{
	"id": "2a245edc-c534-45ab-9085-a2805d9a9233",
	"created_at": "2026-04-06T00:18:45.268941Z",
	"updated_at": "2026-04-10T03:37:20.254226Z",
	"deleted_at": null,
	"sha1_hash": "e22831058918083986ead5c6bf0b60d70722be12",
	"title": "WarHawk: New APT backdoor from SideWinder | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3157049,
	"plain_text": "WarHawk: New APT backdoor from SideWinder | Zscaler\r\nBy Niraj Shivtarkar, Avinash Kumar\r\nPublished: 2022-10-21 · Archived: 2026-04-05 21:56:22 UTC\r\nRecently, Zscaler ThreatLabz discovered new malware being used by the SideWinder APT threat group in campaigns targeting Pakistan: a backdoor we’ve called “WarHawk.” SideWinder APT, aka Rattlesnake or T-APT-04, is a suspected Indian threat actor group active since at least 2012, with a history of targeting government, military, and businesses throughout Asia, particularly Pakistan. The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallbackTable process injection and a Pakistan Standard Time time-zone check to improve the odds of a successful campaign. Zscaler’s ThreatLabz research team has performed an in-depth analysis of the WarHawk backdoor and its use in threat campaigns below.\r\nKey Features of this Attack\r\nSideWinder APT campaign targets Pakistan with a new backdoor named “WarHawk”\r\nThe WarHawk Backdoor consists of four modules:\r\nDownload \u0026 Execute Module\r\nCommand Execution Module\r\nFile Manager InfoExfil Module\r\nUploadFromC2 Module\r\nWarHawk is commissioned to deliver Cobalt Strike as the final payload, which is downloaded and executed using the Download \u0026 Execute Module. 
\r\nThe custom Cobalt Strike loader used by the SideWinder APT leverages KernelCallbackTable process injection (a technique previously used by FinFisher and Lazarus APT) to load the Cobalt Strike beacon, along with a time-zone check that makes sure the loader runs only under Pakistan Standard Time.\r\nThe SideWinder APT makes use of ISO files bundled with an LNK file, a decoy PDF displaying copies of cybersecurity advisories released by the Pakistan Cabinet Division (used as a lure), and the WarHawk backdoor, which is executed by the LNK file.\r\nWe discovered the ISO file hosted on the legitimate website of Pakistan's National Electric Power Regulatory Authority “nepra[.]org[.]pk”, which may indicate a compromise of their web server.\r\nWe were able to attribute this campaign to the SideWinder APT based on the reuse of network infrastructure that has previously been used by SideWinder for various espionage activities against Pakistan.\r\nCampaign Analysis\r\nhttps://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group\r\nPage 1 of 27\r\nIn September 2022, we came across an ISO file “32-Advisory-No-32.iso” hosted on the official website of Pakistan’s National Electric Power Regulatory Authority “nepra[.]org[.]pk.” NEPRA is commissioned to provide safe, reliable, efficient and affordable electric power to the electricity consumers of Pakistan. It is possible that this ISO file was uploaded to the server as a result of a web server compromise.\r\nISO URL: https[:]//nepra[.]org[.]pk/css/32-Advisory-No-32[.]iso\r\nFig 1. 
National Electric Power Regulatory Authority Website\r\nWe then downloaded the ISO file from the above-mentioned URL; it consisted of the following bundled files.\r\n32-Advisory-No-32-2022.lnk - Malicious LNK file\r\n32-Advisory-No-32-2022.pdf - Decoy PDF\r\nRtlAudioDriver.exe - Malicious binary\r\nFig 2. Contents of the Malicious ISO File\r\nThe LNK file had a PDF icon to lure the victim into executing it. Once the LNK file is executed, it runs the malicious binary “RtlAudioDriver.exe” along with the decoy PDF “32-Advisory-No-32-2022.pdf” to distract the victim. It does so with the help of the command shown in the following screenshot.\r\nFig 3. Execution of Malicious Binary \u0026 Decoy PDF via the LNK File\r\nFollowing is the decoy PDF opened by the LNK file, with the subject “Phishing Site - Masqueraded Links (Advisory No. 32)”, in the screenshot below.\r\nFig 4. Decoy PDF\r\nThe content of the PDF was copied from an actual advisory previously released by the Cabinet Division of the Pakistan Government regarding “Masqueraded Links used by the Malicious Actors in Phishing Campaigns” on their official website cabinet[.]gov[.]pk\r\nLink:\r\nhttps[:]//cabinet[.]gov[.]pk/SiteImage/Misc/files/NTISB%20Advisories/2022/32-Advisory-No-32-2022[.]pdf\r\nFig 5. Original Advisory on Pakistan Government Cabinet Division Website\r\nAlongside the decoy PDF, the malicious binary “RtlAudioDriver.exe” is also executed by the LNK file.\r\nA few days after this initial discovery, ThreatLabz came across another related ISO file named “33-Advisory-No-33-2022.pdf.iso” which similarly copied a real “Advisory No. 
33” from the Pakistan Cabinet website as a lure.\r\nThis ISO similarly consisted of three files, including a Windows shortcut file commissioned to execute the binary “MsBuild.exe” and a decoy PDF “33-Advisory-No-33-2022.pdf” to fool the victims, as shown in the screenshot below.\r\nFig 6. 33-Advisory-No-33-2022 Campaign\r\nUpon analyzing both binaries, “RtlAudioDriver.exe” and “MsBuild.exe,” we discovered that this was a new backdoor added to the arsenal of the SideWinder APT group. We termed it the “WarHawk” backdoor based on the CnC panel title, as shown in the screenshot below. The “MsBuild” binary is the newer version of the backdoor, with a few additional features compared to “RtlAudioDriver” (the older one). Below, we share our in-depth analysis of the inner workings of the WarHawk backdoor.\r\nFig 7. WarHawk CnC Panel\r\nAnalysis - WarHawk Backdoor\r\nThe WarHawk backdoor disguises itself as a legitimate application to lure unsuspecting victims into executing it, as shown in the screenshot below.\r\nFig 8. WarHawk Backdoor disguises as legit applications\r\nOnce executed, WarHawk first locates the base address of kernel32.dll by walking the InMemoryOrderModuleList linked list in the Process Environment Block (PEB), a common way to resolve APIs at runtime without leaving them in the import table. The instructions it uses are shown in the screenshot below.\r\nFig 9. 
Enumerate Base Address of Kernel32.dll via PEB\r\nOnce the base address of kernel32.dll is found, WarHawk decrypts a set of API and DLL names using a string decryption routine that takes the encrypted hex bytes as input and subtracts the key 0x42 from each byte to recover the string.\r\nFig 10. String Decryption Routine - WarHawk\r\nLeveraging the decryption logic, we wrote a string decryptor for the WarHawk backdoor, through which we were able to decrypt the following strings from the encrypted hex blobs:\r\nLoadLibraryA, GetUserNameA, GetCurrentHwProfileA\r\nAdvapi32, GetProcAddress, GetComputerNameA\r\nFig 11. Decrypted Strings from the WarHawk String Decryptor\r\nInitially WarHawk decrypts the LoadLibraryA and GetProcAddress API names, then loops through all the functions in the kernel32.dll export table and compares each exported name with the decrypted function names. On a match, it fetches the address of the corresponding function, in this case LoadLibraryA() and GetProcAddress().\r\nFig 12. Fetches the Address of the Decrypted Function Names\r\nNext, it decrypts the string “Advapi32” and loads Advapi32.dll into memory with the help of LoadLibraryA(). It then retrieves the address of GetCurrentHwProfileA() from Advapi32.dll via GetProcAddress(); the GetCurrentHwProfileA string is decrypted with the same routine. After decryption, it calls GetCurrentHwProfileA() to retrieve the GUID (Globally Unique Identifier) of the current hardware profile.\r\nFig 13. 
Retrieves the GUID for the hardware profile using GetCurrentHwProfileA\r\nThe retrieved GUID is then placed in the _hwid parameter in the following JSON format:\r\n{ \"_hwid\": \"{GUID}\" }\r\nAs shown in the screenshot below:\r\nFig 14. GUID concatenated with the _hwid parameter\r\nWarHawk then sends an initial beacon POST request to the hardcoded Command \u0026 Control server “146[.]190[.]235[.]137” using HttpSendRequestW(), with the GUID in JSON format as the POST data and the request URL “/wh/glass.php,” as shown and explained in the screenshot below:\r\nFig 15. Initial Beacon Request to the CnC Server with the GUID\r\nIt then reads the response via InternetReadFile(). If the response is “0” in the newer sample (“1” in the older sample), it gathers the following system information and then sleeps for 2 seconds:\r\nRetrieves the computer/NetBIOS name via GetComputerNameA()\r\nRetrieves the user name via GetUserNameA()\r\nRetrieves the Windows product name from the “SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName” registry value via RegQueryValueExA()\r\nOnce all of the above system information has been gathered, it is formatted with wsprintf() into the following JSON, in the same way as the beacon request:\r\n{ \"_hwid\": \"{GUID}\", \"_computer\": \"Computer_Name\", \"_username\": \"User_Name\", \"_os\": \"Windows_Product_Name\" }\r\nIt then sends the system information in JSON format to the Command \u0026 Control server using HttpSendRequestW(), as shown and explained in the screenshot below:\r\nFig 16. 
Gathered System Information sent across to the CnC server\r\nAfter sending the system information, it sends a JSON ping request to the Command and Control server using the same WinINet functions, as shown in the screenshot below:\r\nFig 17. JSON Ping Request to the CnC Server\r\nIf the response to the JSON ping request is “del”, as shown in the screenshot below, WarHawk skips the main malicious functions, sends a “_del”: “true” request to the Command and Control server and then exits the process, as shown in Fig 19.\r\nFig 18. JSON Ping Request to the CnC Server\r\nFig 19. Sends DEL Request and Exits the Process\r\nIf the response to the JSON ping request is not “del”, the WarHawk backdoor executes the modules integrated in it:\r\nDownload \u0026 Execute Module\r\nThis module is responsible for downloading and executing additional payloads from the remote URL provided by the CnC server. First, WarHawk sends a task initiation request to the Command and Control server, as shown in the screenshot below. This request is in JSON format and uses the same Send_Req function built on the WinINet functions.\r\nFig 20. WarHawk Task Initiation Request\r\nThe CnC responds to this request in the following JSON format with the id, type, and remote URL:\r\n{ \"_task\": \"true\", \"_id\": \"id_no\", \"_type\": \"type_no\", \"_url\": \"Remote_URL\" }\r\nIn the screenshot below, we can see the response from the CnC. It contains a remote URL that leads to the Stage-2 payload, which is then downloaded and executed by the backdoor.\r\nFig 21. 
Response to Task Initiation Request consisting of the Remote URL\r\nOnce the JSON response is received, WarHawk parses the parameters _id, _type and _url using the ultra-lightweight JSON parser library “cJSON,” as shown below.\r\nFig 22. Parse JSON Response parameters using cJSON\r\nIt then checks the parsed _type parameter. If the _type value is “1”, the backdoor downloads the additional payload from the remote URL in the parsed _url parameter using URLDownloadToFileA() into the Temp directory, where the filename is randomly generated and given the extension of the remote URL. Once the payload is downloaded, the backdoor executes it using ShellExecuteA().\r\nIf the _type is “2”, the payload is expected to be a DLL: it is downloaded via URLDownloadToFileA() and then loaded into the process with LoadLibrary().\r\nFinally, if the _type is “3”, the handling is the same as for _type “1”, except that the process exits at the end through ExitProcess().\r\nFig 23. Download and Execute Additional Payloads from the Remote URL\r\nOnce the Stage-2 payload has been downloaded and executed on the infected machine and the task is completed, WarHawk sends a task completion request to the Command and Control server in the following manner:\r\nFig 24. WarHawk Task Completion Request\r\nThis is how additional payloads are downloaded and executed from the remote URL served by the CnC server. 
In this case, multiple payloads are downloaded and executed by the WarHawk backdoor; they are analyzed later in the blog.\r\nCommand Execution Module\r\nThe command execution module is responsible for executing system commands received from the Command \u0026 Control server on the infected machine. WarHawk starts by sending a command execution initiation request with the GUID of the system, as shown in the screenshot below.\r\nFig 25. WarHawk Command Execution Initiation Request\r\nThe response to this initiation request consists of the command to be executed. Let’s analyze the routine assuming that the received command is “whoami”. The received command is passed as an argument to a cmd.exe process spawned using ShellExecuteA(). The command arguments passed to the cmd.exe process can be seen in the screenshot below.\r\nFig 26. WarHawk Command Execution\r\nIn this case, the output of the “whoami” command received from the CnC is stored in a “.bin” file in the Temp directory, where the file name is generated using a random name generator function, as shown above.\r\nThis “.bin” file in the Temp directory is then read using ReadFile() and deleted to cover its tracks. The command output is base64 encoded, arranged in the following JSON format, and sent to the Command \u0026 Control server 146[.]190[.]235[.]137 using HttpSendRequestW():\r\n{ \"_hwid\": \"GUID\", \"_cmd_done\": \"true\", \"_response\": \"base64enc_cmd_output\" }\r\nFig 27. Sending Command Output response to CnC Server\r\nIf the command executed on the machine produces no output, the _response parameter is set to “0” in the JSON response. 
\r\nThis is how WarHawk performs its command execution routine: it receives commands from the Command and Control server, executes them, and sends the output back to the CnC base64 encoded. The routine runs in a loop for as long as the response to the JSON ping request is not “del,” allowing the threat actors to execute multiple commands on the infected machine.\r\nFile Manager InfoExfil Module\r\nThis module is responsible for gathering and sending file manager information. It starts by sending a module initiation request to the CnC server, as shown below:\r\nFig 28. File Manager Initiation Request\r\nIf the response to the initiation request is “drive”, WarHawk determines the drive types by looping through the drive letters A to Z. It first checks whether the drive exists with the help of PathFileExistsA(); if it exists, it then fetches the drive type, such as DRIVE_FIXED or DRIVE_REMOVABLE, using GetDriveTypeA(), as shown and explained in the screenshot below:\r\nFig 29. Determine Drive Type\r\nAfter this, the gathered information, consisting of the existing drives and their types, is sent to the CnC in the following JSON format:\r\nFig 30. Drive Information sent across to CnC in JSON Format\r\nIf instead the response to the initiation request is a directory path such as “C:\\Dump\\,” the backdoor recursively searches that directory for files and folders using FindFirstFileA() and FindNextFileA(). During the recursion it collects the file name, file size, modification date and file type, and at the end sends all of the information to the CnC server in JSON format:\r\nFig 31. 
WarHawk sends across File/Folder information to CnC in JSON Format\r\nUploadFromC2 Module\r\nThis module is a new feature added in the latest WarHawk backdoor (MsBuild.exe), allowing the threat actor to upload files from the Command and Control server onto the infected machine. Initially the UploadFromC2 module sends a routine initiation request to the CnC server in the following JSON format:\r\nFig 32. UploadFromC2 Module initiation request\r\nThe response to this request should be a JSON response from the CnC server consisting of the following two parameters:\r\n1. _upload - File name of the target file to be uploaded onto the infected machine from the CnC server\r\n2. _path - Path where the uploaded file is to be saved on the infected machine\r\nThe JSON response is parsed using the cJSON library as before, and the _upload value is appended to the hardcoded CnC URL http[:]//146[.]190[.]235[.]137/wh. For example, if _upload = “stage2.exe,” the final URL becomes http[:]//146[.]190[.]235[.]137/wh/stage2.exe. WarHawk then downloads the file from that URL using URLDownloadToFileA() and writes it to the current directory using the same file name “stage2.exe” (or, if a _path value is present, to that path, as shown in the routine below):\r\nFig 33. UploadFromC2 Module Routine\r\nAs can be seen from the screenshot, if the file has been downloaded successfully the WarHawk backdoor sends a JSON request to the CnC server with “_uploadstatus”:“true”, and otherwise “_uploadstatus”:“false”.\r\nIn this way the WarHawk backdoor performs its espionage activities through its various modules. 
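As an added example, and not code from the original blog or from the WarHawk samples, the following Python reproduces two pieces of the analysis above in analyst-side form: the string decryption routine (subtract 0x42 from every byte of the hex blob) and the JSON layouts WarHawk exchanges with /wh/glass.php (initial beacon, system information, _del, _cmd_done with a base64 _response, _uploadstatus, and the _task response whose _type 1/2/3 selects ShellExecuteA, LoadLibrary or ShellExecuteA-then-ExitProcess). The hex blob and the request bodies are constructed here by applying the documented formats in reverse; they are not the blobs or traffic from the real samples, and the GUID is a placeholder.

```python
import base64
import json

# WarHawk string decryption: each byte of the hex blob has 0x42 subtracted.
# The same key is added back below only to build constructed sample blobs.
WARHAWK_KEY = 0x42

# Meaning of the _type values in the _task response, per the analysis above.
TASK_TYPES = {
    '1': 'download to Temp with a random name and run via ShellExecuteA',
    '2': 'download a DLL and load it in-process via LoadLibrary',
    '3': 'same as type 1, then ExitProcess',
}


def decrypt_string(hex_blob):
    '''Subtract 0x42 (mod 256) from every byte of the blob; stop at the first NUL.'''
    out = bytearray()
    for b in bytes.fromhex(hex_blob.replace(' ', '')):
        p = (b - WARHAWK_KEY) & 0xFF
        if p == 0:
            break
        out.append(p)
    return out.decode('ascii', errors='replace')


def encrypt_string(plain):
    '''Inverse of decrypt_string; used only to construct sample blobs here.'''
    return bytes((ord(c) + WARHAWK_KEY) & 0xFF for c in plain).hex()


# Constructed blob equal to encrypt_string('LoadLibraryA'); not from a sample.
SAMPLE_BLOB = '8eb1a3a68eaba4b4a3b4bb83'


def classify_request(body):
    '''Classify a JSON body WarHawk posts to /wh/glass.php by the keys the
    analysis documents, and decode the command output when one is present.'''
    msg = json.loads(body)
    hwid = msg.get('_hwid')
    if '_del' in msg:
        kind = 'self-delete acknowledgement'
    elif '_cmd_done' in msg:
        kind = 'command output'
    elif '_uploadstatus' in msg:
        kind = 'upload status'
    elif any(k in msg for k in ('_computer', '_username', '_os')):
        kind = 'system information'
    elif hwid is not None and len(msg) == 1:
        kind = 'initial beacon'
    else:
        kind = 'unknown'
    result = {'kind': kind, 'hwid': hwid}
    if kind == 'command output':
        resp = msg.get('_response', '0')
        # _response is 0 when the executed command produced no output.
        if resp in ('0', 0):
            result['output'] = ''
        else:
            result['output'] = base64.b64decode(resp).decode('utf-8', errors='replace')
    if kind == 'system information':
        result['host'] = (msg.get('_computer'), msg.get('_username'), msg.get('_os'))
    return result


def describe_task(body):
    '''Interpret the CnC reply to a task initiation request; None if it is not a task.'''
    msg = json.loads(body)
    if msg.get('_task') != 'true':
        return None
    t = str(msg.get('_type'))
    return {'id': msg.get('_id'), 'url': msg.get('_url'), 'type': t,
            'action': TASK_TYPES.get(t, 'unknown _type')}


# Constructed sample traffic built with json.dumps from the documented layouts.
PLACEHOLDER_GUID = '{11111111-2222-3333-4444-555555555555}'
SAMPLE_REQUESTS = [
    json.dumps({'_hwid': PLACEHOLDER_GUID}),
    json.dumps({'_hwid': PLACEHOLDER_GUID, '_computer': 'DESKTOP-LAB',
                '_username': 'analyst', '_os': 'Windows 10 Pro'}),
    json.dumps({'_hwid': PLACEHOLDER_GUID, '_cmd_done': 'true',
                '_response': base64.b64encode('desktop-lab analyst'.encode()).decode()}),
    json.dumps({'_hwid': PLACEHOLDER_GUID, '_cmd_done': 'true', '_response': '0'}),
    json.dumps({'_hwid': PLACEHOLDER_GUID, '_uploadstatus': 'true'}),
    json.dumps({'_hwid': PLACEHOLDER_GUID, '_del': 'true'}),
]
SAMPLE_TASK = json.dumps({'_task': 'true', '_id': '7', '_type': '1',
                          '_url': 'hxxp://146[.]190[.]235[.]137/Snitch.exe'})


def triage():
    '''Run the helpers over the constructed samples and return the findings.'''
    return {
        'decrypted': decrypt_string(SAMPLE_BLOB),
        'requests': [classify_request(r)['kind'] for r in SAMPLE_REQUESTS],
        'task': describe_task(SAMPLE_TASK),
    }


if __name__ == '__main__':
    for key, value in triage().items():
        print(key, value)
```

The request classifier keys only on field names, so it works on bodies captured from a proxy or sandbox PCAP regardless of the GUID value; the `_cmd_done` branch is the one worth wiring into a detection, since the decoded `_response` shows exactly what the operator ran.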
\r\nStage 2 Analysis\r\nFrom the analysis of the WarHawk backdoor we know that it can download and execute additional payloads. While tracking SideWinder’s espionage campaign, we observed WarHawk downloading three additional Stage-2 payloads from the Command and Control server at the time of writing. Below, we analyze the Stage-2 payloads downloaded by WarHawk.\r\nSnitch.exe - Cobalt Strike Loader using KernelCallbackTable Process Injection\r\nWarHawk downloads and executes the Cobalt Strike loader using the Download \u0026 Execute module from the CnC URL http[:]//146[.]190[.]235[.]137/Snitch.exe. Once executed, the loader performs the following anti-analysis checks:\r\nAnti-Sandbox:\r\n- Checks whether the number of processors is at least two using GetSystemInfo()\r\n- Checks the minimum amount of RAM using GlobalMemoryStatusEx()\r\n- Checks whether the hard disk is larger than 40 GB by sending an IOCTL_DISK_GET_DRIVE_GEOMETRY control code to PhysicalDrive0 via DeviceIoControl()\r\nTime-Zone Check: The loader performs the time-zone check using GetDynamicTimeZoneInformation(). It inspects whether the time zone under which the code executes is “Pakistan Standard Time;” if not, the loader does not perform any malicious actions and exits the process. From this check we can deduce that the malware is specifically targeted at Pakistan by the SideWinder APT group. Note that the check relies only on the victim’s configured time zone, so an analysis VM set to Pakistan Standard Time passes it:\r\nFig 34. Anti-Analysis Checks\r\nOnce all the anti-analysis checks are satisfied, the loader unhooks the (hooked) ntdll.dll by mapping a fresh copy of ntdll from disk into memory using MapViewOfFile() and replacing the .text section of the hooked ntdll with the .text section of the fresh copy. 
This technique allows the loader to evade user-mode API hooks placed on the native APIs by EDRs.\r\nFig 35. NTDLL UnHooking\r\nThe loader then performs KernelCallbackTable process injection to inject shellcode into a remote process. This technique was previously used by FinFisher and the Lazarus APT group, and is now also used by SideWinder APT. The process injection code in this case has been reused from a public blog post, as can be seen in the screenshot below:\r\nFig 36. Reused KernelCallbackTable Process Injection Routine\r\nOnce initiated, the loader injects the shellcode into the remote process “notepad.exe”, pointing the fnCOPYDATA entry of that process’s KernelCallbackTable at the payload, and then triggers execution by calling SendMessageW() with WM_COPYDATA, which makes the target process invoke fnCOPYDATA. The sample was crashing when executed, but after patching a few instructions related to the WaitForInputIdle() call we were able to run it and debug the shellcode, which decrypted and loaded the embedded binary in memory. We dumped the loaded binary, which was a Cobalt Strike beacon, as seen in the screenshot below:\r\nFig 37. Cobalt Strike Beacon Injected into the Remote Process via KernelCallbackTable Process Injection\r\nWe then found multiple similar CS loaders and extracted the configuration of the Cobalt Strike beacons:\r\nBeacon Type: Hybrid HTTP DNS\r\nCobalt Strike C2: fia-gov[.]org\r\nFig 38. 
Cobalt Strike Configuration - 1\r\nOneDrive.exe and DDRA.exe - Cobalt Strike Beacons\r\nAlong with the CS loader, both of these payloads were also downloaded and executed from the CnC server URLs http[:]//146[.]190[.]235[.]137/OneDrive.exe and http[:]//146[.]190[.]235[.]137/DDRA.exe. We extracted the configuration of both Cobalt Strike beacons, which use the same CnC server, as seen in the screenshots below:\r\nDDRA.exe\r\nBeacon Type: Hybrid HTTP DNS\r\nCobalt Strike C2: fia-gov[.]org\r\nFig 39. Cobalt Strike Configuration - 2\r\nOneDrive.exe\r\nBeacon Type: Hybrid HTTP DNS\r\nCobalt Strike C2: fia-gov[.]org\r\nFig 40. Cobalt Strike Configuration - 3\r\nThe CnC server domain fia-gov[.]org used by the SideWinder APT mimics the domain name of Pakistan’s Federal Investigation Agency, fia[.]gov[.]pk, the premier agency of Pakistan at the national level for investigating federal crimes.\r\nWe also found another similar CS loader sample with the CnC server customs-lk[.]org, which mimics the domain name of Sri Lanka Customs, customs[.]gov[.]lk, possibly indicating a SideWinder campaign targeting Sri Lanka. The “campaign_id” in this case is similar to that of the CS loader analyzed previously, as can be seen in the screenshot below.\r\nFig 41. Cobalt Strike Configuration - 4\r\nAttribution to SideWinder APT\r\nSideWinder APT is reckoned to be an Indian threat actor group predominantly targeting Pakistan. 
We were able to attribute this campaign to the SideWinder APT based on the network infrastructure shown in the graph below.\r\nFig 42. SideWinder Network Infrastructure\r\nAs can be seen in the screenshot above, the IP 3[.]239[.]29[.]103 hosts the domains “fia-gov[.]org” and “customs-lk[.]org”, which were the CnC servers for the Cobalt Strike beacons in this campaign, as shown earlier. The same IP also hosts the following domains:\r\nnationalhelpdesk[.]pk\r\nmofa-pk[.]org\r\nsngpl[.]org[.]pk\r\nThese domains were previously reported and were actively used by the SideWinder APT group for espionage campaigns. Based on the reuse of this network infrastructure, we deduce that the WarHawk campaign is also conducted by the SideWinder APT group against Pakistan (shared hosting on its own would be weak evidence, since unrelated domains can sit on one IP; the lure themes and the targeting indicators below corroborate it).\r\nThe following indicators also support the assessment that the campaign is targeted at Pakistan:\r\nISO files hosted on Pakistan’s National Electric Power Regulatory Authority website\r\nAdvisories released by Pakistan’s Cabinet Division used as a lure\r\nTime-zone check for “Pakistan Standard Time”, which makes sure that the malware only executes under Pakistan Standard Time\r\nZscaler Sandbox Coverage:\r\nFig 43. The Zscaler Cloud Sandbox successfully detected the WarHawk backdoor\r\nWin32.Backdoor.WarHawk\r\nConclusion\r\nThe SideWinder APT group is continuously evolving its tactics and adding new malware to its arsenal in order to carry out successful espionage campaigns against its targets. 
The Zscaler ThreatLabz team will continue to monitor these attacks to help keep our customers safe.\r\nMITRE ATT\u0026CK TTP MAPPING\r\nID - Tactic - Technique\r\nT1566 - Initial Access - Phishing\r\nT1190 - Initial Access - Exploit Public-Facing Application\r\nT1204 - Execution - User Execution\r\nT1059 - Execution - Command and Scripting Interpreter\r\nT1140 - Defense Evasion - Deobfuscate/Decode Files or Information\r\nT1564 - Defense Evasion - Hide Artifacts\r\nT1055 - Defense Evasion - Process Injection\r\nT1071.001 - Command and Control - Application Layer Protocol: Web Protocols\r\nT1041 - Exfiltration - Exfiltration Over C2 Channel\r\nIoCs (hashes are MD5):\r\nISO:\r\n32-Advisory-No-32.iso: d510808a743e6afc705fc648ca7f896a\r\nURL: nepra[.]org[.]pk/css/32-Advisory-No-32[.]iso\r\n33-Advisory-No-33-2022.pdf.iso: 63d6d8213d9cc070b2a3dfd3c5866564\r\nWarHawk Backdoor:\r\nWarHawk_v1: 8f9cf5c828cb02c83f8df52ccae03e2a\r\nWarHawk_v1.1: 5cff6896e0505e8d6d98bff35d10c43a\r\nCnC: 146[.]190[.]235[.]137/wh/glass[.]php\r\nCobalt Strike:\r\nSnitch.exe CS Loader: ec33c5e1773b510e323bea8f70dcddb0\r\nURL: 146[.]190[.]235[.]137/Snitch[.]exe\r\nOneDrive.exe CS Beacon: d0acccab52778b77c96346194e38b244\r\nURL: 146[.]190[.]235[.]137/OneDrive[.]exe\r\nDDRA.exe CS Beacon: 40f86b56ab79e94893e4c6f1a0a099a1\r\nURL: 146[.]190[.]235[.]137/DDRA[.]exe\r\nCobalt Strike CnC: fia-gov[.]org \u0026 customs-lk[.]org\r\nSource: https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group"
	],
	"report_names": [
		"warhawk-new-backdoor-arsenal-sidewinder-apt-group"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434725,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e22831058918083986ead5c6bf0b60d70722be12.pdf",
		"text": "https://archive.orkl.eu/e22831058918083986ead5c6bf0b60d70722be12.txt",
		"img": "https://archive.orkl.eu/e22831058918083986ead5c6bf0b60d70722be12.jpg"
	}
}