{
	"id": "93a7440c-a2bf-4a0d-8460-d9518a7375c1",
	"created_at": "2026-04-06T00:12:43.974685Z",
	"updated_at": "2026-04-10T03:37:20.288622Z",
	"deleted_at": null,
	"sha1_hash": "7d22cfe7119a4e4d8fef5a9d17855a5239d64dd6",
	"title": "SideWinder Hackers Launched Over a 1,000 Cyber Attacks Over the Past 2 Years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 218781,
	"plain_text": "SideWinder Hackers Launched Over a 1,000 Cyber Attacks Over the Past 2 Years\r\nBy The Hacker News\r\nPublished: 2022-05-31 · Archived: 2026-04-05 15:29:03 UTC\r\nAn \"aggressive\" advanced persistent threat (APT) group known as SideWinder has been linked to over 1,000 new attacks since April 2020.\r\n\"Some of the main characteristics of this threat actor that make it stand out among the others are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their operations,\" cybersecurity firm Kaspersky said in a report that was presented at Black Hat Asia this month.\r\nSideWinder, also called Rattlesnake or T-APT-04, is said to have been active since at least 2012 with a track record of targeting military, defense, aviation, IT companies, and legal firms in Central Asian countries such as Afghanistan, Bangladesh, Nepal, and Pakistan.\r\nKaspersky's APT trends report for Q1 2022, published late last month, revealed that the threat actor is actively expanding the geography of its targets beyond its traditional victim profile to other countries and regions, including Singapore.\r\nSideWinder has also been observed capitalizing on the ongoing Russo-Ukrainian war as a lure in its phishing campaigns to distribute malware and steal sensitive information.\r\nThe adversarial collective's infection chains are notable for incorporating malware-rigged documents that take advantage of a remote code execution vulnerability in the Equation Editor component of Microsoft Office (CVE-2017-11882) to deploy malicious payloads on compromised systems.\r\nFurthermore, SideWinder's toolset employs several sophisticated obfuscation routines, encryption with unique keys for each malicious file, multi-layer malware, and splitting command-and-control (C2) infrastructure strings across different malware components.\r\nThe three-stage infection sequence commences with the rogue documents dropping an HTML Application (HTA) payload, which subsequently loads a .NET-based module to install a second-stage HTA component that's designed to deploy a .NET-based installer.\r\nThis installer, in the next phase, is responsible both for establishing persistence on the host and for loading the final backdoor in memory. The implant, for its part, is capable of harvesting files of interest as well as system information, among other data.\r\nNo fewer than 400 domains and subdomains have been put to use by the threat actor over the past two years. To add an additional layer of stealth, the URLs used for C2 domains are sliced into two parts: the first portion is included in the .NET installer and the latter half is encrypted inside the second-stage HTA module.\r\n\"This threat actor has a relatively high level of sophistication using various infection vectors and advanced attack techniques,\" Noushin Shabab of Kaspersky said, urging organizations to use up-to-date versions of Microsoft Office to mitigate such attacks.\r\nSource: https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html"
	],
	"report_names": [
		"sidewinder-hackers-launched-over-1000.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434363,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d22cfe7119a4e4d8fef5a9d17855a5239d64dd6.pdf",
		"text": "https://archive.orkl.eu/7d22cfe7119a4e4d8fef5a9d17855a5239d64dd6.txt",
		"img": "https://archive.orkl.eu/7d22cfe7119a4e4d8fef5a9d17855a5239d64dd6.jpg"
	}
}