ETDA, Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: WindShift

Names: WindShift (DarkMatter)
       Windy Phoenix (Palo Alto)
Country: [Unknown]
Motivation: Information theft and espionage
First seen: 2018
Description: (Palo Alto) In August of 2018, DarkMatter released a report entitled “In the Trails of WindShift APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles were released by Objective-See which provide an analysis of some validated WindShift samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WindShift attack as it unfolded at a Middle Eastern government agency.
Observed: Sectors: Government.
          Countries: Middle East.
Tools used: WindTail.
Information: <https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/>
             <https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0112/>
Playbook: <https://pan-unit42.github.io/playbook_viewer/?pb=windyphoenix>

Last change to this card: 10 March 2024
