{
	"id": "0c23021f-238f-470e-85d0-8f6306f106c9",
	"created_at": "2026-04-06T00:16:44.025472Z",
	"updated_at": "2026-04-10T03:37:20.26699Z",
	"deleted_at": null,
	"sha1_hash": "9a2bd4114a37545bcd5499c08c33159808dc495f",
	"title": "Old Snake, New Skin: SideWinder APT Activity Analysis 2021 | Group-IB",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 554325,
	"plain_text": "Old Snake, New Skin: Analysis of SideWinder APT activity in 2021\r\nhttps://www.group-ib.com/resources/research-hub/sidewinder-apt/\r\nPage 1 of 7\r\n\r\nThe Group-IB Threat Intelligence team uncovered a previously undocumented spear-phishing campaign carried out by the APT group SideWinder between June and November 2021. The new threat report details how SideWinder, also known as Rattlesnake, Hardcore Nationalist (HN2), and T-APT4, attempted to target dozens of government organizations in the Asia-Pacific region over a period of six months. Delve into the group’s entire arsenal and network infrastructure, as well as its TTPs (Tactics, Techniques, and Procedures).\r\n\r\nKey highlights from SideWinder’s prolific 2021 campaign\r\n- 61 identified targets in the government, military, financial, law enforcement, and political sectors\r\n- 5 countries (Afghanistan, Bhutan, Myanmar, Nepal, Sri Lanka) where SideWinder carried out its 2021 phishing campaign\r\n- Cryptocurrency-themed phishing, indicating the group’s growing interest in the crypto industry\r\n- BabyElephant and SideWinder are most likely the same or closely related APTs\r\n- A successful 2020 attack on the Maldivian government, attributed to SideWinder by Group-IB\r\n- Telegram has been used by SideWinder as a channel for receiving the results of the malware’s commands\r\n\r\nBackground\r\nThe Group-IB Threat Intelligence team’s monitoring of state-sponsored threat actors’ activity revealed some tools belonging to SideWinder that had not been described in the public domain before. In addition to detailing the functionality and techniques employed in SideWinder’s new tools, the report describes the phishing part of the group’s 2021 operations based on backup archives obtained by Group-IB. The archives contained several phishing projects designed to target government, military, and law enforcement agencies in South and East Asia, among them fake websites imitating the Central Bank of Myanmar and more.\r\nDespite its long history, SideWinder continues to be one of the most active state-sponsored hacker groups posing a threat to governments in the Asia-Pacific region. The techniques and tools described in this report are currently in use by the group and therefore remain relevant.\r\n\r\nIn This Report\r\n- Timeline: The Group-IB team was able to reconstruct an approximate timeline of SideWinder’s phishing operations.\r\n- New tools: Group-IB malware analysts revealed some tools used by SideWinder that had not previously been described in the public domain.\r\n- YARA rules: The report contains YARA rules for hunting the group and a table of the group’s TTPs (Tactics, Techniques, and Procedures) mapped to the MITRE ATT\u0026CK® matrix, giving companies and organizations the information they need to update their security controls to detect SideWinder.\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.group-ib.com/resources/research-hub/sidewinder-apt/"
	],
	"report_names": [
		"sidewinder-apt"
	],
	"threat_actors": [
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434604,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a2bd4114a37545bcd5499c08c33159808dc495f.pdf",
		"text": "https://archive.orkl.eu/9a2bd4114a37545bcd5499c08c33159808dc495f.txt",
		"img": "https://archive.orkl.eu/9a2bd4114a37545bcd5499c08c33159808dc495f.jpg"
	}
}