{
	"id": "ee1d70cf-82b3-40e3-ae74-4734b8b9c3e9",
	"created_at": "2026-04-06T00:15:42.295671Z",
	"updated_at": "2026-04-10T03:33:50.230264Z",
	"deleted_at": null,
	"sha1_hash": "d8f1166bd61a5dfe20d464af25a639856b306fb4",
	"title": "WINDSHIFT_summit_archive_1554718868",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 204783,
	"plain_text": "WINDSHIFT_summit_archive_1554718868\r\nArchived: 2026-04-05 23:22:01 UTC\r\n0% found this document useful (0 votes)\r\n3K views37 pages\r\nWindShift APT: Insights and Analysis\r\nYou are on page 1\r\n37\r\n \r\nTRAILS OF WINDSHIFT\r\nTAHA KARIM –MALWARE SPECIALIST\r\n1\r\n \r\nA little bit about me\r\n!\r\nhttps://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868\r\nPage 1 of 11\n\nCurrently I’m founder and CTO of tephracoreTechnologies\r\n!\r\nMalware Analysis for more than a decade.\r\n!\r\nPreviously worked at : Dark Matter, FireEye, Symantec ...\r\n!\r\nMost known for: –\r\nUncovering LatentBotIn 2015\r\n–\r\n A major carding investigation in 2016\r\n–\r\nMultiple intelligence reports 2011-2019\r\n–\r\nUncovering WindShiftAPT in 2018\r\n2\r\n \r\nhttps://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868\r\nPage 2 of 11\n\nA little bit about my company\r\n!\r\nIn 2019, tephracoreTechnologies a cyber security startup was established in Dubai\r\n!\r\nWith the purpose of raising the bar very high against threat actors (their job wont be easy anymore)\r\n!\r\nWe are specialized in malware analysis, Incident Response, Vulnerability analysis, security testing, building APT\r\ndeception frameworks, and red team assessments and malware analysis training courses.\r\n!\r\nWe communicate via our technical blog see: https://tephracore.com/blog \r\n3\r\nhttps://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868\r\nPage 3 of 11\n\nContents\r\n!\r\nPart 1: APT Myths and Definitions\r\nhttps://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868\r\nPage 4 of 11\n\n!\r\nPart 2: WINDSHIFT Modus Operandi\r\n!\r\nPart 3: WINDSHIFT Attribution\r\n4\r\n \r\nPart 1: APT Myths and Definitions\r\n!\r\nDoes APT always means Advanced?\r\n–\r\nCase scenario: A target using unpatched Windows XP with no AV.\r\n!\r\nA very advanced toolset would be an overkill and comes with an unnecessary toolset exposure, whilst a simple\r\ntoolset will get the job done most of the times.\r\n!\r\nModern APT’s, Re-use of available tools, think copy-cat, evading attribution.\r\nhttps://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868\r\nPage 5 of 11\n\n!\r\nSimplicity always wins over complexity. Especially when time frames are shorts and/or budgets are limited.\r\n5\r\nMitre Att\u0026ck\r\nhttps://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868\r\nPage 6 of 11\n\nFrom Scribd9 pages17 views\r\nMitre Att\u0026ck\r\nhttps://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868\r\nPage 7 of 11\n\nNo ratings yet\r\n \r\nPart 1: APT Myths and Definitions\r\n6\r\nOPSEC\r\nEvasionEffectivenessUniquenessStealth\r\nSuccess Rate\r\nExfiltrationReachPersistenceIntel\r\nDetection\r\nCounter measures\r\nPredictability\r\nAdaptabilityNoise\r\nHow to measure an APT skill level\r\nOC1\r\nhttps://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868\r\nPage 8 of 11\n\nhttps://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868\r\nPage 9 of 11\n\nFrom Scribd2 pages7 views\r\nOC1\r\nhttps://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868\r\nPage 10 of 11\n\nNo ratings yet\r\nSource: https://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868\r\nhttps://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868\r\nPage 11 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868"
	],
	"report_names": [
		"WINDSHIFT-summit-archive-1554718868"
	],
	"threat_actors": [
		{
			"id": "6bd4ed50-e116-494c-bb70-9587876663f1",
			"created_at": "2023-01-06T13:46:39.004062Z",
			"updated_at": "2026-04-10T02:00:03.178044Z",
			"deleted_at": null,
			"main_name": "WindShift",
			"aliases": [
				"Windy Phoenix"
			],
			"source_name": "MISPGALAXY:WindShift",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68f12936-2361-4720-87e1-b79a4fdbf1a0",
			"created_at": "2022-10-25T16:07:24.409855Z",
			"updated_at": "2026-04-10T02:00:04.978227Z",
			"deleted_at": null,
			"main_name": "WindShift",
			"aliases": [
				"G0112",
				"Windy Phoenix"
			],
			"source_name": "ETDA:WindShift",
			"tools": [
				"WindTail"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434542,
	"ts_updated_at": 1775792030,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8f1166bd61a5dfe20d464af25a639856b306fb4.pdf",
		"text": "https://archive.orkl.eu/d8f1166bd61a5dfe20d464af25a639856b306fb4.txt",
		"img": "https://archive.orkl.eu/d8f1166bd61a5dfe20d464af25a639856b306fb4.jpg"
	}
}