dropped, only two matter for the infection chain: Thunder.exe and libexpat.dll. Thunder.exe is a legitimate, digitally signed executable developed by Xunlei (迅雷) and normally distributed as part of the Thunder download manager. The binary itself is not malicious; it is abused as a DLL-hijacking host. When executed from the installer’s temporary directory, Thunder.exe loads libexpat.dll from its own directory, because the application directory is searched before the system directories in the default DLL search order. 
We can confirm this in x64dbg.\r\nDLL Loading\r\nStage - 2 : libexpat.dll\r\nThe dropped libexpat.dll exports no meaningful functions and is never explicitly invoked by Thunder.exe. Instead it relies on the Windows loader, which calls the DLL’s DllMain entry point (with DLL_PROCESS_ATTACH) as soon as the module is mapped into the process. This callback runs unconditionally, regardless of whether the DLL exports any functions or is ever used by the host process. Let’s take a look at what the DLL does.\r\nAnti-Debug Techniques\r\nDllMain begins with a series of anti-debugging and sandbox-evasion checks. The DLL enumerates running processes and scans the list for common analysis and sandbox tools, and it queries system resources to check that minimum hardware requirements are met. If it detects a sandbox environment, it terminates.\r\nPayload Decryption\r\nOnce the anti-analysis checks pass, the DLL enters its core logic. It first disables the Windows Update service (wuauserv), then loads an encrypted payload from disk: the file box.ini in the temporary directory, located via a dynamically resolved path. The file is read fully into memory, decrypted with embedded cryptographic constants, and executed as shellcode.\r\nBox.ini\r\nProcess Injection\r\nThe shellcode is executed by classic process injection (process hollowing). The routine first verifies that explorer.exe is present, since it is used as the target process. explorer.exe is launched in a suspended state and the malware retrieves the initial thread context. 
It then allocates executable memory inside the remote process via VirtualAllocEx and writes the payload with WriteProcessMemory.\r\nThe LogStatus function implements an internal logging mechanism used throughout the DLL to record execution progress and error states. It formats a timestamped log message, applies a lightweight custom obfuscation, and appends the result to a local file (C:\\data.db).\r\nStage - 3 : DonutLoader\r\nEncrypted Payload in memory\r\nThe injected payload can be dumped by attaching a debugger to the hollowed explorer.exe process and watching the memory region allocated via VirtualAllocEx. Once the payload has been written with WriteProcessMemory and execution is redirected to it, the region can be dumped directly from memory, yielding the next-stage payload for analysis.\r\nDecrypted Payload\r\nInspecting the decrypted payload shows that it is Donut-generated shellcode. Here Donut is used to wrap a managed (.NET) payload into position-independent shellcode so that it executes entirely from memory without touching disk.\r\nDonutLoader\r\nThe embedded module can be recovered from the Donut shellcode with tools such as undonut or donut-decryptor.\r\nStage - 4 : Valley RAT\r\nAfter the Donut loader runs the final payload inside the hollowed explorer.exe process, Valley RAT initializes its configuration management subsystem. It starts with anti-analysis checks, then calls sub_405E40() to initialize its configuration, and later creates a thread for C2 communication.\r\nC2 Configuration\r\nThe function implements a two-stage loading mechanism. 
It extracts 22 distinct configuration parameters through a parsing function.\r\nStage 1\r\nCommand \u0026 Control Infrastructure (9 parameters):\r\np1:, p2:, p3: - Three-tier C2 server addresses (p1 correlates with b[.]yuxuanow[.]top identified in network analysis)\r\no1:, o2:, o3: - Corresponding port numbers for each C2 tier\r\nt1:, t2:, t3: - Connection type flags (1 = HTTP/HTTPS, 0 = raw TCP socket)\r\nOperational Parameters (5 parameters):\r\ndd: - Initial sleep delay (seconds) before first C2 contact\r\ncl: - Callback interval (seconds) between beaconing attempts\r\nbb: - Build/bot version identifier (observed: 1.0)\r\nbz: - Backup C2 address\r\nfz: - Unknown parameter\r\nFeature Flags (8 boolean parameters):\r\nkl: - Keylogger (1 = enabled, 0 = disabled)\r\nsh: - Remote shell access (1 = enabled, 0 = disabled)\r\nbd: - Full backdoor mode (1 = enabled, 0 = disabled)\r\ndl: - Download/file transfer capability\r\njp:, sx:, bh:, ll: - Additional feature toggles\r\nStage 2\r\nAfter loading the embedded configuration, Valley RAT queries the Windows registry for updated C2 infrastructure:\r\nPersistence\r\nIf the registry value exists and is longer than 10 bytes, Valley RAT replaces its embedded configuration with the registry contents and re-parses only the critical C2 parameters (p1 through t3); the remaining parameters keep the values parsed in stage 1. This lets Silver Fox operators push updated C2 addresses without deploying new binaries or regaining code execution.\r\nOnce the configuration is loaded, Valley RAT spawns its payload thread (StartAddress), which implements a three-tier C2 communication loop.\r\nC2 Communication\r\nThe communication loop implements multi-tier failover by alternating between the primary (p1) and secondary (p2) C2 servers, switching to the tertiary server (p3) after 200 failures. 
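\r\nThe following Python is an added illustration, not code from CloudSEK's report or from the malware: it models the two-stage configuration load (embedded blob, then a registry override of p1 through t3 when the stored value exceeds 10 bytes) and the three-tier failover just described. The key:value layout, the placeholder hostnames and ports, and the even/odd alternation between p1 and p2 are assumptions; the report gives the parameter names and the override rule, not the on-disk encoding.\r\n

```python
# Added example (not CloudSEK's code): a model of Valley RAT's two-stage
# configuration load and three-tier C2 failover as described in the report.
# The key:value layout, the sample hostnames/ports and the even/odd alternation
# between p1 and p2 are assumptions; the report lists the 22 keys and the
# >10-byte registry override rule, but not the on-disk encoding.

C2_KEYS = ('p1', 'p2', 'p3', 'o1', 'o2', 'o3', 't1', 't2', 't3')
OTHER_KEYS = ('dd', 'cl', 'bb', 'bz', 'fz',
              'kl', 'sh', 'bd', 'dl', 'jp', 'sx', 'bh', 'll')
ALL_KEYS = C2_KEYS + OTHER_KEYS          # 22 parameters
TERTIARY_AFTER = 200                     # failures before switching to p3

# Constructed sample config (placeholder hosts, not observed values).
EMBEDDED_CONFIG = '''p1:primary.example.invalid
p2:secondary.example.invalid
p3:tertiary.example.invalid
o1:443
o2:8080
o3:5555
t1:1
t2:1
t3:0
dd:30
cl:60
bb:1.0
bz:backup.example.invalid
fz:0
kl:1
sh:1
bd:1
dl:1
jp:0
sx:0
bh:0
ll:0'''


def parse_config(blob, keys=ALL_KEYS, require_all=True):
    '''Parse key:value lines into a dict, keeping only the listed keys.'''
    cfg = {}
    for line in blob.splitlines():
        key, sep, value = line.partition(':')
        if sep and key in keys:
            cfg[key] = value.strip()
    missing = [k for k in keys if k not in cfg]
    if require_all and missing:
        raise ValueError('missing parameters: ' + ', '.join(missing))
    return cfg


def load_config(embedded_blob, registry_value):
    '''Stage 1 parses the embedded blob. Stage 2 replaces it with the
    registry-stored blob when that value exists and exceeds 10 bytes, but
    re-parses only p1..t3; all other parameters keep their stage-1 values.'''
    cfg = parse_config(embedded_blob)
    cfg['source'] = 'embedded'
    if registry_value is not None and len(registry_value) > 10:
        text = registry_value.decode('ascii', 'ignore')
        cfg.update(parse_config(text, C2_KEYS, require_all=False))
        cfg['source'] = 'registry'
    return cfg


def select_tier(cfg, failures):
    '''Tier choice for a cumulative failure count: alternate p1/p2
    (assumed even/odd) and fall back to p3 once TERTIARY_AFTER is reached.
    The t-flag picks the transport: 1 = HTTP/HTTPS, 0 = raw TCP.'''
    if failures >= TERTIARY_AFTER:
        n = '3'
    else:
        n = '1' if failures % 2 == 0 else '2'
    transport = 'http' if cfg['t' + n] == '1' else 'tcp'
    return cfg['p' + n], int(cfg['o' + n]), transport


def run_failover(cfg, connect, max_attempts=TERTIARY_AFTER + 5):
    '''Drive the loop with a caller-supplied connect(host, port, transport)
    that returns True on success. Returns (hosts_tried, connected_host).'''
    tried = []
    failures = 0
    for _ in range(max_attempts):
        host, port, transport = select_tier(cfg, failures)
        tried.append(host)
        if connect(host, port, transport):
            return tried, host
        failures += 1
    return tried, None


if __name__ == '__main__':
    # Registry value longer than 10 bytes: p1 is rotated, everything else kept.
    cfg = load_config(EMBEDDED_CONFIG, b'p1:rotated.example.invalid')
    print(cfg['source'], cfg['p1'], 'keylogger', cfg['kl'])
    # Only the raw-TCP tier (p3) answers: 200 failures, then the tertiary host.
    tried, winner = run_failover(cfg, lambda h, p, t: t == 'tcp')
    print(len(tried), 'attempts before reaching', winner)
```

In the simulated run the first 200 attempts alternate between p1 and p2 and the 201st lands on p3, which is the retry-heavy, fallback-then-connect pattern the Recommendations section suggests detecting; the registry branch shows why a fresh p1 in the registry must be treated as live C2 even when the binary on disk has not changed.\r\n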
The loop supports both HTTP/HTTPS and raw TCP transports, uses a configurable beaconing interval (cl:) to keep traffic low-noise, and delays the first connection (dd:) to outlast sandbox execution windows.\r\nUpon a successful connection, Valley RAT sends a \"ready\" beacon (command ID: 4), enables keylogging if configured (kl: flag), and waits for C2 commands. This architecture maps to the discovered infrastructure: b[.]yuxuanow[.]top (103.20.195[.]147) as the primary shellcode C2, with the secondary/tertiary tiers rotating through domains such as itdd[.]club, gov-a[.]work, and xzghjec[.]com.\r\nValley RAT implements a modular plugin architecture that extends its capabilities dynamically and persists them in the registry. Downloaded plugins are stored under HKCU\\Console\\0\\d33f351a4aeea5e608853d1a56661059, a value name consistent with Valley RAT’s established fingerprint and with the MD5-hash naming convention observed across multiple Valley RAT campaigns. The plugin manager operates in two modes. Either it receives a module from the C2 server, allocates executable memory with PAGE_EXECUTE_READWRITE permissions, and persists the 2628-byte configuration plus the payload code to the registry as REG_BINARY data; or it retrieves a previously stored plugin from the registry, validates it against a hardcoded signature, and spawns a thread to execute it. Each plugin carries a magic-byte guard (0xC9) to prevent double execution. 
This plugin architecture allows Silver Fox operators to deploy specialized capabilities such as advanced keylogging, credential harvesting, or lateral-movement modules on demand to compromised systems, with automatic persistence across reboots through registry storage.\r\nTracerpt Injection\r\nAfter downloading plugins from the C2 server, Valley RAT injects them into tracerpt.exe, a legitimate signed Microsoft utility, using the same process-hollowing technique: it creates the process in a suspended state, writes the plugin code into its memory, and redirects execution to the malicious payload. Before injection, it patches the plugin with the same 4768-byte configuration containing the C2 addresses and feature flags analyzed earlier.\r\nPivoting\r\nLet’s start with the domain embedded within the decoy document, “ggwk[.]cc”.\r\nThe host has served two different page titles over time, both in line with the income-tax phishing theme, and both from the same ASN. The common denominator, however, is the favicon.\r\nWe found 10+ domains that share the same favicon. Looking at the HTTP response titles, all of them are income-tax-themed. The results can be validated against VirusTotal to discover additional samples from this campaign. 
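\r\nAs an added example (not part of the CloudSEK report), the favicon pivot can be reproduced offline by hashing each host's icon the way Shodan's http.favicon.hash filter does: MurmurHash3 x86_32 (seed 0) over the MIME-wrapped base64 of the raw icon bytes. The report does not say which platform or hash it used, so that recipe is an assumption, and the icon bytes and hostnames below are constructed.\r\n

```python
# Added example (not CloudSEK's code): compute a Shodan-style favicon hash
# so that hosts serving the same icon can be pivoted on. The recipe assumed
# here (MurmurHash3 x86_32, seed 0, over the base64 encoding of the raw
# favicon bytes with a newline every 76 characters) is the one Shodan's
# http.favicon.hash filter uses; the report does not say which platform or
# hash it pivoted with. The favicon bytes below are constructed, not the
# campaign's real icon.

import base64

MASK32 = 0xFFFFFFFF


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_x86_32(data, seed=0):
    '''Pure-Python MurmurHash3 x86 32-bit, returned as a signed int
    (the same convention the mmh3 package and Shodan use).'''
    c1, c2 = 0xCC9E2D51, 0x1B873593
    length = len(data)
    h1 = seed & MASK32
    nblocks = length // 4
    for i in range(nblocks):                      # 4-byte blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], 'little')
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]                     # 0..3 trailing bytes
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
    h1 ^= length                                  # finalisation (fmix32)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1 - 0x100000000 if h1 & 0x80000000 else h1


def favicon_hash(icon_bytes):
    '''Shodan-style favicon hash: mmh3 of the MIME-wrapped base64 text.'''
    wrapped = base64.encodebytes(icon_bytes)      # 76-char lines, trailing newline
    return murmurhash3_x86_32(wrapped)


def group_by_favicon(hosts):
    '''Map favicon hash -> list of hosts, from {host: icon_bytes}.'''
    groups = {}
    for host, icon in hosts.items():
        groups.setdefault(favicon_hash(icon), []).append(host)
    return groups


# Constructed icons: a minimal ICO header followed by filler bytes.
ICO_HEADER = bytes.fromhex('00000100010010100000010020006804000016000000')
SHARED_ICON = ICO_HEADER + bytes(range(256)) * 4
OTHER_ICON = ICO_HEADER + bytes(reversed(range(256))) * 4

SAMPLE_HOSTS = {
    'lure-a.example.invalid': SHARED_ICON,
    'lure-b.example.invalid': SHARED_ICON,
    'unrelated.example.invalid': OTHER_ICON,
}

if __name__ == '__main__':
    for h, members in group_by_favicon(SAMPLE_HOSTS).items():
        print('http.favicon.hash:' + str(h), members)
```

Feeding the resulting integer into a search platform's favicon-hash filter (for Shodan, http.favicon.hash:<value>) returns every indexed host serving the same icon; the titles of those hosts can then be checked for the income-tax theme and the domains validated against VirusTotal, as the report does. The hash is computed over the wrapped base64 text rather than the raw bytes, so an implementation that skips the line wrapping will not match the platform's values.\r\n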
Refer to the IOCs section below.\r\nDiamond Model\r\nImpact\r\nHigh risk of long-term undetected compromise: Registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining low-noise.\r\nDynamic threat evolution post-infection: Attackers can upgrade capabilities (keylogging, credential theft, lateral movement) without regaining initial access or redeploying malware.\r\nInfrastructure-based blocking is brittle: Tiered C2 failover and protocol switching reduce the effectiveness of static IP/domain blocking.\r\nReduced visibility for incident response: In-memory execution combined with registry-based persistence complicates timeline reconstruction and malware eradication.\r\nElevated data security risk: On-demand module delivery enables targeted credential harvesting and surveillance tailored to the victim’s role and value.\r\nRecommendations\r\nMonitor registry abuse as a persistence layer: Alert on executable REG_BINARY blobs and anomalous values under non-standard paths such as HKCU\\Console\\*, especially those written by user processes. Note that HKCU\\Console and its subkeys legitimately hold console window settings, so key on unusually large REG_BINARY values with hash-like names rather than on the key path alone.\r\nDetect multi-tier C2 logic, not just domains: Build detections for retry-heavy outbound connections, protocol switching (HTTP ↔ raw TCP), a delayed first beacon, and repeated failures followed by fallback behavior.\r\nInstrument memory-permission anomalies: Alert on processes allocating PAGE_EXECUTE_READWRITE memory followed by thread creation, particularly inside explorer.exe and tracerpt.exe.\r\nHunt for signed binary + local DLL load patterns: Correlate execution of signed binaries from temp directories with unsigned DLL loads and immediate child thread 
creation.\r\nTreat RAT feature enablement as an alerting signal: Monitor sudden activation of keylogging APIs, interactive shell behavior, or file transfer operations within long-running, previously quiet processes.\r\nAppendix\r\nIOCs\r\nIndicator Type | Indicator | Comments\r\nSHA256 hash | 77ea62ff74a66f61a511eb6b6edac20be9822fa9cc1e7354a8cd6379c7b9d2d2 | Stage 1\r\nSHA256 hash | fa388a6cdd28ad5dd83acd674483828251f21cbefaa801e839ba39af24a6ac19 | Stage 2\r\nSHA256 hash | f74017b406e993bea5212615febe23198b09ecd73ab79411a9f6571ba1f94cfa | Stage 3\r\nSHA256 hash | 068e49e734c2c7be4fb3f01a40bb8beb2d5f4677872fabbced7741245a7ea97c | Stage 4\r\nDomain | ggwk[.]cc | Embedded domain within decoy attachment\r\nDomain | b[.]yuxuanow[.]top | Shellcode C2\r\nIP | 45.207.231[.]94 | Resolution of ggwk[.]cc\r\nIP | 103.20.195[.]147 | Resolution of b[.]yuxuanow[.]top\r\nSilver Fox Infrastructure Found After Pivoting\r\nIndicator Type | Indicator | IP Address\r\nDomain | itdd[.]club | 45.207.231[.]107\r\nDomain | xzghjec[.]com | 8.217.9[.]165\r\nDomain | gov-a[.]work | 160.124.9[.]103\r\nDomain | gov-a[.]fit | 160.124.9[.]103\r\nDomain | gvo-b[.]club | 160.124.9[.]103\r\nDomain | gov-c[.]club | 160.124.9[.]103\r\nDomain | gov-a[.]club | 160.124.9[.]103\r\nDomain | govk[.]club | 160.124.9[.]103\r\nDomain | dingtalki[.]cn | 47.239.225[.]43\r\nDomain | hhiioo[.]cn | 43.100.22[.]158\r\nDomain | kkyui[.]club | 43.100.22[.]158\r\nDomain | hhimm[.]work | 43.100.22[.]158\r\nDomain | swjc2025bjkb[.]cn | 43.100.123[.]207\r\nDomain | 2025swmm[.]cn | 43.100.123[.]207\r\nDomain | hhiioo[.]work | 43.100.63[.]145\r\nMITRE Mapping\r\nATT\u0026CK Tactic | Technique ID | Technique Name | Evidence from Report\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Income-tax themed PDF delivered via email\r\nExecution | T1204.002 | User Execution: Malicious File | User opens PDF leading to 
payload download\r\nExecution | T1059 | Command and Scripting Interpreter | NSIS installer-driven execution logic\r\nExecution | T1106 | Native API | Use of GetTempPathA, VirtualAllocEx, WriteProcessMemory\r\nExecution | T1129 | Shared Modules | Signed Thunder.exe loads malicious DLL\r\nDefense Evasion | T1620 | Reflective Code Loading | Donut-generated shellcode executed entirely from memory\r\nPersistence | T1547.001 | Registry Run Keys / Startup Folder | Registry-stored plugins persist across reboots\r\nDefense Evasion | T1112 | Modify Registry | Configuration and plugins stored as REG_BINARY values\r\nDefense Evasion | T1574.001 | DLL Search Order Hijacking | Malicious libexpat.dll loaded from writable directory\r\nDefense Evasion | T1218 | Signed Binary Proxy Execution | Abuse of digitally signed third-party binary\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Encrypted payload (box.ini) decrypted at runtime\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion | Anti-debugging, resource checks, sandbox detection\r\nDefense Evasion | T1562.001 | Disable or Modify Tools | Stops Windows Update service (wuauserv)\r\nDiscovery | T1057 | Process Discovery | Enumerates processes to detect analysis tools\r\nDiscovery | T1082 | System Information Discovery | System resource and environment checks\r\nCommand and Control | T1071.001 | Web Protocols | HTTP/HTTPS C2 communication\r\nCommand and Control | T1095 | Non-Application Layer Protocol | Raw TCP socket C2 supported via t* flags\r\nCommand 
and Control | T1105 | Ingress Tool Transfer | Plugins and modules delivered from C2\r\nCommand and Control | T1573 | Encrypted Channel | Encrypted configuration and payloads\r\nCommand and Control | T1008 | Fallback Channels | Three-tier C2 with failover after connection failures\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Keylogging and command responses sent over C2\r\nCollection | T1056.001 | Input Capture: Keylogging | Keylogger enabled via kl feature flag\r\nImpact | T1489 | Service Stop | Windows Update service disabled\r\nNote on the mapping: the report describes plugins stored in the registry and reloaded by the RAT itself, not a Run key or startup-folder entry, so T1547.001 rests on that storage rather than on an observed autostart entry; likewise the evidence cited for T1573 (encrypted configuration and payloads at rest) supports T1027 rather than encryption of the C2 channel itself.\r\nReferences\r\nIntelligence source and information reliability - Wikipedia\r\nTraffic Light Protocol - Wikipedia\r\nhttps://x.com/malwrhunterteam/status/2002002468612280755\r\nhttps://archive.ph/TJFVy\r\nValley RAT\r\nhttps://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/\r\nPrajwal is a Malware Analyst at CloudSEK, specializing in reverse engineering and threat intelligence. 
He focuses on uncovering new threats through malware research, with a background in Offensive Security and Windows Internals.\r\nThreat Researcher at CloudSEK, specializing in digital forensics, incident response, and adversary hunting to uncover attacker motives, methods, and operations.\r\nSource: https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures"
	],
	"report_names": [
		"silver-fox-targeting-india-using-tax-themed-phishing-lures"
	],
	"threat_actors": [
		{
			"id": "8f68387a-aced-4c99-b2a6-aa85071a0ca3",
			"created_at": "2024-06-25T02:00:05.030976Z",
			"updated_at": "2026-04-10T02:00:03.656871Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "MISPGALAXY:Void Arachne",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7805d1a-b8d0-4a42-ae86-1d8711e0b2b9",
			"created_at": "2024-08-28T02:02:09.729503Z",
			"updated_at": "2026-04-10T02:00:04.967533Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "ETDA:Void Arachne",
			"tools": [
				"Gh0stBins",
				"Gh0stCringe",
				"HoldingHands RAT",
				"Winos"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434519,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75c36cc5e49a2d788ec57a105cf273ef259d7e3e.pdf",
		"text": "https://archive.orkl.eu/75c36cc5e49a2d788ec57a105cf273ef259d7e3e.txt",
		"img": "https://archive.orkl.eu/75c36cc5e49a2d788ec57a105cf273ef259d7e3e.jpg"
	}
}