{
	"id": "ddb7e031-6163-4c54-9e91-2334dfdfdabc",
	"created_at": "2026-04-06T00:17:48.037897Z",
	"updated_at": "2026-04-10T03:33:50.21428Z",
	"deleted_at": null,
	"sha1_hash": "afd144a2ebda4289999795c8842b2f6a23dda209",
	"title": "Shifting in the Wind: WINDSHIFT Attacks Target Middle Eastern Governments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 263390,
	"plain_text": "Shifting in the Wind: WINDSHIFT Attacks Target Middle Eastern\r\nGovernments\r\nBy Adrian McCabe\r\nPublished: 2019-02-21 · Archived: 2026-04-05 13:27:34 UTC\r\nExecutive Summary\r\nIn August of 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a\r\nthreat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles (here and here)\r\nwere released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX\r\nsystems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate\r\nadditional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at\r\na Middle Eastern government agency.\r\nSummary of Aggregated WINDSHIFT Attacker Activity\r\nThe following timeline summarizes validated WINDSHIFT activity through June of 2018.\r\nFigure 1: Known WINDSHIFT activity across main disclosure sources.\r\nAs shown within the timeline above, the WINDSHIFT activity observed by Unit 42 falls between January and\r\nMay of 2018.\r\nMiddle Eastern Government Agency Attack Timeline\r\nThe following is a summary of observed WINDSHIFT activity which targeted a Middle Eastern government\r\nagency:\r\nhttps://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/\r\nPage 1 of 4\n\nFigure 2: Unit 42 Observed WINDSHIFT samples.\r\nThe first attack occurred in early January of 2018 with an inbound WINDTAIL sample (the backdoor family used\r\nby WINDSHIFT) originating from the remote IP address 109.235.51[.]110 to a single internal IP address within\r\nthe government agency. As per the timeline in Figure 2, at the time this event occurred, the IP address\r\n109.235.51[.]110 was associated with the domain flux2key[.]com, a known WINDSHIFT domain. 
Upon further\r\nanalysis, Unit 42 determined the sample’s corresponding C2 server IP address was 109.235.51[.]153. At the time\r\nthis event occurred, that IP was associated with the domain string2me[.]com, which is a known WINDSHIFT\r\ndomain. While Unit 42 does not have any insight into the attempted infection methodology in this case, the actor’s\r\nTTPs would suggest that spearphishing was almost certainly involved.\r\nAfter the initial infection attempt, several additional WINDTAIL samples from the same external IP address,\r\n109.235.51[.]110, were directed at the same internal IP address from January through May of 2018 (see Figure 2\r\nfor additional details). All related WINDTAIL samples were Mac OSX app bundles in zip archives, which is\r\nconsistent with WINDSHIFT TTPs.\r\nOne sample in particular, named “mcworker.zip” (SHA256:\r\ne0fdcb5e0215f9fae485fbfcd615c79b85806827e461bca2e1c00c82e83281dc) deserves particular attention. Upon\r\nfurther analysis, Unit 42 determined its C2 server IP address was 185.25.50[.]189. According to OSINT, at the\r\ntime of the activity, the IP address 185.25.50[.]189 had one domain resolution: domforworld[.]com.\r\nConclusion\r\nBy analyzing this attack in detail, Unit 42 was able to gain valuable insight into the real-world TTPs of a known\r\nthreat actor group. Of particular importance are the following findings:\r\nUnit 42 assesses with high confidence that both the IP address 185.25.50[.]189 and the domain\r\ndomforworld[.]com are associated with WINDSHIFT activity.
Additionally, the IP addresses\r\n109.235.51[.]110 and 109.235.51[.]153, corresponding to the previously validated WINDSHIFT domains\r\nflux2key[.]com and string2me[.]com, respectively, were also observed in use during this campaign.\r\nThe attacker-owned IP address 109.235.50[.]191 was subsequently identified in a Norman Security report\r\nas being associated with Hangover threat actor activity, and both IP addresses 109.235.51[.]110 and\r\n109.235.50[.]191 shared the name “XENEUROPE” within their organizational registrant WHOIS\r\ninformation. This organizational name is tied to a number of IP addresses of Hangover-associated\r\ninfrastructure as per the Norman report. Collectively, this evidence serves to strengthen the implication\r\nfrom other security researchers that Operation Hangover and WINDSHIFT activity are possibly related.\r\nBased on Unit 42’s observations of multiple inbound WINDTAIL samples directed at the same internal IP\r\naddress, Unit 42 assesses with moderate confidence that the attackers were not able to establish persistence\r\nwithin the targeted environment. While Unit 42 cannot definitively determine the attempted delivery vector\r\nof these samples, WINDTAIL TTPs would indicate that it was likely standard spearphishing chicanery.\r\nOne of the two Mac OSX developer certificates tied to the WINDTAIL samples shown in DarkMatter’s\r\noriginal presentation, Caren Van (4F9G49SUXB), was also tied to the WINDTAIL samples within this\r\nblog.
Additionally, a newly identified certificate, warren portman (95RKE2AA8F), was found to be directly\r\naffiliated with WINDSHIFT malware.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nAutoFocus customers can track these samples with the Windshift tag.\r\nWildFire detects all files mentioned in this report with malicious verdicts.\r\nIOCs\r\nInfrastructure:\r\nDomain              IP Address\r\nflux2key[.]com      109.235.51[.]110\r\nstring2me[.]com     109.235.51[.]153\r\ndomforworld[.]com   185.25.50[.]189\r\nFile Hashes:\r\nFile Name(s)   Apple Developer Certificate   SHA-256\r\ntrusted.zip    Caren Van (4F9G49SUXB)        ce8e01373499b539f4746c0e68c850357476abe36b12834f507f9ba19af3d4f9\r\nmcworker.zip   Caren Van (4F9G49SUXB)        e0fdcb5e0215f9fae485fbfcd615c79b85806827e461bca2e1c00c82e83281dc\r\nkeybaged.zip   Caren Van (4F9G49SUXB)        1fbfbaefd50627796e7f16b8cc2b81ffbc5effcb33b64cc8e349e44b5d5d3ee8\r\ntrustb.zip     Caren Van (4F9G49SUXB)        1de218e45cdf069c10d1a8735d82688b8964261a5efe3b6560e0fdcfa3c44c1d\r\nfrd.zip        Caren Van (4F9G49SUXB)        dd0e0883392ffe8c72c4b13f58e5861fc2f4bc518a6abea4f81ae3a44b2eda1c\r\nsmdd.zip       Caren Van (4F9G49SUXB)        e2a5663584727efa396c319f7f99a12205bb05c9c678ffae130e9f86667505a6\r\nlogd.zip       Caren Van (4F9G49SUXB)        ffae55894f0f31d99105b5b7bbbca79e9c1019b37b7a5a20368f50c173352fd1\r\nlogd.zip       Caren Van (4F9G49SUXB)        cb3068ee887fc2f66d3df886421d5e5fa5e31ec4ee0079a7dcf9628bd2730de0\r\nlsd.zip        Caren Van (4F9G49SUXB)        0c0fce879c8ca00a6f9feeaccf6cba64374e508cacd664682e794a4a4cc64ffb\r\ntootoo.zip     warren portman (95RKE2AA8F)   8c8b53f4d4836bd7d4574fe80039caf9f2bd4d75740f2e8e22619064c830c6d9\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat
Alliance members. CTA members use this intelligence to rapidly deploy protections\r\nto their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat\r\nAlliance, visit www.cyberthreatalliance.org.\r\nSource: https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/"
	],
	"report_names": [
		"shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments"
	],
	"threat_actors": [
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bd4ed50-e116-494c-bb70-9587876663f1",
			"created_at": "2023-01-06T13:46:39.004062Z",
			"updated_at": "2026-04-10T02:00:03.178044Z",
			"deleted_at": null,
			"main_name": "WindShift",
			"aliases": [
				"Windy Phoenix"
			],
			"source_name": "MISPGALAXY:WindShift",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68f12936-2361-4720-87e1-b79a4fdbf1a0",
			"created_at": "2022-10-25T16:07:24.409855Z",
			"updated_at": "2026-04-10T02:00:04.978227Z",
			"deleted_at": null,
			"main_name": "WindShift",
			"aliases": [
				"G0112",
				"Windy Phoenix"
			],
			"source_name": "ETDA:WindShift",
			"tools": [
				"WindTail"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434668,
	"ts_updated_at": 1775792030,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afd144a2ebda4289999795c8842b2f6a23dda209.pdf",
		"text": "https://archive.orkl.eu/afd144a2ebda4289999795c8842b2f6a23dda209.txt",
		"img": "https://archive.orkl.eu/afd144a2ebda4289999795c8842b2f6a23dda209.jpg"
	}
}