WindShift

Description

(Palo Alto) In August of 2018, DarkMatter released a report entitled “In the Trails of WindShift APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles were released by Objective-See which provide an analysis of some validated WindShift samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WindShift attack as it unfolded at a Middle Eastern government agency.

Names

Name            Name-Giver
WindShift       DarkMatter
Windy Phoenix   Palo Alto

Country

Motivation

  • Information theft and espionage

First Seen

2018

Observed Sectors

Observed Countries

Tools

Information

Mitre Attack

Playbook

Other Information

Uuid

b75fd09b-c1ba-4b08-8adc-61925e605e78

Last Card Change

2024-03-10