{
	"id": "ac24fd4d-392c-41ed-a1e3-b4697d07fb14",
	"created_at": "2026-04-06T15:53:35.540515Z",
	"updated_at": "2026-04-10T13:11:18.82388Z",
	"deleted_at": null,
	"sha1_hash": "97ef2edc56fa5160e0f89c3caefccd4d0b6c3ea3",
	"title": "Analysis on Sidewinder APT Group - COVID-19 - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76356,
	"plain_text": "Analysis on Sidewinder APT Group - COVID-19 - Rewterz\r\nPublished: 2020-06-22 · Archived: 2026-04-06 15:48:18 UTC\r\nIntroduction\r\nHardcore Nationalist group SideWinder is a threat group active since 2012 according to Kaspersky. This group mainly targets the Windows machines of Pakistani and Chinese military \u0026 government entities. They also target mobile phone devices. This is the second time this group has used a COVID-19 theme to lure victims, thereby capitalizing on the fear of the global pandemic. SideWinder, aka HN2, is believed to be an Indian state-sponsored group. A detailed analysis of SideWinder attacks on Pakistani military officials was also published in April.\r\nMITRE ATT\u0026CK Table\r\nFigure 1: SideWinder attack categories mapped to MITRE ATT\u0026CK\r\nAnalysis of SideWinder APT Group\r\nFile Identity\r\nProperty Value\r\nFile Name OnlinePolicyGuide.pdf\r\nFile Type PDF\r\nFile Info PDF document, version 1.5\r\nFile Size 102.70 KB (105160 bytes)\r\nMD5 8ae9cc797c2f3ec3eca3b54a2e70edf1\r\nSHA-1 6c878840bd899936974a0364a2297b658beaeda9\r\nSHA-256 65c42fef3df4a2b4974e9a1c907fa79b6c2cd96406c309b0963f358fc4a7c23a\r\nVirus Total Score 0/61\r\nHybrid Analysis Score More than 10% Risk Factor\r\nProperty Value\r\nFile Name file.hta\r\nFile Type HTML executable file\r\nFile Info HTML document, ASCII text\r\nFile Size 322.46 KB (330200 bytes)\r\nMD5 30398787041EFA25E1632A29D4F7730B\r\nhttps://www.rewterz.com/articles/analysis-on-sidewinder-apt-group-covid-19\r\nPage 1 of 8\r\nSHA-1 6B0B86897990A254F2FE4C6DF869A1276F10B407\r\nSHA-256 36b653ede8d68fbb9a9343507aa437125e5915655fe12763dbb109c97bed617b\r\nVirus Total Score 3/60\r\nHybrid Analysis Score More than 16% Risk Factor\r\nProperty Value\r\nFile Name rekeywiz.exe\r\nFile Type Win32 EXE\r\nFile Info PE32 executable for MS Windows (GUI) Intel 80386 32-bit\r\nFile Size 322.46 KB (330200 bytes)\r\nMD5 082ed4a73761682f897ea1d7f4529f69\r\nSHA-1 4f77bda9714d009b16e6a13f88b3e12caf0a779d\r\nSHA-256 fa86b5bc5343ca92c235304b8dcbcf4188c6be7d4621c625564bebd5326ed850\r\nVirus Total Score 0/70\r\nHybrid Analysis Score More than 10% Risk Factor\r\nSummary of Analysis\r\nAs per the analysis of the file received by the Air University Online Teaching Intimation, the artifacts found belong to the well-known Indian SideWinder APT group. This APT group has been working in the interest of the Indian government, targeting Pakistani government officials through its latest campaign with a decoy document related to online teaching during the COVID-19 pandemic.\r\nFigure 2: Dependency Flow of Malware File\r\nFigure 3: Malware File Basic Properties\r\nCharacteristics\r\nThe following characteristics were found during the analysis:\r\n1. When the victim opened the PDF file, it was observed that the PDF downloaded another decoy document (an .hta file) over HTTP in the background from the URL below:\r\nhttp://www.au-edu.km01s.net/cgi/8ee4d36866/16914/11662/eeef4361/file[.]hta\r\nThis was confirmed by reviewing the PCAP file, as shown below:\r\n2. Once the HTA file is downloaded onto the victim system, it drops another payload from the URL to encrypt certain files and folders, as described below.\r\na) As per the source code review of the .HTA file, it was found that the file contains obfuscated JavaScript code with base64 encoding. In order to de-obfuscate the source code, we have to decode the encoded parameters first.\r\ni) First, we decoded the key value, in order to decode the fully obfuscated code parameters.\r\nb) After decoding the key value, we get the ASCII string “3110648411” from the following line:\r\nc) Now we can use the main key to decode all the parameters of this JavaScript code. After applying the key, we move on to decoding the encoded parameters of the Var X function. We found the URL http://www.au-edu.km01s.net/plugins/16914/11662/true/true[/], which means this hta file is also trying to communicate with the suspicious link; the line in its encoded form is shown below:\r\nd) On further decoding of the code we found that this file is intended to create another process instance in the line shown below:\r\ne) After observing the above characteristics, we searched for the exact file parameters. We found that the source file tried to create another file in the “temp” directory with an anonymous name and the extension .hta, using the mshta.exe process, as you can see in the hex view of the decoded parameter taken from the line of Var SO:\r\nf) The same hex value is found with another process, i.e. one intended to drop into the directory after its creation, as shown in the image below:\r\ng) In addition, some lines later we found that another process, “csc.exe”, is called in the parameter; it is used to perform command-line compilation.\r\nh) It also uses the “ActiveXObject” utility to help its execution through Microsoft products and Internet browsers. The ActiveXObject object is used to create instances of OLE Automation objects in Internet Explorer on Windows operating systems. Several applications (Microsoft Office Word, Microsoft Office Excel, Windows Media Player, etc.) provide OLE Automation objects to allow communication with them.\r\nHence, it was identified that the attacker used multiple obfuscation techniques, which attackers use to hide the attack, to avoid detection, and to make it difficult to decode the key string, the actual payload and the command instructions.\r\n3. Static analysis of rekeywiz.exe revealed that it uses the built-in function “ShellExecuteW”, in which the document name is passed in the lpFile parameter for which the execution will be performed, as shown below.\r\n4. Further analysis concluded that rekeywiz.exe was also using another function, “SetUserFileEncryptionKeyEx”, which is used for encryption of the file system. The purpose of this function is to encrypt files and folders:\r\nDependencies:\r\nFollowing are the dependencies observed in the malware code; user interaction is required for execution.\r\n1. It was observed that this malware does not provide Auto Run/Auto Execute functionality; the victim needs to manually open the pdf to execute it and download the .hta file and the payload.\r\n2. This malware was designed for and is compatible with the Windows environment only; elsewhere it is inert.\r\n3. The hta file is also dependent on the Microsoft .Net Framework v2.0.50727 / v4.0.30319.\r\n4. The rekeywiz.exe dropper file needs to create its entries in the Remote Access Service registry keys.\r\nFollowing is the complete process-working graph for this attack.\r\nBehavioral Findings through Analysis\r\nFollowing is the behavior of the malicious files.\r\nWhen the victim opens the pdf document, it shows all the information about the notification related to the policy guidelines for the online classes going to be held at Air University. The display below further clarifies it.\r\nIn the background, it makes a connection with the suspicious IP address “185.163.45.199” to download the .hta file \u0026 payload.\r\nAfter fetching the .hta file, it needs to be opened; once it runs it will first look for the Windows environment, and after that it will look for the Microsoft .NET Framework v2.0.50727 and v4.0.30319.\r\nAfter checking for the right environment, it will drop the executable file with the name rekeywiz.exe in the directory “C:\\ProgramData\\font2Files”, created by the hta file itself for the dropper, as shown below:\r\nOnce the dropper is dropped, it will also be responsible for some registry changes under “Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Tracing”, which is used to allow the process to establish a Remote Access Service (RAS) network connection. The entries are defined below:\r\nRegistry Value\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rekeywiz_RASAPI32 %windir%\\tracin\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rekeywiz_RASMANCS 0\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rekeywiz_RASMANCS 4294901760\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rekeywiz_RASMANCS 1048576\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rekeywiz_RASMANCS %windir%\\tracin\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rekeywiz_RASAPI32 1048576\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rekeywiz_RASAPI32 4294901760\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rekeywiz_RASAPI32 4294901760\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\rekeywiz_RASAPI32 0\r\nAs already shown in the above screenshot, registry changes will surely occur when rekeywiz.exe is dropped on the system and executes itself for intentional damage.\r\nBy reviewing the logs in the directory “C:\\WINDOWS\\tracing” (log file names “rekeywiz_RASAPI32.log” and “rekeywiz_RASMANCS.log”), we find that the first log file is generated; as the malware was not properly executed in the sandbox environment created for analysis, it does not show much information. Furthermore, you can also get information from these log files, shown below:\r\nAfter every step, finally the dropper itself uses the shell execution technique and the encryption for which it is designed.\r\nRemediation\r\nThe following remediation points are defined below:\r\n1. Block the subject URL http://www.au-edu.km01s.net.\r\n2. Remove the registry changes defined in the behavioral findings.\r\n3. Search for rekeywiz.exe in the directory “C:\\ProgramData\\font2Files” and remove the file.\r\n4. Disable EFS encryption in Windows.\r\nBeware of social engineering techniques employed by cyber criminals, including strategies used in phishing emails, impersonated calls, and fraudulent businesses and domains, to identify and respond to a suspected compromise.\r\nThe above analysis was performed in a controlled environment in Rewterz Threat Intelligence Labs. In case you have any malware samples/binaries that need to be analyzed, Rewterz is here to help.\r\nConclusion\r\nIt is concluded after in-depth analysis that a malicious pdf file attempts to connect to a random public IP address to download other supporting components of the malware in the form of an .hta file. This .hta file is actually playing the dropper role in this infection cycle, which generates calls to download the malicious executable (rekeywiz.exe). The core components of this malware are file.hta and rekeywiz.exe. Rekeywiz.exe encrypts the system files if the presence of the .NET Framework fulfills the dependency of file.hta.\r\nSource: https://www.rewterz.com/articles/analysis-on-sidewinder-apt-group-covid-19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rewterz.com/articles/analysis-on-sidewinder-apt-group-covid-19"
	],
	"report_names": [
		"analysis-on-sidewinder-apt-group-covid-19"
	],
	"threat_actors": [
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775490815,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97ef2edc56fa5160e0f89c3caefccd4d0b6c3ea3.pdf",
		"text": "https://archive.orkl.eu/97ef2edc56fa5160e0f89c3caefccd4d0b6c3ea3.txt",
		"img": "https://archive.orkl.eu/97ef2edc56fa5160e0f89c3caefccd4d0b6c3ea3.jpg"
	}
}