SideWinder, Rattlesnake

Description

(Kaspersky) An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.

Names

Name	Name-Giver
SideWinder	Kaspersky
Rattlesnake	Tencent
Razor Tiger	CrowdStrike
T-APT-04	Tencent
APT-C-17	Qihoo 360
Hardcore Nationalist	?
HN2	?
APT-Q-39	?
BabyElephant	?
GroupA21	?

Country

• India

Motivation

• Information theft and espionage

First Seen

2012

Observed Sectors

• Defense
• Government
• Maritime and Shipbuilding

Observed Countries

• Afghanistan
• Bangladesh
• Bhutan
• Cambodia
• China
• Djibouti
• Egypt
• Maldives
• Myanmar
• Nepal
• Pakistan
• Qatar
• Sri Lanka
• Turkey
• UAE
• Vietnam

Tools

• BroStealer
• callCam
• Capriccio RAT

Operations

• 2019-03: First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/
• 2021-06: Old Snake, New Skin: Analysis of SideWinder APT activity between June and November 2021 https://www.group-ib.com/resources/research-hub/sidewinder-apt/
• 2022-03: SideWinder’s malicious document, which also exploit the Russia-Ukraine conflict, was uploaded to VT in the middle of March. https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
• 2022-05: Group-IB Threat Intelligence researchers have discovered a new malicious infrastructure and a custom tool of the APT group SideWinder https://blog.group-ib.com/sidewinder-antibot
• 2022-11: SideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials — and Is Now Targeting Turkey https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan
• 2023-10: SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea
• 2024: SideWinder targets the maritime and nuclear sectors with an updated toolset https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/

Information

• https://securelist.com/apt-trends-report-q1-2018/85280/
• https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-sidewinder-targeted-attack.pdf
• https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c
• https://s.tencent.com/research/report/479.html
• https://s.tencent.com/research/report/659.html
• https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf
• https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html
• https://www.neosecuretendencias2021.com/assets/pdfs/crowdstrike/2021%20Global%20Threat%20Report%20FINAL%20.pdf
• https://www.group-ib.com/blog/hunting-sidewinder/
• https://securelist.com/sidewinder-apt/114089/

Mitre Attack

• https://attack.mitre.org/groups/G0121/

Other Information

Uuid

4e925967-099e-4708-9bca-ade4890d847b

Last Card Change

2025-06-30