ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > SideWinder, Rattlesnake

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: SideWinder, Rattlesnake

NamesSideWinder (Kaspersky)
Rattlesnake (Tencent)
Razor Tiger (CrowdStrike)
T-APT-04 (Tencent)
APT-C-17 (Qihoo 360)
Hardcore Nationalist (?)
HN2 (?)
APT-Q-39 (?)
BabyElephant (?)
GroupA21 (?)
CountryIndia India
MotivationInformation theft and espionage
First seen2012
Description(Kaspersky) An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.
ObservedSectors: Defense, Government.
Countries: Afghanistan, Bangladesh, Bhutan, China, Egypt, Maldives, Myanmar, Nepal, Pakistan, Qatar, Sri Lanka, Turkey.
Tools usedBroStealer, callCam, Capriccio RAT.
Operations performedMar 2019First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group
<https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/>
Jun 2021Old Snake, New Skin: Analysis of SideWinder APT activity between June and November 2021
<https://www.group-ib.com/resources/research-hub/sidewinder-apt/>
Mar 2022SideWinder’s malicious document, which also exploit the Russia-Ukraine conflict, was uploaded to VT in the middle of March.
<https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/>
May 2022Group-IB Threat Intelligence researchers have discovered a new malicious infrastructure and a custom tool of the APT group SideWinder
<https://blog.group-ib.com/sidewinder-antibot>
Nov 2022SideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials — and Is Now Targeting Turkey
<https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan>
Oct 2023SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea
<https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea>
Information<https://securelist.com/apt-trends-report-q1-2018/85280/>
<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-sidewinder-targeted-attack.pdf>
<https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c>
<https://s.tencent.com/research/report/479.html>
<https://s.tencent.com/research/report/659.html>
<https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf>
<https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html>
<https://www.neosecuretendencias2021.com/assets/pdfs/crowdstrike/2021%20Global%20Threat%20Report%20FINAL%20.pdf>
<https://www.group-ib.com/blog/hunting-sidewinder/>
<https://securelist.com/sidewinder-apt/114089/>
MITRE ATT&CK<https://attack.mitre.org/groups/G0121/>

Last change to this card: 24 October 2024

Download this actor card in PDF or JSON format

Previous: SideCopy
Next: Siesta

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]